Cisco Catalyst

This pack includes Cortex XSIAM content.

Enabling Timestamps with a Time Zone on Log Messages

The timestamp parsing is supported only for timestamps including a time zone.
Follow the steps below to enable time stamping of log messages including a UTC timezone:

Access the switch's command-line interface (CLI) using a terminal emulator or SSH.
Access privileged EXEC mode by entering the following command and providing the enable password:

enable

Enter global configuration mode:

configure terminal

Configure the logging timestamp and specify the desired time format with the time zone:

logging timestamp datetime UTC

Exit configuration mode:

exit

To save the configuration changes run the command:

write memory

Note The time format is: "May 16 2023 14:30:00 UTC"

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

You will need to use the information described here.

You can configure the specific vendor and product for this instance.

Navigate to Settings → Configuration → Data Broker → Broker VMs.
Go to the APPS column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
Click Add New.

When configuring the Syslog Collector, set the following parameters:

Parameter	Value
`Port`	Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from Cisco Catalyst Devices.
`Vendor`	Enter cisco.
`Product`	Enter catalyst.

Name	Description
Cisco Catalyst Modeling Rule

Name	Description
Cisco Catalyst Parsing Rule

Modeling Rules

Cisco Catalyst Modeling Rule

Improved implementation of the various extractions.
Added support for additional event log formats.
Added mapping for additional XDM fields, including the following:
- xdm.event.id.
- xdm.event.log_level.
- xdm.event.outcome_reason.
- xdm.network.session_id.
- xdm.source.host.device_id.
- xdm.source.host.device_model.
- xdm.source.host.hardware_uuid.
- xdm.source.host.mac_addresses.
- xdm.observer.unique_identifier.
- xdm.session_context_id.
- xdm.target.host.hostname.
- xdm.target.ipv4.
- xdm.target.port.
Deprecated mappings of the following XDM fields:
- xdm.source.port.
- xdm.source.process.identifier.

Parsing Rules

CiscoCatalyst Parsing Rule

Added support for out-of-the-box parsing for system log message format common fields, which would be available as JSON entries under the parsed_fields field, for example:

    {
        "parsed_fields": {
            "sequence_number": "000123",
            "facility": "SYS",
            "severity": "5",
            "mnemonic": "CONFIG_I",
            "description": "Configured from console by vty2 (10.1.2.3)"
        }
    }

Common fields included:
- severity.
- facility.
- mnemonic.
- description.
- sequence_number.
- event_id.
You can now access the out-of-the-box parsed fields listed above with the XQL json_extract_scalar function. For example:

        | alter 
            event_name = parsed_fields -> mnemonic, 
            event_payload = parsed_fields -> description

Certification	Certified	Read more
Supported By	Cortex
Created	May 23, 2023
Last Release	May 18, 2025

Cisco Catalyst

Cisco Catalyst

Enabling Timestamps with a Time Zone on Log Messages

Collect Events from Vendor

Broker VM

Parsing Rules

Cisco Catalyst Parsing Rule

Parsing Rules

CiscoCatalyst Parsing Rule

Modeling Rules

Cisco Catalyst Modeling Rule

Parsing Rules

CiscoCatalyst Parsing Rule

Parsing Rules

CiscoCatalyst Parsing Rule

Parsing Rules

CiscoCatalyst Parsing Rule

PUBLISHER

PLATFORMS

INFO

DISCLAIMER