Cisco Stealthwatch Alarm and Graylog

I just love Stealthwatch and Cisco “network a as sensor” concept. If you think traditional SIM/SIEM systems and visibility what is moving in your network L2/L3 level, I claim that the visibility is zero.

You can send switch or router or server syslog data to your SIM/SIEM server and still not get visibility to your network traffic in L2/L3 level. If your router is smart enough it maybe can told some information about connections, but what if there is asymmetric/dynamic routing and different data flows goes to different paths?

SIM/SIEM can see network connection traffic only from Firewalls, because FW can told that.

But what if your network device where your client is connected can told every flow what you send or receive? What if all network switches, routers, firewall and clients can told that where traffic going? If you are lucky and you have also identity based network with pxGrid, then you get real 360 visibility in your traffic.

Think about situation, when you are implementing new DNS server and you want to know what clients are still using old ones or tried to use some public servers. What if you have SCADA network and you want to do segmentation without segmentation? In Stealthwatch you can create rules that SCADA1 can talk to the SCADA2, but not SCADA3 server when those servers are in same network segment or even same switch. If SCADA1 sends any data to SCADA3 Stealthwatch will create alarm and that alarm can be forward to the Graylog server.

How STW (Stealthwatch) and Graylog can be integrate together, so that you can see STW generated alarms in your Graylog server? I assume that you already have Stealthwatch and Graylog up and running. I will use STW version 7.1.1 and Graylog 3.2.3.

Graylog configuration

First we configure Graylog to receive message from STW.

Go System/Inputs and Inputs.
Launch new Raw/Plaintext UDP input.
Create new input at port 1516 and name it.

Now we need to add extractor, which is parse incoming messages.

Click Manage extractors.
Choose Actions and Import extractors.

You can download latest extractor in my github paste that json file in your Graylog import extractors.

Extractor brings these new fields in your graylog:

ALARMSEV = Alarm severity
ALARMSTATUS = Alarm current status
CAT = Alarm category
DST = Destination
DSTPORT = Destination port
FLOWCOLLECTORNAME = Flowcollector name
HOSTNAME = SMC hostname
PROTO = IP protocol
SOURCEHG = Source host group
SRC = Source
TARGETHG = Target host group

Stealthwatch configuration

First open Configuration > Response Management.
Choose Syslog Formats.
Give name, description, facility and severity. Copy MSG Part bellow.

Create new syslog format.


Syslog message format and fields what Stealthwatch is sending to the Graylog.

Choose Actions.

Next we create server where to send alarms.

Give name, description, your Graylog server IP-address, port and choose your new syslog message format.
Choose Rules.

Next we choose what to send.

Give name, description, domain and what should be true. I choose here All, so this will send all STW alarms to Graylog.

And where to send alarms.

Click Add and choose your new

Graylog Stealthwatch Dashboard

I have created also simple example dashboard, which is telling basic information about alarms. You can download json file in my github. You must edit dashboard so that you replace DOMAIN:PUT-MY-OWN-DOMAIN-HERE at you own domain, like DOMAIN:acme.local

STW simple dashboard.

Leave a Reply

Your email address will not be published. Required fields are marked *