Logging questions, snmp traps

NormMuelleman
Level 1

Sorry, I tried to move this from the security forum, but it failed, so I'm reposting here to see if I get any answers:

Hello all;

I'm a netadmin for my company, and have my CCNA, and am working on my CCNA Security. Thanks to my studies, I've been getting to know how logging works, etc.

But I ran across an issue that I'm perplexed by, and was looking for some help.

1. Here is the logging info from the config on my switch:

logging history informational

logging trap warnings

logging facility local6

logging xx.xx.xx.xx

The issue I'm having is I think there is someone without authorization connecting to the console port. We can go on and on about security, etc...believe me, I bang my head against the desk. However, let's say that Jane Doe has access to the switch. She could try and brute-force the username/password. She could have shoulder-surfed it. Or, she could do a password recovery on it, gain access...grab the password off the config and do some hacking with it...I know, it's MD5 hashed...but with the right motivation, etc., people can accomplish anything.

So, looking above, I see that the system will log any SNMP traps that are at level 4 (warning) and greater (more severe). I don't know what logging history does, but it will grab level 5 (informational) and greater. But what is logging facility local6? To me, that looks like it's for logging local connections. The local logs will show when I SSH into the device, but they never show when I connect via the console. I'm sure it's a quick setting fix...

Next, I'd like to know about logging port-security and err-disable messages. I know our SNMPc system will notify us of any port security issues, but we never get messages about err-disable. Is it a setting in the config under snmp settings that I need to modify?

Finally, why do some of my logs not capture a bunch of information locally? They are all configured pretty much with the same baseline. I should be able to see the most recent logs on the device; they are also kept on the x.x.x.x syslog server, with the logging xx.xx.xx.xx setting, correct?

Side note: what's a good way to review the logs on the syslog server? I know they are saved as a .csv file, but there's got to be a good freeware tool out there to make it easier.

3 Replies

Joe Clarke
Cisco Employee

The configuration you provided does not do anything with SNMP traps. The trap keyword is a bit confusing. The logging trap command specifies what messages will be sent to a remote syslog receiver. These messages will be sent using the syslog protocol, not SNMP.

The logging history keyword specifies which messages will be logged to the CISCO-SYSLOG-MIB history buffer so that they can be polled via SNMP. Again, this has nothing to do with traps.

The logging facility command specifies what syslog facility will be used when sending the messages to the remote syslog hosts. In this case, you are using the local6 facility. The default facility is local7. Facilities are used for filing the syslog messages into different buckets on your syslog hosts. Some syslog hosts ignore the facility and simply log everything to the same destination. The facility has nothing to do with what messages are logged.

I do not know what you mean when you say the "local logs" do not show up when you connect via the console. The console should be monitored by default unless you configured "no logging console". Additionally, all messages should be logged to the logging buffer, which you can view with the "show log" command.

Syslogs for err-disable should be sent when a port goes into the err-disabled state. The syslogs are sent with a severity of 4 (warning), so your syslog configuration should capture them. However, if your management app is only looking at SNMP traps, it will not see err-disable messages unless you configure:

snmp-server enable traps syslog

If you're missing some messages in your local logging buffer, check the logging buffer configuration. Make sure the severity is set high enough to capture the messages you want.

If you're looking for a good syslog server, check out Kiwi (http://www.kiwisyslog.com/kiwi-syslog-server-overview/).

This has helped a bunch. I know that the items are dumped to a Windows server. They are in a .csv file, which I can (with great frustration) look at with pivot tables in Excel.

I've heard great things about Kiwi Syslog Server, but the $$ is the problem. We have the freeware version, and it only shows the last 50 log entries.

If someone connects to the console port, there should be a message kept somewhere. You say it's on by default? I thought so, but then why, when I connect to the switch, is there nothing listed in the cache?

There is no connection on the console port. That port is always open. If you are doing authentication on the console port, consider adding:

login on-failure log

Then, when someone fails authentication, that failure will be logged.
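Putting the two answers above together (the syslog facility/severity explanation and the login on-failure log advice), here is an added example, not from the original thread or from Cisco, that decodes the syslog PRI field of IOS messages into the facility set by "logging facility" and the severity gated by "logging trap", and flags err-disable and login-failure messages. The sample lines are constructed to mimic IOS syslog output; the rule that a SEC_LOGIN message with Source 0.0.0.0 came from a local line such as the console is an assumption of this example, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 3164 severities, index = numeric level; lower numbers are more severe.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]
# RFC 3164 facility codes for local0..local7 (local6 = 22, IOS default local7 = 23).
LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}

# <PRI>seq: timestamp: %IOSFACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                      # PRI = facility*8 + severity
    r"(?:\d+:\s*)?"                             # optional IOS sequence number
    r"(?P<ts>[^%]*?)"                           # timestamp, everything before '%'
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class IosSyslog:
    facility: str        # syslog facility from PRI (what "logging facility" sets)
    severity: int        # 0..7 from PRI (what "logging trap" filters on)
    timestamp: str
    ios_facility: str    # IOS component, e.g. PM or SEC_LOGIN
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[IosSyslog]:
    """Decode one IOS syslog line; return None for anything that is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fac_code, severity = divmod(int(m["pri"]), 8)
    return IosSyslog(
        facility=LOCAL_FACILITIES.get(fac_code, str(fac_code)),
        severity=severity,
        timestamp=m["ts"].strip().rstrip(":"),
        ios_facility=m["fac"],
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def forwarded_by_logging_trap(msg: IosSyslog, trap_level: int = 4) -> bool:
    """'logging trap warnings' is level 4: severities 0..4 are sent, 5..7 are not."""
    return msg.severity <= trap_level


def classify(msg: IosSyslog) -> List[str]:
    """Tag the messages the thread cares about."""
    tags = []
    if msg.ios_facility == "PM" and msg.mnemonic == "ERR_DISABLE":
        tags.append("err-disable")
    if msg.ios_facility == "SEC_LOGIN" and msg.mnemonic == "LOGIN_FAILED":
        tags.append("login-failure")
    # Assumption for this example: no source address means a local line (console/aux).
    if msg.ios_facility == "SEC_LOGIN" and "Source: 0.0.0.0" in msg.text:
        tags.append("console")
    return tags


def triage(lines: List[str], trap_level: int = 4) -> List[dict]:
    """Parse, tag, and mark which lines 'logging trap <level>' would forward."""
    results = []
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            continue
        results.append({
            "mnemonic": msg.mnemonic,
            "facility": msg.facility,
            "severity": msg.severity,
            "severity_name": SEVERITY_NAMES[msg.severity],
            "forwarded": forwarded_by_logging_trap(msg, trap_level),
            "tags": classify(msg),
        })
    return results


# Constructed sample lines in IOS syslog format, facility local6 (PRI = 176 + severity).
SAMPLE_LINES = [
    "<180>45: *Mar  1 01:23:45.678: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/12, putting Gi0/12 in err-disable state",
    "<180>46: *Mar  1 01:25:10.222: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 01:25:10 UTC Mon Mar 1 2010",
    "<181>47: *Mar  1 01:26:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 10.0.0.5] [localport: 22] at 01:26:00 UTC Mon Mar 1 2010",
    "<182>48: *Mar  1 01:27:30.000: %SYS-6-LOGOUT: User jdoe has exited tty session 1(10.0.0.5)",
    "not a syslog line",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r)
```

Run as-is it prints one record per parsed line; with the thread's "logging trap warnings" only the two severity-4 lines are marked as forwarded, which is why a login success (severity 5) never reaches the syslog server unless the trap level is raised to notifications or informational.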