Problems with Syslog and IDS messages

dmunyak
Level 1

Router is a C1720 with FW/IDS feature set 12.2(17)

On a LAN workstation I loaded and configured the KIWI syslog server (192.168.222.61).

On the router I set up the Post Office to send syslog messages to the syslog server (my PC).

I have reloaded the router twice.

I am pretty sure (99%) the syslog server is configured properly to receive Level-0 through Level-7 messages.

I tested this using the KIWI SysGen application from another workstation pointing to 192.168.222.61.

At this time I keep getting a syslog message every 5 seconds with basically nothing in it.

The syslog server reports 720 messages per hour. Each message is the same...HEX

2004-06-07 15:35:47 Local7.Debug 192.168.222.1 <001><000>'<027><000><000><000><010><000><000><000><010><001><000>'<021><000><000><000><010><000><000><000><010><©î±<000>,<001><001>‚<026><001><000><000><000><000><004><000><000><000><001>

I set up IDS and syslog hoping to capture potential hacks.

It doesn't appear to be capturing anything but the above HEX message over and over.

What have I configured incorrectly?

Why does it continuously send a message every 5 seconds?

Why isn't it sending the information I am looking for?

***************************************

Router# sho run

Building configuration...

Current configuration : 4537 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

no service dhcp

!

hostname Router

!

logging buffered 8192 debugging

logging console emergencies

enable secret 5 xxxxxxxxxxxxxxxxxxxxx

!

memory-size iomem 25

ip subnet-zero

no ip domain-lookup

!

no ip bootp server

ip audit attack action alarm drop reset

ip audit notify log

ip audit po max-events 100

ip audit po remote hostid 10 orgid 10 rmtaddress 192.168.222.61 localaddress 192.168.222.1 port 514 preference 1 timeout 5 application logger

ip audit po local hostid 10 orgid 10

ip audit smtp spam 25

ip audit name SYSLOG.1 info list 99 action alarm

ip audit name SYSLOG.1 attack action alarm drop reset

!

!

!

!

interface FastEthernet0

ip address 192.168.222.1 255.255.255.0 secondary

ip address XX.43.155.33 255.255.255.240

ip nat inside

ip audit SYSLOG.1 in

speed auto

!

interface Serial0

no ip address

encapsulation frame-relay IETF

no fair-queue

frame-relay lmi-type ansi

!

interface Serial0.744 point-to-point

ip address XX.43.154.230 255.255.255.252

ip access-group inboundfilters in

ip access-group outboundfilters out

no ip unreachables

no ip proxy-arp

ip nat outside

frame-relay interface-dlci 744 IETF

!

no ip nat service H225

ip nat pool net-192 XX.43.155.44 XX.43.155.44 netmask 255.255.255.240

ip nat inside source list 1 pool net-192 overload

!

!

ip classless

ip route 0.0.0.0 0.0.0.0 XX.43.154.229

no ip http server

!

!

ip access-list extended inboundfilters

!

! [deleted for forum]

!

ip access-list extended outboundfilters

!

!

! [deleted for forum]

!

!

logging trap notifications

logging source-interface FastEthernet0

logging 192.168.222.61

access-list 1 permit 192.168.222.0 0.0.0.255

access-list 99 deny 192.168.222.0 0.0.0.255

access-list 99 permit any

!

!

Router#

Router#show ip audit conf

Event notification through syslog is enabled

Event notification through Net Director is disabled

Default action(s) for info signatures is alarm

Default action(s) for attack signatures is alarm drop reset

Default threshold of recipients for spam signature is 25

PostOffice:HostID:10 OrgID:10 Msg dropped:0

:Curr Event Buf Size:100 Configured:100

Host ID:10, Organization ID:10, SYN pkts sent:3484,

ACK pkts sent:0, Heartbeat pkts sent:0, Heartbeat ACK pkts sent:0,

Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0

ID:1 Dest:192.168.222.61:514 Loc:192.168.222.1:45000 T:5 S:SYN SENT

Audit Rule Configuration

Audit name SYSLOG.1

info acl list 99 actions alarm

attack actions alarm drop reset

Router#

2 Replies

marcabal
Cisco Employee

I think you are confused about post office.

Post office does not generate syslog messages.

Post office is an older proprietary protocol for sending messages to special viewers running post office applications.

New viewers are no longer even being developed to use postoffice, so I don't recommend even trying to use it.

Postoffice and syslog are two different methods and formats for sending the alarms.

If you are going to use syslog then remove all of the "ip audit po" configuration lines in your configuration.

You only need the "ip audit notify log" command, which tells it to send them as syslog instead of postoffice messages.

By default the syslog messages will go to the router's own internal logging mechanisms and show up on the router console along with all of the other router log messages.

To get them to your syslog server just set up your router to send all syslog messages to your syslog server.
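The symptom in the question (a non-text datagram arriving on UDP 514 every 5 seconds, 720 per hour, alongside "T:5" and "S:SYN SENT" in the PostOffice status) is worth being able to spot on the collector side. The following is an added triage example, not code from this thread or from Cisco: it rebuilds the raw bytes from Kiwi's <ddd> rendering of the captured line and classifies a UDP/514 datagram as RFC 3164 text syslog or not. The TEXT_DATAGRAM alarm text, its %IDS-4-... mnemonic and its addresses are constructed for illustration.

```python
import re
from typing import Dict

# Kiwi Syslog writes each non-printable byte as <ddd> (decimal). This is the
# start of the datagram quoted in the question; the tail is truncated here.
KIWI_PAYLOAD = ("<001><000>'<027><000><000><000><010><000><000><000><010>"
                "<001><000>'<021><000><000><000><010><000><000><000><010>")

# Constructed: a text alarm as "ip audit notify log" plus "logging <host>"
# would deliver it. PRI 188 = local7 (23*8) + warning (4). The mnemonic and
# addresses are illustrative, not a captured alarm.
TEXT_DATAGRAM = (b"<188>55: 00:42:13: %IDS-4-ICMP_ECHO_SIG: Sig:2004:"
                 b"ICMP Echo Request - from 203.0.113.9 to 192.168.222.61")

_ESCAPE = re.compile(r"<(\d{3})>")
_PRI = re.compile(rb"^<(\d{1,3})>")


def decode_kiwi_escapes(text: str) -> bytes:
    """Rebuild the raw datagram bytes from Kiwi's <ddd> rendering."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1)))  # Kiwi escapes are decimal, not octal
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def classify_datagram(data: bytes) -> Dict[str, object]:
    """Is a UDP/514 datagram RFC 3164 text syslog, or something else entirely?"""
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b == 0x09)
    ratio = printable / len(data) if data else 0.0
    m = _PRI.match(data)
    if m and int(m.group(1)) <= 191 and ratio > 0.95:
        pri = int(m.group(1))
        return {"kind": "syslog", "facility": pri >> 3,
                "severity": pri & 7, "printable_ratio": ratio}
    # No <PRI> header and mostly NUL/control bytes: not syslog. In the thread
    # this was the PostOffice client pointed at port 514 by
    # "ip audit po remote ... port 514 ... timeout 5", retrying every 5 s.
    return {"kind": "non-syslog", "printable_ratio": ratio,
            "nul_bytes": data.count(0)}


if __name__ == "__main__":
    print(classify_datagram(decode_kiwi_escapes(KIWI_PAYLOAD)))
    print(classify_datagram(TEXT_DATAGRAM))
```

Run against a Kiwi log export, any "non-syslog" hit from the router's address points at a sensor or agent aimed at the syslog port rather than at a real alarm.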

Confused was an understatement. Upon initial configuration, I didn't understand why I needed it in the first place. The configuration came from Cisco CCO docs.

Anyway, took out: ip audit po....

Changed running-config:

#logging trap debugging

#logging source-interface FastEthernet0

#logging 192.168.222.61

The constant loop of a blank message every 5 seconds has stopped.

Now to figure out why ping sweeps aren't getting logged.