Logging questions

NormMuelleman
Level 1

So, being the busy beaver on night shift, trying to stay awake, I'm always looking for upgrades to the mess my fellow netadmin and I have inherited.

Since I'm in the middle of working on my CCNA Security cert, studying hard... I've noticed the logging topic and had some questions.

I know our devices have logging set up. They dump the logs to a file server. Here's where I have the questions...

1. To set up the syslogs to get dumped, you make an entry about logging, and direct it to the particular IP address where you want the info saved. But, where does it get saved? How do you determine where it gets saved? Does it get saved to a file? Is that determined by something set on the actual server itself?

2. I know Cisco doesn't have a syslog viewer... well, I'm sure they do in some form like in the MARS or something that we don't have. We just have about 100 devices dumping log files onto a file server. I want to be able to review them as a good security oriented person should. Any thoughts on looking at them? I know KiwiTools has a syslog viewer that's free. Any other freeware?

3. We run SNMPc for our network monitoring. Traps are set up for various events which get displayed in SNMPc. I believe we can set up traps for various events like log-ins and such. So, what would be the purpose then of having the traps AND the logs? Just playing the advocate here...

Thanks in advance

3 Replies

Jon Marshall
Hall of Fame

Norm

Firstly, if your ACL post was resolved could you use the rating system as it helps identify useful posts for other people and also is a recognition of the people who helped.

Okay, that's the boring bit out of the way

1) It is determined by the server not the Cisco devices. They simply send the syslog message on UDP port 514 (they can also use TCP) and it is up to the server where to store it. On Unix you can specify the exact file and location, although I suspect you can do the same on Windows.

2) I used to use syslog-ng which is a Unix syslog server with more features built in. You could send different logs to different files, pattern match on certain logs you were interested in etc. A quick Google would give you quite a few options for freeware syslog servers.

3) Syslog is quite simple in its functionality. SNMP however has whole management systems built around it, and as well as traps you can also manage devices with SNMP. An SNMP trap would bring your attention to the fact straight away if you have an SNMP monitoring tool running all the time, whereas syslog would require additional effort to get the same effect.

Syslog is very useful for security incidents etc. where you need to track back through what has happened although it is vital you get all your devices agreeing on the same time using something like NTP.

Jon

Mohamed Sobair
Level 7

Hi Norm,

It's very important to have a syslog server if you have medium to large size networks, I believe; the importance is not less than having an active monitoring system that shows active events.

Some monitoring software allows you to set up traps on them as well; there are a lot of them, but I would recommend SolarWinds, it's a very reliable product.

For syslog, there is also lots of software if you search; I can name here one I have used (www.snmpsoft.com), they have syslog support for Windows. And yes, the log can be saved to a specific file.

Regards,

Mohamed

There are several network monitoring applications out there. Where I work, we have Orion SolarWinds, which works pretty decent. A syslog server should be a "very" important implementation of your network. You can see everything that's going on in your network. Right after I started working at my current job we had two Catalyst 6504e's put in to replace our old core switch of a full stack of 3750s. Well, after a few weeks all of a sudden the entire network took a shit. I found out that the switch overheated and took a shit. Since my old boss never had a syslog server configured we never saw the temperature warnings, since they were not forwarded to a syslog server; the only way we would have known about it is if we actually consoled in to the switch itself. My old boss is gone and I'm pretty much in charge, and a syslog server has been implemented.

Just remember one rule (don't log everything, only the necessary information). You can control that by the trap levels when you configure logging. There are several levels of logging, 0 - 7. If you choose logging trap 7 for instance it will log everything from 7 to 0. And if you configure logging trap 4 you will log everything 4 and down.

Kiwi has several free syslog servers, and just Google search for any freeware ones. Which Kiwi actually has, btw.
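The server-side behaviour the replies describe (the device only sends a `<PRI>`-prefixed datagram to UDP 514 and the server decides which file it lands in; `logging trap N` keeps severities N and below; timestamps are only trustworthy once NTP is in place) can be shown as a small receiver. This is an added example, not code from the thread, Cisco, Kiwi or syslog-ng; the hostnames, log directory, sample datagrams and the ENVM/OSPF mnemonics are constructed for illustration, and the IOS commands in the header comment are what such a device would be assumed to run.

```python
"""Server-side view of Cisco IOS syslog (added example; assumptions marked).

Assumed device configuration producing datagrams like the samples below
(real IOS commands, not quoted from the thread):
    service timestamps log datetime msec
    logging host 192.0.2.10
    logging trap informational      # level 6, the IOS default
    ntp server 192.0.2.1
"""
import re
from collections import defaultdict

# IOS severity names; the index is the numeric level (0 is most severe).
SEVERITY_NAMES = ("emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Optional "seq: " then the timestamp; a leading '*' or '.' marks a clock
# that IOS does not consider authoritative (not synced to NTP).
TS_RE = re.compile(r"^(?:\d+:\s*)?(\*|\.)?([A-Z][a-z]{2}\s+\d+ [\d:.]+)")
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$", re.DOTALL)


def parse_pri(raw):
    """Split an RFC 3164 datagram into (facility, severity, remainder).

    PRI = facility * 8 + severity; IOS defaults to facility local7 (23).
    """
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> prefix: %r" % raw[:20])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def parse_message(host, raw):
    """Decode one datagram from `host` into a dict the router can act on."""
    facility, severity, body = parse_pri(raw)
    ts = TS_RE.match(body)
    clock_ok = bool(ts) and ts.group(1) is None
    m = MNEMONIC_RE.search(body)
    if m:
        ios_facility, ios_sev = m.group(1), int(m.group(2))
        mnemonic, text = m.group(3), m.group(4)
    else:
        ios_facility, ios_sev, mnemonic, text = None, severity, None, body.strip()
    return {
        "host": host,
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "ios_facility": ios_facility,
        "mnemonic": mnemonic,
        "text": text,
        # The level inside %FAC-SEV-MNEMONIC should agree with the PRI.
        "consistent": ios_sev == severity,
        "clock_authoritative": clock_ok,
    }


def trap_allows(trap_level, severity):
    """Mirror `logging trap N`: severities numerically <= N are sent."""
    return severity <= trap_level


def route(datagrams, trap_level=6, watch_facilities=("ENVM",),
          log_dir="/var/log/cisco"):
    """Apply the trap cut-off, file messages per host (what a per-destination
    syslog-ng config does) and pull out what a person must see right away.
    Returns (files, alerts, dropped)."""
    files = defaultdict(list)
    alerts = []
    dropped = 0
    for host, raw in datagrams:
        msg = parse_message(host, raw)
        if not trap_allows(trap_level, msg["severity"]):
            dropped += 1
            continue
        line = "%s %s %s" % (msg["severity_name"], msg["mnemonic"] or "-", msg["text"])
        if not msg["clock_authoritative"]:
            line += "  [clock not NTP-synced]"
        files["%s/%s.log" % (log_dir, host)].append(line)
        if msg["ios_facility"] in watch_facilities or msg["severity"] <= 2:
            alerts.append(msg)
    return dict(files), alerts, dropped


# Constructed sample datagrams (hostnames, times and text are made up).
# SYS-5-CONFIG_I and SEC-6-IPACCESSLOGP are real IOS mnemonics; the ENVM and
# OSPF ones are invented for this example.  local7 => PRI = 184 + severity.
SAMPLE = [
    ("core-sw1", "<189>42: Jan  5 03:12:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)"),
    ("core-sw1", "<186>43: Jan  5 03:40:17.004: %ENVM-2-TEMPERATURE: Chassis inlet temperature exceeds critical threshold"),
    ("dist-sw2", "<190>17: *Jan  5 03:41:02.550: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(4432) -> 10.0.0.5(23), 1 packet"),
    ("dist-sw2", "<191>18: *Jan  5 03:41:03.001: %OSPF-7-DEBUG: hello sent on Vlan10"),
]

if __name__ == "__main__":
    files, alerts, dropped = route(SAMPLE)
    for path, lines in files.items():
        print(path)
        for ln in lines:
            print("   ", ln)
    print("alerts:", [(a["host"], a["mnemonic"]) for a in alerts], "dropped:", dropped)
```

Run against the samples with the default cut-off of 6, the debug line is dropped, the temperature message is surfaced as an alert, and the two dist-sw2 lines are tagged because their `*` timestamp shows the switch is not NTP-synced. Rerun with `trap_level=4` (`logging trap warnings`) and the config change and the ACL deny disappear too: the "don't log everything" rule has to be weighed against the level 5 and 6 login, config and ACL events the original poster wants to review.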