Need to view logs of all made connections on C891F

mediasploit
Level 1

Hello,

I suspect that one of my clients computers is infected and trying to contact a botnet. Since there are hundreds of computers, I need to find out which one is trying to connect to the botnet IP, therefore I need to view the logs of all the devices and the connections they made a couple of days ago. 
My question is:
Is it possible to view these logs? Are they stored at all? How do I view these logs (all made connections specifically)? Is there a file somewhere where the logs are stored?

Cisco manual is not informative at all on the matter.

All help is appreciated! 

6 Replies

Mark Malone
VIP Alumni

Hi

Logs are only stored if you have set the device up to do that. If they're not in your show logs, they're not there, and you won't be able to get anything further from 2 days ago. You need to set up detailed logging and also logging to a syslog server.

What way is your current logging set up? Is logging even enabled to the buffer? ...show log

https://supportforums.cisco.com/document/24661/how-configure-logging-cisco-ios

Thanks for the quick response. I'm new to Cisco; what makes the interface even harder to learn is that I'm more of a unix/bash type of guy.

This is what I got in show logging:

Console logging: level debugging, 1706 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level debugging, 1706 messages logged, xml disabled, filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

and a bunch of messages irrelevant to me:
May 5 01:20:51.559: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies

I did not set up the router; it was done some time ago by someone else. I'm just here to inspect what happened after I got a cert flag.

Are there any logs there from 2 days ago that match the issue? They have probably been overwritten at this stage, as the buffer is only set to 8192. You could increase the buffer for longer logging collection and set up an external syslog too, but catching it now, after the fact, without full logging set up may be impossible unless you can replicate it.

We use Splunk for issues like the one you have faced; it's useful.

Well then, I guess I'll just have to enable more thorough logging and hope that the flag pops up again in a couple of days.

Thanks for the help.

Yes, sorry, if the logs aren't there, there's no way of pulling them now. Routers aren't great for logging; most companies use third-party apps and point the router to them. As well, logs are stored in NVRAM, so if the router reboots you'll lose the logs. It's advisable to push them to syslog on an external server or PC to prevent that from happening.
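To make the advice above concrete for a unix/bash-minded reader, here is an added example (not from this thread, Cisco, or any of the posters). It pairs an assumed IOS configuration that sends buffered and remote syslog output and logs hits on a watched destination via an ACL `log` keyword, with a small Python parser that reads the resulting `%SEC-6-IPACCESSLOGP` lines and tallies which internal hosts talked to that destination. The ACL name BOTNET-WATCH, the watched address 198.51.100.7, the syslog server 192.0.2.10, the interface name and every log line are constructed placeholders.

```python
import re
from collections import Counter

# Assumed IOS configuration (placeholders, not from the thread): keep a larger
# local buffer, ship messages to a syslog server so a reboot does not lose them,
# and log traffic towards the watched destination with an ACL `log` ACE.
# The trailing `permit ip any any` keeps the ACL from blocking anything else.
IOS_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 192.0.2.10
logging trap informational
ip access-list extended BOTNET-WATCH
 permit ip any host 198.51.100.7 log
 permit ip any any
interface GigabitEthernet0
 ip access-group BOTNET-WATCH in
"""

# Matches the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP / IPACCESSLOGNP messages IOS
# emits for hits on a `log` ACE. TCP/UDP carry ports in parentheses; ICMP
# carries "(type/code)" after the destination instead.
ACL_HIT_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, "
    r"(?P<pkts>\d+) packets?"
)

# Constructed sample of what `show logging` or the syslog server would hold.
SAMPLE_LOG = """\
May  7 10:02:11.123: %SEC-6-IPACCESSLOGP: list BOTNET-WATCH permitted tcp 10.20.4.17(51234) -> 198.51.100.7(443), 1 packet
May  7 10:02:41.501: %SEC-6-IPACCESSLOGP: list BOTNET-WATCH permitted tcp 10.20.4.17(51240) -> 198.51.100.7(443), 4 packets
May  7 10:03:02.009: %SEC-6-IPACCESSLOGP: list BOTNET-WATCH permitted udp 10.20.9.3(53) -> 198.51.100.7(53), 1 packet
May  7 10:03:15.400: %SEC-6-IPACCESSLOGDP: list BOTNET-WATCH permitted icmp 10.20.9.3 -> 198.51.100.7 (8/0), 1 packet
May  7 10:03:30.777: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
"""


def parse_acl_hits(text):
    """Return one dict per ACL-log line; unrelated syslog lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = ACL_HIT_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["pkts"] = int(hit["pkts"])
            hits.append(hit)
    return hits


def sources_talking_to(text, dst):
    """Packets per internal source address seen towards `dst` (a Counter)."""
    counts = Counter()
    for hit in parse_acl_hits(text):
        if hit["dst"] == dst:
            counts[hit["src"]] += hit["pkts"]
    return counts


if __name__ == "__main__":
    # Most active internal host first: that is the machine to go and inspect.
    for src, pkts in sources_talking_to(SAMPLE_LOG, "198.51.100.7").most_common():
        print(f"{src:<15} {pkts} packets")
```

Two caveats a practitioner should keep in mind: an ACL `log` entry reports the first matching packet and then a periodic summary rather than every packet, so the counts are indicative, not exact; and the ACL must sit on the interface facing the client machines, otherwise NAT on the outside interface will have already replaced the internal source address.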

a.alekseev
Level 7

Use NetFlow...

https://www.manageengine.com/products/netflow/?gclid=CjwKEAjwl9DIBRCG_e3DwsKsizsSJADMmJ11FW66TlgJfzR5Lcz7BRWtCoCNJqRHUXXULYEXjq6yIBoCO1fw_wcB
