05-11-2017 01:18 AM - edited 03-08-2019 10:32 AM
Hello,
I suspect that one of my client's computers is infected and trying to contact a botnet. Since there are hundreds of computers, I need to find out which one is trying to connect to the botnet IP; therefore I need to view the logs of all the devices and the connections they made a couple of days ago.
My question is:
Is it possible to view these logs? Are they stored at all? How do I view these logs (specifically, all connections made)? Is there a file somewhere where the logs are stored?
The Cisco manual is not informative at all on the matter.
All help is appreciated!
05-11-2017 01:22 AM
Hi
Logs are only stored if you have set the device up to do that. If they're not in your show logs, they're not there, and you won't be able to get anything from 2 days ago. You need to set up detailed logging and also logging to a syslog server.
What way is your current logging set up? Is logging even enabled to the buffer? ...show log
https://supportforums.cisco.com/document/24661/how-configure-logging-cisco-ios
05-11-2017 01:30 AM
Thanks for the quick response. I'm new to Cisco; what makes the interface even harder to learn is that I'm more of a unix/bash type of guy.
This is what I got in show logging:
Console logging: level debugging, 1706 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1706 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
and a bunch of messages irrelevant to me:
May 5 01:20:51.559: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
I did not set up the router; it was done some time ago by someone else. I'm just here to inspect what happened after I got a cert flag.
05-11-2017 01:42 AM
Are there any logs there from 2 days ago that match the issue? They have probably been overwritten at this stage, as the buffer is only set to 8192. You could increase the buffer for longer log collection and set up an external syslog too, but catching it now, after the fact, without full logging set up may be impossible unless you can replicate it.
We use Splunk for issues like the one you have faced; it's useful.
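An example of the logging setup the two replies above describe (larger buffer, timestamps, external syslog), plus an ACL that logs hits on the suspected address so the internal source host shows up in the messages. This is an added illustration, not configuration from the thread; the syslog server 192.0.2.50, NTP server 192.0.2.123, the suspected address 198.51.100.7 and the interface names are placeholders.

```cisco
! Added example (not from the thread): Cisco IOS logging setup so that
! connections to a suspected address are recorded and survive a reload.
! Placeholders: 192.0.2.50 (syslog server), 192.0.2.123 (NTP server),
! 198.51.100.7 (suspected botnet IP), GigabitEthernet0/0 and 0/1.
!
! Timestamps on every message, clock synced via NTP, so the time in the
! syslog can be matched against the time in the alert you received.
service timestamps log datetime msec localtime show-timezone
ntp server 192.0.2.123
!
! Larger local buffer at level informational (6): "show logging" keeps
! more history, but the buffer is still lost when the router reloads.
logging buffered 512000 informational
!
! Send the same messages to an external syslog server; that copy is what
! you search later and it is unaffected by router reboots.
logging host 192.0.2.50
logging trap informational
logging source-interface GigabitEthernet0/0
!
! Plain syslog contains no per-connection records. The "log" keyword on
! the ACL line that matches the suspected address makes the router emit a
! %SEC-6-IPACCESSLOGP message (TCP/UDP) naming the internal source IP and
! port. Matches are rate-limited and summarised, so expect one message at
! the first hit and a count at the next interval, not one per packet.
! The final "permit ip any any" leaves all other traffic unchanged.
ip access-list extended BOTNET-WATCH
 permit ip any host 198.51.100.7 log
 permit ip any any
!
! Apply inbound on the LAN-facing interface so the source address in the
! log entry is the internal host rather than a translated address.
interface GigabitEthernet0/1
 ip access-group BOTNET-WATCH in
```

Once this is in place, `show logging | include BOTNET-WATCH` on the router, or a grep for the same string on the syslog server, lists the internal hosts that contacted the suspected address.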
05-11-2017 01:50 AM
Well then, I guess I'll just have to enable more thorough logging and hope that the flag pops up again in a couple of days.
Thanks for the help.
05-11-2017 01:54 AM
Yes, sorry. If the logs aren't there, there's no way of pulling them now. Routers aren't great for logging; most companies use third-party apps and point the router to them. As well, logs are stored in NVRAM: if the router reboots you'll lose the logs, so it's advisable to push them via syslog to an external server or PC to prevent that from happening.
05-11-2017 01:26 AM
Use NetFlow...
https://www.manageengine.com/products/netflow/?gclid=CjwKEAjwl9DIBRCG_e3DwsKsizsSJADMmJ11FW66TlgJfzR5Lcz7BRWtCoCNJqRHUXXULYEXjq6yIBoCO1fw_wcB