Logging Router Activity

Logs allow you to verify that a router is working properly or to determine whether the router has been compromised. In some cases, a log can show what types of probes or attacks are being attempted against the router or the protected network.
Configuring logging (syslog) on the router should be done carefully. Send the router logs to a designated log host. The log host should be connected to a trusted or protected network or an isolated and dedicated router interface. Harden the log host by removing all unnecessary services and accounts. Routers support different levels of logging. The eight levels range from 0, emergencies indicating that the system is unstable, to 7 for debugging messages that include all router information.

Logs can be forwarded to a variety of locations, including router memory or a dedicated syslog server. A syslog server provides a better solution because all network devices can forward their logs to one central station where an administrator can review them. An example of a syslog server application is Kiwi Syslog Daemon.
Also consider sending the logs to a second storage device, for example, to write-once media or a dedicated printer, to deal with worst-case scenarios (for example, a compromise of the log host).

The most important thing to remember about logging is that logs must be reviewed regularly. By checking over the logs regularly, you can gain a feeling for the normal behavior of your network. A sound understanding of normal operation and its reflection in the logs helps you identify abnormal or attack conditions.
Accurate time stamps are important to logging. Time stamps allow you to trace network attacks more credibly. All routers are capable of maintaining their own time of day, but this is usually not sufficient. Instead, direct the router to at least two different reliable time servers to ensure the accuracy and availability of time information. A Network Time Protocol (NTP) server may have to be configured to provide a synchronized time source for all devices. Configuring this option is beyond the scope of this course.

For example:

R2(config)#service timestamps ?
debug Timestamp debug messages
log Timestamp log messages

R2(config)#service timestamps
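The points above (timestamps, a designated log host, a local fallback copy, and two time servers) put together as one Cisco IOS configuration. This is an added example, not the course's own configuration; the 192.0.2.x and 203.0.113.x addresses are constructed placeholders and Loopback0 is assumed to exist.

```cisco
! Added example, not from the course text. Addresses are constructed placeholders.
! Stamp log and debug output with wall-clock time (not just uptime), to the
! millisecond, including the time zone, so entries can be correlated across devices.
R2(config)#service timestamps log datetime msec localtime show-timezone
R2(config)#service timestamps debug datetime msec localtime show-timezone
R2(config)#clock timezone UTC 0
!
! Keep a local copy in router memory as a fallback (32 KB buffer, up to level 6).
R2(config)#logging buffered 32768 informational
! Do not flood the console or VTY sessions with low-severity messages.
R2(config)#logging console critical
R2(config)#no logging monitor
!
! Forward messages up to level 6 (informational) to the dedicated log host on
! the protected management network.
R2(config)#logging host 192.0.2.10
R2(config)#logging trap informational
! Send from a stable address so the log host attributes entries to this router
! regardless of which interface carried them (Loopback0 assumed to exist).
R2(config)#logging source-interface Loopback0
!
! Two independent time sources, as recommended above.
R2(config)#ntp server 203.0.113.5 prefer
R2(config)#ntp server 203.0.113.6
R2(config)#end
!
! Verify: buffer, trap level, destination host, and NTP synchronisation state.
R2#show logging
R2#show ntp status
R2#show ntp associations
```

`show logging` should report the trap level as informational and list 192.0.2.10 as a logging host; `show ntp status` should read "synchronized" once a server has been reached.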

Later in this chapter you will learn about the debug command. Output from the debug command can also be sent to logs.
