Event Logging on Perimeter Routers
Perimeter router logs can be invaluable for troubleshooting,
capacity planning, and dealing with security incidents. For security purposes,
the events to log are interface status changes, changes to the system
configuration, access list matches, and events detected by the firewall and
intrusion detection features. System logging messages can be reported to a
variety of destinations, including the following:
- The system console port (logging console command). Because many console
ports are unattended or are connected to terminals with no historical
storage, this information might be unavailable when you need to reconstruct
a major event.
- A server running the syslog daemon. The router sends logging messages to
the server with the logging server-ip-address command, and you control the
severity threshold for messages sent to the server with the logging trap
urgency command. Even if you have a syslog server, you should still enable
local logging, because messages generated while the server or the path to it
is down are lost. If you don't have access to a syslog server, go to Kiwi
Enterprises at http://www.kiwisyslog.com/index.htm and download its free Kiwi
Syslog Daemon.
- Remote sessions on VTYs and local sessions on TTYs (logging monitor and
terminal monitor commands).
- A local RAM buffer. Most routers can save system logging messages to a
local buffer, which you display with the show logging command. The buffer is
a fixed size, retains only the most recent messages, and its contents are
lost whenever the router is reloaded. Use the show memory command to make
sure your router has enough free memory to support a logging buffer, then
create the buffer with the logging buffered buffer-size configuration
command. If the router has a real-time clock or is running NTP, time-stamp
log entries by adding the service timestamps log datetime msec command to
the configuration
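As an added example that is not part of the original text, the following Python script does two things a practitioner wants after reading the list above: it audits a running-config excerpt for the logging settings just described (syslog server, trap level, local buffer, time-stamps), and it triages router syslog output into the event classes named at the start of this section. Both config excerpts and every log line are constructed here rather than captured from a device; the facility and mnemonic names follow IOS conventions (for example %SYS-5-CONFIG_I for a configuration change and %SEC-6-IPACCESSLOGP for an access list match), and the categorisation rules and the REQUIRED list are assumptions of this example, not a Cisco-published check.

```python
import re

# Constructed running-config excerpts, not taken from a real device. The first
# has time-stamps disabled for log messages; the second is what the text recommends.
WEAK_CONFIG = """\
no service timestamps log
logging buffered 4096 debugging
logging console critical
logging trap informational
logging 192.0.2.10
"""

RECOMMENDED_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging console critical
logging trap informational
logging 192.0.2.10
"""

# Settings called for above (an assumed checklist); each pattern must match
# one config line. "logging host A.B.C.D" is the newer spelling of "logging A.B.C.D".
REQUIRED = [
    ("syslog server", r"^logging (host )?\d{1,3}(\.\d{1,3}){3}$"),
    ("local log buffer", r"^logging buffered \d+"),
    ("trap level", r"^logging trap \S+$"),
    ("log time-stamps", r"^service timestamps log datetime msec\b"),
]


def audit_logging_config(config):
    """Return the names of required logging settings missing from config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    return [name for name, pat in REQUIRED
            if not any(re.match(pat, ln) for ln in lines)]


# IOS message layout: optional sequence number, optional time-stamp, then
# %FACILITY-SEVERITY-MNEMONIC: text. The time-stamp is captured as an opaque
# string so that formats with or without year, timezone or msec all parse.
LOG_RE = re.compile(
    r"^(?:\d+: )?"
    r"(?:(?P<ts>[^%]+?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")

# Constructed sample lines; the IDS line deliberately lacks a time-stamp.
SAMPLE_LOG = [
    "000042: Mar  1 08:15:02.117 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "000043: Mar  1 08:15:03.201 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "000044: Mar  1 08:16:40.590 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)",
    "000045: Mar  1 08:17:12.005 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(3381) -> 192.0.2.20(23), 1 packet",
    "000046: Mar  1 08:17:14.330 UTC: %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (192.0.2.30:4401) -- responder (198.51.100.80:80)",
    "%IDS-4-TCP_SYN_ATTACK_SIG: Sig:3050:Half-Open Syn Flood - from 198.51.100.9 to 192.0.2.20",
    "000048: Mar  1 08:18:00.000 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.10 started",
]


def classify(fac, mn):
    """Map facility/mnemonic to one of the event classes named above, or None
    for messages that are not security-relevant (assumed mapping)."""
    if fac in ("LINK", "LINEPROTO") and mn == "UPDOWN":
        return "interface status change"
    if fac == "SYS" and mn.startswith("CONFIG"):
        return "configuration change"
    if fac == "SEC" and mn.startswith("IPACCESSLOG"):
        return "access list match"
    if fac == "FW":
        return "firewall event"
    if fac == "IDS":
        return "intrusion detection"
    return None


def triage(lines):
    """Return (events, untimestamped): events is a list of
    (category, severity, text) for security-relevant messages in input order;
    untimestamped counts parsable messages that carry no time-stamp."""
    events, untimestamped = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("ts") is None:
            untimestamped += 1
        cat = classify(m.group("fac"), m.group("mn"))
        if cat:
            events.append((cat, int(m.group("sev")), m.group("text")))
    return events, untimestamped


if __name__ == "__main__":
    for cfg_name, cfg in (("weak", WEAK_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(f"{cfg_name} config missing: {audit_logging_config(cfg) or 'nothing'}")
    found, missing_ts = triage(SAMPLE_LOG)
    for cat, sev, text in found:
        print(f"[{sev}] {cat:25} {text}")
    print(f"{missing_ts} message(s) without a time-stamp")
```

Messages without a time-stamp are counted separately because, as the text notes, entries are only useful for reconstructing an incident when they can be placed in time; a count above zero means service timestamps log was not in effect when those lines were written.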