Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : CCSP-Cisco Certified Security Professional : Set Audit Trails and Alerts

Set Audit Trails and Alerts

Sep 10,2009 by alperen

small font medium font large font
image

Set Audit Trails and Alerts

Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity, allowing network managers to respond immediately to intrusions. Enhanced audit-trail features use syslog to track all transactions, recording time stamps, source host, destination host, ports used, session duration, and the total number of transmitted bytes for advanced, session-based reporting.

Cisco IOS Firewall alerts and audit-trail features are now configurable, enabling more flexible reporting and error tracking. The configurable audit-trail features support mod- ular tracking of specific CBAC-supported applications and Java blocking. Both the real-time alerts and the audit-trail features are supported by a variety of third-party reporting tools.

Use the Global Configuration Mode command ip inspect audit-trail to turn on CBAC audit-trail messages. The messages are displayed on the console after each CBAC session closes. Use the no form of the command to turn off the feature. The syntax is

Rtr1(config)#ip inspect audit-trail
Rtr1(config)#no ip inspect audit-trail

This command has no arguments or keywords. By default, the audit-trail messages aren’t displayed. This command was introduced in IOS 11.2 P.

The following messages are two examples of audit-trail messages. To determine which protocol was inspected, refer to the responder’s port number following the responder’s IP address.

%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192)
     sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) 
     sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes

CBAC alert messages are displayed on the console by default. Use the Global Configuration Mode command ip inspect alert-off to disable these messages. To reenable CBAC alert messages, use the no form of the command. The syntax is

Rtr1(config)#ip inspect alert-off Rtr1(config)#no ip inspect alert-off

This command has no arguments or keywords. This command was introduced in IOS 12.0(5)T.

Logging

While it isn’t a CBAC feature, make sure logging is enabled and a syslog server is specified, so any incidents are properly logged for future reference.

Rtr1(config)#service timestamps log datetime Rtr1(config)#logging host Rtr1(config)#logging facility facility-type Rtr1(config)#logging trap level

The commands,—in order,—do the following:

  1. Adds the date and time to syslog and audit-trail messages.

  2. Defines the host name or IP address of the host to send syslog messages to.

  3. Configures the syslog facility in which error messages are sent.

  4. (Optional) Limits messages logged to the syslog servers based on severity. The default is level 7 (informational).


800 times read

Related news
» XML-Formatted Log Messages
by admin posted on Jul 21,2008
» Restricting What Log Messages Are Sent to the Server
by admin posted on Jul 21,2008
» Sending Log Messages to Your Screen
by admin posted on Jul 21,2008
» Test and Verify
by alperen posted on Sep 10,2009
» The ip audit notify Command
by alperen posted on Sep 15,2009
Did you enjoy this article?
1 2 3 4 5
Rating: 5.00Rating: 5.00Rating: 5.00Rating: 5.00Rating: 5.00 (total 131 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

alperen

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.