Verifying and Monitoring Logging

Use the show logging command to display which logging options are enabled. If the logging buffered command is on, the show logging command also lists the current message buffer.

This example shows how to set Syslog trap logging and view the results:
pix(config)#logging trap debugging
pix(config)#show logging
Syslog logging: enabled
Timestamp logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 43 messages logged enabled
Use the show logging queue command to display the current number of messages in the queue, the highest number recorded, and the number of messages discarded because block memory was unavailable to process them.

The following output shows the result of using the logging queue 0 command to set the queue size to unlimited, followed by the show logging queue command:
pix(config)#logging queue 0
pix(config)#show logging queue
Logging Queue length limit : Unlimited
Current 9 msg on queue, 2721 msgs most on queue, 3 msg discard.
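The two outputs above are exactly what an operator reads when checking whether logging is configured and whether the firewall is quietly dropping messages. The following Python is an added example, not part of the book or of the PIX software: it parses the show logging and show logging queue output shown above (the sample text below is copied from those two outputs) and returns the findings a defender cares about, in particular that trap logging is actually on, that timestamps are missing, and that the discard counter is non-zero, which means there are gaps in the record on the Syslog server. The function and field names are my own.

```python
import re

# Sample text, constructed from the two command outputs shown above.
SHOW_LOGGING = """\
Syslog logging: enabled
Timestamp logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 43 messages logged enabled
"""

SHOW_LOGGING_QUEUE = """\
Logging Queue length limit : Unlimited
Current 9 msg on queue, 2721 msgs most on queue, 3 msg discard.
"""


def parse_show_logging(text):
    """Return {destination: {'enabled': bool, 'level': str|None, 'logged': int|None}}.

    Each line of show logging names a destination (syslog, timestamp, console,
    monitor, buffer, trap) followed by either 'disabled' or its current settings.
    """
    result = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+) logging:\s*(.*)$", line.strip())
        if not m:
            continue
        dest, detail = m.group(1).lower(), m.group(2)
        entry = {"enabled": not detail.startswith("disabled"), "level": None, "logged": None}
        lvl = re.search(r"level (\w+)", detail)
        if lvl:
            entry["level"] = lvl.group(1)
        cnt = re.search(r"(\d+) messages logged", detail)
        if cnt:
            entry["logged"] = int(cnt.group(1))
        result[dest] = entry
    return result


def parse_show_logging_queue(text):
    """Return the queue limit (None when Unlimited) plus current, peak and discarded counts."""
    limit = None
    m = re.search(r"length limit\s*:\s*(\S+)", text)
    if m and m.group(1).lower() != "unlimited":
        limit = int(m.group(1))
    m = re.search(r"Current (\d+) msg on queue, (\d+) msgs most on queue, (\d+) msg discard", text)
    if not m:
        raise ValueError("unrecognised show logging queue output")
    return {"limit": limit, "current": int(m.group(1)),
            "peak": int(m.group(2)), "discarded": int(m.group(3))}


def logging_findings(show_logging_text, queue_text):
    """Defender-side checks: is anything leaving the box, and is anything being lost?"""
    findings = []
    dests = parse_show_logging(show_logging_text)
    if not dests.get("syslog", {}).get("enabled"):
        findings.append("syslog logging is disabled: no messages are generated at all")
    if not dests.get("trap", {}).get("enabled"):
        findings.append("trap logging is disabled: nothing is sent to the Syslog server")
    if not dests.get("timestamp", {}).get("enabled"):
        findings.append("timestamp logging is disabled: events cannot be correlated by time on the server")
    q = parse_show_logging_queue(queue_text)
    if q["discarded"] > 0:
        findings.append(f"{q['discarded']} messages discarded: the log has gaps, "
                        "check block memory or the queue size")
    if q["limit"] is not None and q["peak"] >= q["limit"]:
        findings.append("queue hit its limit at peak load: messages were at risk of being dropped")
    return findings


if __name__ == "__main__":
    for finding in logging_findings(SHOW_LOGGING, SHOW_LOGGING_QUEUE):
        print("-", finding)
```

Run against the sample text it reports the missing timestamps and the 3 discarded messages; an unlimited queue (logging queue 0) removes the length check but not the block-memory discards, which is why the discard counter is the number worth watching over time.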
Exercise 18-1

Objective: This lab (which is also available on this book’s accompanying CD-ROM) looks at using a Syslog daemon to provide remote storage of system messages. An important part of any project, logging can be used as a debugging tool during development, as a troubleshooting tool once a system has been deployed, and for analyzing and documenting events such as security breaches. Logging provides a way to see what’s happening—good or bad—inside a running system. As such, it deserves care and forethought rather than being bolted on at the last minute.
A Syslog daemon (an open-source logging system) receives, logs, displays, and forwards Syslog system messages from a variety of hosts, such as routers, switches, UNIX hosts/servers, PIX firewalls, LinkSys home firewalls, SNMP servers, programming projects, and any other Syslog-enabled device. Depending on the Syslog application, customizable options are available, such as the following:

- Display the message in the scrolling window.
- Log the message to a text file.
- Forward the message to another Syslog daemon.
- Log to an ODBC database.
- Log to the Windows Server Application Event Log.
- E-mail an alert message to someone via SMTP.
- Trigger a sound alarm.
- Run an external program, such as a pager notification system.

Actions can be performed on received messages. Messages can be filtered by host name, host IP address, priority, message text, or time of day.
Note: This lab looks only at using a Syslog daemon and doesn’t specifically address using a PIX Firewall with a Syslog server. Once you know how easy it is to set up a Syslog server, it’ll be simple enough to add the feature to your next firewall exercise.
Preparation: The purpose of a Syslog daemon (server) is to capture the various log messages that programs like the router’s IOS generate. As long as the host running the Syslog software can be reached from the router or switch, debug, error, and log messages can all be directed to it.

If you don’t already have a copy of Kiwi Enterprise’s Syslog daemon (or something comparable), consider going to the web site http://www.kiwisyslog.com and downloading it. The software is free to use and runs on Win9X, WinNT, Win2000, and XP. A “for money” version with additional features is available from the same site. The download is 3+MB in size. Several other interesting tools for working with the Syslog concepts are also on the site.

This exercise can be done in any networked environment using TCP/IP. There should be no impact on the network itself.

Download both the Syslog daemon and the SyslogGen tools for this lab. You might want to download the other tools for later self-study.

This lab can be done with the Syslog daemon installed on any number of computers on the same network or, if necessary, on one computer. The SyslogGen tool should be on each machine.
- Use the winipcfg or ipconfig command to determine the IP address of the machine(s) that will be running the Syslog daemon. If necessary, create a simple map of the room.
- Start the Syslog daemon using the Start | Programs menu. If you’re using the Kiwi daemon, press CTRL-T at the same time to send a test message, which you should be able to read in the Syslog window. The following illustration shows the Syslog window with a sample entry.
- The Kiwi Syslog Message Generator can be used to generate Syslog traffic, so you can experiment with different types and volumes of traffic. Start the SyslogGen tool from the Start menu. The Syslog Message Generator window looks like the following illustration. Look over the options.
- The 127.0.0.1 target address means it will send the messages to the Syslog daemon running on the local PC. We use this for our first test. Confirm the previous settings and, with the Syslog window visible on the screen, click the Send button. Messages should appear in the Syslog window. Notice that the status bar at the bottom tells you how many messages have been sent. Use the Stop button to halt the traffic. Use the scrollbar to look through the messages.
- On the Syslog machine, choose View | View Syslog Statistics from the menu to bring up the following display and view some interesting counters. Use View | Clear Display to clear the entries. Experiment with the features. If possible, change the target to the other host’s IP address.
- Saving the output. On the Syslog machine, use File | Copy Display To Clipboard | Copy Whole Display To Clipboard from the menu or the CTRL-A keys to copy the entire contents of the Syslog window. Open a Notepad file and choose Edit | Paste from the menu. The text should appear in Notepad. This text file can be saved to disk. The saved text file can be opened using MS Excel, MS Access, or the Kiwi LogFile Viewer using the Open | Tab Delimited option to sort and analyze the results.
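To make concrete what the daemon and the message generator are doing in this lab, here is an added Python example; it is not part of the book, of Kiwi Syslog, or of the PIX software, and the function names and the sample messages in it are my own, constructed for the demonstration. It covers both the daemon features described earlier (decoding the priority into facility and severity, filtering by host, severity or message text, and producing a tab-delimited line like the saved display) and the first test in the lab (a generator sending a message to a receiver on 127.0.0.1). The receiver binds an ephemeral loopback port so it runs without privileges; a real daemon listens on UDP 514. Messages without a timestamp, which is what a PIX sends while timestamp logging is disabled, are handled by falling back to the sender’s IP address as the host.

```python
import re
import socket
import time

# Facility and severity names in their BSD syslog numeric order (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d ")


def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Encode a classic BSD syslog datagram: <PRI>Mmm dd HH:MM:SS HOST TAG: TEXT."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    timestamp = timestamp or time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode()


def parse_message(data, source_ip):
    """Decode one datagram into its fields; tolerate the timestamp-less form a PIX sends."""
    text = data.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("datagram has no <PRI> header")
    end = text.index(">")
    pri = int(text[1:end])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    rest = text[end + 1:]
    if TIMESTAMP_RE.match(rest):
        timestamp, rest = rest[:15], rest[16:]
        hostname, _, body = rest.partition(" ")
    else:
        # No timestamp: the daemon has only the packet's source address to go on.
        timestamp, hostname, body = None, source_ip, rest
    return {"source_ip": source_ip, "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8], "timestamp": timestamp,
            "hostname": hostname, "text": body}


def matches(msg, host=None, min_severity=None, contains=None):
    """Filter as the daemon's rules do: by host name or IP, by severity at least this bad, by text."""
    if host and host not in (msg["hostname"], msg["source_ip"]):
        return False
    if min_severity and SEVERITIES.index(msg["severity"]) > SEVERITIES.index(min_severity):
        return False
    if contains and contains.lower() not in msg["text"].lower():
        return False
    return True


def to_tab_delimited(msg, received_at="1970-01-01 00:00:00"):
    """One line in the tab-delimited layout a spreadsheet or log viewer can sort on."""
    return "\t".join([received_at, msg["source_ip"], msg["facility"], msg["severity"],
                      msg["hostname"], msg["text"]])


def loopback_demo(datagrams):
    """Send constructed datagrams to a receiver on 127.0.0.1 and return what it parsed."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))      # ephemeral port; a real daemon binds UDP 514
    rx.settimeout(2)
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    received = []
    try:
        for d in datagrams:
            tx.sendto(d, ("127.0.0.1", port))
        for _ in datagrams:
            data, (ip, _) = rx.recvfrom(4096)
            received.append(parse_message(data, ip))
    finally:
        tx.close()
        rx.close()
    return received


if __name__ == "__main__":
    # Constructed sample traffic: one full BSD message and one PIX-style message with no timestamp.
    sample = [build_message("local0", "warning", "pix-lab", "PIX", "constructed test message"),
              b"<166>PIX-style message with no timestamp (constructed)"]
    for m in loopback_demo(sample):
        if matches(m, min_severity="notice"):
            print(to_tab_delimited(m, time.strftime("%Y-%m-%d %H:%M:%S")))
```

The demo keeps only messages of severity notice or worse, which is the kind of rule you would use to route alerts while the full stream still goes to the text file; the severity order in SEVERITIES runs from most to least severe, so "at least this bad" is a numeric less-than-or-equal comparison.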