Hi, collecting logs is important. In my daily job I work with logs from many kinds of systems: VMware, applications, Linux, Windows, Cisco, Check Point, pfSense. Logs tell you what a system or application is doing, and security incident management systems (SIEMs) rely heavily on them.
A log line consists of a timestamp, the name of the system that produced it and the event detail, for example:
Aug 1 05:39:30.992: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Here Aug 1 05:39:30.992 is the timestamp. %LINK-3-UPDOWN is the Cisco message identifier: LINK is the facility, i.e. the subsystem that produced the message (here the interface link layer), 3 is the severity (error) and UPDOWN is the mnemonic naming the event. Interface Ethernet0/0, changed state to up is the message text, which says that interface Ethernet0/0 came up. One such line looks trivial, but many lines together carry meaning, and if you correlate them properly you learn a lot about the whole system, especially from a security perspective. The first step, though, is collecting the logs. There are many ways to collect logs, and a given system may not support all of them. Network devices generally use syslog, which sends each message as a UDP datagram to port 514. In its simplest form syslog provides no confidentiality, integrity or availability (CIA): the messages are cleartext and unauthenticated, UDP does not retransmit lost datagrams, and the source IP address is the only thing tying a message to the device that sent it. To collect logs we need a syslog server that accepts syslog from the network; we assume it is already set up correctly. Now we will configure the Cisco switch to send logs.
Specify Log Server
Set the IP address of the log server here. If the switch has name resolution you can use a hostname instead.
S1(config)#logging host 10.250.1.1
Specify Logging Level or Severity
This step is important because it sets the log level: the switch sends messages at the configured severity and all more urgent ones. Severities run from 0 (emergencies) to 7 (debugging); the IOS keywords are emergencies, alerts, critical, errors, warnings, notifications, informational and debugging. Setting the level to debugging produces a lot of messages, especially if the system is a core device, but it is very useful for seeing every detail about events. Choose according to your needs; the IOS default is informational (6), which keeps everything except debug output.
S1(config)#logging trap debugging
Specify Log Source Interface
This setting is useful when you collect logs from more than one system, because the collector tells the senders apart by their source IP addresses. With this option you pin the source interface, and therefore the source IP, that the switch stamps on every syslog datagram, instead of whichever interface happens to route toward the server. Use an interface that is always up (a loopback is the usual choice) so the address does not change when a link goes down, and so the collector's per-device filters stay valid.
S1(config)#logging source-interface ethernet 0/0
Specify Logging Facility
Syslog uses the facility field to separate logs from different sources. You can use it like the source interface to distinguish devices or device classes, but there is not much room: the protocol defines only 24 facility codes, and for network gear you usually pick one of local0 to local7. The IOS default is local7. The facility is encoded in the PRI value at the start of each datagram (PRI = facility × 8 + severity), which is what the syslog server filters on.
S1(config)#logging facility syslog
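The following Python script is an added example for this post (not the author's code, and not anything Cisco ships): the receiving side of the configuration above. It decodes the PRI value that the logging facility and logging trap settings determine, splits the Cisco %FACILITY-SEVERITY-MNEMONIC header described at the top of the post, and flags datagrams that do not fit the facility and trap level the switch was configured with. The datagram layout it assumes is what IOS emits with service timestamps log datetime msec (and optionally service sequence-numbers); the serve() listener and the sample datagrams are constructed for the example. Nothing here authenticates the sender, because plain UDP syslog cannot; the consistency check only makes oddities visible.

```python
"""Receiving side of the syslog setup in this post (added example, not the
author's code, not Cisco's). Assumes the datagram layout IOS emits with
`service timestamps log datetime msec` and, optionally, `service sequence-numbers`:
    <PRI>[seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
where PRI = syslog_facility * 8 + severity (RFC 3164).
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 3164 facility codes; `logging facility <name>` on IOS selects one of them.
SYSLOG_FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# `logging trap <level>` keywords; the switch sends this severity and every lower number.
IOS_TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# <PRI>, optional "seq: ", optional "timestamp: ", then the IOS message itself.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<seq>\d+): )?(?:(?P<ts>[^%]+?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

@dataclass
class CiscoSyslog:
    pri: int
    facility: int             # decoded from PRI, e.g. 23 = local7
    severity: int             # decoded from PRI
    seq: Optional[int]        # only with `service sequence-numbers`
    timestamp: Optional[str]  # only with `service timestamps log ...`
    ios_facility: str         # IOS subsystem: LINK, LINEPROTO, SYS, ...
    ios_severity: int         # the digit inside %FAC-SEV-MNEMONIC
    mnemonic: str
    text: str

def parse_cisco_syslog(datagram: bytes) -> CiscoSyslog:
    """Parse one UDP syslog datagram as an IOS device sends it."""
    line = datagram.decode("ascii", errors="replace").rstrip("\r\n")
    m = CISCO_RE.match(line)
    if m is None:
        raise ValueError(f"not a Cisco-style syslog message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # local7 * 8 + debugging is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return CiscoSyslog(pri, pri // 8, pri % 8,
                       int(m["seq"]) if m["seq"] else None, m["ts"],
                       m["fac"], int(m["sev"]), m["mnem"], m["text"])

def expected_pri_range(ios_facility: str, trap_level: str) -> tuple[int, int]:
    """PRIs a switch with `logging facility <ios_facility>` and `logging trap <trap_level>` may send."""
    fac = SYSLOG_FACILITIES[ios_facility]
    return fac * 8, fac * 8 + IOS_TRAP_LEVELS[trap_level]

def check_against_config(msg: CiscoSyslog, ios_facility: str, trap_level: str) -> list[str]:
    """Flag datagrams that do not fit the configured switch. Plain UDP syslog is
    unauthenticated, so a mismatch means a misconfigured device, a relay rewriting
    PRI, or something else sending from that source IP: worth a look either way."""
    problems = []
    lo, hi = expected_pri_range(ios_facility, trap_level)
    if not lo <= msg.pri <= hi:
        problems.append(f"PRI {msg.pri} outside {lo}..{hi} for facility "
                        f"{ios_facility}, trap {trap_level}")
    if msg.severity != msg.ios_severity:
        problems.append(f"PRI severity {msg.severity} disagrees with "
                        f"%{msg.ios_facility}-{msg.ios_severity}-{msg.mnemonic}")
    return problems

def serve(port: int = 514, ios_facility: str = "syslog", trap_level: str = "debugging") -> None:
    """Minimal UDP receiver (binding port 514 needs privileges; not exercised by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src_ip, _) = sock.recvfrom(4096)  # src_ip = the switch's source-interface
            try:
                msg = parse_cisco_syslog(data)
            except ValueError as exc:
                print(f"{src_ip}: {exc}")
                continue
            flags = check_against_config(msg, ios_facility, trap_level)
            print(f"{src_ip} %{msg.ios_facility}-{msg.ios_severity}-{msg.mnemonic}: "
                  f"{msg.text}" + (f"  [{'; '.join(flags)}]" if flags else ""))

# Constructed sample datagrams for this example (not captured from a real device).
SAMPLE_DATAGRAMS = [
    # default facility local7 (23): PRI = 23*8 + 3 = 187
    b"<187>Aug  1 05:39:30.992: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up",
    # after `logging facility syslog` (5) plus sequence numbers: 5*8 + 5 = 45
    b"<45>68: Aug  1 05:39:31.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    b"Ethernet0/0, changed state to up",
    # a debugging-level message: 5*8 + 7 = 47, which `logging trap informational` would drop
    b"<47>69: Aug  1 05:40:02.117: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]
```

Run serve() on the collector with the facility and trap level you configured on the switch; anything printed with a bracketed flag is a datagram the switch, as configured, should not have produced. Since the check only looks at the PRI and the message header, it is a sanity check, not authentication.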