How Configure Cisco For Logging? – POFTUT

How Configure Cisco For Logging?

Hi, collecting logs are important. In my daily job, I am working with logs about a lot of systems like WMware, Application, Linux, Windows, Cisco, checkpoint, pfSense. Logs provide info about the system, application, etc. Security incident management systems heavily rely on logs.

Example Log

Logs consist of date system name and event detail like

Here Aug  1 05:39:30.992 is date info, %LINK-3-UPDOWN is subsystem info which says the log is about port, Interface Ethernet0/0, changed state to up says that the ethernet 0/0 interface is changed to up. This log can seem simple but a lot of logs means special things. If you properly correlate you can get a lot of info about the whole system especially from a security perspective. But the first step is collecting logs from the systems. There is a lot of log collection ways but the systems may not provide all of them. Network devices generally use Syslog technique which uses UDP packets and port 514 to transmit logs. In the most simple way logs transmitted without any CIA (confidentiality, integrity, availability). To collect log we need a Syslog server which accepts Syslog from the network. We assume it is set up correctly. No, we will configure the Cisco switch to send logs.

Specify Log Server

Set IP address of the log server here if the switch has name resolution you can use a hostname.

Specify Logging Level or Severity

This step is important because we set up the log level. making log level high make a lot of logs especially if the system is the core system, but it is very useful to see all details about events. debug is level 7 and emergency is level 0 you can select this according to your needs.          

LEARN MORE  Logrotate Command Tutorial With Examples For Linux

Specify Log Source Interface

This is config is useful if you collect logs from more than one system. Logs from a lot of systems are separated by their source IP’s. With this option, you set your source interface and source IP.

Specify Facility

Syslog uses the facility to separate logs. You can use this option like the source interface but you have not a lot of space to use.

Leave a Reply

Your email address will not be published. Required fields are marked *

Enjoy this blog? Please spread the word :)