Hi, collecting logs is important. In my daily job I work with logs from a lot of systems like VMware, applications, Linux, Windows, Cisco, Check Point and pfSense. Logs provide information about the system, the application, etc. Security incident management systems rely heavily on logs. A log entry consists of a date, the system name and the event detail, like:
Aug 1 05:39:30.992: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Here Aug 1 05:39:30.992 is the date info, %LINK-3-UPDOWN is the subsystem info, which says the log is about a port, and Interface Ethernet0/0, changed state to up says that the Ethernet 0/0 interface changed to up. This log may seem simple, but a lot of logs taken together mean something special. If you correlate them properly you can get a lot of information about the whole system, especially from a security perspective. But the first step is collecting logs from the systems. There are many ways to collect logs, but a given system may not support all of them. Network devices generally use syslog, which transmits logs as UDP packets to port 514. In its simplest form, logs are transmitted without any CIA (confidentiality, integrity, availability) protection. To collect logs we need a syslog server that accepts syslog from the network. We assume it is set up correctly. Now we will configure a Cisco switch to send logs.
Set the IP address of the log server here; if the switch has name resolution you can use the host name.
S1(config)#logging host 10.250.1.1
This step is important because it sets the log level. Setting a high log level produces a lot of logs, especially if the system is a core system, but it is very useful for seeing all the details about events. debug is level 7 and emergency is level 0; select the level according to your needs.
S1(config)#logging trap debugging
This config is useful if you collect logs from more than one system. Logs from many systems are separated by their source IPs. With this option you set the source interface, and therefore the source IP, that the switch sends logs from.
S1(config)#logging source-interface ethernet 0/0
Syslog uses a facility to separate logs. You can use this option like the source interface to tell systems apart, but there are only a limited number of facilities to choose from.
S1(config)#logging facility syslog
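Once the switch is configured as above, the collector at 10.250.1.1 receives UDP datagrams whose payload carries a `<PRI>` header (PRI = facility * 8 + severity) followed by the IOS message in the %SUBSYSTEM-SEVERITY-MNEMONIC format shown at the top of the post. The parser below is an added example, not part of the original post, that separates the PRI into facility and severity (so `logging facility syslog` shows up as facility 5 and the default local7 as 23), extracts the subsystem and mnemonic, groups events by sender IP as the source-interface section describes, and filters by the same 0..7 severity scale that `logging trap` uses. The sample datagrams are constructed: 10.250.1.1 is the collector from the post, the switch addresses and the login-failure message are made up, and the optional leading sequence number and clock-sync marker are assumed IOS formatting options.

```python
"""Parse and triage syslog datagrams as a Cisco IOS device emits them.

Added example (not from the original post). Sample datagrams are
constructed; only the collector address 10.250.1.1 comes from the post.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Severity levels 0..7: the same scale "logging trap <level>" uses.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}
# Facility codes: IOS defaults to local7 (23); "logging facility syslog" sets 5.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# IOS body: [seq: ][*|.]Mon DD HH:MM:SS[.mmm]: %SUBSYSTEM-SEV-MNEMONIC: text
IOS_RE = re.compile(
    r"^(?:\d+: )?"                                   # optional sequence number (assumed option)
    r"[*.]?"                                         # optional clock-not-synced marker (assumed option)
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?): "
    r"%(?P<subsystem>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    source_ip: str
    facility: Optional[int]   # None when the line arrived without a <PRI> header
    severity: int
    timestamp: str
    subsystem: str
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, f"unknown({self.facility})")


def parse_event(source_ip: str, raw: str) -> SyslogEvent:
    """Split off the <PRI> header, then parse the IOS body. Raises ValueError on junk."""
    facility = None
    body = raw
    m = PRI_RE.match(raw)
    if m:
        pri = int(m.group(1))
        if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
            raise ValueError(f"PRI out of range: {pri}")
        facility, _pri_severity = divmod(pri, 8)   # PRI = facility * 8 + severity
        body = m.group(2)
    b = IOS_RE.match(body)
    if not b:
        raise ValueError(f"not an IOS-style message: {raw!r}")
    # The digit in %SUBSYSTEM-N-MNEMONIC is the message's own severity level.
    return SyslogEvent(source_ip, facility, int(b.group("sev")), b.group("ts"),
                       b.group("subsystem"), b.group("mnemonic"), b.group("text"))


def at_or_above(events, threshold: int):
    """Keep events at least as severe as threshold (lower number = more severe),
    the same filter 'logging trap <level>' applies on the device."""
    return [e for e in events if e.severity <= threshold]


def group_by_source(events):
    """Separate a mixed feed by sender IP, as the source-interface section describes."""
    groups = defaultdict(list)
    for e in events:
        groups[e.source_ip].append(e)
    return dict(groups)


# Constructed sample datagrams: (sender IP, payload).
SAMPLE_DATAGRAMS = [
    ("10.250.1.10", "<43>000123: Aug  1 05:39:30.992: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up"),
    ("10.250.1.11", "<190>Aug  1 05:40:01.100: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.250.1.1 port 514 started - CLI initiated"),
    ("10.250.1.10", "<44>Aug  1 05:41:12.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.5] [localport: 22]"),
    ("10.250.1.10", "Aug 1 05:39:30.992: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up"),  # no PRI, as printed in the post
]


def parse_samples():
    return [parse_event(ip, raw) for ip, raw in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    for e in at_or_above(parse_samples(), 4):   # warnings and worse
        print(f"{e.source_ip} {e.facility_name}.{e.severity_name} "
              f"%{e.subsystem}-{e.severity}-{e.mnemonic}: {e.text}")
```

Running it prints the three events at warning level or worse; the informational LOGGINGHOST_STARTSTOP line from the second switch is dropped by the threshold, and the last line, which has no PRI header, still parses with an unknown facility because the severity is recoverable from the message itself. Because the feed arrives over plain UDP, nothing here can verify that a datagram really came from the IP it claims, which is the confidentiality and integrity gap the post mentions.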