SYSLOG
System logs or SYSLOG provide you with information for monitoring and troubleshooting devices within your infrastructure. In addition, they give you excellent visibility into what is happening within your network. You can enable SYSLOG on network devices such as routers, switches, firewalls, VPN devices, and others. This section covers how to enable SYSLOG on routers, switches, the Cisco ASA, and Cisco PIX security appliances.
Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches
The logging facility on Cisco IOS routers and switches allows you to save SYSLOG messages locally or to a remote host. By default, routers send logging messages to a logging process. The logging process controls the delivery of logging messages to various destinations, such as the logging buffer, terminal lines, a SYSLOG server, or a monitoring event correlation system such as CS-MARS. You can set the severity level of the messages to control the type of messages displayed, in addition to a time stamp to successfully track the reported information.
The following example shows the commands necessary to configure SYSLOG on Cisco IOS devices:
myrouter#configure terminal
myrouter(config)#logging on
myrouter(config)#logging host 172.18.85.190
In this example, the router is configured to send the SYSLOG messages to a host with IP address 172.18.85.190. (This is the CS-MARS used in the examples of the previous sections.)
On Cisco IOS routers, the log messages are not time-stamped by default. To enable time stamping of log messages, use the service timestamps log datetime command. The following example shows the different options of this command:
myrouter(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
You can specify the severity level of the SYSLOG messages. The following are the different levels you can configure:
- Level 0: Emergencies
- Level 1: Alerts
- Level 2: Critical
- Level 3: Errors
- Level 4: Warnings
- Level 5: Notifications
- Level 6: Informational
- Level 7: Debugging
To set the severity level of log messages sent to a SYSLOG server, use the logging trap command. The following example shows the options of this command:
myrouter(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
It is recommended that you send SYSLOG messages over a separate management segment, just as you learned to do earlier in this article in the "NetFlow" section.
Enabling Logging on Cisco Catalyst Switches Running CATOS
To enable the logging of system messages to a SYSLOG server on Cisco Catalyst switches running Catalyst Operating System (CATOS), use the following commands:
set logging server enable
set logging server 172.18.85.190
set logging timestamp enable
set logging server severity 4
In this example, the switch is configured to send the SYSLOG messages to the host with IP address 172.18.85.190. Time stamping is enabled, and the severity level of the messages sent to the external server is set to 4 (warnings). Setting logging to the debugging level can cause performance problems. A good rule of thumb is to set the logging severity to 4 (warnings).
Note: A good whitepaper describing best practices when managing Cisco Catalyst switches running CATOS is located at http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml.
Enabling Logging on Cisco ASA and Cisco PIX Security Appliances
The commands used to enable logging and to send SYSLOG messages to a SYSLOG server are the same on the Cisco ASA and the Cisco PIX security appliances. To enable logging, use the logging on command. To configure the ASA or PIX to send logs to a SYSLOG server, use the logging host command, and to change the log severity level, use the logging trap command. The following example demonstrates the use of these commands.
ciscoasa(config)# logging on
ciscoasa(config)# logging host inside 172.18.85.190
ciscoasa(config)# logging trap informational
In this example, the Cisco ASA is configured to send its logs to the host with IP address 172.18.85.190, and the severity level is set to informational. On the Cisco ASA and Cisco PIX security appliances, all SYSLOG messages begin with a percent sign (%) and have the following format:
%PIX|ASA-Level-Message_number: Message_text
The following is an example of a SYSLOG message.
Apr 09 2007 07:35:56: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.202.22/0 gaddr 192.168.202.40/0 laddr 192.168.202.40/0
- PIX|ASA: A static value indicating that the log message is generated by a Cisco ASA or Cisco PIX.
- Level: The severity level (1–7). For most environments, it is recommended that you set the severity level to 4 to avoid performance issues. You may want to temporarily increase it to a higher value when troubleshooting a specific problem.
- Message number: A unique 6-digit number that identifies the SYSLOG message.
- Message text: The description of the log message. It sometimes includes IP addresses, port numbers, or usernames.
You can filter SYSLOG messages on the Cisco ASA, Cisco PIX, and Cisco FWSM to send only specific events to a particular output destination. In other words, you can configure the device to send all SYSLOG messages to one output destination and also to send a subset of those SYSLOG messages to a different output destination. You can also configure the Cisco ASA, Cisco PIX, and Cisco FWSM to send SYSLOG messages based on specific criteria, such as the following:
- Message ID number (range of 104024 to 105999)
- Severity level
- Message class
For example, you can use the logging class <message_class> command to select messages of a specific class.
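As an added example (not code from the original page), the following Python parses messages in the %PIX|ASA-Level-Message_number format described above, pulls out the faddr/gaddr/laddr fields, and reproduces on the collector side the two filters the device offers: the severity threshold set by logging trap and a message-ID range. The sample lines are constructed for this example except for the 302021 message quoted above.

```python
import re

# Severity numbers and names as given in the logging trap list above.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %PIX|ASA-Level-Message_number: Message_text, optionally preceded by a timestamp (FWSM shares the format).
ASA_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%(?P<device>PIX|ASA|FWSM)-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")
# faddr/gaddr/laddr IP/port fields as they appear in connection build/teardown messages.
ADDR_RE = re.compile(r"\b(faddr|gaddr|laddr) (\d{1,3}(?:\.\d{1,3}){3})/(\d+)")

def parse_asa_syslog(line):
    """Split one message into its fields; return None for lines that do not fit the format."""
    m = ASA_RE.match(line.strip())
    if m is None:
        return None
    level, text = int(m.group("level")), m.group("text")
    return {
        "timestamp": m.group("ts"), "device": m.group("device"),
        "level": level, "severity": SEVERITY_NAMES[level],
        "msgid": int(m.group("msgid")), "text": text,
        # {role: (ip, port)} for every faddr/gaddr/laddr field present in the text
        "addresses": {r: (ip, int(p)) for r, ip, p in ADDR_RE.findall(text)},
    }

def select(lines, max_level=4, msgid_range=None):
    """Keep messages at or below max_level (what 'logging trap 4' does) and, optionally,
    inside an inclusive message-ID range, as the ID-based filtering described above."""
    kept = []
    for line in lines:
        msg = parse_asa_syslog(line)
        if msg is None or msg["level"] > max_level:
            continue  # unparseable lines and messages above the threshold are dropped
        if msgid_range and not (msgid_range[0] <= msg["msgid"] <= msgid_range[1]):
            continue
        kept.append(msg)
    return kept

# Constructed sample input: the first line is the message quoted above; the rest are made up.
SAMPLE_LINES = [
    "Apr 09 2007 07:35:56: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.202.22/0 gaddr 192.168.202.40/0 laddr 192.168.202.40/0",
    'Apr 09 2007 07:36:01: %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:192.168.202.40/22 by access-group "outside_in"',
    "Apr 09 2007 07:36:05: %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/1234 to 192.168.202.40/445 flags SYN on interface outside",
    "Apr 09 2007 07:36:09: not a Cisco security appliance message",
]
```

With max_level=4 the informational 302021 teardown is dropped, exactly as it would be on a device configured with logging trap 4.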
SNMP
SNMP is one of the most basic ways of obtaining information from your network. It is an application-layer (Layer 7) protocol designed to obtain information from network devices. This information includes but is not limited to the following:
- Device health statistics (CPU, memory, and so on)
- Device errors
- Network traffic statistics
- Packet rates
- Packet errors
The SNMP solution has three components:
- An SNMP manager: The system used to control and monitor the activities of network hosts using SNMP.
- An SNMP agent: The software component within the managed device that maintains the data for the device and reports this data, as needed, to managing systems.
- A Management Information Base (MIB): An information storage medium that contains a collection of managed objects (MIB modules) within each device. MIB modules are written in the SNMP MIB module language, as defined in STD 58, RFC 2578, RFC 2579, and RFC 2580.
Enabling SNMP on Cisco IOS Devices
As a best practice, you should set the system contact, location, and serial number of the SNMP agent so that your management servers can obtain these descriptions. This information is useful when responding to incidents. The following example shows how to enter the contact information on the Cisco IOS device:
myrouter#configure terminal
myrouter(config)#snmp-server contact John Route
myrouter(config)#snmp-server location 1st Floor NY Office
myrouter(config)#snmp-server chassis-id ABC12345
In the previous example, the name of the administrator is John Route, the device is located on the 1st floor of an office in New York, and the chassis identification number is ABC12345.
The following example shows how you can configure SNMP Version 3 on a Cisco IOS device:
myrouter(config)#snmp-server group mygroup v3 auth
SNMP Version 3 supports authentication. In the previous example, an SNMP group named mygroup is configured for SNMP Version 3. Authentication is also enabled with the auth keyword. When you configure the snmp-server group command, there are no default values for authentication. To specify authentication user parameters, use the snmp-server user command, as shown in the following example:
myrouter(config)#snmp-server user admin1 mygroup v3 auth md5 zxasqw12
*Feb 8 15:45:04.902: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...
In the previous example, a user (admin1) is configured and mapped to the SNMP group mygroup. Authentication is done with MD5, and the password is zxasqw12. After you invoke this command, the message shown above is displayed. Configure the same user name, group, authentication protocol, and password on your SNMP management server.
To verify the configuration, you can invoke the show snmp user command as follows:
myrouter#show snmp user
User name: admin1
Engine ID: 8000000903000013C4EC5528
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: mygroup
To view SNMP group information, invoke the show snmp group command, as shown in Example 4. The configured group (mygroup) is the last entry in the output.
myrouter#show snmp group
groupname: ILMI                                security model:v1
readview : *ilmi                               writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: ILMI                                security model:v2c
readview : *ilmi                               writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: mygroup                             security model:v3 auth
readview : v1default                           writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
Note: The following site includes detailed information on how to configure SNMP Version 1 and 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcg/tnm_c/snmp/confsnmp.htm#wp1032846. This document also includes the following information:
- Configuring the router as an SNMP manager
- Enabling the SNMP Agent Shutdown mechanism
- Defining the maximum SNMP Agent packet size
- Disabling the SNMP Agent
- Limiting the number of Trivial File Transfer Protocol (TFTP) servers used via SNMP
- Configuring SNMP notifications
- Configuring interface index display and interface indexes and configuring long name support
- Configuring SNMP support for VPNs
- Configuring MIB persistence
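An added example (not code from the page or from Cisco) that parses show snmp group output like the listing above and flags the groups a reviewer would question: those still on the community-based v1/v2c security models, SNMPv3 groups without authentication, and any group that has a write view. The sample output is constructed from the listing above.

```python
import re

# One record per group as printed by 'show snmp group'. readview/writeview hold either a
# view name such as *ilmi or a literal placeholder such as "<no writeview specified>".
GROUP_RE = re.compile(
    r"groupname:\s*(?P<name>\S+)\s+security model:\s*"
    r"(?P<model>v1|v2c|v3(?:\s+(?:noauth|auth|priv))?)\s+"
    r"readview\s*:\s*(?P<read><[^>]*>|\S+)\s+writeview:\s*(?P<write><[^>]*>|\S+)")

def parse_snmp_groups(output):
    """Return one dict per group found in the command output, in display order."""
    return [{"name": m.group("name"), "model": " ".join(m.group("model").split()),
             "readview": m.group("read"), "writeview": m.group("write")}
            for m in GROUP_RE.finditer(output)]

def audit_snmp_groups(groups):
    """Flag groups that rely on community strings or lack SNMPv3 authentication, and any
    group with a write view. 'v3 auth' (what the page configures) passes; 'v3 priv' would
    add encryption of the SNMP payload on top of authentication."""
    findings = []
    for g in groups:
        if g["model"] in ("v1", "v2c"):
            findings.append((g["name"], g["model"], "community-based security model, no user authentication"))
        elif g["model"] in ("v3", "v3 noauth"):
            findings.append((g["name"], g["model"], "SNMPv3 group without authentication"))
        if not g["writeview"].startswith("<no "):
            findings.append((g["name"], g["model"], "write access granted through view " + g["writeview"]))
    return findings

# Constructed sample input: the 'show snmp group' listing above, laid out as the router prints it.
SAMPLE_OUTPUT = """\
groupname: ILMI                                security model:v1
readview : *ilmi                               writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: ILMI                                security model:v2c
readview : *ilmi                               writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: mygroup                             security model:v3 auth
readview : v1default                           writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
"""
```

Run against the sample, only the two ILMI groups are reported; the mygroup entry configured with v3 auth and no write view produces no finding.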
Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances
The Cisco ASA and the Cisco PIX security appliances support only SNMP Versions 1 and 2c. They both support traps and SNMP read access; however, SNMP write access is not supported. The following example shows how to configure an ASA to receive SNMP Version 2c requests from host 172.18.85.190 on the inside interface:
ciscoasa(config)# snmp-server host inside 172.18.85.190 version 2c
ciscoasa(config)# snmp-server location Raleigh NC Branch
ciscoasa(config)# snmp-server contact Jeff Firewall
ciscoasa(config)# snmp-server community th1s1sacommstrng
The ASA in this example is located in a branch office in Raleigh, North Carolina. The point of contact is Jeff Firewall, and the community string is th1s1sacommstrng. You can use the snmp deny version command to deny SNMP packets from other SNMP versions. The following example shows the available options:
ciscoasa(config)# snmp deny version ?

configure mode commands/options:
  1   SNMP version 1
  2   SNMP version 2 (party based)
  2c  SNMP version 2c (community based)
  3   SNMP version 3
Note: You can obtain the MIBs for any Cisco device at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.