Dr. Dobb's is part of the Informa Tech Division of Informa PLC
Identifying and Classifying Security Threats


SYSLOG

System logs or SYSLOG provide you with information for monitoring and troubleshooting devices within your infrastructure. In addition, they give you excellent visibility into what is happening within your network. You can enable SYSLOG on network devices such as routers, switches, firewalls, VPN devices, and others. This section covers how to enable SYSLOG on routers, switches, the Cisco ASA, and Cisco PIX security appliances.

Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches

The logging facility on Cisco IOS routers and switches allows you to save SYSLOG messages locally or to a remote host. By default, routers send logging messages to a logging process. The logging process controls the delivery of logging messages to various destinations, such as the logging buffer, terminal lines, a SYSLOG server, or a monitoring event correlation system such as CS-MARS. You can set the severity level of the messages to control which messages are delivered, and you can add a time stamp so that the reported events can be tracked accurately.

The following example shows the commands necessary to configure SYSLOG on Cisco IOS devices:

myrouter#configure terminal
myrouter(config)#logging on
myrouter(config)#logging host 172.18.85.190

In this example, the router is configured to send the SYSLOG messages to a host with IP address 172.18.85.190. (This is the CS-MARS used in the examples of the previous sections.)

On Cisco IOS routers, the log messages are not time-stamped by default. To enable time stamping of log messages, use the service timestamps log datetime command. The following example shows the different options of this command:

myrouter(config)#service timestamps log datetime ?
localtime Use local time zone for timestamps
msec Include milliseconds in timestamp
show-timezone Add time zone information to timestamp
year Include year in timestamp

You can specify the severity level of the SYSLOG messages. The following are the different levels you can configure:

  • Level 0: Emergencies
  • Level 1: Alerts
  • Level 2: Critical
  • Level 3: Errors
  • Level 4: Warnings
  • Level 5: Notifications
  • Level 6: Informational
  • Level 7: Debugging

To set the severity level of log messages sent to a SYSLOG server, use the logging trap command. The following example shows the options of this command:

myrouter(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)

It is recommended that you send SYSLOG messages over a separate management segment, just as you learned to do earlier in this article in the "NetFlow" section.

Enabling Logging Cisco Catalyst Switches Running CATOS

To enable the logging of system messages to a SYSLOG server on Cisco Catalyst switches running Catalyst Operating System (CATOS), use the following commands:

set logging server enable
set logging server syslog server 172.18.85.190
set logging timestamp enable
set logging server severity 4

In this example, the switch is configured to send the SYSLOG messages to the host with IP address 172.18.85.190. Time stamping is enabled, and the severity level of the messages sent to the external server is set to 4 or warnings. Setting logging to the debugging level can cause performance problems. A good rule of thumb is to set the logging severity to 4 or warnings.

Note: A good whitepaper describing best practices when managing Cisco Catalyst switches running CATOS is located at http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml.

Enabling Logging on Cisco ASA and Cisco PIX Security Appliances

The commands used to enable logging and to send SYSLOG messages to a SYSLOG server are the same on the Cisco ASA and the Cisco PIX security appliances. To enable logging, use the logging on command. To configure the ASA or PIX to send logs to a SYSLOG server, use the logging host command, and to change the log severity level, use the logging trap command. The following example demonstrates the use of these commands.

ciscoasa(config)# logging on
ciscoasa(config)# logging host inside 172.18.85.190
ciscoasa(config)# logging trap informational

In this example, the Cisco ASA is configured to send its logs to the host with IP address 172.18.85.190, and the severity level is set to informational. On the Cisco ASA and Cisco PIX security appliances, all SYSLOG messages begin with a percent sign (%) and are formatted as follows:

%PIX|ASA-Level-Message_number: Message_text

The following is an example of a SYSLOG message.

Apr 09 2007 07:35:56: %ASA-6-302021: Teardown ICMP connection for faddr
192.168.202.22/0 gaddr 192.168.202.40/0 laddr 192.168.202.40/0

  • PIX|ASA: A static value indicating that the log message is generated by a Cisco ASA or Cisco PIX.
  • Level: The severity level (1–7). For most environments, it is recommended that you set the severity level to 4 to avoid performance issues. You may want to temporarily increase it to a higher value when troubleshooting a specific problem.
  • Message number: A unique 6-digit number that identifies the SYSLOG message.
  • Message text: The description of the log message. It sometimes includes IP addresses, port numbers, or usernames.

You can filter SYSLOG messages on the Cisco ASA, Cisco PIX, and Cisco FWSM to send only specific events to a particular output destination. In other words, you can configure the device to send all SYSLOG messages to one output destination and also to send a subset of those SYSLOG messages to a different output destination. You can also configure the Cisco ASA, Cisco PIX, and Cisco FWSM to send SYSLOG messages based on specific criteria, such as the following:

  • Message ID number (range of 104024 to 105999)
  • Severity level
  • Message class

For example, you can use the logging class <message_class> command to specify the specific class.
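The message format and the filtering criteria described above (severity level and message ID range) can be reproduced outside the appliance, for instance in a collector that receives the SYSLOG feed. The following Python parser is an added example and is not code from the article or from Cisco: it splits a PIX/ASA message into its timestamp, device, level, message number and text, and then selects messages by severity and message ID range. The sample lines are constructed for this example; only message 302021 is taken from the article, and 104024 and 105999 are the endpoints of the message ID range the article mentions, with invented message text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity names as listed in this article (level 0 = emergencies ... 7 = debugging).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# %PIX|ASA-Level-Message_number: Message_text, optionally preceded by a
# "Mon DD YYYY HH:MM:SS: " timestamp as in the article's sample message.
ASA_MSG_RE = re.compile(
    r"^(?:(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%(?P<device>PIX|ASA)-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)


@dataclass
class AsaSyslog:
    timestamp: Optional[str]
    device: str      # "PIX" or "ASA"
    level: int       # 0 (most severe) .. 7 (debugging)
    msgid: int       # six-digit message number
    text: str

    @property
    def severity(self) -> str:
        return SEVERITY_NAMES[self.level]


def parse_asa_syslog(line: str) -> Optional[AsaSyslog]:
    """Parse one PIX/ASA SYSLOG line; return None for lines in another format."""
    m = ASA_MSG_RE.match(line.strip())
    if not m:
        return None
    return AsaSyslog(
        timestamp=m.group("timestamp"),
        device=m.group("device"),
        level=int(m.group("level")),
        msgid=int(m.group("msgid")),
        text=m.group("text"),
    )


def select_messages(lines: List[str], max_level: int = 4,
                    msgid_range: Optional[Tuple[int, int]] = None) -> List[AsaSyslog]:
    """Keep messages at severity <= max_level (a lower number is more severe),
    optionally restricted to an inclusive message ID range. This mirrors the
    per-destination filtering by severity and message ID the article describes."""
    selected = []
    for line in lines:
        msg = parse_asa_syslog(line)
        if msg is None or msg.level > max_level:
            continue
        if msgid_range is not None and not (msgid_range[0] <= msg.msgid <= msgid_range[1]):
            continue
        selected.append(msg)
    return selected


# Constructed sample input. Line 1 is the article's example; the 104024 and 105999
# lines reuse the article's range endpoints with invented text; the rest is made up.
SAMPLE_LINES = [
    "Apr 09 2007 07:35:56: %ASA-6-302021: Teardown ICMP connection for faddr "
    "192.168.202.22/0 gaddr 192.168.202.40/0 laddr 192.168.202.40/0",
    "Apr 09 2007 07:36:01: %ASA-4-104024: sample warning text (constructed)",
    "Apr 09 2007 07:36:05: %ASA-1-105999: sample alert text (constructed)",
    "%PIX-5-302021: sample notification without a timestamp (constructed)",
    "this line is not a PIX/ASA SYSLOG message",
]

if __name__ == "__main__":
    for msg in select_messages(SAMPLE_LINES, max_level=4):
        print(f"{msg.device} {msg.severity:<13} {msg.msgid} {msg.text}")
```

Running the block as a script prints only the two messages at severity 4 or better, which is the subset a collector would forward to an alerting destination when the appliance itself is left at a higher trap level.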

SNMP

SNMP is one of the most basic ways of obtaining information from your network. It is a Layer 7 protocol designed to retrieve information from network devices. This information includes, but is not limited to, the following:

  • Device health statistics (CPU, memory, and so on)
  • Device errors
  • Network traffic statistics
  • Packet rates
  • Packet errors

The SNMP solution has three components:

  • An SNMP manager: The system used to control and monitor the activities of network hosts using SNMP.
  • An SNMP agent: The software component within the managed device that maintains the data for the device and reports this data, as needed, to managing systems.
  • A Management Information Base (MIB): An information storage medium that contains a collection of managed objects (MIB modules) within each device. MIB modules are written in the SNMP MIB module language, as defined in STD 58, RFC 2578, RFC 2579, and RFC 2580.

Enabling SNMP on Cisco IOS Devices

As a best practice, you should set the system contact, location, and serial number of the SNMP agent so that your management servers can obtain these descriptions. This information is useful when responding to incidents. The following example shows how to enter the contact information on the Cisco IOS device:

myrouter#configure terminal
myrouter(config)#snmp-server contact John Route
myrouter(config)#snmp-server location 1st Floor NY Office
myrouter(config)#snmp-server chassis-id ABC12345

In the previous example, the name of the administrator is John Route, the device is located on the 1st floor of an office in New York, and the chassis identification number is ABC12345.

The following example shows how you can configure SNMP Version 3 on a Cisco IOS device:

myrouter(config)#snmp-server group mygroup v3 auth

SNMP Version 3 supports authentication. In the previous example, an SNMP group named mygroup is configured for SNMP Version 3. Authentication is also enabled with the auth keyword. When you configure the snmp-server group command, there are no default values for authentication. To specify authentication user parameters, use the snmp-server user command, as shown in the following example:

myrouter(config)#snmp-server user admin1 mygroup v3 auth md5 zxasqw12
*Feb 8 15:45:04.902: Configuring snmpv3 USM user, persisting snmpEngineBoots.
Please Wait...

In the previous example, a user (admin1) is configured and mapped to the SNMP group mygroup. Authentication is done with MD5, and the password is zxasqw12. After you invoke this command, the message shown above is displayed. Configure the same user, group, authentication protocol, and password on your SNMP management server.

To verify the configuration, you can invoke the show snmp user command as follows:

myrouter#show snmp user
User name: admin1
Engine ID: 8000000903000013C4EC5528
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: mygroup

To view SNMP group information, invoke the show snmp group command, as shown in Example 4. The configured group (mygroup) is the last group listed in the output.

myrouter#show snmp group
groupname: ILMI security model:v1
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: ILMI security model:v2c
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: mygroup security model:v3 auth
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
Example 4: Output of the show snmp group Command

Note: The following site includes detailed information on how to configure SNMP Version 1 and 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcg/tnm_c/snmp/confsnmp.htm#wp1032846. This document also includes the following information:

  • Configuring the router as an SNMP manager
  • Enabling the SNMP Agent Shutdown mechanism
  • Defining the maximum SNMP Agent packet size
  • Disabling the SNMP Agent
  • Limiting the number of Trivial File Transfer Protocol (TFTP) servers used via SNMP
  • Configuring SNMP notifications
  • Configuring interface index display and interface indexes and configuring long name support
  • Configuring SNMP support for VPNs
  • Configuring MIB persistence
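The SYSLOG and SNMP sections above amount to a short checklist for a Cisco IOS configuration: logging enabled and pointed at a SYSLOG server, time-stamped messages, a trap level no noisier than warnings, contact/location/chassis-id set, and SNMPv3 groups that require authentication. The following Python audit is an added example, not code from the article or from Cisco: it reads a running-config excerpt as text and reports which of those items are missing or weak. The two sample configurations are constructed from the commands shown in this article, plus a debug-level trap, a v1/v2c community string and an unauthenticated v3 group added as deliberate findings; the function and finding texts are the example's own.

```python
from typing import List

# Severity names and numbers as listed in the article's logging trap options.
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
RECOMMENDED_TRAP_LEVEL = SEVERITY_LEVELS["warnings"]  # the article's rule of thumb


def trap_level(line: str) -> int:
    """Translate 'logging trap <name|0-7>' into its numeric severity level."""
    arg = line.split()[2]
    return int(arg) if arg.isdigit() else SEVERITY_LEVELS[arg]


def audit_config(config_text: str, recommended_level: int = RECOMMENDED_TRAP_LEVEL) -> List[str]:
    """Return a list of findings for the SYSLOG/SNMP settings discussed in the article.
    An empty list means every checked item is present and at the recommended level."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    def present(prefix: str) -> List[str]:
        return [ln for ln in lines if ln.startswith(prefix)]

    findings: List[str] = []
    if not present("logging on"):
        findings.append("logging is not enabled ('logging on' missing)")
    if not present("logging host "):
        findings.append("no SYSLOG server configured ('logging host' missing)")
    if not present("service timestamps log datetime"):
        findings.append("log messages are not time-stamped ('service timestamps log datetime' missing)")
    for ln in present("logging trap "):
        level = trap_level(ln)
        if level > recommended_level:
            findings.append(f"'{ln}' sends level {level} to the SYSLOG server; "
                            f"rule of thumb is level {recommended_level} (warnings)")
    for item in ("contact", "location", "chassis-id"):
        if not present(f"snmp-server {item} "):
            findings.append(f"'snmp-server {item}' not set; useful when responding to incidents")
    for ln in present("snmp-server community "):
        findings.append(f"SNMPv1/v2c community string '{ln.split()[2]}' configured; "
                        "prefer SNMPv3 with authentication")
    for ln in present("snmp-server group "):
        parts = ln.split()
        if "v3" in parts and "noauth" in parts:
            findings.append(f"SNMPv3 group '{parts[2]}' does not require authentication")
    return findings


# Constructed running-config excerpt: the article's commands plus three weak settings.
SAMPLE_CONFIG = """\
service timestamps log datetime msec show-timezone
logging on
logging trap debugging
logging host 172.18.85.190
snmp-server contact John Route
snmp-server location 1st Floor NY Office
snmp-server community public RO
snmp-server group mygroup v3 auth
snmp-server group legacy v3 noauth
snmp-server user admin1 mygroup v3 auth md5 zxasqw12
"""

# Constructed hardened variant: trap level at warnings, chassis-id set, no community
# string, no unauthenticated v3 group.
HARDENED_CONFIG = """\
service timestamps log datetime msec show-timezone
logging on
logging trap warnings
logging host 172.18.85.190
snmp-server contact John Route
snmp-server location 1st Floor NY Office
snmp-server chassis-id ABC12345
snmp-server group mygroup v3 auth
snmp-server user admin1 mygroup v3 auth md5 zxasqw12
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened config findings:", len(audit_config(HARDENED_CONFIG)))
```

The checks are prefix matches on the exact command strings shown in the article, so the audit is only as complete as the command list it knows about; it is meant to be run over `show running-config` output saved to a file, and to be extended with the same pattern for any additional setting a site standardises on.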

Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances

The Cisco ASA and the Cisco PIX security appliances support only SNMP Versions 1 and 2c. They both support traps and SNMP read access; however, SNMP write access is not supported. The following example shows how to configure an ASA to receive SNMP Version 2c requests from host 172.18.85.190 on the inside interface:

ciscoasa(config)# snmp-server host inside 172.18.85.190 version 2c
ciscoasa(config)# snmp-server location Raleigh NC Branch
ciscoasa(config)# snmp-server contact Jeff Firewall
ciscoasa(config)# snmp-server community th1s1sacommstrng

The ASA in this example is located in a branch office in Raleigh, North Carolina. The point of contact is Jeff Firewall, and the community string is th1s1sacommstrng. You can use the snmp deny version command to deny SNMP packets from other SNMP versions. The following example shows the available options:

ciscoasa(config)# snmp deny version ?
configure mode commands/options:
1 SNMP version 1
2 SNMP version 2 (party based)
2c SNMP version 2c (community based)
3 SNMP version 3

Note: You can obtain the MIBs for any Cisco device at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
