Event Logging on Perimeter Routers

Event Logging on Perimeter Routers

Perimeter router logs can be invaluable in troubleshooting, capacity planning, and dealing with security incidents. For security purposes, the events to log are interface status changes, changes to the system configuration, access list matches, events detected by the firewall, and intrusion detection features. System logging events might be reported to a variety of destinations, including the following:

  • The system console port (logging console command). Because many console ports are unattended or are connected to terminals with no historical storage, this information might be unavailable to reconstruct a major event.

  • Servers running the syslog daemon can send logging information to a server with the logging server-ip-address command, and you can control the urgency threshold for logging to the server with the logging trap urgency command. Even if you have a syslog server, you should probably still enable local logging. If you don’t have access to a syslog server, go to Kiwi Enterprises at http://www.kiwisyslog.com /index.htm and download its free Kiwi Syslog Daemon.

  • Remote sessions on VTYs and local sessions on TTYs (logging monitor and terminal monitor commands).

  • Most routers can save system logging information to a local RAM buffer. This buffer is a fixed size and retains only the most recent information, and the contents are lost whenever the router is reloaded. Use the show memory command to make sure your router has enough free memory to support a logging buffer. Create the buffer using the logging buffered buffer-size configuration command.

If the router has a real-time clock or is running NTP, time-stamp log entries by adding the service timestamps log datetime msecs command to the configuration.

Access List Violation Logs

With traffic filtering and access control ACLs, you should consider logging packets that violate the filtering criteria. Older Cisco IOS software versions use the log keyword option, which captures the IP addresses and port numbers of packets matching an access list entry. Newer IOS versions use the log-input keyword, which adds receiving interface information and the MAC address of the host that sent it.

To manage file size and minimize performance impacts, configure logging for those critical access list entries. Don’t log entries that will match a large number of packets and generate little useful information, such as the permit any statement.

Part III: Virtual Private Networks (VPNs)