The logging event hierarchy has 8 severity levels, from 0 (the system is unusable) to 7 (debugging messages):
emergencies System is unusable (severity=0)
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
errors Error conditions (severity=3)
warnings Warning conditions (severity=4)
notifications Normal but significant conditions (severity=5)
informational Informational messages (severity=6)
debugging Debugging messages (severity=7)
It is best to choose a level in the middle; level 4 or 5 is usually right. If level 4 is chosen, the device logs level 4 and every more severe level down to 0, that is Warnings, Errors, Critical, Alerts and Emergencies.
There are two places for event storage:
- Internal memory;
- External log server.
Internal memory logging configuration example (be warned: the internal log buffer is cleared whenever the device restarts for any reason):
logging on
logging buffered 256000
logging buffered warnings
// Sets the buffer size to 256000 bytes (about 256 KB) and logs messages of severity Warnings and more severe.
External log server configuration example:
logging 192.168.1.50
logging trap debugging
logging origin-id hostname
// With "hostname" the device prepends its hostname to each log message, which comes in handy when several devices send to one server.
or
snmp-server enable traps syslog
snmp-server host 192.168.1.50 public syslog
Watching log messages via VTY connection example:
logging monitor
// Use in global configuration mode.
terminal monitor
// Use in EXEC mode; applies to the current terminal session only.
To include the date and time in log messages, use the service timestamps log datetime command.
Example of keeping log messages from interrupting commands being typed on VTY or console lines (the message is printed and the command line is redrawn):
line vty 0 15
logging synchronous
line console 0
logging synchronous
Example of logging all user actions (configuration changes and login attempts):
logging buffered 256000 notifications
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
login on-failure log every 1
login on-success log every 1
NOTE
The logging level must be Notifications (5) or a more verbose level, otherwise no information about user login attempts is logged.
Some advanced logging techniques to log failed login attempts and prevent brute force attacks:
login block-for 120 attempts 5 within 60
// If 5 unsuccessful attempts are made within 60 seconds, the device enters quiet mode and refuses login attempts from anywhere for 120 seconds.
login quiet-mode access-class MyAccessList
// Hosts matched by the access list may still log in during quiet mode, so you keep a way back in if this happens.
login on-failure
// Enable logging of unsuccessful login attempts.
ip access-list extended MyAccessList
10 permit ip 192.168.1.0 0.0.0.255 any
// ACL referenced by login quiet-mode: hosts in 192.168.1.0/24 may still log in while quiet mode is active.
To see the IP addresses from which the attempts were made, use the show login failures command.
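The two mechanics above, the severity cutoff from the level table and the failed-login threshold behind login block-for, seen from the syslog server's side. This is an added example, not code from the original page or from any Cisco tool: a small Python parser for IOS syslog lines (assuming logging origin-id hostname and service timestamps log datetime are configured, as on this page) that applies the same severity filter a device applies with logging trap, and flags source addresses whose %SEC_LOGIN-4-LOGIN_FAILED messages cross the same 5-in-60-seconds threshold. The hostname R1, the addresses and the sample lines are constructed; the SEC_LOGIN, SYS-5-CONFIG_I and PARSER-5-CFGLOG_LOGGEDCMD mnemonics are the standard IOS ones for these events, while the level-7 line is there only to exercise the filter.

```python
"""Receiving-side checks for Cisco IOS syslog messages: severity filtering and
failed-login burst detection. Added example; the log lines are constructed in
the shape IOS emits with "logging origin-id hostname" and "service timestamps
log datetime", not captured from a real device."""
import re
from collections import defaultdict
from datetime import datetime

# IOS severity names in order; the list index is the numeric severity.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# "Mar  1 10:01:10" as produced by "service timestamps log datetime" (no year).
TS_RE = re.compile(r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                   r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})")
# The %FACILITY-SEVERITY-MNEMONIC header that every IOS message carries.
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*(?P<text>.*)")
# Source address field of SEC_LOGIN messages.
SRC_RE = re.compile(r"\[Source:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: device "R1", one config change, one successful login,
# five failures from 10.9.8.7 inside 38 s, two slow failures from 192.168.1.10.
SAMPLE_LOG = """\
R1: Mar  1 10:00:01: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)
R1: Mar  1 10:00:05: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.10] [localport: 22]
R1: Mar  1 10:01:10: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [localport: 22] [Reason: Login Authentication Failed]
R1: Mar  1 10:01:15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [localport: 22] [Reason: Login Authentication Failed]
R1: Mar  1 10:01:21: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [localport: 22] [Reason: Login Authentication Failed]
R1: Mar  1 10:01:30: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [localport: 22] [Reason: Login Authentication Failed]
R1: Mar  1 10:01:48: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [localport: 22] [Reason: Login Authentication Failed]
R1: Mar  1 10:05:00: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.10] [localport: 22] [Reason: Login Authentication Failed]
R1: Mar  1 10:09:00: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.10] [localport: 22] [Reason: Login Authentication Failed]
R1: Mar  1 10:10:00: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:logging trap notifications
R1: Mar  1 10:10:01: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: admin): test
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Split one IOS syslog line into host, time (seconds; year pinned to 2000
    because IOS does not log it), severity, facility, mnemonic and text.
    Returns None for lines without an IOS message header."""
    m = MSG_RE.search(line)
    if not m:
        return None
    first = line.split(None, 1)[0]
    # With origin-id hostname the device name is the first token; a leading
    # sequence number ("000019:") or a timestamp is not a hostname.
    host = first.rstrip(":") if first.endswith(":") and not first[:-1].isdigit() else None
    when = None
    ts = TS_RE.search(line[:m.start()])
    if ts:
        dt = datetime.strptime(
            f"2000 {ts['mon']} {ts['day']} {ts['h']}:{ts['m']}:{ts['s']}",
            "%Y %b %d %H:%M:%S")
        when = int((dt - datetime(2000, 1, 1)).total_seconds())
    return {"host": host, "time": when, "severity": int(m["sev"]),
            "facility": m["fac"], "mnemonic": m["mn"], "text": m["text"]}


def accepted_at_level(msg, level):
    """True if a device configured with "logging trap <level>" (name or number)
    would emit this message: severity <= level, so level 4 passes 4, 3, 2, 1, 0."""
    limit = SEVERITIES.index(level) if isinstance(level, str) else int(level)
    return msg["severity"] <= limit


def filter_by_level(lines, level):
    """Return the parsed messages the device would have forwarded at `level`."""
    parsed = (parse_line(line) for line in lines)
    return [m for m in parsed if m and accepted_at_level(m, level)]


def failed_login_bursts(lines, attempts=5, within=60):
    """Server-side mirror of "login block-for ... attempts 5 within 60": map each
    source IP whose LOGIN_FAILED events reach `attempts` inside `within` seconds
    to the time the threshold was first crossed."""
    recent = defaultdict(list)
    hits = {}
    for line in lines:
        msg = parse_line(line)
        if (not msg or msg["time"] is None or msg["facility"] != "SEC_LOGIN"
                or msg["mnemonic"] != "LOGIN_FAILED"):
            continue
        src = SRC_RE.search(msg["text"])
        if not src:
            continue
        window = recent[src["ip"]]
        window.append(msg["time"])
        # Slide the window: forget failures older than `within` seconds.
        while msg["time"] - window[0] > within:
            window.pop(0)
        if len(window) >= attempts and src["ip"] not in hits:
            hits[src["ip"]] = msg["time"]
    return hits


if __name__ == "__main__":
    print(len(filter_by_level(SAMPLE_LINES, "warnings")), "messages pass at level warnings")
    print("burst sources:", failed_login_bursts(SAMPLE_LINES))
```

Run as a script it prints 7 messages passing at warnings and flags 10.9.8.7 only: the two failures from 192.168.1.10 are four minutes apart and never fill the window. The same threshold applied to a syslog archive gives an independent record of lockouts even when the device's own buffer was lost to a reload.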
Summary:
logging on
logging buffered 256000 notifications
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
logging 192.168.1.50
logging trap notifications
login block-for 120 attempts 5 within 60
login quiet-mode access-class MyAccessList
login on-failure log every 1
login on-success log every 1
ip access-list extended MyAccessList
10 permit ip 192.168.1.0 0.0.0.255 any