Logs are very important to network security. They record all kinds of events that occur in the system every day. You can use them to check the cause of the error or the traces left by the attacker when the system is attacked. Vro is a hub for information transmission. It is widely used in the network construction of enterprises and institutions, and is responsible for connecting LAN and LAN to wan.
Cisco is a widely used router and widely used in many industry systems. The following are some of my accumulated experience in setting Cisco router logs in my daily work. These instances have been debugged and put into use in practical applications for your reference.
Some important information about the vrosyslog can be logged on the Unix host of the internal network through the syslog mechanism. When the vro is running, the vro sends log information to the log host, including the link establishment Failure Information and packet filtering information. By logging on to the log host, the network administrator can understand the log events, log files can be analyzed to help administrators locate, troubleshoot, and manage network security.
Recognize syslog Devices
First, we will introduce the syslog device, which is a standard Unix tracking mechanism. syslog can record local events or events on another host over the network, write the information to a file or device, or send a message to the user. The syslog mechanism is mainly based on two important files:/etc/syslogd (Daemon) and/etc/syslog. in the conf configuration file, syslogd is controlled by/etc/syslog. conf. The syslog. conf file specifies the log behavior recorded by the syslogd program. The program queries the syslog. conf configuration file at startup. This file consists of a single entry of different programs or message categories, each occupying a row. Provides a selection domain and an action domain for each type of message. These fields are separated by tabs (Note: they can only be separated by the tab key, rather than the space key). Select a field to specify the type and priority of the message; the action field specifies the action that sysloqd performs when receiving a message that matches the selection criteria. Each option is composed of a device and a priority. That is to say, the first column is "under what circumstances" and "to what extent ". Then, press the TAB key to jump to the next column and continue to write "what to do after the conditions are met ". When a priority is specified, syslogd records two messages with the same or higher priority. The action fields in each row indicate where to send a specified message to the selected domain.
The first column contains the conditions and degrees separated by the decimal point. The detailed settings are as follows:
1. Under what circumstances should a record be recorded?
Different situations are determined by the following Yu strings:
Auth about system security and user authentication;
Cron: CronTable );
Daemon background execution program;
Ken about the system core;
Ipr about printers;
Mai1 email;
News about the news forum;
Syslog information about the system record itself;
User;
Uucp about UNIX mutual copy (UUCP ).
2. To what extent P is recorded
Table 1 lists different system conditions, which are prioritized.
| Table 1 |
For example, if you want the system to record events of the info level, the events of notice, err, warning, Crit, alert, and emerg above the info level will also be recorded. Combining the items 1 and 2 in the preceding statement with the decimal point is a complete writing of "what to record. For example, mail.info indicates general information about the email delivery system. Auth. emerg is serious information about system security. Ipr. none indicates not to record printer information (usually used in combination when there are multiple record conditions ). There are also three special symbols available:
Asterisk (*): represents all items in a specific item. For example, mail. * indicates that all emails are recorded to any degree. *. Info records all infn events.
Equal sign (=): indicates that only the current level is recorded, and the level on it is not recorded. For example, in the above example, when you write down the info level, the notice. err. warning, crit, alert, and emerg levels on the info level are also recorded. However, if you write = info, only the info level is recorded.
Exclamation point (!) : Do not record the current level and its level.
3. record storage location
Sysloqd provides the following methods for you to record system events:
General Files
This is the most common method. You can specify the file path and name, but the file name must start with the directory symbol. For example,/var/adm/maillog indicates that a file named maillog under/var/adm is to be recorded. If you do not have this file, the system will automatically generate one.
Specified terminal or other devices
You can also write system records to a terminal or device. If the system records are written to the terminal, the user who is currently using the terminal will directly see the system information on the screen (such as/dev/conso old or/dev/tty1, you can use a screen to display system information ). If you write system records to a printer (for example,/dev /! P0 )., Then you will have a long piece of paper full of system records, so that network intruders will not be able to modify logs to hide intrusion traces.
Specified remote host
If you do not record the system information on the local machine, you can write down the name of another host on the network and add the "@" symbol (for example, (@) ccunix1.variox.int) before the host name, but sysloqd must be available on the host you specified ). This prevents log files from being lost due to hard disk errors.
The above is how syslog records are written and recorded. You can record what you need as needed. However, these records are always appended. Unless you delete the files, these files will become larger and larger. Syslog device is a notable target for network attackers. You can modify logs to hide intrusion traces. Therefore, pay special attention to it. It is best to develop the habit of regularly checking the record files every week (or shorter time) and back up the expired record files according to the serial number or date. It will be easier to check them later. Do not record *. *. As a result, the file is too large and cannot be found immediately when you are looking for information. When someone is recording network logs, they need to record who else can ping his host. This not only reduces system efficiency but also increases disk usage.
How to configure the vro log function
First, perform the following operations on the UNIX host, and enter with Super User Registration:
Related Articles]
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
