Router Log analysis and setup

Source: Internet
Author: User
Tags: auth, syslog, disk usage

Logs are important for network security. They record the many things that happen in a system every day, and you can use them to find the cause of an error or the traces an attacker left behind at the time of an attack. Routers are hubs for all kinds of information transmission; they are widely used in the networks of enterprises and institutions, where they connect local area networks to one another and to the WAN.

Cisco routers are widely used across many industries. What follows is some of the experience with Cisco router log settings that the author has accumulated in daily work. These examples have been debugged and put into use in practice, and are offered for your reference.

Important information about the router can be logged to a UNIX host on the internal network through the syslog mechanism. While the router operates, it sends log messages, including link establishment failures and packet filtering events, to the log host. By examining the log files, the network administrator can understand the logged events, locate and troubleshoot faults, and manage the security of the network.

Understanding the Syslog Device

First, the syslog facility is the standard UNIX event-recording mechanism. It allows syslog to record local events, or events from another host over the network, and then write that information to a file or a device, or send a message to a user. The syslog mechanism is based on two important files: /etc/syslogd (the daemon) and the configuration file /etc/syslog.conf, which controls syslogd. The syslog.conf file describes how the syslogd program records log messages; the program reads the configuration file at startup.

The file consists of entries for different programs or message classes, one entry per line. Each entry provides a selector field and an action field. The fields are separated by a TAB (note: only the TAB key may be used as the separator, not the space bar). The selector field specifies the type and priority of the message; the action field specifies what syslogd does when it receives a message that matches the selector. Each selector is made up of a facility and a priority. In other words, the first column says "under what circumstances" and "to what extent", and after a TAB the second column says "what to do once a message qualifies". When a priority is given, syslogd records all messages of that priority or higher. The action field of each line says where the selected messages are sent.

The first column states the situation (facility) and the level (priority), separated by a period. The details are as follows:

1. Under what circumstances is a record made?

The different situations are identified by the following keywords (facilities):

auth, for system security and user authentication;

cron, for automatically scheduled jobs (crontab);

daemon, for background programs;

kern, for the system kernel;

lpr, for printers;

mail, for e-mail;

news, for the news discussion system;

syslog, for the system logger itself;

user, for user processes;

uucp, for UNIX-to-UNIX copy (UUCP).

2. At what level is it recorded?

Table 1 lists the various system conditions (priority levels), sorted by priority.

Table 1 (priority levels, sorted by severity; the table itself is not reproduced on this page)

For example, if you want the system to record events of level info, then the levels above info (notice, err, warning, crit, alert, emerg, and so on) will be recorded as well. Combining 1 and 2 above with a period gives a complete "what to record" specification. For example, mail.info stands for general information from the e-mail delivery system; auth.emerg is the most serious system security information; lpr.none means that information about the printer is not recorded (usually used in combination with other selectors on the same line). Three further special symbols can be used:

Asterisk (*): stands for all items in a position. For example, mail.* means that anything concerning mail is recorded, whatever its level, and *.info records all events of level info and above.

Equal sign (=): indicates that only the given level is recorded, and the levels above it are not. In the example above, writing info normally records the info level together with the levels above it (notice, err, warning, crit, alert, emerg, and so on). If you write =info, only the info level is recorded.

Exclamation point (!): indicates that the given level and the levels above it are not recorded.

3. Where the records are stored

syslogd provides the following ways of recording the events that occur on your system:

Ordinary files

This is the most common method. You can specify a path and file name, but it must begin with the directory symbol "/" for the system to recognise it as a file. For example, /var/adm/maillog records to a file named maillog under /var/adm. If the file does not exist yet, the system creates it automatically.

A terminal or other device

You can also write the system records to a terminal or a device. If you write them to a terminal (for example /dev/console or /dev/tty1), the user currently on that terminal sees the system messages directly on the screen, so a screen can be dedicated to displaying system information. If you write them to a printer (for example /dev/lp0), you get a paper strip full of system records, which a network intruder cannot modify to hide the traces of the intrusion.

A specified remote host

If you do not want to keep the system records on the local machine, you can write the name of another host on the network, preceded by the "@" sign (for example @ccunix1.variox.int); syslogd must be running on the host you specify. This prevents the log files from being lost because of a hard disk error.

The above describes the syslog record levels and how to write the records, so you can record exactly what you need. But these records are always appended: unless you delete the files yourself, they will keep growing. The syslog facility is a prime target for a network attacker who wants to hide the traces of an intrusion by modifying the logs, so it deserves special attention. It is best to adopt a weekly (or shorter) routine of checking the files regularly, and to back up outdated records by serial number or date, which makes them easier to look up later. Do not record *.*: if everything is recorded, the files become so large that you cannot find the information you need quickly. With *.* in effect, every login and even a ping to the host gets recorded, which reduces system efficiency and increases disk usage.
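To make the selector rules above concrete, here is an added example (not from the original article) that models how syslogd decides which actions receive a message of a given facility and priority, run over a constructed syslog.conf; the local7 facility for router messages and all file paths are assumptions.

```python
# Added example (not from the original article): a small model of the
# syslog.conf selector rules above, run over a constructed config.
# The local7 facility and all file paths are assumptions.
PRIORITIES = "debug info notice warning err crit alert emerg".split()

SAMPLE_CONF = "\n".join([                         # columns separated by TAB
    "mail.info\t/var/adm/maillog",
    "auth.emerg\t/dev/console",
    "*.=info;lpr.none\t/var/adm/info_only",       # info only, never printer
    "local7.debug\t/var/adm/R2509_debug",         # assumed router facility
    "*.crit\t@loghost.example",                   # forward to remote host
])

def parse_conf(text):
    """Return [(selectors, action)]; a selector is (facility, flag, level)."""
    rules = []
    for line in text.splitlines():
        sel_field, action = line.split("\t", 1)
        selectors = []
        for sel in sel_field.split(";"):
            facs, level = sel.rsplit(".", 1)
            flag = level[0] if level[0] in "=!" else ""  # = exact, ! exclude
            selectors += [(f, flag, level.lstrip("=!")) for f in facs.split(",")]
        rules.append((selectors, action))
    return rules

def matches(selector, facility, priority):
    fac, flag, level = selector
    if fac not in ("*", facility):
        return None                               # selector says nothing
    if level == "none":
        return False                              # explicit exclusion
    rank, want = PRIORITIES.index(priority), PRIORITIES.index(level)
    if flag == "=":
        return rank == want                       # only this exact level
    if flag == "!":
        return rank < want                        # not this level or above
    return rank >= want                           # this level or above

def actions_for(rules, facility, priority):
    """Actions that receive a message; the last deciding selector wins."""
    out = []
    for selectors, action in rules:
        decision = None
        for sel in selectors:
            d = matches(sel, facility, priority)
            decision = d if d is not None else decision
        if decision:
            out.append(action)
    return out
```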

How to set up the router log function

First, log in to the UNIX host as the superuser and do the following:

Here 168.1.1.2 is the IP address of the log host. Some of the router's operations will be recorded in the two files Mail_debug and R2509_debug.
