Logging on Cisco IOS Routers
Note: From version 4.17, though Cisco Security Manager continues to support IOS features/functionality, it does not support any bug fixes or enhancements.
Security Manager provides the following policies for configuring logging on a Cisco IOS router:
- Syslog Logging Setup—Enable the syslog-logging feature, and define basic logging parameters. For more information, see Defining Syslog Logging Setup Parameters.
- Syslog Servers—Define the remote servers to which syslog messages are sent. For more information, see Defining Syslog Servers.
- NetFlow—Enable NetFlow logging by providing parameters and interfaces. See Defining NetFlow Parameters for more information.
Note: We strongly recommend configuring a Network Time Protocol (NTP) policy on all routers on which logging is enabled. NTP synchronization provides accurate timestamps for syslog messages, which is essential for comparing logs on multiple devices.
Defining Syslog Logging Setup Parameters
This procedure describes enabling syslog logging on the router, and defining which messages are sent to a syslog server. In addition, you can optionally define:
- The source interface for all syslog messages sent from this device.
- The messages that are saved to a local buffer.
- An origin identifier added to each message.
- A rate limit on the number of messages that can be sent.
Note: To send syslog messages from the router to a syslog server, you must also define the IP address of the syslog server. For more information, see Defining Syslog Servers.
Procedure
Step 1. Do one of the following to access the router’s Syslog Logging Setup page:
The Syslog Logging Setup page is displayed. See Table 1 for a description of the fields on this page.
Step 2. Select Enable Logging to turn on the syslog logging feature. If this option is not selected, no log messages are created.
Step 3. (Optional) In the Source Interface field, enter the name of the interface or interface role whose address should be used as the source interface for all log messages sent to a syslog server; or click Select to select an interface role from a list or to create a new one. The source interface must have an IP address. This option is useful when the syslog server cannot reach the address from which the connection originated (for example, due to a firewall). If you do not enter a value in this field, the address of the outgoing interface is used.
Step 4. (Optional) To send log messages to a syslog server:
Step 5. (Optional) To save log messages locally to a buffer on the router:
Step 6. (Optional) Define a rate limit to prevent a flood of output messages:
Step 7. (Optional) To add an origin identifier to the beginning of each syslog message:
Defining Syslog Servers
This procedure describes how to define the servers to which the router should send syslog messages. When you define a syslog server, you can choose whether the logging messages it receives should be forwarded as plain text or in XML format.
If you define multiple syslog servers, logging messages are sent to all of them.
Before You Begin
- Enable syslog logging and define basic logging parameters on the Syslog Logging Setup page. For more information, see Defining Syslog Logging Setup Parameters.
Procedure
Step 1. Do one of the following to access the router’s Syslog Servers page:
The Syslog Servers page is displayed. See Table 1 for a description of the fields on this page.
Step 2. To define a server to receive syslog messages from this router, click the Add button below the table to open the Syslog Server dialog box. See Table 1 for more about this dialog box.
Step 3. In the IP Address field, enter the address of the desired syslog server, or click Select to select a network/host object from a list or to create a new one. For more information, see Specifying IP Addresses During Policy Definition.
Step 4. (Optional) Select Forward Messages in XML Format to forward received syslog messages in XML format instead of plain text.
Step 5. Click OK to save your definition and close the dialog box. The syslog server you defined is displayed in the table.
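The two procedures above (Syslog Logging Setup and Syslog Servers) and the NTP note at the top of this page describe settings that end up as `logging` and `ntp` lines in the router's running configuration. The following Python script is an added example, not part of Security Manager or Cisco IOS: it reads a running-config fragment, extracts those settings, and lists what a reviewer would flag (logging disabled, no syslog server, no source interface, no NTP). The configuration it parses is constructed for the example; the severity keywords it accepts are the IOS CLI spellings of the levels in the table later on this page.

```python
"""Audit a router's running-config for the syslog settings this page's
procedures define.  Added example (not Security Manager's own code); the
sample configuration below is constructed."""
import re
from typing import Dict, List, Optional

# Severity levels from the table on this page, keyed by the keyword spellings
# IOS accepts on the CLI (levels 0 and 1 are spelled emergencies/alerts there).
SEVERITY_BY_KEYWORD = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed running-config fragment with every optional setting present.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
logging buffered 16384 warnings
logging rate-limit 100 except errors
logging origin-id hostname
logging source-interface Loopback0
logging trap informational
logging host 192.0.2.10
logging host 192.0.2.11 xml
!
ntp server 192.0.2.5
"""


def severity_to_int(token: str) -> Optional[int]:
    """Accept either the numeric level or its CLI keyword; None if neither."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return SEVERITY_BY_KEYWORD.get(token)


def audit_logging_config(config: str) -> Dict[str, object]:
    """Extract the logging settings and list what a defender would flag."""
    result: Dict[str, object] = {
        "logging_enabled": True,   # 'logging on' is the default and is not shown
        "syslog_hosts": [], "xml_hosts": [],
        "source_interface": None, "trap_level": None, "buffered_level": None,
        "origin_id": None, "rate_limit": None, "ntp_configured": False,
    }
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line == "no logging on":
            result["logging_enabled"] = False
        elif line.startswith("logging host "):
            result["syslog_hosts"].append(parts[2])
            if "xml" in parts[3:]:
                result["xml_hosts"].append(parts[2])
        elif line.startswith("logging source-interface "):
            result["source_interface"] = parts[2]
        elif line.startswith("logging trap "):
            result["trap_level"] = severity_to_int(parts[2])
        elif line.startswith("logging buffered") and len(parts) > 2:
            # "logging buffered [size] [level]": the level, if given, is the last token
            result["buffered_level"] = severity_to_int(parts[-1])
        elif line.startswith("logging origin-id "):
            result["origin_id"] = " ".join(parts[2:])
        elif line.startswith("logging rate-limit "):
            m = re.match(r"logging rate-limit (?:all |console (?:all )?)?(\d+)", line)
            if m:
                result["rate_limit"] = int(m.group(1))
        elif line.startswith(("ntp server ", "ntp peer ")):
            result["ntp_configured"] = True

    findings: List[str] = []
    if not result["logging_enabled"]:
        findings.append("syslog logging is disabled (no logging on)")
    if not result["syslog_hosts"]:
        findings.append("no syslog server defined; messages stay on the device")
    if result["source_interface"] is None:
        findings.append("no logging source-interface; source address follows the outgoing interface")
    if not result["ntp_configured"]:
        findings.append("no NTP server; timestamps cannot be compared across devices")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for key, value in audit_logging_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run the script against the output of `show running-config` to confirm that the policy Security Manager deployed is what the device actually runs; an empty `findings` list means every item the procedures above call for is present.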
Understanding Log Message Severity Levels
Syslog messages on Cisco IOS routers are classified into eight severity levels. Each severity level is identified by a number and a corresponding name. The lower the number, the greater the severity, as shown in the following table.
| Level Number | Level Name | Description |
|---|---|---|
| 0 | emergency | System unusable |
| 1 | alert | Immediate action needed |
| 2 | critical | Critical conditions |
| 3 | errors | Error conditions |
| 4 | warnings | Warning conditions |
| 5 | notifications | Normal but significant condition |
| 6 | informational | Informational messages only |
| 7 | debugging | Debug messages |
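The severity number appears in every IOS message as the middle field of `%FACILITY-SEVERITY-MNEMONIC`, and, when the message is sent to a syslog server, again inside the leading `<PRI>` value (facility × 8 + severity). The following Python parser is an added example, not Cisco code: it decodes both, maps the number to the level name from the table above, flags lines whose two severities disagree, and applies the same threshold rule a trap level uses (the configured level and everything more severe). The sample lines are constructed; the third one deliberately carries a `<PRI>` that disagrees with its body.

```python
"""Parse Cisco IOS syslog lines, decode the severity level and apply a
'logging trap'-style severity threshold.  Added example, not Cisco code; the
sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity table from this page (number -> name).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Syslog <PRI> prefix on the wire: PRI = facility * 8 + severity (RFC 3164/5424).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# IOS message body: %FACILITY-SEVERITY-MNEMONIC: text, preceded by an optional
# sequence number and timestamp that this parser skips.
BODY_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")

# Constructed sample; the third line's <PRI> deliberately disagrees with the body.
SAMPLE_LINES = [
    "<189>12: *Mar  1 00:01:02.345: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.7)",
    "<187>13: *Mar  1 00:01:05.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>14: *Mar  1 00:01:05.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<191>15: *Mar  1 00:01:09.500: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: ops): test",
    "plain text that is not an IOS syslog message",
]


@dataclass
class IosSyslogMessage:
    facility: Optional[int]      # syslog facility from <PRI> (IOS default is local7 = 23)
    pri_severity: Optional[int]  # severity from <PRI>; None if no <PRI> prefix
    ios_facility: str            # e.g. SYS, LINK
    severity: int                # 0-7 from the %FAC-SEV-MNEMONIC field
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def consistent(self) -> bool:
        """True when the <PRI> severity matches the one embedded in the message."""
        return self.pri_severity is None or self.pri_severity == self.severity


def parse_ios_syslog(line: str) -> Optional[IosSyslogMessage]:
    facility = pri_severity = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        if pri > 191:            # 23 * 8 + 7 is the largest legal PRI
            return None
        facility, pri_severity = divmod(pri, 8)
        line = line[m.end():]
    body = BODY_RE.search(line)
    if body is None:
        return None
    return IosSyslogMessage(facility, pri_severity, body.group(1),
                            int(body.group(2)), body.group(3), body.group(4))


def forwarded_at(messages: List[IosSyslogMessage], trap_level: int) -> List[IosSyslogMessage]:
    """Messages a trap setting of <trap_level> sends to the server: the
    configured level and everything more severe (lower number)."""
    return [msg for msg in messages if msg.severity <= trap_level]


if __name__ == "__main__":
    parsed = [parse_ios_syslog(line) for line in SAMPLE_LINES]
    for msg in parsed:
        if msg is not None:
            flag = "" if msg.consistent else "  <-- PRI/body severity mismatch"
            print(f"{msg.severity} {msg.severity_name:<13} %{msg.ios_facility}-{msg.mnemonic}{flag}")
```

A collector that keys alerting on the `<PRI>` alone would treat the third sample line as informational; checking it against the embedded severity is a cheap consistency test when messages pass through relays that rewrite the priority.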
NetFlow on Cisco IOS Routers
Note: From version 4.17, though Cisco Security Manager continues to support IOS features/functionality, it does not support any bug fixes or enhancements.
The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance and troubleshooting. Monitoring IP traffic flows facilitates accurate capacity planning, and ensures that network resources are used appropriately in support of organizational goals.
NetFlow is a logging feature available on IOS devices for recording, caching and transmitting IP traffic-flow information on a per-interface basis. The basic output of NetFlow is a flow record, where a “flow” is defined as a unidirectional stream of packets between a given source and destination—both defined by a network-layer IP address and transport-layer source and destination port numbers.
On the IOS device, NetFlow consists of two key components—a NetFlow cache which stores IP flow data, and the NetFlow export mechanism that transmits the NetFlow records to a collection server for data reporting. Thus, when enabled, NetFlow records and caches statistics for incoming and outgoing traffic flows, periodically transmitting these records from the device to a NetFlow collector, in the form of User Datagram Protocol (UDP) datagrams.
Several different formats for the export packet, or flow record, have evolved as NetFlow has matured, and these formats are commonly referred to as the NetFlow version. These versions are well documented, and include versions 1, 5, 7, and 9. The most commonly used format is NetFlow version 5, but version 9 is the latest format and has some advantages for extensibility, security, traffic analysis and multicasting.
Security Manager currently supports Traditional NetFlow on IOS devices. Traditional NetFlow provides a fixed flow record, even for version 9, meaning the device will use certain flags and predefined record combinations in generating the flow. The device configuration settings define export destinations, export interface, and certain version-specific transmission options.
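The paragraphs above describe the export side in general terms: fixed-format flow records carried to the collector in UDP datagrams, with version 5 the most common format. The following Python module is an added example, not Cisco code, showing both ends of that exchange for version 5: the exporter packs a 24-byte header and 48-byte records (at most 30 per datagram, the v5 limit), and the collector unpacks them and rejects datagrams whose version or length does not match. The flow it encodes is constructed.

```python
"""Encode and decode NetFlow version 5 export datagrams.  Added example, not
Cisco code; the wire layout follows the published v5 format (24-byte header,
48-byte records, at most 30 records per datagram) and the sample flow is
constructed."""
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
V5_MAX_RECORDS = 30


@dataclass
class V5Flow:
    src_ip: str
    dst_ip: str
    next_hop: str
    input_if: int        # SNMP ifIndex of the input interface
    output_if: int
    packets: int
    octets: int
    first_ms: int        # SysUptime (ms) at the first packet of the flow
    last_ms: int         # SysUptime (ms) at the last packet of the flow
    src_port: int
    dst_port: int
    tcp_flags: int       # cumulative OR of TCP flags seen
    protocol: int
    tos: int
    src_as: int = 0
    dst_as: int = 0
    src_mask: int = 0
    dst_mask: int = 0

    def pack(self) -> bytes:
        return V5_RECORD.pack(
            socket.inet_aton(self.src_ip), socket.inet_aton(self.dst_ip),
            socket.inet_aton(self.next_hop), self.input_if, self.output_if,
            self.packets, self.octets, self.first_ms, self.last_ms,
            self.src_port, self.dst_port, 0, self.tcp_flags, self.protocol,
            self.tos, self.src_as, self.dst_as, self.src_mask, self.dst_mask, 0)

    @classmethod
    def unpack(cls, raw: bytes) -> "V5Flow":
        f = V5_RECORD.unpack(raw)          # f[11] and f[19] are padding
        return cls(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), socket.inet_ntoa(f[2]),
                   f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10],
                   f[12], f[13], f[14], f[15], f[16], f[17], f[18])


def encode_v5(flows: List[V5Flow], sys_uptime_ms: int, unix_secs: int,
              unix_nsecs: int, flow_sequence: int, engine_id: int = 0,
              sampling_interval: int = 0) -> bytes:
    """Exporter side: build one export datagram."""
    if not 0 < len(flows) <= V5_MAX_RECORDS:
        raise ValueError(f"a v5 datagram carries 1..{V5_MAX_RECORDS} records, got {len(flows)}")
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, unix_nsecs,
                            flow_sequence, 0, engine_id, sampling_interval)
    return header + b"".join(flow.pack() for flow in flows)


def decode_v5(datagram: bytes) -> Tuple[Dict[str, int], List[V5Flow]]:
    """Collector side: parse a datagram, rejecting malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq, engine_type, engine_id,
     sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": engine_type, "engine_id": engine_id,
              "sampling_interval": sampling}
    body = datagram[V5_HEADER.size:]
    flows = [V5Flow.unpack(body[i * V5_RECORD.size:(i + 1) * V5_RECORD.size])
             for i in range(count)]
    return header, flows


def rejects(fn: Callable, *args) -> bool:
    """True when fn(*args) raises ValueError (used to exercise the checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed flow: a TLS connection entering on ifIndex 1 and leaving via ifIndex 2.
SAMPLE_FLOW = V5Flow("10.0.0.5", "192.0.2.10", "203.0.113.1", 1, 2, 14, 2113,
                     120000, 120950, 40000, 443, 0x1B, 6, 0)


def roundtrip_sample() -> Tuple[Dict[str, int], List[V5Flow]]:
    datagram = encode_v5([SAMPLE_FLOW], sys_uptime_ms=121000,
                         unix_secs=1700000000, unix_nsecs=0, flow_sequence=1)
    return decode_v5(datagram)


if __name__ == "__main__":
    header, flows = roundtrip_sample()
    print(header)
    print(flows[0])
```

Because the transport is UDP, the collector has no session to fall back on; the `flow_sequence` field in the header is the only way to notice lost datagrams, and the version and length checks in `decode_v5` are the minimum a listener should apply before trusting a record.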
More About Traffic Flows and NetFlow
Each packet that passes into or out of a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or “fingerprint,” and they define whether the packet is unique, or related to other packets.
All packets with the same source/destination IP address, source/destination ports, protocol, interface, and class of service are grouped into a flow, and the packets and bytes are tallied. This method of flow determination (or “fingerprinting”) is scalable because a large amount of network information can be condensed into a database of NetFlow information called the NetFlow cache.
In general, the NetFlow cache is constantly filling with flows, and software in the router or switch is searching the cache for flows that have terminated or expired, and these flows are exported to the NetFlow collector. (Unlike SNMP polling, NetFlow export periodically transmits information to the NetFlow collector.) The NetFlow collector has the job of assembling and organizing the exported flows to produce the real-time or historical reports used for traffic and security analysis.
NetFlow Summary
To summarize, the following steps outline NetFlow:
- NetFlow is configured on the router or switch to capture IP traffic flows
- Flow records are stored in the local NetFlow cache
- Periodically, approximately 30 to 50 flow records are bundled together and exported to a NetFlow collector server
- The collector software creates reports from the NetFlow data
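The description of the NetFlow cache above (packets fingerprinted by their key fields, grouped into unidirectional flows, tallied, and exported once they terminate or expire) is small enough to model directly. The following Python module is an added example, not Cisco code: it keys flows on the fields the text names, counts packets and bytes, expires flows that have gone idle or exceeded an active timeout, and bundles the expired records into export-sized batches. The packet trace is constructed, and the timeouts are assumptions (the values used are the IOS defaults of 30 minutes active and 15 seconds inactive; the batch size of 30 is the version 5 per-datagram limit).

```python
"""Toy NetFlow cache: group packets into unidirectional flows by the key fields
named on this page, tally packets and bytes, expire finished flows and bundle
them for export.  Added example, not Cisco code; the packet trace is constructed
and the timeouts are assumed (IOS defaults: 30 minutes active, 15 seconds inactive)."""
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple


class FlowKey(NamedTuple):
    """The packet 'fingerprint': packets with equal keys belong to one flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    input_if: int
    tos: int


@dataclass
class FlowRecord:
    key: FlowKey
    packets: int
    octets: int
    first_seen: float
    last_seen: float


class NetFlowCache:
    def __init__(self, active_timeout: float = 1800.0, inactive_timeout: float = 15.0,
                 max_per_export: int = 30) -> None:
        self.active_timeout = active_timeout      # long-lived flows are cut and exported at this age
        self.inactive_timeout = inactive_timeout  # idle flows are considered finished after this
        self.max_per_export = max_per_export      # v5 datagrams carry at most 30 records
        self.flows: Dict[FlowKey, FlowRecord] = {}

    def observe(self, key: FlowKey, length: int, now: float) -> None:
        """Account one packet to its flow, creating the flow on first sight."""
        rec = self.flows.get(key)
        if rec is None:
            self.flows[key] = FlowRecord(key, 1, length, now, now)
        else:
            rec.packets += 1
            rec.octets += length
            rec.last_seen = now

    def expire(self, now: float) -> List[FlowRecord]:
        """Remove and return flows that have gone idle or exceeded the active timeout."""
        done = [rec for rec in self.flows.values()
                if now - rec.last_seen >= self.inactive_timeout
                or now - rec.first_seen >= self.active_timeout]
        for rec in done:
            del self.flows[rec.key]
        return done

    def export_batches(self, records: List[FlowRecord]) -> List[List[FlowRecord]]:
        """Split expired records into the bundles that become export datagrams."""
        return [records[i:i + self.max_per_export]
                for i in range(0, len(records), self.max_per_export)]


# Constructed packet trace: (time in seconds, key, length in bytes).  The TLS
# session appears as two flows because a flow is unidirectional.
CLIENT = FlowKey("10.0.0.5", "192.0.2.10", 40000, 443, 6, 1, 0)
SERVER = FlowKey("192.0.2.10", "10.0.0.5", 443, 40000, 6, 2, 0)
DNS = FlowKey("10.0.0.5", "192.0.2.53", 53000, 53, 17, 1, 0)
TRACE: List[Tuple[float, FlowKey, int]] = [
    (0.0, CLIENT, 74), (0.5, SERVER, 74), (1.0, CLIENT, 517),
    (1.5, SERVER, 1460), (2.0, CLIENT, 66), (10.0, DNS, 78),
]


def run_trace(now: float = 20.0) -> Tuple[List[FlowRecord], NetFlowCache]:
    """Feed the trace through a fresh cache and expire it at time `now`."""
    cache = NetFlowCache()
    for ts, key, length in TRACE:
        cache.observe(key, length, ts)
    return cache.expire(now), cache


if __name__ == "__main__":
    expired, cache = run_trace()
    for rec in expired:
        print(f"{rec.key.src_ip}:{rec.key.src_port} -> {rec.key.dst_ip}:{rec.key.dst_port} "
              f"proto {rec.key.protocol}: {rec.packets} pkts, {rec.octets} bytes")
    print(f"{len(cache.flows)} flow(s) still active")
```

At the 20-second mark the two halves of the TLS session have been idle for more than the inactive timeout and are exported; the DNS query, seen 10 seconds earlier, is still in the cache. The active timeout matters for the collector's view of long sessions: a transfer that runs for hours is reported as a series of records, each covering one timeout period, rather than as one record at the end.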
Defining NetFlow Parameters
This procedure describes enabling NetFlow logging on the router.
Procedure
Step 1. To access the router’s NetFlow page, do one of the following:
The router’s NetFlow page is displayed. See NetFlow Policy Page for complete descriptions of the fields on this page.
Step 2. On the Setup tab of the NetFlow page, specify global NetFlow parameters for the router:
If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list. You can choose the blank entry to disable this option. Check Enable BGP Nexthop to include BGP next hop information in the flow caches. (Note that with version 5, this information is visible in the caches, but it is not exported.)
Step 3. On the Interfaces tab, define the interfaces for which traffic flows are to be reported.