The network element must log all messages except debugging and send all log data to a syslog server.
Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process.
Configure the network device to log all messages except debugging and send all log data to a syslog server.
Cisco IOS routers and switches use level 6 (informational) when logging packets that are dropped via access control list. (%SEC-6-IPACCESSLOGNP: list 1 denied 0 184.108.40.206 -> 220.127.116.11, 1 packet). Hence, it is imperative that log messages at level 6 are captured for further analysis and incident reporting. However, these messages do not need to go to the console, but must go to the syslog server. To avoid being locked out of the console in the event of an intensive log message generation such as when a large number of packets are being dropped, you can implement any of the following: 1. Limit the amount of logging based on same packet matching via the access-list log-update threshold command. The configured threshold specifies how often syslog messages are generated and sent after the initial packet match on a per flow basis. 2. Rate-limit messages at specific severity levels destined to be logged at the console via logging rate-limit command. 3. Have only messages at levels 0-5 (or 0-4) go to the console and messages at level 0-6 go to the syslog server. The buffer could be set to notification level or altered to a different level when required (i.e. debugging). Following would be an example configuration: ! logging buffered 4096 informational logging console notifications … ! logging trap debugging logging host 18.104.22.168 ! The default state for logging is on and the default for the syslog server is informational (i.e. logging trap informational). Hence, the commands logging on and logging trap informational will not be shown via show run command. Hence, have the operator issue a show logging command to verify logging is on and the level for the syslog server (i.e. trap). R1#show logging Syslog logging: enabled (12 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled) … Console logging: level notifications, 56 messages logged, xml disabled, filtering disabled Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled Buffer logging: level informational, 6 messages logged, xml disabled, filtering disabled … Trap logging: level informational, 73 message lines logged Logging to 22.214.171.124 (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 37 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled The table below lists the severity levels and message types for all log data. Severity Level Message Type 0 Emergencies 1 Alerts 2 Critical 3 Errors 4 Warning 5 Notifications 6 Informational 7 Debugging
Information Assurance Officer