Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
735
Views
0
Helpful
4
Replies

Auditing on Device

David Griffith
Level 1
Level 1

‎02-23-2012 07:54 AM

Hello....

I am currently setting up auditing on my router, but I want to do it correctly and safely since I do not want to overwhelm anything that could cause my router to fail, and therefore, customers go down and which could potentially be very serious in my circumstance.

In any event, I want to enable logging on all severity levels. I do not have a syslog server connected to my router, and I do not keep a standalone connected to my router 24/7; I guess I am logging on to the device the old fashion way until I receive services that will allow me to remotely connect to my router. Since my services and the tools I have are limited, I generally console in to the router to conduct any configuration changes necessary for troublshooting.

So daily, I am required to audit my device and store everything on file; I want all output to send to my buffer without overwhelming my device. After typing in the show memory free command, I see I have the following free space.

Processor :           1846163716

I/O:                       57924484

Transient               16749592

I have to review set to audit the majority of all logging levels..

My question, what will be a safe size to allocate all logging levels by exercising caution with the amount of free memory provided? I know my math, but I don't want to utilize all of my free space.

logging buffered #####  informational

logging buffered #####  notification

logging buffered ##### warnings

logging buffered ##### errors

logging buffered ##### critical

logging buffered ##### alerts

logging buffered #### emergencies.

Thanks again for taking time.

Cameron

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-23-2012 03:19 PM

If you use "logging buffered #####  informational" (severity level 6) it will include the other type of log events (levels 5 through 0) that you listed above.

Regarding the memory, if you're logging in daily to extract and clear the log, you can allocate a reasonable amount
(say 25% of free memory or even less) and then see if the buffer fills up that allocation. If you are getting more than the allocated 25% used by the logging, I'd say you very likely have a problem whose root cause should be addressed to remedy the number of log messages being generated. If that's not possible, then I'd say you have a good justification for an external syslog server.

0 Helpful

David Griffith
Level 1
Level 1
In response to Marvin Rhoads

‎02-24-2012 06:24 AM

hey Marvin...

Thanks for your response.

Are you saying "logging buffered informational will give me better results or enough of what I need to audit instead of "logging buffered ####### debugging" ?

For the memory-

Over time yesterday after posting this discussion, I did find as you mentioned in your response that a reasonable(safe) amount to allocate is 25%... After typing the #"dir" command, I received 64229376, so I multiplied of course by .25 and I got 16057344.

# logging buffered 16057344 informational

** that was the easy part :-) , but after typing

# default logging queue-limit

# sh run

the configuration had a statement "no logging queue-limit", So according to a Cisco support document I found, "by default logging queue-limit does queue messages as well", but after doing a sh run command, I see the statement displayed as "no logging queue-limit", so I said.. ok... what is a safe queue-limit size? Is it 100? ---Just making sure.

Also, how do I know if I am getting more than 25% allocated. I was afraid to apply the logging buffered ### informational command without setting the logging queue-limit to avoid any conflicts with the router. I did give it a test run, and within 3 minutes, I received over 80 messages.... I thinking. .that's going to consume a lot of paper to be stored... I am still searching if there would be a easier way to filter all of the levels.

so ... I guess.. my biggest test run is to find out how many messages(hours worth) can it store with the amount of memory allocated to be buffered. Unfortunately, it's Friday, so I guess I'll wait till Monday morning to give it a test run; then Tuesday, I'll extract the show logging command the next morning at the same time I kicked off the logging. Or.. may I ask, do you have any other suggestions? I am pushing to get funds so this place can have a syslog server; otherwise, this sure feels like I am going back to the stone age! lol!

Also, if the buffer fills up, will begin dropping packets one  by one begining with the oldest?

Thanks for taking time!

cameron

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to David Griffith

‎02-24-2012 07:58 AM

Cameron,

You didn't mention debug logging in your original post. I was only pointing out that once you add a given severity level type of "logging buffered" that it includes all the more severe levels.

Few people ever tweak the queue-limit in my experience. I'd level it alone unless you have reason to believe it's causing you problems.

When your logging buffer uses the allocated memory, it will drop the oldest messages as newer ones comes in.

A syslog server doesn't need to be anything fancy. An enterprising network admin can build one on a no name hand-me-down system running Linux.

0 Helpful

David Griffith
Level 1
Level 1

‎02-28-2012 01:13 PM

You're right.. Sorry... you're right.. lol I setted the buffered size to a number adequate to the amount of free memory(15% to be safe).. but I am still getting alot of dropped packets.. I checked my AcLS to ensure I wasn't logging permit statements; I had a few; so therefore, I removed the "log" statements after each permit statements. I a had a few by the way. In any event, because of the missed packets, I set the rate-limited to 50 except emergency. I guess I'll know how many packets were dropped or recorded from the time it was set till tomorrow morning. But I have a feeling with the amount of memory available and what was allocated, I don't think I'll get at least 12 hours worth of audit logs. I can see all of the packets denied. I can verify all logged messaged associated with ips in my block list and Bogon list; but I can't idenfity the severity levels. Sorry to sound unprepared or uneducated, but this is my first time to set up auditing on a router as oppossed to viewing it on a syslog server. I guess to sum it all up base on what I had mentioned earlier, after applying the show logging command, how can you dictate and identify each severity after typing a show logging command? Thanks for taking time! Cameron

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents