11-17-2013 09:55 PM
Can anyone help me with how to monitor syslog and user logs (which command a specific user used)? If any software or hardware is needed for this purpose, we will purchase it. Note that our network runs all Cisco devices (router, switch, ASA, etc.) and more than 200 devices are in our network.
Thanks.
11-17-2013 10:47 PM
Most Cisco devices use the syslog protocol to manage system logs and alerts. But unlike their PC and server counterparts, Cisco devices lack large internal storage space for storing these logs. To overcome this limitation, Cisco devices offer the following two options:
TIP
Before configuring a Cisco device to send syslog messages, make sure that it is configured with the right date, time, and time zone. Syslog data would be useless for troubleshooting if it shows the wrong date and time. You should configure all network devices to use NTP. Using NTP ensures a correct and synchronized system clock on all devices within the network. Setting the devices with the accurate time is helpful for event correlation.
To enable syslog functionality in a Cisco network, you must configure the built-in syslog client within the Cisco devices.
Cisco devices use a severity level of warnings through emergencies to generate error messages about software or hardware malfunctions. The debugging level displays the output of debug commands. The notice level displays interface up or down transitions and system restart messages. The informational level displays reload requests and low-process stack messages.
To configure a Cisco IOS-based router for sending syslog messages to an external syslog server, follow the steps in Table 4-11 using privileged EXEC mode.
Step | Command | Purpose |
1 | Router# configure terminal | Enters global configuration mode. |
2 | Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone] | Instructs the system to timestamp syslog messages; the options for the type keyword are debug and log. |
3 | Router(config)#logging host | Specifies the syslog server by IP address or host name; you can specify multiple servers. |
4 | Router(config)# logging trap level | Specifies the kind of messages, by severity level, to be sent to the syslog server. The default is informational and lower. The possible values for level are as follows: Emergency: 0 Use the debug level with caution, because it can generate a large amount of syslog traffic in a busy network. |
5 | Router(config)# logging facility facility-type | Specifies the facility level used by the syslog messages; the default is local7. Possible values are local0, local1, local2, local3, local4, local5, local6, and local7. |
6 | Router(config)# end | Returns to privileged EXEC mode. |
7 | Router# show logging | Displays logging configuration. |
Note
When a level is specified in the logging trap level command, the router is configured to send messages with lower severity levels as well. For example, the logging trap warning command configures the router to send all messages with the severity warning, error, critical, and emergency. Similarly, the logging trap debug command causes the router to send all messages to the syslog server. Exercise caution while enabling the debug level. Because the debug process is assigned a high CPU priority, using it in a busy network can cause the router to crash.
Example 4-12 prepares a Cisco router to send syslog messages at facility local3. Also, the router will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.
Router-Dallas#
Router-Dallas#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router-Dallas(config)#logging 192.168.0.30
Router-Dallas(config)#service timestamps debug datetime localtime show-timezone msec
Router-Dallas(config)#service timestamps log datetime localtime show-timezone msec
Router-Dallas(config)#logging facility local3
Router-Dallas(config)#logging trap warning
Router-Dallas(config)#end
Router-Dallas#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 79 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level warnings, 80 message lines logged
        Logging to 192.168.0.30, 57 message lines logged
To configure a Cisco CatOS-based switch for sending syslog messages to an external syslog server, use the privileged EXEC mode commands shown in Table 4-12.
Step | Command | Purpose |
1 | Switch>(enable) set logging timestamp {enable | disable} | Configures the system to timestamp messages. |
2 | Switch>(enable) set logging server ip-address | Specifies the IP address of the syslog server; a maximum of three servers can be specified. |
3 | Switch>(enable) set logging server severity server_severity_level | Limits messages that are logged to the syslog servers by severity level. |
4 | Switch>(enable) set logging server facility server_facility_parameter | Specifies the facility level that would be used in the message. The default is local7. Apart from the standard facility names listed in Table 4-1, Cisco Catalyst switches use facility names that are specific to the switch. The following facility levels generate syslog messages with fixed severity levels: 5: System, Dynamic-Trunking-Protocol, Port-Aggregation-Protocol, Management, Multilayer Switching 4: CDP, UDLD 2: Other facilities |
5 | Switch>(enable) set logging server enable | Enables the switch to send syslog messages to the syslog servers. |
6 | Switch>(enable) show logging | Displays the logging configuration. |
Example 4-13 prepares a CatOS-based switch to send syslog messages at facility local4. Also, the switch will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.
Console> (enable) set logging timestamp enable
System logging messages timestamp will be enabled.
Console> (enable) set logging server 192.168.0.30
192.168.0.30 added to System logging server table.
Console> (enable) set logging server facility local4
System logging server facility set to <local4>
Console> (enable) set logging server severity 4
System logging server severity set to <4>
Console> (enable) set logging server enable
System logging messages will be sent to the configured syslog servers.
Console> (enable) show logging
Logging buffered size:      500
        timestamp option:   enabled
Logging history size:       1
Logging console:            enabled
Logging server:             enabled
{192.168.0.30}
        server facility:    LOCAL4
        server severity:    warnings(4)
Current Logging Session:    enabled

Facility        Default Severity        Current Session Severity
-------------   -----------------------  ------------------------
cdp             3                       4
drip            2                       4
dtp             5                       4
dvlan           2                       4
earl            2                       4
fddi            2                       4
filesys         2                       4
gvrp            2                       4
ip              2                       4
kernel          2                       4
mcast           2                       4
mgmt            5                       4
mls             5                       4
pagp            5                       4
protfilt        2                       4
pruning         2                       4
radius          2                       4
security        2                       4
snmp            2                       4
spantree        2                       4
sys             5                       4
tac             2                       4
tcp             2                       4
telnet          2                       4
tftp            2                       4
udld            4                       4
vmps            2                       4
vtp             2                       4

0(emergencies)  1(alerts)       2(critical)
3(errors)       4(warnings)     5(notifications)
6(information)  7(debugging)
Console> (enable)
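On the receiving side, the facility and severity chosen in Examples 4-12 and 4-13 arrive encoded in each message's PRI value (facility * 8 + severity, so local3/warning is 156 and the local7 default with a notification is 189). The following Python receiver-side parser is an added example, not code from the post or from Cisco; it assumes the message layout IOS produces with the timestamp options above (`<PRI>seq: *Mon DD HH:MM:SS.mmm TZ: %FACILITY-SEV-MNEMONIC: text`), and the sample lines are constructed, not captured from a real device. Besides decoding messages, it audits whether every device is actually sending at the intended facility and trap level, which is the check a site with 200 devices wants after rolling the configuration out.

```python
import re
from collections import Counter

# Syslog severity numbers, the same scale the "logging trap" keyword uses.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
# Facility codes: local0..local7 are 16..23 (local3 == 19, local7 == 23).
FACILITY = {16 + i: "local%d" % i for i in range(8)}

# Assumed IOS line layout (sequence number optional, timestamp as produced by
# "service timestamps log datetime localtime show-timezone msec").
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<ts>\*?[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Za-z]+)?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample input: two devices at local3/trap warning, one still at the
# local7 default sending a notification, and one line that is not syslog at all.
SAMPLE_LINES = [
    "<155>101: *Nov 17 21:55:03.117 PST: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<156>102: *Nov 17 21:56:41.880 PST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.55] [localport: 22] [Reason: Login Authentication Failed] at 21:56:41 PST Sun Nov 17 2013",
    "<189>77: *Nov 17 21:57:02.004 PST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.10)",
    "this line is not a syslog message",
]


def parse_cisco_syslog(line):
    """Decode one IOS syslog line; returns a dict, or None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility_code, severity_code = divmod(int(m.group("pri")), 8)  # PRI = facility*8 + severity
    return {
        "facility": FACILITY.get(facility_code, str(facility_code)),
        "severity": severity_code,
        "severity_name": SEVERITY[severity_code],
        "timestamp": m.group("ts"),
        "mnemonic": "%%%s-%s-%s" % (m.group("fac"), m.group("sev"), m.group("mnemonic")),
        # The digit inside the mnemonic should agree with the PRI severity.
        "severity_consistent": severity_code == int(m.group("sev")),
        "text": m.group("text"),
    }


def summarize(lines):
    """Count messages per (facility, severity name); also returns how many lines failed to parse."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse_cisco_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        counts[(rec["facility"], rec["severity_name"])] += 1
    return counts, unparsed


def audit_policy(lines, expected_facility="local3", trap_level=4):
    """Return messages a device configured with 'logging facility <expected_facility>' and
    'logging trap <trap_level>' should never have sent: wrong facility, or a severity
    number above the trap level. Each hit points at a device that missed the rollout."""
    return [rec for rec in map(parse_cisco_syslog, lines)
            if rec and (rec["facility"] != expected_facility or rec["severity"] > trap_level)]


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LINES)
    for (facility, name), n in sorted(counts.items()):
        print("%-7s %-14s %d" % (facility, name, n))
    print("unparsed lines:", unparsed)
    for rec in audit_policy(SAMPLE_LINES):
        print("policy violation:", rec["facility"], rec["severity_name"], rec["mnemonic"])
```

Running the file prints a per-facility/severity count and flags the %SYS-5-CONFIG_I message: it arrived at local7 with severity 5, which a router configured as in Example 4-12 would never send, so that device still has the default logging settings. Feeding it real data means reading lines from the syslog server's file instead of SAMPLE_LINES; the parser deliberately returns None rather than raising on anything it does not recognise, so non-Cisco or malformed lines are counted, not lost.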
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html
You can get a free copy of Syslog server from here
http://www.kiwisyslog.com/free-edition.aspx
Hope it helps!!
Regards