Today, we will study the interest of centralized logs and especially how to do it for Cisco Systems (router, switch…). You will as well find the procedure from the command line as Cisco to send some or all of your logs to a remote server. Anyway, in this tutorial we are assuming you already have an operational log server.
First, we must understand what can bring the centralization of logs in architecture and specifically for network elements. Centralization may have several benefits, but its main function is to be able to recover a history of events that occurred on a machine or on an entire network when machines are no longer available.
This can be useful, for example, a hacking attempt have driven machine damage or destructed the logs or if equipment fault occurs. The centralization of logs will then allow us to trace the events that led to the unavailability of the machine. On the other hand, centralization of logs may have a goal of control and supervision. One can indeed want to centralize the logs of a set of machines for better monitoring, indexing or the graph in a system as Kibana.
1) Since the configuration is present on the command line, we will start by opening a terminal. Once on it, we will change the mode as enable:
2) It is important to note that the timestamp, i.e. the time that will be exported logs is of particular importance in the system of centralized logs. It makes it possible to accurately trace logs across multiple machines. This is why the first thing to do is put our machine on the right date and at the right time.
clock set 20:11:00 November 25 2015
3) We will then change the mode configuration to set sending logs.
4) We start by activating the timestamp of the logs:
5) Then configures various parameters to the sending of logs, it starts with the remote server IP:
6) Then you can specify the log facility that will allow us, on the remote server, sort the logs, for example:
logging facility local5
Also an important thing to do is to configure the log-level from which one will take care to send the logs. For various reasons such as performance, you may not want to send all logs to the remote server then we will choose to send logs from a certain level of criticality. Generally, there are these log levels:
* 7 – debugging
* 6- informational
* 5 – notifications
* 4 – warnings
* 3 – errors
* 2 – critical
* 1 – alerts
* 0 – emergencies
You will understand the log level “0” is the most critical case and “7” is the most talkative if many logs are produced. As part of the tutorial, we will for instance send logs of 6-0, so we set the value to “informational”:
logging trap informational
Our Cisco system will now begin to send its logs to the remote server. With this configuration we can now summarize by returning mode enable and then entering “show logging”.
Now that we have configured our Cisco router to send logs to the remote log server must be known to set apart these logs. In Rsyslog, system used in the tutorial on the centralization of logs we mentioned above, go the file “/etc/rsyslog.conf” and add the following line to all incoming logs in log-facility 4 are place in a specific file. For example:
Then we restart this service:
service rsyslog restart
We now need to test our export log Cisco, cause of event logging. Then we will see the file configured in Rsyslog to receive files log-facility 4 logs of our Cisco Router.