Logging on Cisco IOS Routers
Security Manager provides the following policies for configuring logging on a Cisco IOS router:
Note We strongly recommend configuring a Network Time Protocol (NTP) policy on all routers on which logging is enabled. NTP synchronization provides accurate timestamps for syslog messages, which is essential for comparing logs on multiple devices.
Defining Syslog Logging Setup Parameters
This procedure describes enabling syslog logging on the router, and defining which messages are sent to a syslog server. In addition, you can optionally define:
- The source interface for all syslog messages sent from this device.
- The messages that are saved to a local buffer.
- An origin identifier added to each message.
- A rate limit on the number of messages that can be sent.
Note To send syslog messages from the router to a syslog server, you must also define the IP address of the syslog server. For more information, see Defining Syslog Servers.
Step 1 Do one of the following to access the router’s Syslog Logging Setup page:
- (Device view) Select Platform > Logging > Syslog Logging Setup from the Policy selector.
- (Policy view) Select Router Platform > Logging > Syslog Logging Setup from the Policy Type selector. Select an existing policy or create a new one.
The Syslog Logging Setup page is displayed. See Table 65-2 for a description of the fields on this page.
Step 2 Select Enable Logging to turn on the syslog logging feature. If this option is not selected, no log messages are created.
Tip To use the device’s default logging settings, or to restore the default settings, simply select Enable Logging, ensure all other fields are blank, then click Save. The default settings vary by device. See your router documentation for more details.
Step 3 (Optional) In the Source Interface field, enter the name of the interface or interface role whose address should be used as the source interface for all log messages sent to a syslog server; or click Select to select an interface role from a list or to create a new one. The source interface must have an IP address.
This option is useful when the syslog server cannot reach the address from which the connection originated (for example, due to a firewall). If you do not enter a value in this field, the address of the outgoing interface is used.
Step 4 (Optional) To send log messages to a syslog server:
a. Select Enable Trap. This option is selected by default.
b. Select a value from the Trap Level list. All messages of this severity or greater (that is, having the same or a lower severity-level number) are sent to the syslog server; messages of a lesser severity are ignored. For more information about severity levels, see Table 65-1.
Step 5 (Optional) To save log messages locally to a buffer on the router:
a. Select Enable Buffer. This option is selected by default.
b. Enter the Buffer Size in bytes.
c. Select the lowest severity level for messages to be saved to the buffer. All messages of that severity level or greater are saved to the buffer.
d. Select Use XML Format to save messages in XML format. (You can configure both the regular buffer and the XML buffer in the same policy.) If you select this option, enter the size of the XML buffer in bytes.
Note Make sure not to make buffers so large that the router runs out of memory for other tasks. If this happens, deployment may fail.
Step 6 (Optional) Define a rate limit to prevent a flood of output messages:
a. Select Enable Rate Limit. This option is selected by default.
b. Enter the maximum number of messages that can be sent per second.
c. Select the severity levels to exclude from the rate limit. For example, if you select 2 (critical), all syslog messages of severity levels 0-2 are sent to the syslog server regardless of the defined rate limit.
d. Select All Messages to apply the rate limit to all syslog messages except console messages (and excepting those severity levels specifically excluded above).
e. Select Console Messages to apply the rate limit to console messages only.
Note If you enable rate limiting without specifying any options, the default settings (10 messages per second, applied to console messages only) are applied.
Step 7 (Optional) To add an origin identifier to the beginning of each syslog message:
a. Select the type of origin ID to send—the IP address of the router, its host name, or a text string that you provide.
b. If you select String, enter the desired text in the field provided. Spaces are permitted.
The origin identifier is useful for identifying the source of syslog messages in cases where you send output from multiple devices to a single syslog server.
Note The origin identifier is not added to messages sent to local destinations, such as the buffer, the console, and the monitor.
Defining Syslog Servers
This procedure describes how to define the servers to which the router should send syslog messages. When you define a syslog server, you can choose whether the logging messages it receives should be forwarded as plain text or in XML format.
If you define multiple syslog servers, logging messages are sent to all of them.
Step 1 Do one of the following to access the router’s Syslog Servers page:
- (Device view) Select Platform > Logging > Syslog Servers from the Policy selector.
- (Policy view) Select Router Platform > Logging > Syslog Servers from the Policy Type selector. Select an existing policy or create a new one.
The Syslog Servers page is displayed. See Table 65-3 for a description of the fields on this page.
Step 2 To define a server to receive syslog messages from this router, click the Add button below the table to open the Syslog Server dialog box. See Table 65-4 for more about this dialog box.
Step 3 In the IP Address field, enter the address of the desired syslog server, or click Select to select a network/host object from a list or to create a new one. For more information, see Specifying IP Addresses During Policy Definition.
Step 4 (Optional) Select Forward Messages in XML Format to forward received syslog messages in XML format instead of plain text.
Step 5 Click OK to save your definition and close the dialog box. The syslog server you defined is displayed in the table.
Note To edit a syslog server, select it from the table, then click Edit. To remove a syslog server, select it, then click Delete.
Understanding Log Message Severity Levels
Syslog messages on Cisco IOS routers are classified into eight severity levels. Each severity level is identified by a number and a corresponding name. The lower the number, the greater the severity, as shown in the following table.
Table 65-1 Syslog Message Severity Levels
| Level Number | Level Name | Description |
|---|---|---|
| 0 | emergency | System unusable |
| 1 | alert | Immediate action needed |
| 2 | critical | Critical conditions |
| 3 | errors | Error conditions |
| 4 | warnings | Warning conditions |
| 5 | notifications | Normal but significant condition |
| 6 | informational | Informational messages only |
| 7 | debugging | Debug messages |
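The trap-level filter from Step 4b, the rate limit with exempted severities from Step 6, and the numbering in Table 65-1, modelled as an added example (this is not code from the Cisco guide or from IOS). The sample lines are constructed in IOS message format, and the rule that an exemption level of N exempts severities 0 through N follows the Step 6c example.

```python
import re

# IOS message body looks like "%FACILITY-SEVERITY-MNEMONIC: text".
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

def severity_of(line):
    """Return the numeric severity embedded in an IOS syslog line, or None."""
    m = MSG_RE.search(line)
    return int(m.group(2)) if m else None

def trap_forwards(line, trap_level):
    """Step 4b: a message goes to the syslog server only if its severity number
    is the same as or lower than the trap level (same or greater severity)."""
    sev = severity_of(line)
    return sev is not None and sev <= trap_level

class RateLimiter:
    """Step 6: allow at most `per_second` messages in each one-second window,
    except that severities <= `exempt_level` always pass (e.g. 2 exempts 0-2)."""
    def __init__(self, per_second=10, exempt_level=None):
        self.per_second = per_second
        self.exempt_level = exempt_level
        self.sent = {}      # whole second -> messages already allowed in it

    def allow(self, line, timestamp):
        sev = severity_of(line)
        if self.exempt_level is not None and sev is not None and sev <= self.exempt_level:
            return True     # exempt severities bypass the limit entirely
        bucket = int(timestamp)
        if self.sent.get(bucket, 0) >= self.per_second:
            return False
        self.sent[bucket] = self.sent.get(bucket, 0) + 1
        return True

# Constructed sample lines in IOS format (not captured from a real device).
SAMPLE = [
    "*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by vty0",
    "*Mar  1 00:01:02.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:02.789: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization 96%",
    "*Mar  1 00:01:02.900: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]

def forwarded(lines, trap_level, limiter):
    """Trap-level filter first, then the rate limit; lines are assumed 0.25 s apart."""
    out = []
    for i, line in enumerate(lines):
        if trap_forwards(line, trap_level) and limiter.allow(line, i * 0.25):
            out.append(line)
    return out
```

With a trap level of 7 and a limit of one message per second exempting severities 0-2, only the first line and the severity-1 line are forwarded; raising the limit but lowering the trap level to 3 drops the severity-5 and severity-7 lines instead.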
NetFlow on Cisco IOS Routers
The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance and troubleshooting. Monitoring IP traffic flows facilitates accurate capacity planning, and ensures that network resources are used appropriately in support of organizational goals.
NetFlow is a logging feature available on IOS devices for recording, caching and transmitting IP traffic-flow information on a per-interface basis. The basic output of NetFlow is a flow record, where a “flow” is defined as a unidirectional stream of packets between a given source and destination—both defined by a network-layer IP address and transport-layer source and destination port numbers.
On the IOS device, NetFlow consists of two key components—a NetFlow cache which stores IP flow data, and the NetFlow export mechanism that transmits the NetFlow records to a collection server for data reporting. Thus, when enabled, NetFlow records and caches statistics for incoming and outgoing traffic flows, periodically transmitting these records from the device to a NetFlow collector, in the form of User Datagram Protocol (UDP) datagrams.
Several different formats for the export packet, or flow record, have evolved as NetFlow has matured, and these formats are commonly referred to as the NetFlow version. These versions are well documented, and include versions 1, 5, 7, and 9. The most commonly used format is NetFlow version 5, but version 9 is the latest format and has some advantages for extensibility, security, traffic analysis and multicasting.
Security Manager currently supports Traditional NetFlow on IOS devices. Traditional NetFlow provides a fixed flow record, even for version 9, meaning the device will use certain flags and predefined record combinations in generating the flow. The device configuration settings define export destinations, export interface, and certain version-specific transmission options.
More About Traffic Flows and NetFlow
Each packet that passes into or out of a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or “fingerprint,” and they define whether the packet is unique, or related to other packets.
All packets with the same source/destination IP address, source/destination ports, protocol interface, and class of service are grouped into a flow and the packets and bytes are tallied. This method of flow determination (or “fingerprinting”) is scalable because a large amount of network information can be condensed into a database of NetFlow information called the NetFlow cache.
In general, the NetFlow cache is constantly filling with flows, and software in the router or switch is searching the cache for flows that have terminated or expired, and these flows are exported to the NetFlow collector. (Unlike SNMP polling, NetFlow export periodically transmits information to the NetFlow collector.) The NetFlow collector has the job of assembling and organizing the exported flows to produce the real-time or historical reports used for traffic and security analysis.
NetFlow Summary
To summarize, the following steps outline NetFlow:
- NetFlow is configured on the router or switch to capture IP traffic flows
- Flow records are stored in the local NetFlow cache
- Periodically, approximately 30 to 50 flow records are bundled together and exported to a NetFlow collector server
- The collector software creates reports from the NetFlow data
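The flow "fingerprint", cache expiry and batched export described in More About Traffic Flows and NetFlow and in the summary above, modelled as an added example (not code from the Cisco guide or from IOS). The inactive and active timeouts are assumed to mirror typical IOS NetFlow defaults (15 s and 30 min), and the packet trace is constructed.

```python
def flow_key(src_ip, dst_ip, src_port, dst_port, proto, if_in, tos):
    """The 7-tuple that decides which packets share a flow.
    Direction matters: A->B and B->A are two distinct flows."""
    return (src_ip, dst_ip, src_port, dst_port, proto, if_in, tos)

class NetFlowCache:
    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0, per_datagram=30):
        self.cache = {}            # key -> [packets, octets, first_seen, last_seen]
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.per_datagram = per_datagram   # the page cites roughly 30-50 records per export
        self.queue = []            # expired records awaiting export

    def observe(self, key, length, now):
        """Tally one packet into its flow, creating the entry on first sight."""
        entry = self.cache.setdefault(key, [0, 0, now, now])
        entry[0] += 1
        entry[1] += length
        entry[3] = now

    def expire(self, now):
        """Move terminated flows (idle too long, or too old) to the export queue."""
        for key in list(self.cache):
            pkts, octets, first, last = self.cache[key]
            if now - last >= self.inactive_timeout or now - first >= self.active_timeout:
                self.queue.append((key, self.cache.pop(key)))

    def export(self):
        """Bundle queued records into datagram-sized batches; returns [] if none are due."""
        batches = [self.queue[i:i + self.per_datagram]
                   for i in range(0, len(self.queue), self.per_datagram)]
        self.queue = []
        return batches

# Constructed packet trace: (time, src, dst, sport, dport, proto, in_if, tos, bytes)
TRACE = [
    (0.0, "10.0.0.5", "192.0.2.10", 51000, 443, 6, "Gi0/0", 0, 60),
    (0.1, "192.0.2.10", "10.0.0.5", 443, 51000, 6, "Gi0/1", 0, 1500),
    (0.2, "10.0.0.5", "192.0.2.10", 51000, 443, 6, "Gi0/0", 0, 52),
    (0.3, "10.0.0.5", "192.0.2.53", 40000, 53, 17, "Gi0/0", 0, 70),
]

def run_trace(trace, expire_at=20.0):
    """Feed the trace through the cache, expire idle flows, and return export batches."""
    cache = NetFlowCache()
    for t, s, d, sp, dp, pr, ifi, tos, n in trace:
        cache.observe(flow_key(s, d, sp, dp, pr, ifi, tos), n, t)
    cache.expire(expire_at)
    return cache.export()
```

Four packets collapse into three flow records (the client-to-server TCP flow carries two packets and 112 octets; the reply direction is its own flow), and nothing is exported until the flows have been idle past the inactive timeout.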
Defining NetFlow Parameters
This procedure describes enabling NetFlow logging on the router.
Step 1 To access the router’s NetFlow page, do one of the following:
- (Device view) Select Platform > Logging > NetFlow from the Policy selector.
- (Policy view) Select Router Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy or create a new one.
The router’s NetFlow page is displayed. See NetFlow Policy Page for complete descriptions of the fields on this page.
Step 2 On the Setup tab of the NetFlow page, specify global NetFlow parameters for the router:
- Primary Destination – Choose IP Address or Hostname from this list to enable NetFlow collection and to specify how the primary NetFlow collector will be defined. You can choose the blank entry to disable this option.
– IP Address – Enter the IP address of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
– Hostname – Enter the fully qualified domain name of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
- Redundant Destination – Choose IP Address or Hostname from this list to specify how the back-up NetFlow collector will be defined. You can choose the blank entry to disable this option.
– IP Address – Enter the IP address of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
– Hostname – Enter the fully qualified domain name of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
Note If you define a Primary and a Redundant Destination, flow data is transmitted to both.
- Source Interface – Specify the router interface through which flow data will be transmitted to the collector destination(s).
- Version – Define the record format to be used for flow data by choosing the appropriate NetFlow version number from this drop-down list. You can choose the blank entry to disable this option.
– 1 – The original record format. No additional parameters are required.
– 5 – The most widely adopted format; includes Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers.
If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list. You can choose the blank entry to disable this option.
Check Enable BGP Nexthop to include BGP next hop information in the flow caches. (Note that with version 5, this information is visible in the caches, but it is not exported.)
– 9 – The most-recent, template-based version; not yet fully supported.
If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list. You can choose the blank entry to disable this option.
Check Enable BGP Nexthop to include BGP next hop information in the flow records.
Note AS information collection is resource intensive, especially for origin-as. If you are not interested in monitoring peering arrangements, disabling AS collection may improve performance.
Step 3 On the Interfaces tab, define the interfaces for which traffic flows are to be reported.
- To add an interface, click the Add Row button to open the Add NetFlow Interface Settings dialog box. This dialog box is described in Adding and Editing NetFlow Interface Settings.
- To edit an existing interface, select the appropriate entry in the Interfaces table and then click the Edit Row button to open the Edit NetFlow Interface Settings dialog box (described in Adding and Editing NetFlow Interface Settings).
- To delete an existing interface, select that entry in the Interfaces table and then click the Delete Row button, and then confirm the deletion.
Note You can disable NetFlow data collection on an interface without deleting it. Refer to Adding and Editing NetFlow Interface Settings for more information.