Ensure Network Safety with Centralized Logging : Page 3

Virus definitions often can't keep up with the rapid proliferation of Windows-based worms, letting them slip under your radar. How can you keep your network safe? Use the access lists on your routers along with a centralized logging database to help you quickly find and isolate infected hosts.

Configure Your Router Base
Before you can get started, there are some basic things you need to configure on your routers. Keep in mind that this only outlines a basic NTP configuration; I have my clocks set within a few seconds of each other, which may not be accurate enough for your needs.

Make sure that your routers can freely reach your NTP server by permitting the required traffic through any firewalls on your network. To configure a router to use NTP, enter configuration mode and type:

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#ntp server 10.0.37.15
RouterA(config)#end

At this point, 'show ntp status' will show the status of the NTP synchronization:


RouterA#sh ntp status
Clock is synchronized, stratum 3, reference is 10.0.37.15
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is C44215A4.FC1FC6D7 (13:14:12.984 UTC Tue May 4 2004)
clock offset is 0.0982 msec, root delay is 46.88 msec
root dispersion is 20.89 msec, peer dispersion is 0.08 msec

Type 'sh clock' at the prompt, and the time in UTC will be shown:

RouterA#sh clock
13:16:13.344 UTC Tue May 4 2004

Ideally, there should be at least two NTP servers on your network so that the NTP clients can figure out how far off they may be.

The network that I support spans many time zones, so it's easier for me to keep everything in a single time zone, and I chose UTC. If you prefer a different time zone, set it with these commands:

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#clock timezone EST -5
! set your timezone in UTC -x or +x hours above. I'm in US EST, so that's
! my timezone.
RouterA(config)#clock summer-time EDT recurring
! We do daylight savings time, so I'm configuring that as well.

Now when I type 'sh clock', I'm shown my current local time:

RouterA#sh clock
09:23:00.968 EDT Tue May 4 2004

By default, Cisco routers stamp logged network events with the router's uptime instead of 'real' time. This makes the syslog facilities hard to use, because it's difficult to determine when an event actually occurred. To fix this, configure the router to stamp messages with the date and time instead of uptime:

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#service timestamps debug datetime msec localtime show-timezone
RouterA(config)#service timestamps log datetime msec localtime show-timezone
RouterA(config)#end

Another useful feature is local buffering of log messages. By default only a small buffer is kept, and having more history immediately available on the router helps when diagnosing network problems:

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#logging buffered 9128 debugging
RouterA(config)#end

Now, if you type 'show log' at the prompt, you should see the last configuration change logged. Type 'copy run start' to save the configuration, then 'show log' again; the log entries should now carry timestamps:

RouterA#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
RouterA#sh log
Syslog logging: enabled (10 messages dropped, 2 messages rate-limited, 0 flushe)
Console logging: level debugging, 49 messages logged, xml disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: level debugging, 49 messages logged, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 49 message lines logged
Log Buffer (9128 bytes):
...cut...
May 4 09:21:08.109 EDT: %SYS-5-CONFIG_I: Configured from console by console
May 4 09:22:59.992 EDT: %SYS-5-CONFIG_I: Configured from console by console

There is more configuration to do later, but for now this sets everything up. Apply this configuration to each router whose syslog messages you plan to centralize.
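As an added example (not from the article), here is a Python parser for the log lines the configuration above produces, showing what a central logging database gains from the datetime stamps. It converts the local-time stamps to UTC using an offset table built for the article's EST/EDT setup (an assumption; extend it for your own zones), flags lines whose clock was not NTP-authoritative (IOS prefixes those with '*' or '.'), and marks uptime-only stamps as impossible to correlate. The year is a caller-supplied assumption, because IOS omits it from the stamp.

```python
import re
from datetime import datetime, timedelta, timezone

# Stamps from "service timestamps log datetime msec localtime show-timezone", e.g. "May 4 09:21:08.109 EDT: %SYS-...".
# IOS prefixes "*" (or ".") when its clock is not (or no longer) NTP-authoritative, and never prints the year.
DATETIME_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<msec>\d{3}))?(?: (?P<tz>[A-Z]{3,4}))?: (?P<body>.*)$")
# Default uptime stamps ("00:02:17:", "1d02h:", "1w2d:") carry no wall clock, so they cannot be correlated.
UPTIME_RE = re.compile(r"^(?:\d{2}:\d{2}:\d{2}|\d+[ywd]\d+[wdhm]): (?P<body>.*)$")
MSG_RE = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
TZ_OFFSET_HOURS = {"UTC": 0, "EST": -5, "EDT": -4}   # constructed: this article's timezone/summer-time setup

def parse_ios_log_line(line, year):
    """One IOS log line -> dict(utc, trusted, facility, severity, mnemonic, text), or None if not a message."""
    utc, trusted = None, False
    m = DATETIME_RE.match(line)
    if m:
        tz = m.group("tz") or "UTC"
        if tz not in TZ_OFFSET_HOURS:
            raise ValueError("unknown timezone abbreviation %r" % tz)
        local = datetime.strptime("%d %s %s %s" % (year, m.group("mon"), m.group("day"), m.group("time")),
                                  "%Y %b %d %H:%M:%S").replace(microsecond=int(m.group("msec") or 0) * 1000)
        utc = (local - timedelta(hours=TZ_OFFSET_HOURS[tz])).replace(tzinfo=timezone.utc)
        trusted = m.group("flag") == ""        # "*"/"." means the router's clock was not NTP-synchronised
        body = m.group("body")
    else:
        u = UPTIME_RE.match(line)
        if not u:
            return None                        # prompt, banner or continuation line
        body = u.group("body")
    msg = MSG_RE.match(body)
    if not msg:
        return None
    return {"utc": utc, "trusted": trusted, "facility": msg.group("facility"),
            "severity": int(msg.group("severity")), "mnemonic": msg.group("mnemonic"), "text": msg.group("text")}

def parse_buffer(lines, year):
    """Parse a whole 'sh log' buffer: returns (records, number of records without a usable clock)."""
    records = [r for r in (parse_ios_log_line(ln, year) for ln in lines) if r]
    return records, sum(1 for r in records if r["utc"] is None or not r["trusted"])

# Constructed sample: the article's two "sh log" lines, an unsynchronised-clock line, and an uptime-only line.
SAMPLE = [
    "May 4 09:21:08.109 EDT: %SYS-5-CONFIG_I: Configured from console by console",
    "May 4 09:22:59.992 EDT: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 1 00:00:07.511 UTC: %SYS-5-RESTART: System restarted",
    "1d02h: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
]
```

Feeding the buffer from several routers through parse_buffer gives you UTC-comparable records plus a count of lines you should not trust for correlation until that router's NTP and timestamp configuration is fixed.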
