Velocity Reviews - Computer Hardware Reviews

logging switches

What is the recommended way to log Cisco switches for all logs?

Walter Roberson
In article <ee9cq1$5mn$(E-Mail Removed)>, tony <(E-Mail Removed)> wrote:
>What is the recommended way to log Cisco switches for all logs?

Depends on your requirements.

For most people, it's just setting up "logging host", setting a logging
level, and enabling logging; the result will be sent via UDP syslog to
the designated host, which would write the entry to a file.
Sophisticated syslog daemons can choose output filenames based upon
various parameters in the message, and possibly even trigger actions
(e.g., page someone) if a serious problem is detected. Along these
lines, "logging facility" can make it easier to distinguish between
various hosts.

For some people, UDP syslog is not sufficient, under the theory that
an event that goes unlogged might well be the attacking event, if the
attacker has provoked turning off the logs. Turning off the logs can
often be provoked by flooding the device with innocent-looking requests,
probably all with forged addresses: when the disk fills up, it stops
logging. Or if events come in too quickly (fast attacker) then
UDP syslog might get lost in the network traffic, or UDP syslog
writes might get throttled by the device to prevent internal
network congestion.

For such people, some devices allow logging via TCP syslog: a TCP
connection is formed to the logger, and no further traffic is permitted
through the security boundary until the TCP connection sends back an
acknowledgement that the event was logged.

Or some locations dump all the events to a printer, or to a
tamper-proof write-once unit, in case court-evidence quality logging
is necessary.

For most locations, the difficulty is not in getting events logged:
the difficulty is in making sense of what got logged, especially
correlating events and detecting intrusion attempt patterns.
Even just post facto policy violation analysis requires some good
data mining if you are logging hundreds of thousands of events
per day per security gateway...
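The collector side of what the answer describes, as an added example that is not part of the thread: a parser for the UDP syslog lines a Cisco IOS switch emits, which uses the PRI value to recover the "logging facility" each switch was given (so events from different switches can be told apart), and uses the per-device message sequence number to notice when messages were dropped on the way to the collector, which is the "event that goes unlogged" concern raised about UDP syslog. The sample lines are constructed, not captured traffic; the line layout assumes the switch has sequence numbers and millisecond timestamps enabled (on IOS, `service sequence-numbers` and `service timestamps log datetime msec`), and the facility and severity names follow the usual syslog numbering.

```python
"""Parse Cisco IOS syslog lines received over UDP and flag gaps and serious events."""
import re
from collections import Counter

# Syslog severity names, indexed by the low three bits of the PRI value.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Cisco IOS line layout (assumed, with sequence numbers and msec timestamps enabled):
#   <PRI>SEQ: *Mon DD HH:MM:SS.mmm[ TZ]: %COMPONENT-SEV-MNEMONIC: free text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:[*.]?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?)(?: \w+)?: )?"
    r"%(?P<comp>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample: (sender address, raw datagram payload). Switch .11 logs with
# the IOS default facility local7 (PRI 184 + severity); switch .12 was configured
# with "logging facility local6" (PRI 176 + severity). Switch .11 jumps from
# sequence 42 to 45, i.e. two datagrams never arrived.
SAMPLE = [
    ("192.0.2.11", "<189>000041: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: "
                   "Configured from console by admin on vty0 (198.51.100.7)"),
    ("192.0.2.11", "<187>000042: *Mar  1 00:12:40.001: %LINK-3-UPDOWN: "
                   "Interface GigabitEthernet0/1, changed state to down"),
    ("192.0.2.11", "<189>000045: *Mar  1 00:12:41.120: %LINEPROTO-5-UPDOWN: "
                   "Line protocol on Interface GigabitEthernet0/1, changed state to down"),
    ("192.0.2.12", "<180>000007: *Mar  1 00:13:02.000: %SEC_LOGIN-4-LOGIN_FAILED: "
                   "Login failed [user: admin] [Source: 203.0.113.9] [localport: 22]"),
    ("192.0.2.12", "<182>000008: *Mar  1 00:13:05.250: %SYS-6-LOGOUT: "
                   "User admin has exited tty session 1(198.51.100.7)"),
]


def facility_name(code):
    """Name a syslog facility number; local0..local7 are the ones switches normally use."""
    return f"local{code - 16}" if 16 <= code <= 23 else f"facility{code}"


def parse_line(line):
    """Split one IOS syslog line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": facility_name(pri // 8),
        "severity": pri % 8,
        "severity_name": SEVERITY[pri % 8],
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "component": m["comp"],
        "mnemonic": m["mnem"],
        "text": m["text"],
    }


def ingest(records):
    """Parse (source, line) pairs; return (events, alerts).

    Alerts cover unparseable lines, sequence-number gaps or restarts per sender,
    and any event at severity 3 (err) or worse."""
    events, alerts, last_seq = [], [], {}
    for src, raw in records:
        ev = parse_line(raw)
        if ev is None:
            alerts.append(f"{src}: unparseable line: {raw!r}")
            continue
        ev["source"] = src
        events.append(ev)
        seq = ev["seq"]
        if seq is not None:
            prev = last_seq.get(src)
            if prev is not None and seq <= prev:
                alerts.append(f"{src}: sequence restarted at {seq} (device reload?)")
            elif prev is not None and seq != prev + 1:
                alerts.append(f"{src}: {seq - prev - 1} message(s) missing "
                              f"between seq {prev} and {seq}")
            last_seq[src] = seq
        if ev["severity"] <= 3:
            alerts.append(f"{src}: {ev['severity_name']} %{ev['component']}-"
                          f"{ev['severity']}-{ev['mnemonic']}: {ev['text']}")
    return events, alerts


def count_by_facility(events):
    """How many events arrived under each facility, i.e. from each configured sender group."""
    return dict(Counter(ev["facility"] for ev in events))


if __name__ == "__main__":
    evs, alts = ingest(SAMPLE)
    print("events per facility:", count_by_facility(evs))
    for a in alts:
        print("ALERT", a)
```

Run as-is it reports two local7 senders' worth of events against one local6 group and raises two alerts: the two-message gap on 192.0.2.11 and the severity-3 link-down event. A gap alert only tells you that messages were lost, not why (network loss, device-side throttling, or the disk-full scenario from the post), so the useful follow-up is to compare against the switch's own "show logging" buffer rather than to treat the gap as an incident by itself.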