Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management.

Published byWilfred Haynes Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management."— Presentation transcript:

1 Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management

2 Log management and monitoring ■ What is log management and monitoring ? ■ It's about keeping your logs in a safe place, putting them where you can easily inspect them with tools ■ Keep an eye on your log files ■ They tell you something important... ● Lots of things happen, and someone needs to keep an eye on them... ● Not really practictal to do it by hand!

3 Log management and monitoring ■ On your routers and switches ● Sep 1 04:40:11.788 INDIA: %SEC-6-IPACCESSLOGP: list 100 denied tcp 79.210.84.154(2167) -> 169.223.192.85(6662), 1 packet ● Sep 1 04:42:35.270 INDIA: %SYS-5-CONFIG_I: Configured from console by pr on vty0 (203.200.80.75) ‏ ● %CI-3-TEMP: Overtemperature warning ● Mar 1 00:05:51.443: %LINK-3-UPDOWN: Interface Serial1, changed state to down ■ On your servers as well ● Aug 31 17:53:12 ubuntu nagios2: Caught SIGTERM, shutting down... ● Aug 31 19:19:36 ubuntu sshd[16404]: Failed password for root from 169.223.1.130 port 2039 ssh2

4 Log management ■ First, need to centralize and consolidate log files ■ Log all messages from routers, switches and servers to a single machine – a logserver ■ All logging from network equipment and UNIX servers is done using syslog ■ Windows can be configured to use syslog as well, with some tools ■ Log locally, but also to the central server

5 Centralized logging Local disk server syslog routerswitch Syslog storage Syslog server

6 Configuring centralized logging ■ Cisco equipment ● Minimum:  logging ip.of.log.host ■ UNIX host ● Edit /etc/syslog.conf ● Add a line ”*.*@ip.of.log.host” ● Restart syslogd ■ Other equipments have similar options ● Options to control facility and level

7 Receiving the messages ■ Identify the facility that the SENDING host or device will send their message on ■ Reconfigure syslogd to listen to the network (on Ubuntu/Debian: add ”-r” to /etc/defaults/syslogd ■ Add an entry to syslogd indicating where to write messages: ● local7.*/var/log/routers ■ Create the file: ● touch /var/log/routers ■ Restart syslogd ● /etc/init.d/sysklogd restart

8 Syslog basics ■ UDP protocol, port 514 ■ Syslog messages contain: ● Facility: AuthLevel:Emergency(0) Authpriv|Alert(1) Console|Critical(2) Cron|Error(3) Daemon|Warning(4) Ftp|Notice(5) Kern|Info(6) LprMail|Debug(7) News Ntp | SecuritySyslog UserUUCP Local0...Local7

9 Sorting logs ■ Using facility and level, sort by category into different files ■ With tools like syslog-ng, sort by host, date,... automatically into different directories ■ Grep your way through the logs. ■ Use standard UNIX tools to sort, and eliminate, things you want to filter out: ● egrep -v '(list 100 denied|logging rate- limited)' mylogfile ● Is there a way to do this automatically ?

10 SWATCH ■ Simple Log Watcher ● Written in Perl ● Monitors log files, looking for patterns (”regular expressions”) to match in the logs ● Perform a given action if the pattern is found

11 Sample config ■ watchfor /%LINK-3-UPDOWN/ mail addresses=inst,subject=Link updown throttle 1:00 watchfor /%SEC-6-IPACCESSLOGP/ exec /usr/bin/echo $* >> /tmp/accesslist.log watchfor /%SYS-5-CONFIG/ mail addresses=inst,subject=Configuration of router

12 References ■ http://www.loganalysis.org/ ■ Syslog NG ● http://www.balabit.com/network-security/syslog-ng/ ■ Windows Event Log to Syslog: ● https://engineering.purdue.edu/ECN/Resources/Docum ents/UNIX/evtsys ■ SWATCH log watcher ● http://swatch.sourceforge.net/ ● http://www.loganalysis.org/sections/signatures/log -swatch-skendrick.txt ● http://www.loganalysis.org/ ● http://sourceforge.net/docman/display_doc.php?doci d=5332&group_id=25401

13 Questions ? ?

Download ppt "Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management."

Similar presentations

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.

Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.
ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.
Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Network Operations and Network Management.

Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Network Operations and Network Management.
Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.

Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.
Syslogd Tracking system events. Log servers Applications are constantly encountering events which should be recorded –users attempt to login with bad.

Syslogd Tracking system events. Log servers Applications are constantly encountering events which should be recorded –users attempt to login with bad.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
© 2015 Mohamed Samir YouTube channel All rights reserved. www.mohamedsamir.comMohamed Samir CCNP-SWITCHING 300-115 Mohamed Samir YouTube channel Double.

© 2015 Mohamed Samir YouTube channel All rights reserved. Samir CCNP-SWITCHING Mohamed Samir YouTube channel Double.
NOC TOOLS syslog AfNOG 2009 - Cairo, SI-E, 2 of 5 Sunday Folayan.

NOC TOOLS syslog AfNOG Cairo, SI-E, 2 of 5 Sunday Folayan.
AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.

AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.
Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.

Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
System Administration: Linux Track 2 Workshop June 2010 Pago Pago, American Samoa.

System Administration: Linux Track 2 Workshop June 2010 Pago Pago, American Samoa.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
New SA Training Topic 9: Logging, Monitoring, and Performance  Logging  Windows – “Auditing”  Linux – syslog  Monitoring  MRTG  Big Brother  Performance.

New SA Training Topic 9: Logging, Monitoring, and Performance  Logging  Windows – “Auditing”  Linux – syslog  Monitoring  MRTG  Big Brother  Performance.
NMS Labs Mikko Suomi LAB1 Choose SNMP device managment software Features: –Gives Nice overview of network –Bandwith monitoring –Multible.

NMS Labs Mikko Suomi LAB1 Choose SNMP device managment software Features: –Gives Nice overview of network –Bandwith monitoring –Multible.
Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.

Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.
7 November 2005 Sebastian Büttrich ItrainOnline MMTK www.itrainonline.org 1 Linux logging and logfiles monitoring with swatch Sebastian Büttrich, wire.less.dk.

7 November 2005 Sebastian Büttrich ItrainOnline MMTK 1 Linux logging and logfiles monitoring with swatch Sebastian Büttrich, wire.less.dk.
1. 2 Device management refers to the IDS Sensor's ability to dynamically reconfigure the filters and access control lists (ACL) on a router, switch, and.

1. 2 Device management refers to the IDS Sensor's ability to dynamically reconfigure the filters and access control lists (ACL) on a router, switch, and.

Similar presentations

Ads by Google