Presentation is loading. Please wait.

Presentation is loading. Please wait.

These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

Published byReynold Leo Jacobs Modified over 8 years ago

Similar presentations

Presentation on theme: "These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)"— Presentation transcript:

1 These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Log Management Network Management & Monitoring

2 Log Management and Monitoring What is log management and monitoring? Keeping your logs in a secure place where they can be easily inspected. Watching your log files. They contain important information: –Lots of things happen and someone needs to review them. –It’s not practical to do this manually.

3 Log Management and Monitoring On your routers and switches S ep 1 04:40:11.788 INDIA: %SEC-6-IPACCESSLOGP: list 100 denied tcp 79.210.84.154(2167) -> 169.223.192.85(6662), 1 packet S ep 1 04:42:35.270 INDIA: %SYS-5-CONFIG_I: Configured from console by pr on vty0 (203.200.80.75) % CI-3-TEMP: Overtemperature warning M ar 1 00:05:51.443: %LINK-3-UPDOWN: Interface Serial1, changed state to down S ep 1 04:40:11.788 INDIA: %SEC-6-IPACCESSLOGP: list 100 denied tcp 79.210.84.154(2167) -> 169.223.192.85(6662), 1 packet S ep 1 04:42:35.270 INDIA: %SYS-5-CONFIG_I: Configured from console by pr on vty0 (203.200.80.75) % CI-3-TEMP: Overtemperature warning M ar 1 00:05:51.443: %LINK-3-UPDOWN: Interface Serial1, changed state to down A ug 31 17:53:12 ubuntu nagios3: Caught SIGTERM, shutting down... A ug 31 19:19:36 ubuntu sshd[16404]: Failed password for root from 169.223.1.130 port 2039 ssh2 A ug 31 17:53:12 ubuntu nagios3: Caught SIGTERM, shutting down... A ug 31 19:19:36 ubuntu sshd[16404]: Failed password for root from 169.223.1.130 port 2039 ssh2 And, your servers

4 Centralize and consolidate log files Send all log messages from your routers, switches and servers to a single node – a log server. All network hardware and UNIX/Linux servers can be monitored using some version of syslog. Windows can, also, use syslog with extra tools. Save logs locally, but, also, save them to a central log server. Log Management

5 router switch Syslog storage syslog server Centralized logging

6 Cisco hardware –At a minimum: logging ip.of.logging.host Unix and Linux nodes –In /etc/syslog.conf, add: *.*@ip.of.log.host –Restart syslogd Other equipment have similar options –Options to control facility and level Configuring centralized logging

7 Identify the facility that the equipment is going to use to send its messages. Reconfigure syslogd to listen to the network.  Ubuntu: add ” -r ” to /etc/defaults/syslogd Add an entry to syslodg where messages are going to be written: local7.*/var/log/routers Create the file touch /var/log/routers Restart syslogd /etc/init.d/syslogd restart Receiving syslog messages

8 Uses UDP protocol, port 514 Syslog message have two attributes (in addition to the message itself): FacilityLevel AuthSecurity|Emergency(0) AuthprivUser|Alert(1) ConsoleSyslog|Critical(2) CronUUCP|Error(3) DaemonMail|Warning(4) FtpNtp|Notice(5) KernNews|Info(6) Lpr|Debug(7) Local0...Local7| Syslog basics

9 Using facility and level you can group by category in distinct files. With software such as syslog-ng you can group by machine, date, etc. automatically in different directories. You can use grep to review logs. You can use typical UNIX tools to group and eliminate items that you wish to filter: egrep -v '(list 100 denied|logging rate-limited)' mylogfile Is there a way to do this automatically? Grouping logs

10 Simple Log Watcher –Written in Perl –Monitors logs looking for patterns using regular expressions. –Executes a specific action if a pattern is found. –Can be any pattern and any action. –Defining the patterns is the hard part. SWATCH

11 ignore /things to ignore/ watchfor /NATIVE_VLAN_MISMATCH/ mail=root,subject=VLAN problem threshold type=limit,count=1,seconds=3600 watchfor /CONFIG_I/ mail=root,subject=Router config threshold type=limit,count=1,seconds=3600 ignore /things to ignore/ watchfor /NATIVE_VLAN_MISMATCH/ mail=root,subject=VLAN problem threshold type=limit,count=1,seconds=3600 watchfor /CONFIG_I/ mail=root,subject=Router config threshold type=limit,count=1,seconds=3600 Sample configuration What are these? What does it mean?

12 http://www.loganalysis.org/ Syslog NG –http://www.balabit.com/network-security/syslog-ng/ Windows Event Log a Syslog: –https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys SWATCH log watcher –http://swatch.sourceforge.net/ –http://www.loganalysis.org/sections/signatures/log-swatch- skendrick.txt –http://www.loganalysis.org/ –http://sourceforge.net/docman/display_doc.php?docid=5332&group _id=25401 References

13 http://www.crypt.gen.nz/logsurfer http://sial.org/howto/logging/swatch/ http://www.occam.com/sa/CentralizedLogging2009.pdf http://ristov.users.sourceforge.net/slct/ References cont.

14 ? Questions?

Download ppt "These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)"

Similar presentations

© 2003, Cisco Systems, Inc. All rights reserved..

© 2003, Cisco Systems, Inc. All rights reserved..
Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
1 Passwords and Banners Cisco Devices Packet Tracer.

1 Passwords and Banners Cisco Devices Packet Tracer.
Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.

Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.
ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.
Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.

Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.
CIS 193A – Lesson3 Vigilance! Logging & Monitoring Syslog Logrotate Logwatch Accounting.

CIS 193A – Lesson3 Vigilance! Logging & Monitoring Syslog Logrotate Logwatch Accounting.
Implementing a Highly Available Network

Implementing a Highly Available Network
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.

1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim 04.19.2010.

CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim
Implementing a Secure Console Server The Cyclades Project Co-Op Summer 2003 by Robert Perriero.

Implementing a Secure Console Server The Cyclades Project Co-Op Summer 2003 by Robert Perriero.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
NOC TOOLS syslog AfNOG 2009 - Cairo, SI-E, 2 of 5 Sunday Folayan.

NOC TOOLS syslog AfNOG Cairo, SI-E, 2 of 5 Sunday Folayan.
1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.

1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.
AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.

AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.
Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management.

Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
M ONITORING SERVER PERFORMANCE Unit objectives Use Task Manager to monitor server performance and resource usage Use Event Viewer to identify and troubleshoot.

M ONITORING SERVER PERFORMANCE Unit objectives Use Task Manager to monitor server performance and resource usage Use Event Viewer to identify and troubleshoot.

Similar presentations

Ads by Google