0:00:14
In our next section for system management, we're going to talk

0:00:16
about logging with syslog

0:00:19
where by default, the logging process should be enabled

0:00:22
with the logging on, and we can verify this by the show

0:00:26
log output, so up to this point we've seen a lot of different

0:00:30
examples with this where we are doing debugging to both the

0:00:34
console and the log buffer whether we're sending our

0:00:37
regular syslog messages to the console and the buffer and we have a

0:00:41
couple of other destinations that are significant here

0:00:44
where the logging monitor is going to control when we are

0:00:48
telnetted into the router or SSHed into the router

0:00:51
or attached to the aux port what particular log messages

0:00:55
or debugs we are going to get

0:00:57
then SNMP trapping and also some platforms support logging

0:01:03
directly to flash. Now regardless of what the particular destination

0:01:06
is, each of them individually is going to have what is

0:01:09
known as the logging severity level.

0:01:13
The severity is a level that is zero through seven

0:01:16
where seven is the most inclusive, which means all the messages zero through seven.

0:01:23
If we're logging at level three, it means we're logging 0, 1, 2 and 3

0:01:27
where seven is our debugging, so our debug IP packet or debug

0:01:33
IP routing and then zero is only the most critical alarms for the

0:01:40
particular device which is basically like a network down type of

0:01:44
emergency log. Now the reason that this is significant to know

0:01:48
what the different logging levels are is that we can

0:01:52
control them on a per destination basis.

0:01:55
So when we look at the show log output

0:01:59
it says, 'The console logging right now is running debugging.'

0:02:03
which means that this is level 7

0:02:06
The monitor is running 7

0:02:08
which means that if we were to telnet into Router 4 here

0:02:12
and issue the terminal monitor command, we would start to

0:02:16
receive the debug messages

0:02:18
but right now the log buffer is not receiving anything.

0:02:23
So if I want messages to go to the buffer, I would have to

0:02:27
specify that individual method. Now each of these options is

0:02:31
going to be controlled with the logging command globally

0:02:34
where again, logging is normally on. For the console we are logging

0:02:39
at level 7 which is debugging.

0:02:44
And we can see what the particular names correspond

0:02:46
to the messages, so zero is an emergency, basically the system is

0:02:51
unusable, seven is the debug message. This is anything like

0:02:57
I mentioned debug IP packet, debug IP routing that we are manually issuing.

0:03:02
For level 6, these are informational messages.

0:03:05
Level 5 is the notification, so things like a link up down event

0:03:10
or an OSPF neighbor or a BGP neighbor

0:03:13
any time we see the log message and towards the

0:03:17
left of the output, it's going to show us

0:03:20
what the particular number is.

0:03:22
So in this case, we change the configuration. This is a severity 5

0:03:28
notification that says there was a change in the configuration

0:03:31
it was configured by the console or from the console by

0:03:34
console, so this is my particular user. Some of the other specific

0:03:38
options that we can change would be the trap level.

0:03:43
So this is when we are logging to a remote syslog server

0:03:47
we would say logging followed by the IP address.

0:03:52
And logging trap debugging would be to send all messages

0:03:55
zero through seven to the syslog server where by default

0:03:59
we're going to log informational which is level 6

0:04:03
Now the logging facility mechanism controls what is the

0:04:08
particular format that the log message is being sent in.

0:04:12
There are two particular reasons that you would want to change

0:04:14
this. One is that based on the syslog server itself what particular

0:04:19
formats it is going to allow inbound or if it

0:04:23
supports multiple facilities

0:04:26
we can use this as a filter for one type of device logs versus another.

0:04:34
So we could say for example that on our routers in the network

0:04:37
we wanted to use the logging facility local 1, but on the switches

0:04:43
we're going to use logging facility local 2

0:04:45
so then when we're actually sorting through our syslogs

0:04:48
on the server, we could say show me only local 2 facility

0:04:52
which would be the switches or show me only local 1 which is

0:04:55
going to be the routers.

0:04:57
So it's a way that we can filter their particular logs

0:05:01
and also the specific format of how the log is going to be generated.

0:05:08
There are also a couple of different ways that we can generate the logs

0:05:11
with time stamping either based on the uptime which is

0:05:15
since the last reload, how long has the router currently

0:05:18
been booted or the local time which is based on the clock.

0:05:25
So previously, you saw in a lot of examples I turned time stamping off

0:05:29
for the logs which is no service timestamp log

0:05:34
then separately for the debugs as well.

0:05:36
So if I say no service timestamp, that's going to affect both of them.

0:05:42
We could do this on a per millisecond basis as well

0:05:46
also we can include what the local time zone is, what the

0:05:50
particular local time is also to the year.

0:05:55
We could also specify that we want to enable line numbers

0:06:05
for the logs which would be the logging...

0:06:15
let's see, is this the logging count?

0:06:25
No it's not the logging count. Let's take a look at the documentation.

0:06:28
This would be under the network management

0:06:33
then system monitoring and logging.

0:06:37
What I want to see is the line numbers.

0:06:42
System monitoring and logging -- actually that is not syslog

0:06:48
that's CPU threshold notification, memory threshold notification

0:06:52
I believe this is going to be under configuration fundamentals.

0:06:57
So you'll see some of the network management topics are under

0:07:00
the network management configuration guide itself.

0:07:03
Some of these are going to be under system management

0:07:05
and then configuration fundamentals

0:07:08
where this would be, so let's work back from

0:07:12
the master index based on this.

0:07:16
So let's go to the main documentation page

0:07:20
to IOS, regular IOS

0:07:25
12.4, 12.4 T

0:07:29
release and general information, master index

0:07:32
for commands, then I want the logging command.

0:07:42
We'll say logging buffered, this is under network management.

0:07:48
So it should be under this network management.

0:08:15
Here we go. Troubleshooting and fault management.

0:08:18
And I want to see the...

0:08:55
It's possible this particular version doesn't support it.

0:09:11
Service

0:09:14
there we go. Service sequence numbers. That's what I'm looking for.

0:09:17
So with this feature here every time we generate a log message

0:09:21
it's going to have a line number on it.

0:09:23
The reason typically you would want to do this is to make sure

0:09:26
that in some sort of -- in a case where you need to sort

0:09:30
through your logs for a security breach, you want to make sure

0:09:35
that people aren't actually deleting the logs out of the server itself.

0:09:40
So with the sequence numbers on, for every log message that

0:09:42
you generate, the sequence number is going to increment

0:09:45
then you would simply know based on the line numbers

0:09:48
if there's a missing number, then the logs have been tampered with.

0:09:54
So this is another way that you can figure out some of the

0:09:58
different services on the routers for either the IP services

0:10:02
or system management type section. If you look at

0:10:04
the service command followed by the question mark

0:10:10
things like the hide telnet addresses.

0:10:14
So if I said service hide telnet addresses

0:10:19
then I were to telnet to 150.28.1.1

0:10:24
notice here that it says trying, but it doesn't

0:10:26
say the particular address.

0:10:32
This is where the small services would be as well.

0:10:35
The things like the TCP and UDP echo, the finger, daytime,

0:10:42
character generator, those types of things.

0:10:46
Service nagle: this is a TCP optimization that is used

0:10:51
when you have very small TCP packets like in the

0:10:54
case of telnet, where the payload is very small and typically every time

0:10:59
you type a character, it's going to generate one TCP packet

0:11:05
so if I'm telnetting into the router, I hit a, that's one packet

0:11:08
I hit b, that's another one.

0:11:10
So the problem is that when you're using telnet for

0:11:13
TCP connections, it's very inefficient since the packets are

0:11:19
or each of the characters are separate packets

0:11:21
where service nagle is a compression that tries to

0:11:24
group the characters together inside the same payload

0:11:27
before they're actually sent over the link.

0:11:31
So if you're doing a lot of remote management through

0:11:33
telnet and SSH, then generally it's a good idea to turn the nagle compression on.

0:11:42
So a lot of this stuff is pretty self-explanatory once you

0:11:44
try it out. The problem again, like any of these features,

0:11:47
unless you spend time to go through the documentation to look

0:11:50
at that, then you're definitely going to have trouble figuring

0:11:53
out based on the question what they are even asking me to do

0:11:56
in the first place.

0:12:00
Now some of these other minor topics would be how to control

0:12:04
access to the router through telnet which again we

0:12:07
talked about during security where under the vty line

0:12:10
this is going to be controlled by the transport input

0:12:13
where transport input is telnet by default.

0:12:16
If I wanted to turn telnet off, I would say no transport input

0:12:21
telnet or transport input ssh which means to allow ssh only

0:12:27
and not telnet. The access class is going to affect any

0:12:32
of the transport mechanisms whether we're doing telnet

0:12:35
and SSH and the rotary command under the vty line can change the port

0:12:42
number that the router is listening at.

0:12:45
So if I were to say under the vty line, line vty 0 4

0:12:54
rotary

0:12:59
let's say rotary 12

0:13:03
now the router is going to be listening at

0:13:10
port 3012

0:13:15
this is regular telnet

0:13:18
and I believe it's going to listen at 5012

0:13:22
and 7012 as well.

0:13:33
For SSH this is going to be off by default where typically

0:13:37
for remote management you would want to be using SSH

0:13:40
as opposed to telnet because telnet is clear text, not only the

0:13:44
payload, but also the authentication itself

0:13:47
where SSH is doing encryption of the authentication and of the actual

0:13:53
payloads of the packets.

0:13:57
To enable SSH, the only thing we need to do is generate an

0:13:59
RSA key, so in the router we would say crypto key generate

0:14:07
crypto key generate rsa

0:14:10
It needs to be at least 712 for SSH version 2

0:14:17
and notice it says 'please define a domain name'

0:14:20
because we need a fully qualified domain name in order to

0:14:23
bind to the certificate which basically is our RSA key.

0:14:28
So I'll say IP domain name is ine.com

0:14:33
crypto key generate rsa

0:14:35
RSA it's going to ask me how long do I want the key

0:14:38
I'll say 768

0:14:44
and now SSH is enabled.

0:14:48
So as long as regular vty access is enabled to the device

0:14:51
I should be able to SSH in

0:14:55
so on Router 4 if I were to say username cisco password cisco

0:15:01
then from anywhere else, I could use the SSH client

0:15:06
where I would say ssh with the login cisco to 150.28.4.4

0:15:15
password cisco

0:15:31
let's see... ssh -l is the login cisco

0:15:42
150.28.4.4

0:15:54
and I may have the username information wrong, let me

0:15:56
reset this on Router 4

0:16:07
actually what I need to do here is say login local

0:16:11
so I'm now checking the username database.

0:16:15
Say line vty 0 4

0:16:20
login local

0:16:23
and no rotary; that'll remove the port number change that I had

0:16:27
before. Now on Router 1 we will ssh in with that particular

0:16:32
login

0:16:36
and now we have access to Router 4, so basically the same thing as telnet from

0:16:40
this point out. The key is that both the authentication

0:16:44
and the actual payload are encrypted

0:16:49
and to support version 2, we need to make sure that

0:16:51
the key length is at least 768

0:16:55
so by default, since it's using 512 when we say

0:16:59
crypto key generate rsa, it asks for 512 by default

0:17:02
it means that SSH version 2 is not going to be supported.

0:17:06
So you could use version 1, but version 2 is more secure

0:17:09
because it's using longer key lengths.

0:17:13
Now again, if I wanted to disable telnet on the router

0:17:17
then I would need to turn the transport input off for that.

0:17:23
So under line vty 0 4

0:17:28
if I said a transport

0:17:38
let's do this locally from 4

0:17:43
line vty 0 4

0:17:45
transport input is ssh

0:17:48
so this means now the router is denying telnet access

0:18:02
which we can see with the connection refused message.

0:18:08
It does still accept SSH though.

0:18:12
So in addition to changing the access methods to the router

0:18:15
whether we're doing telnet or SSH, whether this is local

0:18:19
login or going to AAA

0:18:21
you also want to be aware of what the different system

0:18:23
banners do. Now you don't necessarily need to memorize

0:18:27
what all the differences between the banners are and what

0:18:30
order they show up in

0:18:31
because you could either reference this from documentation

0:18:34
under the configuration fundamentals or you

0:18:38
could simply configure the different banners and

0:18:41
forget what order they show up in.

0:18:44
So if I were to go to Router 5, let's say,

0:18:49
and I want to configure the banner for the exec process

0:18:53
I'll say 'this is the exec banner'

0:18:58
for banner login 'login banner'

0:19:04
banner message of the day 'motd banner'

0:19:10
So now once I log in

0:19:12
if I were to say under line vty 0 4

0:19:16
login local

0:19:18
username cisco password cisco

0:19:22
once I telnet into Router 5

0:19:26
it shows me that the message of the day banner appears first

0:19:30
then the login banner

0:19:33
once I actually start the exec process, then the exec banner should show up.

0:19:38
So the key is that the message of the day is going to come up

0:19:41
regardless of whether I'm actually asking for login information.

0:19:46
The login banner is only going to come up if I'm actually trying to

0:19:48
log in to the exec process.

0:19:54
Then the fourth one, the incoming banner, this would be for

0:19:56
reverse telnet, so for example on your access server if you want

0:20:00
a different banner on one line versus another

0:20:03
you could set what the incoming banner is.