Friday, June 8, 2018

Viewing System Logs (Syslogs)

Syslog is a standard for logging. It lets logs be generated on an endpoint, server, system or network device and then be stored locally or sent to a central server or storage system. Because the syslog header is standardized, logs sent in syslog format can be readily ingested by log analysis packages. However, there is no required standard for the content of the message itself, so analysis tools need plug-ins, modules or rules designed to handle syslog data from each vendor or device they analyze.

Each syslog message carries two numeric codes: the facility, which identifies the program or subsystem that logged the message, and the severity, from level 7 (debugging) down to level 0 (emergency). The two are packed into a single priority value (facility x 8 + severity) at the start of the message, followed by the actual message text that is being sent.


You can view system logs on a Windows machine (in this case Windows Server 2012) by typing event in the Search bar and then clicking Event Viewer.


You'll see different types of logs under Event Viewer, such as the Windows Logs group with Application, Security, Setup, System, etc.



Double-click a specific log to view its entries. In this case I went to Windows Logs > Security.
 


To view system logs on Linux (in this case Ubuntu), click Search (the topmost icon in the launcher), type log, and click System Log.
 


It opens syslog by default. You can click on the other log files: auth.log (authentication log), dpkg.log (package manager log) and Xorg.0.log (X display server log).





You can view system logs on a Cisco network device by issuing the show logging command (show log is accepted as an abbreviation). By default the messages are kept in a RAM buffer, so they are lost when the device reboots; that is one reason to also send them to a remote syslog server. Below is the show logging output from a Cisco router, switch and ASA firewall in my lab.


R1#show logging
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 23 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 23 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 26 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (8192 bytes):

*Feb 21 11:14:47.803: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
*Feb 21 11:15:04.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Feb 21 11:15:04.847: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb 21 11:15:04.855: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Feb 21 11:15:04.863: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Feb 21 11:15:05.791: %SYS-5-CONFIG_I: Configured from memory by console
*Feb 21 11:15:06.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Feb 21 11:15:06.163: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Feb 21 11:15:06.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
*Feb 21 11:15:06.319: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)M11, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 16-Oct-16 07:53 by prod_rel_team
*Feb 21 11:15:06.347: %SNMP-5-COLDSTART: SNMP agent on host R1 is undergoing a cold start
*Feb 21 11:15:06.463: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Feb 21 11:15:06.467: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Feb 21 11:15:07.799: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Feb 21 11:15:07.811: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Feb 21 11:15:07.839: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down
*Feb 21 11:15:25.487: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Feb 21 11:15:39.299: %SYS-5-CONFIG_I: Configured from console by console
*Feb 21 11:17:06.147: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb 21 11:17:07.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Feb 21 11:17:07.687: %SYS-5-CONFIG_I: Configured from console by console
*Feb 21 11:17:08.975: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Feb 21 11:17:09.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up


SW1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

Active Message Discriminator:
EXCESS    severity group drops    6
          msg-body       drops    EXCESSCOLL

No Inactive Message Discriminator.

    Console logging: level debugging, 62 messages logged, xml disabled,
                     filtering disabled, discriminator(EXCESS),
                     0 messages rate-limited, 1366 messages dropped-by-MD
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 1428 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 1428 message lines logged
        Logging Source-Interface:       VRF Name:
         
Log Buffer (50000 bytes):
*Feb 18 02:36:10.265: %LINK-5-CHANGED: Interface Ethernet2/3, changed state to administratively down
*Feb 18 02:36:11.270: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet2/3, changed state to down
*Feb 18 02:36:25.809: %LINK-3-UPDOWN: Interface Ethernet2/3, changed state to up
*Feb 18 02:36:27.820: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet2/3, changed state to up
*Feb 18 02:36:29.510: %SYS-5-CONFIG_I: Configured from console by console
*Feb 18 02:47:00.774: %LINK-5-CHANGED: Interface Ethernet1/1, changed state to administratively down
*Feb 18 02:47:01.778: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to down
*Feb 18 02:47:02.886: %SYS-5-CONFIG_I: Configured from console by console
*Feb 18 02:47:03.810: %LINK-3-UPDOWN: Interface Ethernet1/1, changed state to up
*Feb 18 02:47:05.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to up
*Feb 18 10:34:34.974: %LINK-5-CHANGED: Interface Ethernet1/3, changed state to administratively down
*Feb 18 10:34:35.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/3, changed state to down
*Feb 18 10:34:38.116: %SYS-5-CONFIG_I: Configured from console by console
*Feb 18 10:34:39.212: %LINK-3-UPDOWN: Interface Ethernet1/3, changed state to up
*Feb 18 10:34:40.216: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/3, changed state to up
*Feb 19 12:19:39.277: %SYS-5-CONFIG_I: Configured from console by console
*Feb 19 12:20:49.850: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to up
*Feb 19 13:12:48.851: %AMDP2_FE-6-EXCESSCOLL: Ethernet3/3 TDR=0, TRC


ciscoasa# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 22 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
%ASA-5-111008: User 'enable_15' executed the 'logging buffered 6' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffered 6'
%ASA-5-111005: console end configuration: OK
%ASA-5-111007: Begin configuration: console reading from terminal
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'configure terminal'
%ASA-5-111008: User 'enable_15' executed the 'interface GigabitEthernet 2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'interface GigabitEthernet 2'
%ASA-5-111008: User 'enable_15' executed the 'shutdown' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'shutdown'
%ASA-4-411002: Line protocol on Interface GigabitEthernet2, changed state to down
%ASA-4-411003: Interface GigabitEthernet2, changed state to administratively up
%ASA-5-111008: User 'enable_15' executed the 'no shutdown' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'no shutdown'
%ASA-4-411001: Line protocol on Interface GigabitEthernet2, changed state to up
%ASA-4-411004: Interface GigabitEthernet2, changed state to administratively down
%ASA-5-111008: User 'enable_15' executed the 'shutdown' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'shutdown'
%ASA-4-411002: Line protocol on Interface GigabitEthernet2, changed state to down
%ASA-5-111005: console end configuration: OK


Note that in the ASA output above Timestamp logging is disabled, so the buffered messages carry no time of day; enable it with the logging timestamp command before relying on them for an investigation. The Cisco ASA firewall also has a graphical user interface (GUI) called Adaptive Security Device Manager (ASDM). To view real-time firewall syslogs, go to Monitoring > Logging > Real-Time Log Viewer > View.



You can click Pause to temporarily stop the real-time display (the firewall keeps generating syslogs). Click a specific log entry to view more information under Syslog Details.


It is a best practice to send syslogs to a remote syslog server, so that they survive a reboot of the device and are out of reach of anyone who later gains control of it. I used Kiwi Syslog Server, which is free for a 14-day trial, in my lab. Configure the device to send its syslogs to the server's IP address with logging host <SYSLOG IP ADDRESS>; the related logging trap <level> command sets the highest severity level sent to the server (informational by default, as the Trap logging line in show logging shows). Keep in mind that this sends messages over UDP port 514 in clear text with no authentication, so the syslog traffic belongs on a management network.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
  alarm                Configure syslog for alarms
  buffered             Set buffered logging parameters
  buginf               Enable buginf logging for debugging
  cns-events           Set CNS Event logging level
  console              Set console logging parameters
  count                Count every log message and timestamp last occurance
  delimiter            Append delimiter to syslog messages
  discriminator        Create or modify a message discriminator
  dmvpn                DMVPN Configuration
  esm                  Set ESM filter restrictions
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  filter               Specify logging filter
  history              Configure syslog history table
  host                 Set syslog server IP address and parameters
  message-counter      Configure log message to include certain counter value
  monitor              Set terminal line (monitor) logging parameters
  on                   Enable logging to all enabled destinations
  origin-id            Add origin ID to syslog messages
  persistent           Set persistent logging parameters
  policy-firewall      Firewall configuration
  queue-limit          Set logger message queue size
  rate-limit           Set messages per second limit
  reload               Set reload logging level
  server-arp           Enable sending ARP requests for syslog servers when
                       first configured
  source-interface     Specify interface for source address in logging
                       transactions
  trap                 Set syslog server logging level
  userinfo             Enable logging of user info on privileged mode enabling

R2(config)#logging host ?
  Hostname or A.B.C.D  IP address of the syslog server
  ipv6                 Configure IPv6 syslog server

R2(config)#logging host 192.168.1.50
R2(config)#log
*Feb 25 20:19:53.650: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.50 port 514 started - CLI initiated
R2(config)#end         
R2#
*Feb 25 20:20:25.414: %SYS-5-CONFIG_I: Configured from console by console
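To see what the facility and severity codes described at the top of the post look like on the receiving end, and how the %COMPONENT-SEVERITY-CODE format in the router, switch and ASA outputs above is parsed, here is the parsing and triage logic of a small syslog receiver. It is an added example, not code from the original post or from Kiwi Syslog Server. The datagrams in it are constructed to mirror the messages shown above and assume the default facilities visible in the show logging outputs (local7 for IOS, local4, i.e. Facility: 20, for the ASA), an IOS message counter and timestamp prefix, and no ASA timestamp (as in the output above); the configuration-change codes it flags (SYS-5-CONFIG_I, ASA 111008 and 111010) are the ones that appear in those outputs.

```python
"""Syslog-server-side parsing for Cisco IOS and ASA messages (added example).

The sample datagrams are constructed to mirror the post's show logging output
and assume the defaults shown there: facility local7 (23) for IOS, local4 (20)
for the ASA, an IOS counter/timestamp prefix, no ASA timestamp.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Syslog severity 0..7 and the 24 standard facilities (RFC 3164 / RFC 5424).
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debugging"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
            ] + [f"local{i}" for i in range(8)]

# (component, code) pairs that mean someone changed the device configuration;
# values taken from the outputs in the post.
CONFIG_CHANGE = {("SYS", "CONFIG_I"), ("ASA", "111008"), ("ASA", "111010")}

# Constructed sample datagrams, as they would arrive on UDP/514.
SAMPLE_DATAGRAMS = [
    b"<189>30: *Feb 25 20:20:25.414: %SYS-5-CONFIG_I: Configured from console by console",
    b"<187>31: *Feb 25 20:21:02.001: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    b"<165>%ASA-5-111008: User 'enable_15' executed the 'shutdown' command.",
    b"<164>%ASA-4-411002: Line protocol on Interface GigabitEthernet2, changed state to down",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Cisco body: %COMPONENT-SEVERITY-MNEMONIC: text (the ASA uses a 6-digit ID as mnemonic).
_MSG_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-([0-7])-([A-Z0-9_]+):\s(.*)", re.S)


@dataclass
class SyslogEvent:
    facility: str    # from the <PRI> header, e.g. "local7"
    severity: int    # 0 (emergency) .. 7 (debugging)
    component: str   # "SYS", "LINK", "ASA", ...
    code: str        # mnemonic (IOS) or six-digit message ID (ASA)
    text: str


def decode_pri(pri: int) -> Tuple[str, int]:
    """Split the priority value: PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY[pri // 8], pri % 8


def parse_datagram(data: bytes) -> SyslogEvent:
    """Parse one datagram; raise ValueError for anything that is not a Cisco-style message."""
    raw = data.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    # search() skips the IOS counter/timestamp or any ASA timestamp/device-id prefix.
    mm = _MSG_RE.search(m.group(2))
    if not mm:
        raise ValueError("no %COMPONENT-SEV-CODE body")
    component, sev_in_body, code, text = mm.groups()
    # Cisco embeds the same severity in the body as in the PRI; a mismatch means
    # a truncated or mangled message, so refuse it rather than guess.
    if int(sev_in_body) != severity:
        raise ValueError(f"severity mismatch: PRI says {severity}, body says {sev_in_body}")
    return SyslogEvent(facility, severity, component, code, text)


def is_config_change(event: SyslogEvent) -> bool:
    return (event.component, event.code) in CONFIG_CHANGE


def summarize(datagrams: Iterable[bytes]) -> Dict[str, int]:
    """Count parsed messages per severity name, e.g. {"notice": 2, "error": 1}."""
    counts: Dict[str, int] = {}
    for event in map(parse_datagram, datagrams):
        name = SEVERITY[event.severity]
        counts[name] = counts.get(name, 0) + 1
    return counts


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive live datagrams and print them; port 514 needs root or CAP_NET_BIND_SERVICE.
    UDP syslog is cleartext and unauthenticated, so bind this only on a management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                event = parse_datagram(data)
            except ValueError as exc:
                print(f"{src}: dropped ({exc}): {data!r}")
                continue
            flag = "  <-- CONFIG CHANGE" if is_config_change(event) else ""
            print(f"{src} {event.facility}.{SEVERITY[event.severity]} "
                  f"%{event.component}-{event.severity}-{event.code}: {event.text}{flag}")


if __name__ == "__main__":
    for ev in map(parse_datagram, SAMPLE_DATAGRAMS):
        print(ev, "CONFIG CHANGE" if is_config_change(ev) else "")
    print(summarize(SAMPLE_DATAGRAMS))
```

Run it as-is to see the four constructed datagrams decoded; call serve() (as root, or with the port changed to something above 1024 and the device pointed at it) to watch a real router or ASA. The PRI check is the part worth keeping in any home-grown receiver: it is how the server learns the facility and severity the device assigned, independent of whatever the vendor put in the message body.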


Just follow the Kiwi Syslog Server installation wizard.


