Once the AP or bridge is configured and initialized, one item an
administrator will want to enable is system logging. Logging
offers several benefits. The administrator can use the information in a log to
tell whether the AP or bridge is working properly or whether it has been
compromised. In some cases, logging can show what types of probes or attacks
are being attempted against the device or the protected network. Logging can be
achieved via local logging, syslog, or SNMP.
Configuring logging should be done carefully. The logs should be sent to a
designated log host. A log host is a dedicated computer whose only job is to
store logs. The log host should be connected to a trusted or protected network,
or an isolated interface. Harden the log host by removing all unnecessary
services and accounts. Set the level of logging on the device to one that meets
the needs of the security policy, and expect to modify the log settings as the
network evolves. The logging level may need to be modified based on how much of
the log information is useful. The following two areas should be logged:
- Matches to filter rules that deny access
- Changes to the AP or bridge configuration
Logs must be reviewed regularly. Periodic checks of the logs will
provide administrators with the normal behavior of the network. A sound
understanding of normal operation and its reflection in the logs will help
identify abnormal or attack conditions.
Accurate timestamps are important to logging. In addition to configuring NTP
on the AP or bridge, point the log host at reliable time servers and include a
timestamp in each log message. This allows the administrator to trace network
attacks more credibly. Finally, consider sending the logs to write-once media
or to a dedicated printer to deal with worst-case scenarios such as compromise
of the log host.
By default, the AP or bridge sends the output from system
messages and debug privileged EXEC commands to a logging process. The logging
process controls the distribution of logging messages to various destinations,
such as the logging buffer, terminal lines, or a syslog server, depending on
the configuration. The process also sends messages to the console.
When the logging process is disabled, messages are sent only to the console.
The messages are sent as they are generated, so message and debug output are
interspersed with prompts or output from other commands. Messages are displayed
on the console after the process that generated them has finished.
The severity level of the messages can be set to control which messages are
displayed on the console and sent to each of the other destinations. Log
messages can be timestamped, and the syslog source address can be set, to
enhance real-time debugging and management.
System messages can be accessed by using the access point command-line
interface (CLI) or by saving them to a properly configured syslog server. The
access point software saves syslog messages in an internal buffer. System
messages can be monitored remotely by accessing the AP through Telnet, SSH, or
HTTP, or by viewing the logs on a syslog or SNMP server. Events appear on the
Summary Status page or the Event Log page of the AP. A description of the
event details is shown in Figure .
System log messages can contain up to 80 characters and a percent sign (%),
which follows the optional sequence number or timestamp information, if
configured. Messages are displayed in this format:
seq no:timestamp: %facility-severity-MNEMONIC: description
The part of the
message preceding the percent sign depends on the setting of the
service sequence-numbers, service timestamps log
datetime, service timestamps log datetime [localtime]
[msec] [show-timezone], or service timestamps log
uptime global configuration command.
The level of messages can be set from 0 to 7. The default system message
logging configuration is shown in Figure .
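As an added example (not part of the guide and not Cisco software), the following Python script parses messages in the format above, the way a review script on the log host might, and pulls out the two areas the guide says must be logged: configuration changes and matches to deny filter rules. It assumes the standard IOS mnemonics SYS-5-CONFIG_I for a configuration change and SEC-6-IPACCESSLOGP / SEC-6-IPACCESSLOGDP for access-list log entries, treats a missing timestamp and a gap in the sequence numbers as review findings, and uses constructed sample lines rather than real device output.

```python
"""Parse and triage Cisco IOS-style AP/bridge syslog messages.

Example code added to the guide; not Cisco software. Sample lines are
constructed. Mnemonic names are assumed from standard IOS images.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout from the text: seq no:timestamp: %facility-severity-MNEMONIC: description
# Sequence number and timestamp appear only when "service sequence-numbers"
# and "service timestamps log ..." are configured, so both are optional here.
LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"        # optional sequence number, e.g. "000123: "
    r"(?:(?P<ts>[^%]*?):\s*)?"        # optional timestamp, runs up to ": %"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)

# Severity levels 0-7 as used by the logging commands.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}

# Mnemonics mapped onto the two must-log areas (assumed standard IOS names).
CONFIG_CHANGE_MNEMONICS = {"CONFIG_I"}
FILTER_LOG_MNEMONICS = {"IPACCESSLOGP", "IPACCESSLOGDP"}


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"].strip() if m["ts"] else None,
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def classify(msg: SyslogMessage) -> Optional[str]:
    """Map a message to one of the two must-log areas, or None for anything else."""
    if msg.facility == "SYS" and msg.mnemonic in CONFIG_CHANGE_MNEMONICS:
        return "config_change"
    if (msg.facility == "SEC" and msg.mnemonic in FILTER_LOG_MNEMONICS
            and "denied" in msg.description):
        return "filter_deny"
    return None


def review(lines: List[str]) -> Dict[str, object]:
    """Triage a batch of log lines as a periodic log review would.

    Collects config changes and filter denies, counts messages that carry no
    timestamp (timestamps/NTP not configured), keeps unparseable lines, and
    records gaps in sequence numbers, which can mean lost or removed messages.
    """
    report: Dict[str, object] = {"config_changes": [], "filter_denies": [],
                                 "missing_timestamp": 0, "unparsed": [],
                                 "sequence_gaps": []}
    last_seq: Optional[int] = None
    for line in lines:
        msg = parse_message(line)
        if msg is None:
            report["unparsed"].append(line)
            continue
        if msg.timestamp is None:
            report["missing_timestamp"] += 1
        if msg.seq is not None:
            if last_seq is not None and msg.seq != last_seq + 1:
                report["sequence_gaps"].append((last_seq, msg.seq))
            last_seq = msg.seq
        area = classify(msg)
        if area == "config_change":
            report["config_changes"].append(msg.description)
        elif area == "filter_deny":
            report["filter_denies"].append(msg.description)
    return report


# Constructed sample lines in the format shown above (not real device output).
SAMPLE_LINES = [
    "000101: Mar  1 00:02:15.123 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "000102: Mar  1 00:02:40.001 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(1234) -> 10.0.0.1(23), 1 packet",
    "000104: Mar  1 00:03:01.500 UTC: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down",
    "%SYS-5-RESTART: System restarted --",
    "garbage line from a broken collector",
]

if __name__ == "__main__":
    for key, value in review(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The sequence-gap check only means something if "service sequence-numbers" is enabled on the device; with timestamps but no sequence numbers, the "missing_timestamp" counter is the more useful signal that the device is not configured as the guide recommends.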