System Message Logging
Overview

Once the AP or bridge is configured and initialized, one of the first items an administrator should enable is system message logging. Logging offers several benefits. The administrator can use the information in a log to tell whether the AP or bridge is working properly or whether it has been compromised. In some cases, logging shows what types of probes or attacks are being attempted against the device or the protected network. Logging can be done locally (to the console or an internal buffer), via syslog, or via SNMP.

Configuring logging should be done carefully. The logs should be sent to a designated log host. A log host is a dedicated computer whose only job is to store logs. The log host should be connected to a trusted or protected network, or an isolated interface. Harden the log host by removing all unnecessary services and accounts. Set the level of logging on the device to one that meets the needs of the security policy, and expect to modify the log settings as the network evolves. The logging level may need to be modified based on how much of the log information is useful. The following two areas should be logged:

  • Matches to filter rules that deny access
  • Changes to the AP or bridge configuration

Logs must be reviewed regularly. Periodic checks of the logs will provide administrators with the normal behavior of the network. A sound understanding of normal operation and its reflection in the logs will help identify abnormal or attack conditions.

Accurate timestamps are essential to logging. In addition to configuring NTP on the AP or bridge, point the log host at the same reliable time servers and include a timestamp in each log message, so that events on the AP can be correlated with events recorded elsewhere. This allows the administrator to trace network attacks more credibly. Finally, consider sending the logs to write-once media or to a dedicated printer to deal with worst-case scenarios such as compromise of the log host.

By default, the AP or bridge sends the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a syslog server, depending on the configuration. The process also sends messages to the console.

When the logging process is disabled, messages are sent only to the console. The messages are sent as they are generated, so message and debug output are interspersed with prompts or output from other commands. Messages are displayed on the console after the process that generated them has finished.

The severity level of the messages can be set to control which messages are displayed on the console and sent to each of the other destinations. Log messages can be timestamped, and the syslog source address can be fixed to a specific interface, to make real-time debugging and management easier and to keep the source address of the messages stable on the log host.

System messages can be accessed by using the access point command-line interface (CLI) or by saving them to a properly configured syslog server. The access point software saves syslog messages in an internal buffer. System messages can be monitored remotely by accessing the AP through Telnet, SSH, or HTTP, or by viewing the logs on a syslog or SNMP server. Events appear on the Summary Status page or the Event Log page of the AP. A description of the event details is shown in Figure .

System log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or timestamp information, if configured. Messages are displayed in this format:

seq no:timestamp: %facility-severity-MNEMONIC: description

The part of the message preceding the percent sign depends on which of the global configuration commands service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime are configured. Without service sequence-numbers and service timestamps, the message begins at the percent sign.
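The following is an added example (not code from the original page or from Cisco) that parses messages in the seq no:timestamp: %facility-severity-MNEMONIC: description format described above and sorts them into the two areas the text says must be logged: matches to filter rules that deny access, and changes to the configuration. The log lines are constructed for illustration. The mapping of %SYS-5-CONFIG_I to configuration changes and of %SEC-6-IPACCESSLOG* "denied" messages to filter denies, and the convention that a leading "*" or "." on the timestamp marks a clock that is not authoritative or not NTP-synchronized, are assumptions about IOS behaviour rather than something the page states.

```python
import re
from collections import defaultdict

# Matches the page's format:  seq no:timestamp: %facility-severity-MNEMONIC: description
# The sequence number and timestamp are both optional; whether they appear
# depends on "service sequence-numbers" and "service timestamps log ...".
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"            # optional sequence number
    r"(?:(?P<ts>[^%]*?): )?"           # optional timestamp, everything up to ": %"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


def parse_message(line):
    """Split one system message into its fields.

    Returns None for lines that are not system messages (for example raw
    debug output, which the logging process interleaves with messages).
    """
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    # Assumption: IOS prefixes the timestamp with "*" when the clock is not
    # authoritative and with "." when NTP has lost synchronization. Either way
    # the time should not be trusted when correlating with other hosts.
    clock_flag = ts[0] if ts and ts[0] in "*." else ""
    return {
        "seq": m.group("seq"),
        "timestamp": ts[1:] if clock_flag else ts,
        "clock_flag": clock_flag,
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "description": m.group("description"),
    }


def classify(msg):
    """Map a parsed message onto the two areas the page says must be logged."""
    if msg["facility"] == "SYS" and msg["mnemonic"] == "CONFIG_I":
        return "config-change"
    if (msg["facility"] == "SEC" and msg["mnemonic"].startswith("IPACCESSLOG")
            and "denied" in msg["description"]):
        return "filter-deny"
    return "other"


def triage(lines):
    """Bucket raw log lines by category; unparsable lines are kept, not dropped."""
    buckets = defaultdict(list)
    for line in lines:
        msg = parse_message(line)
        if msg is None:
            buckets["unparsed"].append(line)
            continue
        buckets[classify(msg)].append(msg)
    return buckets


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "000042: *Mar  1 00:02:15.371 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "000043: Mar  1 00:02:20.120 UTC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.7(44321) -> 10.0.0.1(23), 1 packet",
    "000044: Mar  1 00:02:21.004 UTC: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.0.0.5(51002) -> 10.0.0.1(22), 1 packet",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up",
    "1w2d: %SYS-5-CONFIG_I: Configured from console by console",
    "IP: s=10.0.0.5 (BVI1), d=10.0.0.1, len 60, rcvd 2",  # debug output, not a system message
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for item in items:
            if isinstance(item, dict) and item["clock_flag"]:
                print(f"  seq {item['seq']}: timestamp flagged '{item['clock_flag']}' (clock not authoritative)")
```

Note that the first sample line is flagged: its timestamp carries a leading "*", so even though the message records a configuration change, its time cannot be correlated with the log host until NTP is working on the AP.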

The severity level of messages can be set from 0 (emergencies) to 7 (debugging); setting a level sends that level and every more severe level. The default system message logging configuration is shown in Figure .
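As an added example (not code from the original page or from Cisco), the script below audits a running-config excerpt for the settings the preceding sections call for: a designated log host, a fixed syslog source address, date/time timestamps with milliseconds, NTP, the logging process left enabled, and a trap level that does not drop the informational-level messages in which filter denies are reported. The two configuration excerpts are constructed for illustration; the command syntax shown (logging host, logging source-interface, logging trap, service timestamps log datetime, ntp server) is standard IOS, but the interface name BVI1 and the addresses are assumptions.

```python
import re
from typing import List, Optional

# IOS severity levels 0-7, as accepted by "logging trap <level>" and
# "logging buffered <size> <level>" either as a number or as a keyword.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
SEVERITY_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}


def severity_to_int(token: str) -> Optional[int]:
    """Accept either the numeric level or its IOS keyword; None if invalid."""
    if token.isdigit():
        level = int(token)
        return level if 0 <= level <= 7 else None
    return SEVERITY_BY_NAME.get(token.lower())


def audit_logging_config(config: str, min_trap_level: int = 6) -> List[str]:
    """Return findings for a running-config excerpt; an empty list means it passes.

    min_trap_level defaults to 6 (informational) because ACL deny messages
    such as %SEC-6-IPACCESSLOGP are logged at that level and would be dropped
    by a lower "logging trap" setting.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []

    def present(pattern: str) -> bool:
        return any(re.match(pattern, ln) for ln in lines)

    if not present(r"^logging (host )?\d+\.\d+\.\d+\.\d+"):
        findings.append("no syslog host configured; logs exist only on the AP")
    if not present(r"^logging source-interface "):
        findings.append("no logging source-interface; syslog source address may change with routing")
    if not present(r"^ntp server "):
        findings.append("no NTP server; timestamps cannot be trusted for correlation")
    if not present(r"^service timestamps log datetime"):
        findings.append("log messages are not timestamped with date/time (uptime only, or none)")
    elif not present(r"^service timestamps log datetime.*\bmsec\b"):
        findings.append("timestamps lack msec; correlation across hosts is coarse")
    trap = next((ln for ln in lines if ln.startswith("logging trap ")), None)
    if trap is None:
        findings.append("logging trap not set explicitly; set it to match the security policy")
    else:
        level = severity_to_int(trap.split()[2])
        if level is None:
            findings.append(f"unparseable trap level: {trap!r}")
        elif level < min_trap_level:
            findings.append(
                f"logging trap {SEVERITY_NAMES[level]} ({level}) drops level-{min_trap_level} "
                f"messages such as ACL denies")
    if present(r"^no logging on$"):
        findings.append("logging process disabled ('no logging on'); messages go only to the console")
    return findings


# Constructed excerpts (not taken from a real device). The weak one keeps
# everything on the AP with uptime timestamps; the hardened one sends
# timestamped messages from a fixed source address to a log host.
WEAK_CONFIG = """\
service timestamps log uptime
no logging console
logging buffered 4096 debugging
"""

HARDENED_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
clock timezone UTC 0
ntp server 10.0.0.10
logging buffered 16384 informational
logging console critical
logging trap informational
logging facility local6
logging source-interface BVI1
logging host 10.0.0.20
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_logging_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The audit is deliberately conservative: it reports a missing logging trap rather than relying on the platform default, since the point of the exercise is that the level is chosen to match the security policy and revisited as the network changes.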


Web Links