What is Event Log Management

April 12, 2011
  1. Keeping your logs central + backed up

  2. Monitoring your logs regularly

  3. Filter your logs for important stuff

• What is important for you might be something different than for other people or the vendor

• Most of the time, you want to keep some data for searching through, but be notified of some logs immediately

Centralize logs

• A Syslog server collects all logs and splits them up into files, usually grouping several devices into one file

• All routers/switches and Unix boxes can use Syslog; Windows can with extra tools

• Uses UDP Port 514 by default, some implementations can do TCP

• Because UDP is unreliable, best to keep local logs as well – in times of failures, you might not be able to send out messages

Syslog packet format

• Syslog protocol is very simple: PRI, HEADER, MSG

• PRI: Severity and Facility

o Severities: Emergency(0), Alert(1), Critical(2), Error(3), Warning(4), Notice(5), Info(6), Debug(7)

o Facilities: Kern, User, Mail, Daemon, Auth, Syslog, Lpr, News, Uucp, Cron, Authpriv, Ftp, Local0-7

• HEADER: Timestamp and Hostname

• MSG: The real message

• Packet must be <1024 bytes

Reading / sorting logs

• You can add more complicated rules to add one logfile per router/day or similar. You can split up by facilities

• Many people use standard UNIX tools, like grep and sed to filter out log messages they might like or not like and then watch the files (with tail -f)
tail -f mylogfile | egrep -v "(list 337 denied|rate-limited)"
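The packet format above and the filtering idea here, as an added example that is not from the original page: a small Python parser that splits a BSD syslog packet into PRI, HEADER and MSG, decodes facility and severity from PRI (facility * 8 + severity), enforces the 1024-byte limit, and then keeps only messages at Warning or more severe minus an ignore list, like the egrep -v line. The facility names for codes 12-15 are taken from RFC 3164 rather than the page; the sample packets are constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Numeric codes from RFC 3164; names follow the page (12-15 are not on the page).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]
FACILITIES = (["Kern", "User", "Mail", "Daemon", "Auth", "Syslog", "Lpr", "News",
               "Uucp", "Cron", "Authpriv", "Ftp", "Ntp", "Audit", "Console", "Clock"]
              + [f"Local{i}" for i in range(8)])
MAX_PACKET = 1024  # BSD syslog packets must not exceed 1024 bytes

# PRI is "<N>", HEADER is "Mmm dd hh:mm:ss host", the rest is MSG.
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>"
                   r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


class SyslogMsg(NamedTuple):
    facility: str
    severity: int
    timestamp: str
    host: str
    msg: str


def parse(packet: str) -> Optional[SyslogMsg]:
    """Split one BSD syslog packet into its parts; None if malformed or too long."""
    if len(packet.encode()) > MAX_PACKET:
        return None
    m = _LINE.match(packet)
    if not m:
        return None
    fac, sev = divmod(int(m["pri"]), 8)  # high bits = facility, low 3 bits = severity
    if fac >= len(FACILITIES):
        return None
    return SyslogMsg(FACILITIES[fac], sev, m["ts"], m["host"], m["msg"])


def interesting(packets: Iterable[str], max_severity: int = 4,
                ignore: Iterable[str] = ()) -> List[SyslogMsg]:
    """Keep Warning(4) or more severe messages, dropping any matching an ignore pattern."""
    drop = [re.compile(p) for p in ignore]
    kept = []
    for parsed in map(parse, packets):
        if parsed is None or parsed.severity > max_severity:
            continue  # unparseable, or only Notice/Info/Debug
        if not any(r.search(parsed.msg) for r in drop):
            kept.append(parsed)
    return kept


SAMPLE = [  # constructed packets; the first is modelled on the RFC 3164 example
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<188>Oct 11 22:14:16 router1 list 337 denied tcp 10.0.0.5(1234) -> 10.0.0.9(22)",
    "<12>Oct 11 22:14:17 router1 rate-limited messages dropped: 3",
    "<27>Oct 11 22:14:18 mailhost sendmail[123]: queue full",
    "not a syslog packet",
]
```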

www.bestitdocuments.com