UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
For best security, set up both syslog logging and console logging. In a network
where SNMP management is already deployed, enable SNMP trap logging also.
SNMP and the related RMON facility are discussed in more detail in the next
subsection.
The descriptions below recommend logging configuration settings. For additional
information about Cisco logging commands and facilities, consult the
Troubleshooting Commands section of the Cisco IOS Configuration Fundamentals
Command Reference.
Setting up Console and Buffered Logging
To turn on console logging, use the commands shown below. This example sets the
logging level for the console to level 5.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z
Central(config)# ! set console logging to level 5 (notify)
Central(config)# logging console notification
Central(config)# logging on
Central(config)# exit
Central#
This example sets the console message level to 5, notifications, which means that
important messages will appear on the console, but access list log messages will not.
Use the command logging console info to see all informational messages
including access list log messages. Use the command logging console debug to
see ALL messages on the console.
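The level threshold described above can be checked offline against a set of log messages. The following is an added example, not part of the original guide: it reads the severity digit from each message tag and reports which messages a destination set to a given level would display. The function names and sample messages are constructed for illustration, and the keyword prefix matching is an assumption that models IOS accepting unambiguous abbreviations such as "info" and "debug".

```python
import re

# Cisco IOS logging severity keywords; list index == numeric level (0 is most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# IOS messages carry their severity in the tag: %FACILITY-SEVERITY-MNEMONIC
MSG_TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")


def level_number(keyword):
    """Resolve a level given as a digit or as a (possibly abbreviated) keyword."""
    keyword = keyword.strip().lower()
    if keyword.isdigit() and int(keyword) < len(LEVELS):
        return int(keyword)
    matches = [i for i, name in enumerate(LEVELS) if name.startswith(keyword)]
    if not keyword or len(matches) != 1:
        raise ValueError(f"unknown or ambiguous logging level: {keyword!r}")
    return matches[0]


def shown_at(level, messages):
    """Return the messages that a destination set to `level` would display."""
    threshold = level_number(level)
    shown = []
    for line in messages:
        tag = MSG_TAG.search(line)
        # A message is displayed when its severity number is <= the threshold.
        if tag and int(tag.group(2)) <= threshold:
            shown.append(line)
    return shown


# Constructed sample messages (addresses and interface names are made up).
SAMPLE = [
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%LINK-3-UPDOWN: Interface Ethernet0, changed state to down",
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 192.0.2.10(1047) -> 198.51.100.6(23), 1 packet",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down",
]

if __name__ == "__main__":
    for level in ("notification", "info"):
        print(f"logging console {level}:")
        for line in shown_at(level, SAMPLE):
            print("   ", line)
```

With the constructed sample, the access list message (severity 6) is dropped at level "notification" and appears at level "info".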
For buffered and other forms of persistent logs, recording the time and date of the
logged message is very important. Cisco routers have the ability to timestamp their
messages, but it must be turned on explicitly. As a rule of thumb, your log buffer
size should be about 16 Kbytes; if your router has more than 16 Mbytes of RAM,
then you can set the log size to 32 or 64 Kbytes. The example below shows how to
turn on buffered logging, how to enable time stamps, and how to view the buffered
log.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z
Central(config)# ! Set a 16K log buffer at information level
Central(config)# logging buffered 16000 information
Central(config)# ! turn on time/date stamps in log messages
Central(config)# service timestamp log date msec local show-timezo
Central(config)# exit
Central#
Central# show logging
Syslog logging: enabled (0 messages dropped,1 flushes,0 overruns)
Console logging: level notifications, 328 messages logged
Buffer logging: level informational, 1 messages logged
Trap logging: level debugging, 332 message lines logged
Logging to 14.2.9.6, 302 message lines logged