Router Security Configuration Guide    UNCLASSIFIED    110    Version 1.0g
The example below shows how to configure the router Central, shown in the figure
above, to send messages of informational severity (level 6) and above to the syslog
server, using syslog facility local6 and the correct source network interface.
Central#
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# logging trap information
Central(config)# logging 14.2.9.6
Central(config)# logging facility local6
Central(config)# logging source-interface eth 0/1
Central(config)# exit
Central# show logging
Syslog logging: enabled (0 messages dropped, 11 flushes, 0 overruns)
Console logging: level notifications, 35 messages logged
Monitor logging: level debugging, 35 messages logged
Buffer logging: level informational, 31 messages logged
Logging to 14.2.9.6, 28 message lines logged
Log Buffer (16000 bytes):
.
.
Central#
It is important to configure the syslog server to store router messages in their own
file. Configuration file syntax for syslog servers is uniform across Unix and Linux
syslog servers; the configuration file is almost always /etc/syslog.conf. The example
below shows the syslog configuration line for saving Central's messages into a file.
# Save router messages to routers.log
local6.debug /var/log/routers.log
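The router's "logging trap" level and the server's "local6.debug" selector both work on the numeric facility and severity that each syslog datagram carries in its leading <PRI> field. The following is an added example, not part of the guide: it decodes that field, parses syslog.conf-style selector lines, and shows which file each datagram would land in. The sample datagrams, the host name "unixhost" and the address 14.2.9.20 are constructed for the example; 14.2.9.6 and Central are the guide's own.

```python
import re
from collections import defaultdict

# Syslog PRI = facility * 8 + severity (RFC 3164); local6 is 22, informational is 6.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                  **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
                  "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(pri):
    """Split a PRI value into (facility, severity): 182 -> (22, 6), i.e. local6.info."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

def parse_message(raw):
    """Return (facility, severity, body) for one '<PRI>body' UDP/514 datagram."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("datagram lacks a <PRI> prefix")
    fac, sev = decode_pri(int(m.group(1)))
    return fac, sev, m.group(2)

def parse_selector(line):
    """Parse a syslog.conf rule such as 'local6.debug /var/log/routers.log'."""
    selector, target = line.split(None, 1)
    facility, level = selector.split(".")
    # 'facility.level' accepts that level and everything more severe (lower number).
    return FACILITY_CODES[facility], SEVERITY_CODES[level], target.strip()

def route(messages, rules):
    """Map each log file to the datagrams its selectors accept, in arrival order."""
    out = defaultdict(list)
    for raw in messages:
        fac, sev, _ = parse_message(raw)
        for rule_fac, max_sev, target in rules:
            if fac == rule_fac and sev <= max_sev:
                out[target].append(raw)
    return dict(out)

# Constructed sample datagrams: two from router Central on local6, one from a Unix host.
SAMPLE = [
    "<182>Central: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 14.2.9.6 started - CLI initiated",
    "<181>Central: %SYS-5-CONFIG_I: Configured from console by vty0",
    "<38>unixhost sshd[4242]: Accepted publickey for admin from 14.2.9.20",
]
RULES = [parse_selector("local6.debug\t/var/log/routers.log"),
         parse_selector("auth.info\t/var/log/auth.log")]
if __name__ == "__main__":
    print(route(SAMPLE, RULES))  # router messages in routers.log, sshd line in auth.log
```

Because the router is told "logging trap informational", it never emits severity 7 (debug) datagrams, so the server-side "local6.debug" selector simply accepts everything Central sends.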
Additional Issues for Syslog Logging
For a router whose security is critical, such as a border router on the Internet, it is
best to configure two syslog servers. The logs of at least one of the two syslog servers
should be backed up to permanent storage (CD-R or tape).
In cases where a router is protecting an enclave from an outside network (e.g. a
filtering router connected to the Internet), set up access lists to reject syslog traffic
from the outside network. Syslog uses UDP port 514. For the example shown in the
figure above, an access list entry for the router Central could look something like
this:
access-list 120 deny udp any 14.2.0.0 0.0.255.255 eq syslog
For more information on access lists, consult Section 4.3.
In a situation where a sizable set of routers and other devices are sending messages to
the same syslog server, separate the devices into 2-5 populations with similar duties.
Use a separate syslog facility name for each population. For example, local6 for
boundary filtering routers, local5 for internal routers, and local4 for internal switches