Router Security Configuration Guide   UNCLASSIFIED   Version 1.0g   (page 110)

The example below shows how to configure the router Central, shown in the figure above, to send messages of informational severity and above (level 6) to the syslog server, using syslog facility local6 and the correct network interface.

    Central#
    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# logging trap information
    Central(config)# logging 14.2.9.6
    Central(config)# logging facility local6
    Central(config)# logging source-interface eth 0/1
    Central(config)# exit
    Central# show logging
    Syslog logging: enabled (0 messages dropped, 11 flushes, 0 overruns)
        Console logging: level notifications, 35 messages logged
        Monitor logging: level debugging, 35 messages logged
        Buffer logging: level informational, 31 messages logged
            Logging to 14.2.9.6, 28 message lines logged
    Log Buffer (16000 bytes):
      .
      .
    Central#

It is important to configure the syslog server to store router messages in their own file.  Configuration file syntax for syslog servers is uniform for all Unix and Linux syslog servers; the configuration file is almost always /etc/syslog.conf.  The example below shows the syslog configuration line for saving Central's messages into a file.

    # Save router messages to routers.log
    local6.debug                       /var/log/routers.log

Additional Issues for Syslog Logging

For a router whose security is critical, such as a border router on the Internet, it is best to configure two syslog servers.  At least one of the two syslog servers' logs should be backed up to permanent storage (CD-R or tape).

In cases where a router is protecting an enclave from an outside network (e.g. a filtering router connected to the Internet), set up access lists to reject syslog traffic from the outside network.  Syslog uses UDP port 514.  For the example shown in the figure above, an access list entry for the router Central could look something like this:

    access-list 120 deny udp any 14.2.0.0 0.0.255.255 eq syslog

For more information on access lists, consult Section 4.3.

In a situation where a sizable set of routers and other devices are sending messages to the same syslog server, separate the devices into 2-5 populations with similar duties.  Use a separate syslog facility name for each population.  For example, local6 for boundary filtering routers, local5 for internal routers, and local4 for internal switches.
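The syslog.conf selector above (local6.debug) and the facility-per-population scheme both rely on the PRI value that every syslog datagram carries: PRI = facility * 8 + severity, so a local6 (22) informational (6) message from Central arrives as <182>. The Python below is an added example, not part of the guide, that decodes the PRI, evaluates syslog.conf-style selectors the way a traditional syslogd does (a level selects that severity and everything more severe), routes messages into the per-population files the text suggests, and flags messages whose severity exceeds what the router was configured to send with logging trap. The file names for the local5 and local4 populations and the sample log lines are constructed for the example; only /var/log/routers.log, the facility names and the host 14.2.9.6 come from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Syslog facility and severity codes as defined in RFC 3164, section 4.1.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Routing table mirroring the guide's population scheme. The first path is the
# page's own; the other two file names are assumptions made for this example.
RULES: List[Tuple[str, str]] = [
    ("local6.debug", "/var/log/routers.log"),           # boundary filtering routers
    ("local5.debug", "/var/log/internal-routers.log"),  # internal routers (assumed name)
    ("local4.debug", "/var/log/switches.log"),          # internal switches (assumed name)
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Split a raw syslog datagram into (facility, severity, remainder).

    Returns None when the line has no PRI or the PRI is out of range (> 191),
    which is what a receiver should treat as malformed rather than guess at."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8, m.group(2)


def parse_selector(selector: str) -> Tuple[int, int]:
    """Parse a syslog.conf selector such as 'local6.debug' into (facility, max_severity)."""
    fac, _, lvl = selector.partition(".")
    return FACILITIES[fac], SEVERITIES[lvl]


def selector_matches(selector: str, facility: int, severity: int) -> bool:
    """Traditional syslogd semantics: 'facility.level' matches that level and
    everything more severe (a numerically lower severity)."""
    fac, max_sev = parse_selector(selector)
    return facility == fac and severity <= max_sev


def route(line: str) -> Optional[str]:
    """Return the file a message would be written to, or None if no rule matches."""
    decoded = decode_pri(line)
    if decoded is None:
        return None
    facility, severity, _ = decoded
    for selector, path in RULES:
        if selector_matches(selector, facility, severity):
            return path
    return None


def exceeds_trap_level(line: str, trap_level: str = "info") -> bool:
    """True when a message is less severe than the router's 'logging trap' level.

    With 'logging trap informational' a router should never emit severity 7
    (debug) to the collector; seeing it suggests a configuration drift or a
    message not really originating from that router."""
    decoded = decode_pri(line)
    if decoded is None:
        return False
    return decoded[1] > SEVERITIES[trap_level]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many lines land in each file; unrouted lines go under 'unrouted'."""
    counts: Dict[str, int] = {}
    for line in lines:
        key = route(line) or "unrouted"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample datagrams (not captured from a real network).
SAMPLE_LINES = [
    "<182>45: *Mar  1 00:12:03: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 14.2.9.6 started",  # local6.info
    "<181>46: *Mar  1 00:13:10: %SYS-5-CONFIG_I: Configured from console by vty0",               # local6.notice
    "<171>12: *Mar  1 00:14:00: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down",  # local5.err
    "<164>7: *Mar  1 00:15:00: constructed switch warning message",                             # local4.warning
    "<183>47: *Mar  1 00:16:00: constructed debug message that the trap level should block",    # local6.debug
    "<13>host message from an ordinary Unix process",                                           # user.notice
    "garbage line without a PRI",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{route(line) or 'unrouted':32} trap-exceeded={exceeds_trap_level(line)}  {line[:60]}")
    print(summarize(SAMPLE_LINES))
```

Running the block shows the first two lines and the debug line landing in /var/log/routers.log, with only the debug line flagged as exceeding the configured trap level; the host message and the malformed line are left unrouted, which is the behaviour you want before deciding whether a catch-all rule should capture them.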