• All messages displayed by networking devices are called 'Syslog Messages' (System Log
Messages).
• Cisco IOS can send the messages to anyone currently logged in to the device (displayed as console
messages) and can also store the messages (Local Buffer / Syslog Server) so that a user can
look at them later.
• By default, IOS shows log messages of all severity levels to console users. That default
comes from the default (logging console) global configuration command.
Router(config)#logging console
Router#show logging
• IOS defines the format of log messages. The message begins with some data fields about the
message, followed by some text more easily read by humans.
5 (Severity Level)
• Severity Levels are configured with Level Number (0 to 7) or Severity Name (debugging).
• Severity Levels are selected as ranges, which means logging trap 4 selects log levels
0 to 4 (IOS logs Emergencies + Alerts + Critical + Errors + Warnings).
Router(config)#logging trap 4
Router(config)#logging monitor 4
• A Facility can be a protocol, service, utility, etc. Cisco IOS has more than 500 facilities.
IP
OSPF
SYS Operating System
IP Security (IPSec)
Route Switch Processor (RSP)
Interface
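The message format and the severity range described above, as an added example that is not part of the original notes: a parser for `%FACILITY-SEVERITY-MNEMONIC: text` lines and the level range a destination receives. The sample log lines are constructed, and the function names are this example's own.

```python
import re

# IOS severity names, indexed by level number 0 to 7.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# %FACILITY-SEVERITY-MNEMONIC: description (any timestamp before '%' is skipped)
IOS_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-"
                     r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

def parse(line):
    """Return the fields of one IOS log line, or None if it is not a log message."""
    m = IOS_MSG.search(line)
    if m is None:
        return None
    sev = int(m["sev"])
    return {"facility": m["facility"], "severity": sev, "name": SEVERITY[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}

def level_number(level):
    """Accept a level number (0 to 7) or a severity name, as IOS does."""
    return int(level) if str(level).isdigit() else SEVERITY.index(level)

def split_by_level(lines, level):
    """Split messages into (sent, dropped) for a destination set to `level`."""
    limit = level_number(level)
    msgs = [p for p in map(parse, lines) if p]
    sent = [p for p in msgs if p["severity"] <= limit]      # range 0..limit
    dropped = [p for p in msgs if p["severity"] > limit]
    return sent, dropped

# Constructed sample lines (addresses and user name are made up).
SAMPLE = [
    "*Mar  1 00:01:12.003: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:13.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:04:10.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22]",
    "*Mar  1 00:04:31.871: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.50] [localport: 22]",
    "*Mar  1 00:05:02.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)",
]

if __name__ == "__main__":
    sent, dropped = split_by_level(SAMPLE, 4)        # same range as 'logging trap 4'
    for p in sent:
        print("sent   ", p["facility"], p["severity"], p["mnemonic"])
    for p in dropped:
        print("dropped", p["facility"], p["severity"], p["mnemonic"])
```

With level 4 as the limit, the login-success and configuration-change messages in the sample (both level 5) are in the dropped list, so a destination set to that level never records them; level 6 keeps all five.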
• For Telnet and SSH users, the device requires a two-step process before the user sees the
messages.
that tells IOS to enable the sending of log messages to all logged users. (Including
Telnet & SSH Users)
that default configuration is not enough to allow the user to see the log messages.
2. The user must also issue the (terminal monitor) EXEC command during the login session,
which tells IOS that this terminal session would like to receive log messages.
• It is useful to keep a copy of the log messages for later review, so IOS provides three
primary methods to keep a copy.
1. Buffer Logging
2. Syslog Server Logging
3. Persistent Logging
Buffer Logging
• IOS can store copies of the log messages in RAM with the (logging buffered) global configuration
command, and they can be reviewed with the (show logging) command.
• All currently logged messages can be deleted with the (clear logging) command or by rebooting the router.
Router(config)#logging buffered
Router#show logging
• All devices store their Syslog messages centrally on a server called a Syslog Server.
• The Syslog protocol is supported by a wide range of devices and can be used to log different
types of events.
• Windows-based servers don’t support Syslog natively, but a large number of third-party tools
make it easy to collect Windows Event Log or IIS data and forward it to a Syslog server.
○ Typically, most Syslog servers have a couple of components that make this possible.
1. Syslog Listener
A Syslog server needs to receive messages sent over the network. A listener process
gathers syslog data sent over UDP port 514.
UDP messages aren’t acknowledged or guaranteed to arrive, so be aware that some
network devices will send Syslog data via TCP 1468 to ensure message delivery.
2. Database
Large networks can generate a huge amount of Syslog data. Good Syslog servers
will use a database to store syslog data for quick retrieval.
The default Cisco IOS Severity Level for Syslog Server Logging is Level 6 (Informational).
Router(config)#logging 192.168.1.100 or
Router(config)#logging trap 4
Router#show logging
Enabling Date Time Format (Timestamp) on Syslog Messages Saved to Syslog Server
• Normally, when logging to a remote server is enabled, that server sees the source of the
message as the router’s nearest interface.
• The source interface command specifies which interface IP address will be used as the source IP
address of the syslog packets.
• UDP Port 161 is used for Polling and UDP Port 162 is used for Traps.
• Every 5 minutes, the SNMP Server sends a request message to the SNMP Client (Router) and the SNMP
Client (Router) replies with the value. This process is called SNMP Polling and works over UDP Port
161. In the Polling process, the SNMP Client (Router) doesn't need the IP address of the SNMP Server because
the Server sends the request first.
• If something changes on the SNMP Client (Router), the SNMP Client (Router) sends a notification message
to the SNMP Server. This process is called SNMP Traps and works over UDP Port 162. In the Traps
process, the SNMP Client (Router) requires not only authentication configuration but also the IP
address of the SNMP Server.
• SNMP Manager
• SNMP Agent
• MIB
• OID
SNMP Manager
• The computer that runs the SNMP Manager is also called the Network Management Station (NMS).
SNMP Agent
• Software running on managed devices that understands the information in the MIB.
• Each device has a MIB to respond to request messages and to collect information about itself.
• Hierarchical database of variables that describe conditions on a device (e.g. Interface Status).
• The MIB is a collection of the OIDs (variables) the device supports, which describe device status.
• Device information such as Counters, Status, Parameters, etc. are called variables. In IOS
version 15.4 there are over 7000 variables on a router.
• The MIB can differ from device to device. MIB OIDs can also be implemented
by vendors and can be downloaded for a specific device.
• Device MIB variables are queried by the SNMP Manager using Get/Poll Messages.
• When queried, either all OIDs in the MIB respond or only pre-configured OIDs respond. The responding OIDs can be
configured manually on the device or remotely from the SNMP Manager using a Set Message.
• The SNMP Server queries information by OID, and the SNMP Client determines the type of information by
decoding the OID value.
Get / Poll
Get Next
GetBulk
Get Response
Set
Traps
Inform
Get / Poll
○ Used to request information from the agent
Get Next
○ Requests the next piece of information from the agent
GetBulk
○ The GETBULK operation is normally used for retrieving large amounts of data, particularly
from large tables.
○ Requests a range of information categories
Get Response
○ Used by the agent to respond to Get Request Messages and Get Next Request Messages.
Traps
○ Sent from the agent to the manager to inform about a condition.
○ Sent without acknowledgement.
Inform
○ Available only in version 2 and later.
○ Same as traps except that the manager needs to acknowledge receipt.
○ An Inform is also sent from the agent to the manager to report a condition; the only difference
is that an Inform message needs an acknowledgement from the manager.
○ If an acknowledgement isn't received, another inform will be sent.
SNMP Version 1
SNMP Version 2c
SNMP Version 3
SNMP Version 1
• Get Request, Get Next Request, Set Request, Get Response and Trap Messages are used.
○ The Community String value and type need to be the same on both the SNMP Server and the Client.
○ With an RO community string, information is Read Only. Only Get Messages are used.
○ With an RW community string, the SNMP Server (Manager) can read/write settings on the SNMP
Client (Agent). Both Get Messages and Set Messages are used.
○ Doesn't have security (the Community String is sent as plain text) (including the
password)
• SNMP version 2 has two new types of Messages: GetBulk Message and Inform Message
Router#show snmp
• SNMPv3 does away with communities and replaces them with the following features:
Message Integrity
This mechanism is applied to all SNMPv3 Messages and confirms whether a message has been
changed in transit.
Authentication
Optional feature that adds authentication with both a username and a password.
Passwords are sent using a hashing method.
Encryption
Optional feature that encrypts the contents of SNMPv3 Messages.
SNMPv3 Changes
SNMP View
Manually Customized View Configuration on Device with OID.
SNMP Group
Create an SNMP Group for specific users and views.
SNMP User
Configured SNMP viewable User with Authentication (User Name and Password).
For <MIB Family Name>, look up the OID on 'Cisco SNMP Object Navigator'.
The MIB Family Name is case sensitive, e.g. ifIndex (capital I).
• SNMPv3 uses three security levels for integrity, authentication and encryption configuration.
Router(config)#snmp-server user Aung Group1 v3 auth sha Acisco priv des56 Ecisco
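The difference between community strings and the three SNMPv3 security levels, as an added example that is not part of the original notes: a small auditor over configuration commands. The command list is constructed (only the `Aung` line comes from the notes above; other names and passwords are made up), and the level names noAuthNoPriv, authNoPriv and authPriv are the standard SNMPv3 terms, which these notes do not spell out.

```python
def v3_level(opts):
    """Map the keywords that follow 'v3' to an SNMPv3 security level."""
    if "auth" in opts and "priv" in opts:
        return "authPriv"        # integrity + authentication + encryption
    if "auth" in opts:
        return "authNoPriv"      # authenticated, contents not encrypted
    return "noAuthNoPriv"        # username only

def audit_snmp(commands):
    """Return one finding per SNMP access command; secrets are never echoed."""
    findings = []
    for raw in commands.splitlines():
        words = raw.split()
        if words[:2] == ["snmp-server", "community"] and len(words) > 2:
            rw = "RW" in [w.upper() for w in words[3:]]   # no keyword means RO
            issue = "community string travels in plain text"
            if rw:
                issue += "; RW permits Set messages"
            findings.append({"type": "community", "access": "RW" if rw else "RO",
                             "issue": issue})
        elif words[:2] == ["snmp-server", "user"] and "v3" in words[4:]:
            opts = words[words.index("v3", 4) + 1:]
            level = v3_level(opts)
            issue = {"noAuthNoPriv": "no authentication, no encryption",
                     "authNoPriv": "contents not encrypted",
                     "authPriv": None}[level]
            if level == "authPriv":
                alg = (opts[opts.index("priv") + 1:] or [""])[0]
                if alg.startswith("des"):
                    issue = "encryption is 56-bit DES"
            findings.append({"type": "v3 user", "user": words[2],
                             "level": level, "issue": issue})
    return findings

# Constructed command list; only the 'Aung' line appears in the notes.
SAMPLE = """\
snmp-server community public RO
snmp-server community netops RW
snmp-server user Monitor Group1 v3
snmp-server user Bob Group1 v3 auth sha Apass
snmp-server user Aung Group1 v3 auth sha Acisco priv des56 Ecisco
snmp-server user Carol Group1 v3 auth sha Apass priv aes 128 Epass
"""

if __name__ == "__main__":
    for f in audit_snmp(SAMPLE):
        print(f)
```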
Verifying SNMPv3