Cisco Syslog & SNMP Guide

This document provides information about system message logging (syslog) on networking devices. It describes how syslog works, including the syslog protocol, message formatting, severity levels, facilities, and methods to store messages locally or send them to a remote syslog server for later review. Configuration examples are given for enabling console logging, setting severity levels, and configuring a syslog server IP address.

Uploaded by

Nay Oo

NTP Syslog SNMP Page 1

System Message Logging (Syslog)

• All messages displayed by networking devices are called 'Syslog Messages' (System Log
Messages).

• Syslog enables devices to report errors and notifications.

• RFC 3164 and RFC 5234 define the Syslog protocol.

• Syslog messages are transferred over UDP port 514.

• Cisco IOS can send the messages to anyone currently logged in to the device (displayed as
console messages) and can also store the messages (local buffer / Syslog server) so that a user
can look at them later.

• By default, IOS shows log messages of all severity levels to console users. That default exists
because of the default (logging console) global configuration command.

Router(config)#logging console

Verifying Console Logging Enabled / Disabled State

Router#show logging

Enabling and Disabling Console Logging

Router(config)#logging console (Enables Console Logging)

Router(config)#no logging console (Disables Console Logging)

Cisco Device Logging Types

Console Logging - Syslog messages shown to console users
Monitor Logging - Syslog messages shown to remote access (Telnet / SSH) users
Buffer Logging - Syslog messages stored in the local buffer
Exception Logging - Limits the amount of logging buffer size used for exception output
Persistent Logging - Syslog messages written into flash (HDD)

Syslog Message Format

• IOS defines the format of log messages. The message begins with some data fields about the
message, followed by text that is more easily read by humans.

*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

000011: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

*Dec 18 17:10:15.079 (Timestamp) or 000011 (Sequence Number)

%LINEPROTO (Facility on the router)

5 (Severity Level)

UPDOWN (Mnemonic for the message)

Line protocol on Interface FastEthernet0/0, changed state to down (Description of the message)

Severity Level
• Every Syslog message contains a severity level.
• To give a sense of the importance of each message, IOS assigns each message a severity level.
• There are 8 levels of Syslog messages (8 severity levels),

○ Smaller numerical levels are the more critical alarms.

○ The default Cisco IOS severity level for all message types is Level 7 (debugging).

○ The debugging level also includes protocol debugging messages.

Configuring Severity Levels

• Severity levels are configured with a level number (0 to 7) or a severity name (e.g. debugging).

• Severity levels are selected as ranges, which means logging trap 4 defines log levels from
0 to 4 (IOS logs all levels from Emergencies + Alerts + Critical + Errors + Warnings).

○ (logging monitor <Level>) to define the Monitor (Telnet / SSH) Logging Level

○ (logging buffered <Level>) to define the Buffered Logging Level

○ (logging trap <Level>) to define the Syslog Server Logging Level

Router(config)#logging trap 4

Router(config)#logging trap warnings

Router(config)#logging monitor 4

Router(config)#logging buffered debugging
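As an added example (written for this page, not code from the guide), the message format and the severity ranges above in working code: a parser for the two IOS message forms shown (timestamp or sequence number, then %FACILITY-SEVERITY-MNEMONIC), also accepting the RFC 3164 <PRI> prefix a syslog server sees on the wire, and a filter that applies the "logging trap <level>" rule (levels 0..N are forwarded). The sample lines are constructed, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# IOS severity names in level order: list index == level number (0 = most critical).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# One IOS message: optional RFC 3164 <PRI> (seen on the wire), optional sequence number,
# optional timestamp ('*' = non-authoritative clock), then %FACILITY-SEVERITY-MNEMONIC: text.
IOS_MSG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+):\s*)?"
    r"(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$")

@dataclass
class CiscoSyslog:
    sequence: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str
    pri_severity: Optional[int]  # severity encoded in the wire PRI (PRI % 8), if any

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

def parse_ios_message(line: str) -> CiscoSyslog:
    m = IOS_MSG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IOS syslog message: {line!r}")
    pri = int(m["pri"]) if m["pri"] else None  # PRI = facility * 8 + severity
    return CiscoSyslog(
        sequence=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        pri_severity=None if pri is None else pri % 8,
    )

def level_number(level: Union[int, str]) -> int:
    """Accept a level number (0-7) or a name, as 'logging trap 4' / 'logging trap warnings' do."""
    return SEVERITY_NAMES.index(level.lower()) if isinstance(level, str) else level

def messages_for_server(lines: List[str], trap_level: Union[int, str]) -> List[CiscoSyslog]:
    """'logging trap N' forwards levels 0..N, so keep only messages whose severity <= N."""
    limit = level_number(trap_level)
    return [m for m in map(parse_ios_message, lines) if m.severity <= limit]

# Constructed sample lines modelled on the two formats the guide shows, plus the <PRI>
# prefix a syslog server sees (189 = local7*8 + 5); not captured from a real device.
SAMPLE_LINES = [
    "*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "000011: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "<189>000012: *Dec 18 17:10:20.001: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.50)",
    "<188>000013: *Dec 18 17:11:02.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.77]",
]
```

With "logging trap warnings" only the level-4 LOGIN_FAILED line reaches the server; with the server default of informational (6) all four would.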

Syslog Facilities

• Every Syslog message contains a service identifier called the 'Syslog Facility'.

• A facility is a service provided by IOS for a particular function.

• A facility can be a protocol, a service, a utility, etc. Cisco IOS has more than 500 facilities.

• Common Syslog facilities are:

○ IP
○ OSPF
○ SYS (Operating System)
○ IP Security (IPSec)
○ Route Switch Processor (RSP)
○ Interface

Logging Syslog Messages to Remote Access Users

• For Telnet and SSH users, the device requires a two-step process before the user sees the
messages.

1. First, IOS has another global configuration setting (logging monitor)

○ that tells IOS to enable the sending of log messages to all logged-in users (including
Telnet & SSH users).

○ That default configuration alone is not enough to allow the user to see the log messages.

2. The user must also issue the (terminal monitor) EXEC command during the login session,

○ which tells IOS that this terminal session would like to receive log messages.

Router(config)#logging monitor (Enables Remote Logging)

Router#terminal monitor (Enables Logging on Telnet / SSH)

Storing Syslog Messages for Later Review

• It is useful to keep a copy of the log messages for later review, so IOS provides three
primary methods to keep a copy.

1. Buffer Logging
2. Syslog Server Logging
3. Persistent Logging

Buffer Logging

• IOS can store copies of the log messages in RAM with the (logging buffered) global configuration
command; they can then be reviewed with the (show logging) command.

• Buffer Logging default severity level = debugging (Levels 0 to 7)

• Default Logging Buffer Size (4096 bytes)

• All currently logged messages can be deleted via the (clear logging) command or by rebooting the router.

(logging buffered) - Enable Buffered Logging

(logging buffered level-name | level-number) - Set Displayed Message Levels

Router(config)#logging buffered

Router#show logging

Syslog Server Logging

• All devices store their Syslog messages centrally on a server called a Syslog Server.

• The Syslog protocol is supported by a wide range of devices and can be used to log different
types of events.

• Windows-based servers don't support Syslog natively, but a large number of third-party tools
make it easy to collect Windows Event Log or IIS data and forward it to a Syslog server.

Syslog Server Components

○ Typically, most Syslog servers have a couple of components that make this possible.

1. Syslog Listener
○ A Syslog server needs to receive messages sent over the network. A listener process
gathers syslog data sent over UDP port 514.
○ UDP messages aren't acknowledged or guaranteed to arrive, so be aware that some
network devices will send Syslog data via TCP 1468 to ensure message delivery.

2. Database
○ Large networks can generate a huge amount of Syslog data. Good Syslog servers
will use a database to store syslog data for quick retrieval.

3. Management and filtering software (Filtering, Management, Reporting)

○ Because of the potential for large amounts of data, it can be cumbersome to find
specific log entries when needed.
○ The solution is to use a syslog server that both automates part of the work and
makes it easy to filter and view important log messages.
○ Syslog servers should be able to generate alerts, notifications, and alarms in
response to selected messages, so that administrators know as soon as a problem
occurs and can take swift action.

Best 15 Syslog Servers (Free / Commercial)

1. SolarWinds Kiwi Syslog Server (FREE DOWNLOAD)
2. Paessler PRTG (FREE TRIAL)
3. Event Log Analyzer
4. WhatsUp Syslog Server
5. Syslog Watcher
6. Fastvue Syslog
7. The Dude
8. Nagios Log Server
9. Icinga 2
10. Visual Syslog Server
11. Syslog-NG
12. NxLog
13. Logstash
14. Graylog
15. TFTPD32

Syslog Server Configuration on Packet Tracer

1. Assign an IP on the server (also the default gateway)
2. Services Tab > Syslog > On

Syslog Server Configuration on a Real PC

• By using Kiwi Syslog Server (Evaluation Version) or
• By using SolarWinds NPM

1. Download and Install > Run …

Configuring Syslog Server on Cisco Device

○ The default Cisco IOS severity level for Syslog Server Logging is Level 6 (Informational).

Router(config)#logging <SyslogServerIPAddress> (Configures the Server IP)

Router(config)#logging 192.168.1.100 or

Router(config)#logging host 192.168.1.100

Router(config)#logging trap <LevelNumber>/<Name> (Defines the Severity Level)

Router(config)#logging trap 4

Router(config)#logging trap warnings

Verifying Syslog Server Configuration

Router#show logging

Enabling Date/Time Format (Timestamp) on Syslog Messages Saved to the Syslog Server

• By default, a timestamp is not included in Syslog messages saved on the server.

Router(config)#service timestamps log datetime msec

R1(config)#no service timestamps (Disabling)

Enabling / Disabling Sequence Numbers

• By default, a sequence number is not included in Syslog messages saved on the server.

• Timestamp and sequence number can be configured at the same time.

Router(config)#service sequence-numbers (Enabling)

Router(config)#no service sequence-numbers (Disabling)

Logging source-interface Command or Syslog Packet Source Address

• Normally, when logging to a remote server is enabled, that server will see the source of the
message as being the router's nearest interface.

• The source-interface command specifies which interface IP address will be used as the source IP
address of the syslog packets.

Router(config)#logging source-interface <Interface>

Router(config)#logging source-interface loopback0

SNMP

• Simple Network Management Protocol

• Application Layer Protocol (ISO Standard)

• SNMP sends data over UDP ports 161 & 162.

• UDP port 161 is used for polling and UDP port 162 is used for traps.

• Every 5 minutes, the SNMP server sends a request message to the SNMP client (router) and the
SNMP client (router) replies with the value. This process is called SNMP polling and works with
UDP port 161. In the polling process, the SNMP client (router) doesn't need the IP address of the
SNMP server because the server sends the request first.

• If something changes on the SNMP client (router), the SNMP client (router) sends a notification
message to the SNMP server. This process is called SNMP traps and works with UDP port 162. In the
trap process the SNMP client (router) requires not only the authentication configuration but also
the IP address of the SNMP server.

SNMP Terms

• SNMP Manager
• SNMP Agent
• MIB
• OID

SNMP Manager

• Software running on a computer that collects agent information.

• SNMP Manager software (Cisco Prime Infrastructure, The Dude, etc.)

• The computer that runs the SNMP Manager is also called the Network Management Station (NMS).

• A single network can have more than one manager.

SNMP Agent

• Software running on managed devices that understands the information in the MIB.

• Each device has a MIB to respond to request messages and to collect information about itself.

• By default, the SNMP agent on Cisco IOS is disabled.

• It is enabled with the snmp-server command.

MIB

• MIB (Management Information Base)

• Hierarchical database of variables that describe conditions on a device (e.g. interface status).

• The MIB is a collection of the OIDs (variables) the device supports, which describe information
about device status.

• All SNMP agents have a MIB database (library of OIDs).

• Device information such as counters, status, parameters, etc. are called variables. In IOS
version 15.4 there are over 7000 variables on a router.

• The MIB can differ from device to device. MIB OIDs can also be implemented by vendors and
downloaded for a specific device.

• By default, the configuration allows all OIDs in the device's MIB.

• Device MIB variables are queried by the SNMP Manager using Get/Poll messages.

• When queried, either all OIDs in the MIB respond or only pre-configured OIDs respond. The
responding OIDs can be configured manually on the device or remotely with the SNMP Manager using
Set messages.

OID
• OID (Object Identifier)

• The polling process uses OIDs to query information.

• An OID is just a standard number like 1.3.1.2.6.2.4.1.52.1.6.738.1.0

• The SNMP server queries information by using an OID and the SNMP client detects the type of
information by decoding the OID value.

• The OID is a hierarchical tree structure and an ISO standard.

• http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en (Cisco SNMP Object Navigator)

SNMP Messages

Get / Poll
Get Next
GetBulk
Get Response
Set
Traps
Inform

Get / Poll
○ Used to request information from the agent.

Get Next
○ Requests the next piece of information from the agent.

GetBulk
○ The GetBulk operation is normally used for retrieving large amounts of data, particularly
from large tables.
○ Requests a range of information categories.

Get Response
○ Used by the agent to respond to Get Request and Get Next Request messages.

Set
○ Used to set MIB variables on the agent.
○ Set messages are sent by the SNMP server (manager) to change device information (device
MIB variables).

Traps
○ Sent from the agent to the manager to inform it about a condition.
○ Sent without acknowledgement.

Inform
○ Available only in version 2 and later.
○ Same as traps except that the manager needs to acknowledge receipt.
○ An Inform is also sent from the agent to the manager to report a condition; the only difference
is that the Inform message needs an acknowledgement from the manager.
○ If an acknowledgement isn't received, another Inform will be sent.

SNMP version differences

• There are 3 versions of SNMP,

SNMP Version 1

SNMP Version 2c

SNMP Version 3

SNMP Version 1

• RFC 1157 (Older version) (Not used anymore)

• Poll/Get the whole tree (Not just a specific OID)

• Get Request, Get Next Request, Set Request, Get Response and Trap messages are used.

• SNMPv1 defined clear-text passwords called 'Community Strings'

○ Two types of community string (RO and RW)

○ The community string value and type need to be the same on both SNMP server and client.

○ If using an RO community string, information is read-only. Only Get messages are used.

○ If using an RW community string, the SNMP server (manager) can read/write settings on the SNMP
client (agent). Both Get messages and Set messages will be used.

○ Doesn't have security (the community string, including the password, is sent in plain text).

SNMP Version 2c

• The original SNMPv2 did not include communities but SNMPv2c does.

• SNMP Version 2c is the only standardized version.

• RFC 1441 (SNMPv2) / RFC 1901-1908 (SNMPv2c)

• Most commonly used (because of the complexity of version 3)

• Poll/Get a single value (specific OID)

• SNMP version 2 has two new types of messages: GetBulk message and Inform message

• Community string (still uses community strings as in SNMPv1)

SNMP Version 2c Client Configuration

Router(config)#snmp-server community <string> ro <IPv4 ACL or IPv6 ACL> [Read Only]

○ [Enables the SNMP Agent]

○ <string> is a password because it must match on both server and clients.

Router(config)#snmp-server community cisco ro or

Router(config)#snmp-server community cisco ro 100 [100 is the ACL]

Router(config)#snmp-server community <string> rw <ACL, IPv4 & IPv6 ACL> [Read Write]

Router(config)#snmp-server community cisco rw ipv6 SNMPSecure [SNMPSecure is the ACL]

Router(config)#snmp-server contact <string>

Router(config)#snmp-server contact Nyi Nyi +95 09799606899 [Contact Person]

Router(config)#snmp-server location Switch Closet [Device Location Description]

Router(config)#snmp-server chassis-id <string>

SNMP Version 2c Notification (Traps/Inform) Configuration

Router(config)#snmp-server host <ServerIPAddress> <trap or inform> version <2c> <string>

○ <string> is also called the notification community string

Router(config)#snmp-server host 192.168.1.101 trap version 2c cisco

Router(config)#snmp-server host 192.168.1.101 version 2c cisco (Version 2c default is trap)

Router(config)#snmp-server enable traps [Traps Enabled]

SNMPv2c Restrict Query Reply with ACL (Specified SNMP Server with ACL)

○ Access list configuration on the device with SNMP

Router(config)#ip access-list standard SecureSNMP
Router(config-std-nacl)#permit host 192.168.1.101

Router(config)#snmp-server community <string> <ro/rw> <ACLNumber/Name>

Router(config)#snmp-server community cisco ro SecureSNMP

Verifying SNMPv2c Client Configuration

Router#show snmp

Router#show snmp community

Router#show snmp host

Router#show snmp location

SNMP Version 3

• RFC 3410 to 3415 (SNMPv3)

• Newer version (some devices don't support version 3)

• Poll/Get a single value (specific OID)

• More secure than SNMPv1 and SNMPv2c

• SNMPv3 does away with communities and replaces them with the following features:

○ Message Integrity
  ○ This mechanism is applied to all SNMPv3 messages and confirms whether a message has been
changed in transit.

○ Authentication
  ○ Optional feature that adds authentication with both a username and password.
  ○ Passwords are sent via a hashing method.

○ Encryption
  ○ Optional feature that encrypts the contents of SNMPv3 messages.

SNMPv3 Changes

○ SNMP View
  ○ Manually customized view configuration on the device with OIDs.

○ SNMP Group
  ○ Creates an SNMP group for specific users and views.

○ SNMP User
  ○ Configures an SNMP user with authentication (username and password).

Creating SNMPv3 View

• The default view is all OIDs (v1default)

• Customized view of all OIDs is (iso) (MIB family name = iso)
• Customized view of all interface status (ifIndex)
• Customized view of all interface information (ifEntry)

snmp-server view <ViewName> <MIBFamilyName or OID Value> <included/excluded>

○ <ViewName> Customized view name

○ For <MIB Family Name>, check the OID in the 'Cisco SNMP Object Navigator'.
The MIB family name is case sensitive: ifIndex (capital I).

○ <included/excluded> (included = can view) (excluded = can't view)

Router(config)#snmp-server view Interface_State 1.3.6.1.2.1.2.2.1.1 included

Router(config)#snmp-server view Interface_State ifIndex included

Router(config)#snmp-server view All_View iso included
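As an added example (written for this page, not code from the guide), the view rule above in code: given "snmp-server view" lines it decides whether a requested OID would be visible. The guide's MIB family names (ifIndex, iso) are resolved through a small assumed name table, and overlapping included/excluded entries are resolved with the VACM longest-subtree rule (RFC 3415), which is an assumption about the agent's evaluation order; the view config lines are constructed.

```python
from typing import Dict, List, Tuple

# Name table for the MIB family names the guide uses (assumed here; a real agent
# resolves names from its loaded MIBs). The ifIndex OID is the one the guide gives.
MIB_FAMILY_OID = {
    "iso": "1",
    "system": "1.3.6.1.2.1.1",
    "ifEntry": "1.3.6.1.2.1.2.2.1",
    "ifIndex": "1.3.6.1.2.1.2.2.1.1",
}

def to_oid(name_or_oid: str) -> Tuple[int, ...]:
    """Resolve a case-sensitive MIB family name or a dotted OID to sub-identifiers."""
    dotted = MIB_FAMILY_OID.get(name_or_oid, name_or_oid)
    return tuple(int(x) for x in dotted.strip(".").split("."))

class SnmpView:
    """One SNMPv3 view: a list of (subtree, included) entries.

    Assumed semantics follow VACM (RFC 3415): among the entries whose subtree is a
    prefix of the OID, the longest subtree decides; an OID matching no entry is hidden.
    """
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Tuple[Tuple[int, ...], bool]] = []

    def add(self, family: str, action: str) -> "SnmpView":
        if action not in ("included", "excluded"):
            raise ValueError("action must be 'included' or 'excluded'")
        self.entries.append((to_oid(family), action == "included"))
        return self

    def allows(self, oid: str) -> bool:
        """True if a Get for this OID would be answered under the view."""
        target = to_oid(oid)
        best = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]

def build_views(config_lines: List[str]) -> Dict[str, SnmpView]:
    """Parse 'snmp-server view <name> <family|oid> included|excluded' lines into views."""
    views: Dict[str, SnmpView] = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["snmp-server", "view"]:
            raise ValueError(f"unrecognised view line: {line!r}")
        _, _, name, family, action = parts
        views.setdefault(name, SnmpView(name)).add(family, action)
    return views

# Constructed config: the guide's two views plus a view that hides the system group.
VIEW_CONFIG = [
    "snmp-server view Interface_State ifIndex included",
    "snmp-server view All_View iso included",
    "snmp-server view No_System iso included",
    "snmp-server view No_System system excluded",
]
```

Checking a view this way before binding it to a group shows exactly which OIDs a read-only user can still walk, for instance that Interface_State exposes ifIndex but not sysName.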

SNMP Version 3 Security Levels

• SNMPv3 uses three security levels (noauth, auth, priv) for integrity, authentication and
encryption configuration.

Creating SNMPv3 Group

• SNMPv3 uses groups for management of users and customized views.

• The snmp-server group command creates a group.

snmp-server group <groupname> <version> <AuthType> <read | write | access> <viewName>

Router(config)#snmp-server group G1 v3 noauth (Default read-only view = all OIDs)

Router(config)#snmp-server group G1 v3 noauth read MyView1 access 90 (Custom view with ACL 90)

Router(config)#snmp-server group G1 v3 auth write v1default (v1default = all OIDs)

Creating SNMPv3 User

snmp-server user <UserName> <GroupName> <Version> auth <auth_type> <auth_password> priv <encryptiontype> <encryptionPassword>

Router(config)#snmp-server user Aung Group1 v3 auth sha Acisco priv des56 Ecisco

Verifying SNMPv3

Router#show snmp user

Router#show snmp group

Router#show snmp view

Router#show snmp host

SNMP Version 3 Notification (Traps/Inform) Configuration

snmp-server host <ServerAddress> v3 traps <noauth|auth|priv> <username> [Traps configuration, default is traps]

snmp-server host <ServerAddress> v3 inform <noauth|auth|priv> <username> [Inform configuration]

Router(config)#snmp-server host 192.168.1.100 v3 noauth Youdda2

Router(config)#snmp-server host 192.168.1.100 v3 inform auth Youdda1

SNMP Network Monitor Systems / Applications

• SolarWinds Network Performance Monitor (FREE TRIAL)
• Paessler PRTG Network Monitor (FREE TRIAL)
• SysAid Monitoring
• Kaseya Network Monitor
• OpManager
• Atera
• Spiceworks Network Monitor (Free)
• Pulseway IT Management Software
• LogicMonitor
• Event Sentry
• Ipswitch WhatsUp Gold
• The Dude (https://www.mikrotik.com/thedude) (Free)
