Send Cisco logs to a remote machine
Learn the commands you need to deal with Cisco router logs and use rsyslog to receive them on a remote Linux PC
This article will show you the steps and the commands you need to execute to set up both a Cisco ADSL router and a Linux machine so that the Cisco router sends its log messages to the Linux machine and the Linux machine accepts and keeps them stored in a log file. The Linux machine is located on the internet, but it could be on your LAN – it doesn’t matter.
For the purposes of this article, a Cisco 877W ADSL router was used. The Linux machine wasrunning Debian 7 with rsyslog and the Cisco router was running Cisco IOS Version 12.4(15)T10.
You will need administrative privileges on both the Cisco and the Linux machine because you are going to make changes to the Cisco configuration, alter a Linux system configuration file and restart a Linux service. The whole process will not take more than half an hour, but you should remember that when dealing with critical equipment you should always ‘measure twice and cut once’.
Step by Step
Set up the Cisco ADSL router
You must be very careful while entering IOS commands, especially if you are unfamiliar with Cisco IOS. The Tab key autocompletes IOS commands and the ? key shows all the available options.
Cisco routers send syslog messages to their logging server with a default facility of local7, but it is never a bad idea to hard-code it by using the logging facility local7 command (other valid values are local0, local1, local2, local3, local4, local5 and local6). The logging trap notifications command defines the logging level. The specified logging level creates a relatively low level of traffic without overlooking very important or critical information.
Examine open TCP ports on the Linux machine
While making changes to the rsyslog service is not difficult, there is always a possibility of unintentionally opening unwanted ports to potential attackers. To prevent this, you should run Nmap before making any changes, to check the open TCP ports of the Linux machine.
You should do the same after finishing the process and if you get the same results, then you can be sure that nothing was opened by mistake and your Linux system is as secure as it was beforehand.
cCheck open UDP ports
By default, rsyslog uses UDP port 514 to get log messages from machines other than localhost, but you’ll have to check if it is already set up to do so. It takes Nmap about 16 minutes to finish the full UDP port scan, but it’s worth it! As you can see, rsyslog is configured to listen to localhost only – the Nmap output confirmed it by showing nothing about UDP port 514. The default rsyslog configuration is strict for security reasons. Don’t forget – you should always check your servers for unnecessary open ports using Nmap.
Run tcpdump to catch UDP traffic
There is always a possibility of something going wrong. One major issue is that you cannot be sure if a given problem was caused by an error in the Cisco config, the Linux config or both. In that case, you can do some debugging using the handy tcpdump utility. As rsyslog is a UDP service that listens to port 514, you should run tcpdump ‘udp port 514′ to test if there is any network traffic for the rsyslog service on the Linux machine.
Note: You need a service process to actually get the incoming traffic for UDP port 514.
The rsyslog service
The rsyslog service replaces and improves the original UNIX syslog service. Its configuration file is /etc/rsyslog.conf and you should have root privileges to make changes to it. The available logging facilities are…
kern: Messages from the system kernel.
auth: Messages about authentication and authorisation.
daemon: Messages related to system service processes.
mail: Messages related to the mail system.
lpr: Messages related to printing.
user: General messages from user processes.
cron: Messages related to the cron service.
local0-local7: Custom logging messages.
Note: Sometimes rsyslog delays saving the log messages to their corresponding file.
Making changes to /etc/rsyslog.conf
For the rsyslog service to listen to UDP port 514, you have to add the following lines:
$ModLoad imudp $UDPServerAddress 188.8.131.52 $UDPServerRun 514
For saving all incoming local7 logging data in a separate file, you should add the following line at the end of the /etc/rsyslog.conf file:
Do not forget to execute the following command for the cisco.log file to be created:
# touch /var/log/cisco.log
You should now restart the rsyslog service for changes to take effect. On a Debian 7 machine, you can restart the service as follows:
# service rsyslog restart
Examining open UDP ports on the Linux machine after making the changes
After restarting rsyslog you have to make sure that UDP port 514 is now open. You also have to make sure that you did not open any other ports by mistake. The output of the Nmap utility showed that everything is as desired.
Without the rsyslog properly configured to listen to the required UDP port, the Linux machine would have discarded all network packets coming from the Cisco router.
Note: rsyslog can also run via TCP, but this is not the desired configuration for accepting Cisco log messages.
Taking things further
After making sure that everything works fine as far as your router is concerned, you should execute write memory on your Cisco router. This command saves the current Cisco configuration, so make sure that the configuration you are saving is correct. If you forget to save your configuration, you will have to setup your router again after a Cisco reboot.
You can manually reboot a Cisco machine by executing the reload command.
The IP address of the used Linux rsyslog server is 184.108.40.206 – you should use your own IP address – and is passed to the Cisco router using the logging 220.127.116.11 command.
The allowed Cisco logging levels are emergencies, alerts, critical, errors, warnings, notifications, informational and debugging. You should choose what fits your purposes better.
If you are sending the log information on a server that is located outside you local network, you may need to type logging source-interface Dialer 1 (or use another Cisco interface) instead of logging source- interface VLan 1 depending on your network configuration and the type of the Cisco router.
Once you see tcpdump capturing network data, you can be sure that the Cisco setup is fine.
The /var/log/cisco.log file
The /var/log/cisco.log file is a regular UNIX text log file. It stores all local7 log messages, as was specified inside the /etc/rsyslog.conf file.
You should watch it using the usual UNIX method: tail -f /var/log/cisco.log. The file will contain info similar to the following:
Jul 9 14:50:26 ppp-2-86-8-218.home. otenet.gr 3116: Jul 9 11:50:25.565: %SEC- 6-IPACCESSLOGNP: list 23 permitted 0 18.104.22.168 -> 0.0.0.0, 14 packets
Jul 9 18:19:30 ppp-2-86-8-218.home.otenet. gr 3118: Jul 9 15:19:29.799: %SEC_LOGIN- 4-LOGIN_FAILED: Login failed [user: hacker] [Source: 192.168.1.10] [localport: 22] [Reason: Login Authentication Failed] at 17:19:29 utc Tue Jul 9 2013
Jul 9 18:42:15 ppp-2-86-8-218.home.otenet. gr 3125: Jul 9 15:42:14.300: *** Not encrypted dot1x packet from 40b3.95b5.da7d has been discarded
Jul 11 10:20:53 ppp-2-86-8-218.home.otenet. gr 4059: Jul 11 07:20:52.008: %LINEPROTO- 5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
Jul 12 10:14:45 ppp-2-86-30-207.home. otenet.gr 63: Jul 12 07:14:44.110: %DOT11- 6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 40b3.95b5.da7d Reason: Sending station has left the BSS SSID[HomeNet]
Basic Cisco IOS commands
The configure terminal command takes a Cisco device into configuration mode. After executing it, you should carefully type your commands. The show version command displays general information about a Cisco router.
You should make sure that your Cisco configuration contains the following two commands that allow the logging of both
successful and failed logins:
login on-failure log login on-success log
The show logging command displays the addresses and levels associated with the current logging setup and it is very handy when setting up IOS logging.
Why this is useful?
As you can see from the cisco.log log file, there are attempts from unknown internet hosts (22.214.171.124 and 126.96.36.199) to log into the Cisco router using usernames such as lara, root, zznode and jira.
If a given IP address is trying all the time to hack into your router, you can either create an Access Control List (ACL) to permanently deny access to it or contact the owner of the IP – an ISP, a university or company – and inform an administrator about the hacking attempts.
What is next?
As you saw, the most usual username that hackers try is root, so do not name your Cisco administrator root. Also, the username that we used (mtsouk) did not come up at all, so it is rather safe – naturally, choose your own.
If you want to go further, you can write your own scripts that examine log files and automatically send the kind of information you want right to your mailbox.
You should not forget to rotate the cisco. log file. You should put an entry for it inside the /etc/logrotate.d/rsyslog file. The rsyslog service has many capabilities that become apparent when you start exploring it.