Good logging is important for real-time incident detection and after-the-fact auditing. By religiously watching your log file, you will often get warnings that an outage is about to occur or that an attacker is analyzing your network for vulnerabilities. This allows you to take action to correct or prevent the problem. Log files also provide an audit trail for determining what went wrong or what an attacker accomplished.
Logging is a balance between collecting as much useful information as possible and not collecting so much information that it overwhelms you. An administrator overwhelmed by log files will ignore them until after an incident occurs. This negates the first benefit of log files—early warning. Many network administrators keep the default logging setting on routers and never take advantage of all of the additional information that can be logged. The rest of this chapter covers the logging capabilities of Cisco routers and discusses how to avoid being overwhelmed by your log files.
To achieve maximum benefit from log files, you must monitor them regularly. On systems of medium importance, log review can be done daily with the results emailed to the administrator. On highly secure systems, log analysis is often done in real time with the results sent to a pager.
Numerous commercial and public domain software packages can help you analyze your log files. Use them. These packages automate the process of analyzing log files by filtering ...