Best method of logging
| beenframed 2001-08-21, 12:15 pm |
| I want to be able to log events on hardware at a remote location: Cisco routers, PIX and switches. What are my options here? I know logging takes up precious CPU cycles, but I need to be able to look at some logs if something goes wrong.
Would a Windows server set up to syslog all the events be my best option?
Also, does anyone know of third-party software that can help me out, maybe with logging and advanced features like emailing me when a certain error or threshold is met on the Cisco hardware?
Thanks,
bf | |
| MadChef 2001-08-21, 3:17 pm |
| Syslogging consumes fewer resources than anything besides logging to the internal buffer. Unless you feel like periodically telnetting to every device in your network to read the logs, syslog is the way to go. There are a number of free syslog utilities available for Windows. One is bundled with a TFTP server & client from 3Com. I like it for general troubleshooting when I log everything to my laptop. One from www.kiwi-enterprises.com has a number of additional features. If you pay their inexpensive shareware price you can get things like email notification as well, as I remember.
My preferred method of permanently syslogging stuff is to use a un*x of some sort (Linux and FreeBSD do exceptionally well) to do the logging. Then you can use all the wonderful Unix utilities to parse your logs for interesting stuff. A co-worker wrote a simple CGI script that does a tail on the syslog and writes to an HTML page on the fly. You could easily write a script to grep for certain expressions in your log or logs. A script called pixlog.pl does handy things for parsing PIX logs and generating relatively pretty web pages.
On the very opposite end of the spectrum you can buy Private-I from www.opensystems.com. It's feature rich and it's licensed by the number of devices you have logging to it. It's kind of expensive, but you can download a trial edition.
MadChef | |
| beenframed 2001-08-21, 6:04 pm |
| So would you say that having logging turned on permanently and writing to a syslog server won't seriously degrade my devices' overall performance? Or is it too much of an overhead?
thanks for your suggestions.
bf | |
| Retired-Mod 2001-08-22, 3:29 am |
| It's a must do for any network of size for a couple of reasons. As MadChef says, you don't want to have to log on to every router each day (I have about 300 in my network), and another good reason is that if a router crashes you lose all the local info, or if you log a lot of dialup crud the log fills rapidly, so you may miss valuable errors or indications of a problem. With the logging server all that good stuff is saved for ya. Of course you must then learn how to parse (filter) it for the info you want to see, and that can be a pain for pinheads like me that can't even get CTL^x to work consistently!
Retired | |
| MadChef 2001-08-22, 4:53 am |
| quote: Originally posted by beenframed
So would you say that having logging turned on permanently and writing to a syslog server won't seriously degrade my devices' overall performance? Or is it too much of an overhead?
It's not too much overhead. Even when logging at the informational level the router isn't sending that much information. The only time you're likely to see logging make an impact on performance is when you set logging to debugging (very handy to troubleshoot information from multiple sources at once) and send a BUNCH of debugging information to the server. And I'm not talking about doing a debug isdn q931. You need to do something like debug ip pack to make it choke.
I usually leave my logging set at either notification or informational levels because I find those to be of the most use.
MadChef | |
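Added example, not part of the original thread: a sketch of the "script to grep for certain expressions" idea and of the severity levels discussed above, run over a syslog file collected on a Unix server. The function names, the sample lines and the assumed file layout ("Mon DD HH:MM:SS host ...") are constructed for illustration and are not taken from any tool named in the thread.

```python
import re
from collections import Counter

# Cisco severity names; the list index is the numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Cisco devices tag each message as %FACILITY-SEVERITY-MNEMONIC: text
TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-"
                 r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")

# Constructed sample lines (hosts, times and addresses are made up).
# Assumed file layout: "Mon DD HH:MM:SS host ..." as written by a Unix syslogd.
SAMPLE = """\
Aug 22 04:50:01 rtr-branch1 45: %LINK-3-UPDOWN: Interface Serial0, changed state to down
Aug 22 04:50:02 rtr-branch1 46: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Aug 22 04:50:40 rtr-branch1 47: %LINK-3-UPDOWN: Interface Serial0, changed state to up
Aug 22 04:51:13 rtr-branch1 48: %LINK-3-UPDOWN: Interface Serial0, changed state to down
Aug 22 04:52:07 pix-edge %PIX-4-106023: Deny tcp src outside:192.0.2.10/4321 dst inside:198.51.100.5/80 by access-group "outside_in"
Aug 22 04:53:30 rtr-branch1 49: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4321) -> 198.51.100.5(80), 1 packet
"""

def parse(line):
    """Return an event dict for a Cisco-tagged line, or None for anything else."""
    m = TAG.search(line)
    fields = line.split()
    if not m or len(fields) < 4:
        return None
    return {"host": fields[3], "facility": m["facility"], "level": int(m["sev"]),
            "mnemonic": m["mnemonic"], "text": m["text"].strip()}

def events(lines):
    return [e for e in map(parse, lines) if e]

def at_or_above(lines, worst_allowed="warnings"):
    """Events at least as serious as the named level (lower number = worse)."""
    limit = SEVERITIES.index(worst_allowed)
    return [e for e in events(lines) if e["level"] <= limit]

def repeated(lines, facility, mnemonic, limit):
    """Hosts that logged one message type `limit` or more times (e.g. a flapping link)."""
    counts = Counter(e["host"] for e in events(lines)
                     if (e["facility"], e["mnemonic"]) == (facility, mnemonic))
    return {host: n for host, n in counts.items() if n >= limit}

if __name__ == "__main__":
    for e in at_or_above(SAMPLE.splitlines()):
        print(e["host"], SEVERITIES[e["level"]], e["facility"], e["mnemonic"], e["text"])
    print("notify:", repeated(SAMPLE.splitlines(), "LINK", "UPDOWN", 3))
```

The dictionary returned by `repeated` is the kind of result a cron job could pass to a mail command when a threshold is met.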
|
| Not to mention that on PIX there are no logging capabilities; you have to dump to external syslog. And let me tell you, if any of you got hit with Code Red, you know the advantages of syslog. Without it you have no idea what traffic is hitting your PIX and what's going on inside or outside of your network as it relates to firewalls.
I have used PrivateI. It's pretty simple and easy to use; you can download a free copy from their site and check it out for 30 days. I suggest you do it, just to see what's actually happening on your firewalls. | |
| doctorcisco 2001-08-24, 9:59 am |
| quote: Originally posted by beenframed
Also, does anyone know of third-party software that can help me out, maybe with logging and advanced features like emailing me when a certain error or threshold is met on the Cisco hardware?
Thanks,
bf
I haven't set it up, but there's a freeware package out there called MRTG (MultiRouter Traffic Grapher) that gathers interface utilization stats with SNMP and crunches the results to nifty near-realtime graphs you can view with a web browser.
Interestingly, with a bit of work, it can be used to obtain and graph ANY SNMP variable on ANY device the same way ... such as error rates on serial interfaces, NT/Novell/Unix server performance, etc etc etc.
http://www.hse.k12.in.us/wok/MRTG/mrtg1.htm
and
www.mrtg.org
would be two good places to start if you're curious. It's been ported to NT, but its roots (and probably a lot of the MANY user-contributed tweaks, add-ons, and customizations) are Linux.
HTH,
doctorcisco | |
| MadChef 2001-08-24, 12:20 pm |
| Doing basic MRTG stuff works great with Perl for Win32 on NT. The place where you tend to have difficulties, as the good doctor correctly pointed out, is with other Perl modules and scripts that don't run correctly under NT. But as far as pulling SNMP info (mostly used to track interface usage) and sticking it in web pages, you'll find that it works very well under NT. It's a good complement for your syslog server.
While you're at it, take a look at Big Brother at bb4.com. While I've run MRTG on Win32 and Linux, I've never run Big Brother on anything but Linux, but there is a newly ported server for Win32. It dovetails very nicely with MRTG.
MadChef | |
| beenframed 2001-08-24, 12:34 pm |
| Gents,
Thanks for all of your valuable input on this thread. I have set up the Kiwi Sys logger, and have downloaded everything for MRTG and have started to set it up.
I am also going to trial private I. PrivateI looks like a program with a very rich feature set. If I can trial and like it I think I can get the money to purchase it.
Thanks,
bf |