CBAC would not be much good if it worked but you did not know what it was doing. Cisco has enabled CBAC to generate alerts and to send inspection information to a syslog server. CBAC generates alerts in real time and can warn a system administrator of possible suspicious activity. Alerts can be enabled globally and on a per-application basis. The inspection information that CBAC sends to a syslog server, called audit trails, includes the source and destination IP addresses of a packet; the source and destination ports of a packet; and statistical data, such as byte counts and time stamps.

Logging to a Syslog Server

It is good security practice to record log messages that you can review at a later time and that you can use as evidence in criminal and civil litigation. CBAC has two commands that enable the logging of inspection details; they are discussed in the section "Audit Trails and Alerts," later in this chapter.

Types of Syslog Systems

Syslog servers can run on various operating-system platforms, and a number of freeware syslog servers are available. Simply search the Internet for a syslog server that meets your organization's needs.

Syslog Severity Levels

Syslog messages are logged based on a configurable severity level from 0 to 7. The lower the number (0 being the lowest), the higher the criticality of the message. You configure a severity level to limit which log messages are recorded: the configured level and every level below it are logged. For instance, if you configure a severity level of 2, then level 0, level 1, and level 2 messages are logged. If you configure a severity level of 7, then level 0 to level 7 messages are logged. The default severity level depends on the destination of the logging message. If you log to the router's console, the default level is 7 (debugging). If you send log messages to a syslog server, the default level is 6 (informational).

Components of a Syslog Message

A syslog message has three main parts:
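As an added example (not code from the book or from Cisco), the severity-threshold rule and the audit-trail fields described above in Python: the audit-trail message shape is an assumption modelled on the IOS %FW-6-SESS_AUDIT_TRAIL line, and the sample log lines are constructed rather than captured.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Default severity threshold per logging destination (7 = debugging, 6 = informational).
DEFAULT_LEVEL = {"console": 7, "syslog": 6}

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
HEADER_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*(?P<text>.*)")
# Session-close audit trail body. ASSUMED shape modelled on IOS %FW-6-SESS_AUDIT_TRAIL; verify against your router.
AUDIT_RE = re.compile(
    r"Stop (?P<proto>\w+) session: initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sb>\d+) bytes"
    r" -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rb>\d+) bytes")

@dataclass
class AuditRecord:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    sent: int       # bytes sent by the initiator
    received: int   # bytes sent back by the responder

def is_logged(severity: int, destination: str, configured: Optional[int] = None) -> bool:
    """Level N means severities 0..N are logged; None uses the destination's default."""
    limit = DEFAULT_LEVEL[destination] if configured is None else configured
    return severity <= limit

def parse_audit_trail(line: str) -> Optional[AuditRecord]:
    """Pull endpoints, ports and byte counts out of one audit-trail message."""
    h = HEADER_RE.search(line)
    if not h or h["mn"] != "SESS_AUDIT_TRAIL":
        return None
    m = AUDIT_RE.search(h["text"])
    if not m:
        return None
    return AuditRecord(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                       int(m["sb"]), int(m["rb"]))

def delivered(lines, destination="syslog", configured=None):
    """Return the lines that pass the severity threshold for the given destination."""
    return [l for l in lines
            if (h := HEADER_RE.search(l)) and is_logged(int(h["sev"]), destination, configured)]

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "*Mar  1 00:12:04: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.5:34122) sent 812 bytes -- responder (192.0.2.10:80) sent 45210 bytes",
    "*Mar  1 00:12:09: %FW-4-ALERT_ON: constructed alert text",
]
```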