Compared to other log files you will look at in this chapter, router logs tend to contain only the most basic information about network traffic. That makes sense because routers are typically processing high volumes of traffic and only examine the most basic characteristics of packets and connections when making routing decisions. However, this doesn't mean that router logs are not valuable; on the contrary, they can be extremely helpful in identifying certain types of activity, such as unauthorized connection attempts and port scans. Although the focus in this section will be on Cisco router logs, we will also briefly look at what information other routers log, which tends to be roughly the same.
Cisco Router Logs
In Chapter 2, "Packet Filtering," we discussed Cisco routers in depth, including how their logging capabilities can be configured. All Cisco routers use the same basic log file format. The following is an entry from a Cisco router log:
The format of the log entries requires a bit of explanation. After starting with a date and timestamp, the entry lists the router IP address and the message sequence number. The next field, %SEC-6-IPACCESSLOGP, needs closer attention. SEC-6 indicates that this is a security-related entry of severity level 6; IPACCESSLOGP identifies the specific message type. The remaining fields are the ACL that matched this activity, the action performed, the IP protocol, the source IP address, the TCP source port, the destination IP address, the TCP destination port, and the number of packets. (Cisco routers use a similar format for UDP and ICMP packets.)
If you're already familiar with Cisco router logs, you might look at this example and think that the format doesn't match your Cisco router's logs. That's entirely possible; aspects of the log format are configurable. For example, many logs contain an additional time value that indicates the router uptime. Some logs also have a GMT offset value at the end of each entry.
As you can see, only the most basic information is logged. In this example, you know the IP addresses and the TCP ports that were used, but that's about it. This entry tells us that an attempt to initiate a connection to port 80 on host 10.20.1.6 was blocked. Port 80 is most commonly used for HTTP.
By itself, this router log entry doesn't give us much information, just that someone probably tried to connect to the host for HTTP and that the router blocked the connection. However, think about what it would mean if you saw thousands of entries like this one in your router log, each one targeting TCP port 80 on a different destination host. Then, based on these log entries alone, you would have strong reason to believe that someone was scanning your entire network, looking for web servers.
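The following parser and sweep detector is an added example, not code from the book; it works over constructed sample entries that follow the field order described above (ACL, action, protocol, source IP(port) -> destination IP(port), packet count), and flags a source whose denied packets hit the same TCP port on many different hosts, the web-server scan pattern just described.

```python
import re
from collections import defaultdict

# Constructed sample entries (not from the original page) in the IPACCESSLOGP
# layout described in the text: timestamp, router IP, sequence number, message.
SAMPLE_LOG = """\
Jan 14 10:12:01 10.20.0.1 1023: %SEC-6-IPACCESSLOGP: list 102 denied tcp 172.16.5.9(34512) -> 10.20.1.6(80), 1 packet
Jan 14 10:12:01 10.20.0.1 1024: %SEC-6-IPACCESSLOGP: list 102 denied tcp 172.16.5.9(34513) -> 10.20.1.7(80), 1 packet
Jan 14 10:12:02 10.20.0.1 1025: %SEC-6-IPACCESSLOGP: list 102 denied tcp 172.16.5.9(34514) -> 10.20.1.8(80), 1 packet
Jan 14 10:12:02 10.20.0.1 1026: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 192.0.2.10(51000) -> 10.20.1.6(443), 3 packets
Jan 14 10:12:03 10.20.0.1 1027: %SEC-6-IPACCESSLOGP: list 102 denied tcp 172.16.5.9(34515) -> 10.20.1.9(80), 1 packet
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<router>[\d.]+)\s+(?P<seq>\d+):\s+"
    r"%SEC-(?P<sev>\d)-(?P<msg>IPACCESSLOGP):\s+list\s+(?P<acl>\S+)\s+(?P<action>\w+)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)

def parse_entries(text):
    """Return one dict per IPACCESSLOGP line; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            for k in ("sev", "seq", "sport", "dport", "count"):
                e[k] = int(e[k])
            entries.append(e)
    return entries

def find_port_sweeps(entries, min_hosts=3):
    """Flag (source IP, destination port) pairs whose denied packets reached at
    least min_hosts distinct destination hosts: one source probing a whole
    range for the same service is the scan pattern the text describes."""
    targets = defaultdict(set)
    for e in entries:
        if e["action"] == "denied":
            targets[(e["src"], e["dport"])].add(e["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (src, port), hosts in find_port_sweeps(parse_entries(SAMPLE_LOG)).items():
        print(f"{src} probed TCP/{port} on {len(hosts)} hosts: {', '.join(hosts)}")
```

The permitted HTTPS connection from a second source is deliberately left out of the sweep result, since only denied entries count toward the threshold.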
Other Router Logs
Other brands of routers tend to log approximately the same information that Cisco routers do. Some routers may also log a few additional fields that are helpful in performing analysis, such as the size of each packet and the TCP flags that were set (if applicable). In most cases, though, you will not have that additional information in router logs, just the most fundamental characteristics of the packets.
Although all your router logs will contain important information, the most significant logs to check are probably from your border routers. If a border router denies a request from an external host, only that router can contain a corresponding log entry; devices that are further inside your network will never see the traffic. Therefore, that router's log is the only place you can see evidence of the denied request. Border router logs are a rich source of information on failed scans, probes, and attacks that never reach other areas of your network. Your network firewall logs are another great source of intrusion data.