[00:00:09] At the end of the last section we talked about event monitoring with operating system logs. In this section we are going to look at different types of data that can be collected from a network for security investigations and troubleshooting.

[00:00:27] In addition to operating system logging there is network logging. Network logs are generated on devices like routers, switches and firewalls. These logs provide information on network events such as firewall rule blocks, resource issues and device configuration changes. So if I want to find out why the network is slow, or if there was a security event, then I could use these logs to possibly find out what happened.

[00:01:00] Network logs are classified based on severities. For example, if a firewall reboots, it may be classified as an emergency, but if a VPN user logged in, that would be considered to be an informational log.

[00:01:17] For logging to be a reliable monitoring resource you must have accurate time. If an event occurs at 1 am on my system but my log shows that it happened at 3 am because the device's time was inaccurate, then it would be impossible to investigate an incident. Accurate time can be achieved by having network devices synchronize their time by using the NTP protocol. With NTP, client devices receive accurate time updates from NTP servers.

[00:01:51] So you can see NTP in action, I'll log into the core switch in the lab so you can see its current time compared to my computer's time, as well as its NTP status and settings. So here is my core switch in the lab. If I run the command show clock, I can see that the time matches my accurate computer time. I could manually set the time on my network devices, but of course if they were to reboot or were down for a certain period of time they would slowly drift away from having accurate time, especially with spring-forward and fall-back changes. So in my router configuration I have added NTP server destinations, so I have the switch requesting time updates from these four NTP servers out on the Internet. So if I do show ntp status, I can see that my clock is synchronized, and the NTP server it's currently synced to is this IP address, so I don't have to worry about anything. I know that when I look at my log on my core switch it is always going to match when the event occurred.

[00:03:13] So you can see I have some local logs on this core switch. Now with local logging you're always going to have a limitation on how much logging information you can store locally on the device. So best practice with logging, not only for network troubleshooting but even more so for security, is to send your logging information to an external logging server. I actually have a logging application running on my computer here. So what I'll do is send logging information from this core switch to my local computer, which in the real world you would normally have a dedicated logging server for. I wouldn't recommend using a computer like I am; I just want to show you what it looks like to see a logging application on an external logging server.

[00:04:05] So here is my syslog server application. I'm going to generate some logging information on my switch, so I'll go to configuration mode and I will shut down the interface on my lab switch. So I'll shut down port 14, since it's not being used but we still get a log. So as you can see on my external logging server, it showed that my user account logged in and ran the shutdown command on interface 114. So as you can see, having an external database of auditing information can be very useful. So if somebody logged in to my switch that wasn't me, I could look at my log server and see what time they logged in and what user account they used. Depending on how the logging server is configured you could see logs from over a year's time, depending on how far you had to go back in time for a security investigation.