Lesson 14 - NTP and Syslog Services
My previous three posts were a humble attempt to show you some real-life networking issues and how to approach them using the skills described so far.
In this lesson I would like to present two services that are extremely important in managing your switches and routers: Network Time Protocol (NTP) and Syslog. Even though you will not find them in the CCNA curriculum, it is a good idea to know what their role is and how to quickly configure them on your devices.
System Messages
If you work as a network admin, it is critical that you collect and analyze the system messages sent by switches and routers. By default, IOS sends these messages to the console port (console 0). You can store them in the switch or router's memory, but they will be purged if you have a power outage or reboot the device. The logging buffer also has a fixed size: once it fills up, the oldest messages are overwritten. We need to redirect them to an external server. One of the popular services used to collect system messages is a Syslog server. If you are a Windows user you will most probably have to pay for such server software (although the Kiwi syslog server used to be freeware; I don't know whether it is still free). Unix and Linux have this service installed by default. All you have to do is set it up correctly so that it accepts messages from external clients.
If you want to check how to do it using the Ubuntu Linux distribution, please refer to my small Ubuntu notepad at: http://ubuntu-garage.blogspot.com/2010/09/ubuntu-syslog-server.html
System messages have different levels of severity, as shown below.
0 - Emergency - System-unusable messages
1 - Alert - Take immediate action
2 - Critical - Critical condition
3 - Error - error message
4 - Warning - warning message
5 - Notice - normal but significant condition
6 - Informational - information message
7 - Debug - debug messages and log FTP commands and WWW URLs
As you can see, the lower the number, the higher the severity. I'm sure I don't have to tell you that levels 0-3 need your special attention, do I?
A system logging message takes the following format:
timestamp%<facility>-<severity>-<mnemonic>: <message-text>
Take a look at such a message as sent by IOS (Pic. 1).
Pic. 1 - IOS Syslog Message Example.
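To show how the format above is consumed on the collector side, here is an added Python example (not from the lesson and not Cisco's code): it splits IOS-style syslog lines into facility, severity, mnemonic and message text, flags the 0-3 levels the lesson says need special attention, and counts messages whose timestamp is missing or marked with '*' (the mark IOS prints in front of a timestamp when its clock is not authoritative). The log lines are constructed sample data; the mnemonics in them are only illustrative.

```python
import re
from typing import Optional

# IOS severity levels exactly as listed in the lesson (0 is the most severe).
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Matches: [seq: ][*]timestamp[ TZ]: %FACILITY-SEVERITY-MNEMONIC: message-text
# The sequence number, the '*' (clock not authoritative) and the timestamp
# are all optional so that messages from a device with no time source still parse.
IOS_SYSLOG_RE = re.compile(
    r"^(?:\d+:\s+)?"                                                  # optional sequence number
    r"(?:(?P<unsynced>\*)?"                                           # optional '*' marker
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+)(?:\s+\w+)?:\s+)?"  # optional timestamp [+ zone]
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


def parse_ios_syslog(line: str) -> Optional[dict]:
    """Parse one IOS syslog line; return None if it does not follow the format."""
    m = IOS_SYSLOG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "timestamp": m.group("timestamp"),            # None when the message carries no time
        "clock_unsynced": m.group("unsynced") == "*",  # True when IOS marked the time as untrusted
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def needs_attention(msg: dict, threshold: int = 3) -> bool:
    """Levels 0-3 (Emergency..Error) are the ones the lesson says to watch."""
    return msg["severity"] <= threshold


def triage(lines) -> dict:
    """Run the parser over a batch of lines and summarise what an admin should look at."""
    attention, unparsed, untrusted_time = [], 0, 0
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            unparsed += 1
            continue
        if msg["timestamp"] is None or msg["clock_unsynced"]:
            untrusted_time += 1        # cannot be correlated reliably with other events
        if needs_attention(msg):
            attention.append(msg)
    return {"attention": attention, "unparsed": unparsed, "untrusted_time": untrusted_time}


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "Sep 19 14:03:18.590: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.50)",
    "Sep 19 14:04:01.120: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "Sep 19 14:04:02.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:00:05.003: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "%SYS-5-RELOAD: Reload requested by admin on vty0 (10.1.1.50). Reload Reason: maintenance.",
    "this is not an IOS syslog line",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for msg in result["attention"]:
        print(f'{msg["severity"]} {msg["severity_name"]:<13} %{msg["facility"]}-{msg["mnemonic"]}: {msg["text"]}')
    print(f'unparsed={result["unparsed"]} untrusted_time={result["untrusted_time"]}')
```

The fourth sample line shows the lesson's point about clocks: a router that booted without a time source stamps messages with the '*' marker and a date counted from its uptime, so those events cannot be correlated with anything else until NTP is in place.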
Network Time Protocol (NTP)
All messages should carry a time stamp. The time of an event allows the administrator to see when things went wrong and to correlate the event with other events that may follow. The problem is that low-end Cisco devices do not keep the date and time the way computers do. In order for them to keep track of time you must either set the clock manually with the 'clock' command or synchronize their time with an external source. The first method is not recommended because a router or switch loses its time after a reboot. That is why the second method, using NTP, is recommended.
It is not my intention to give you an in-depth description of NTP and syslog. Instead, I would like to draw your attention to these services and show you how to set them up quickly.
NTP server information:
NTP Server IP = 10.1.1.1
NTP Password = S3cr3t!!!
NTP MD5 Key = 1
Step 1
Create MD5 key 1 to authenticate with the NTP server.
R1(config)#ntp authentication-key 1 md5 S3cr3t!!!
Step 2
Enable authentication for NTP.
R1(config)#ntp authenticate
Step 3
Tell the router which key it trusts (we have only one, but may use more in the future). Only time sources that authenticate with a trusted key are accepted, so we do not accidentally synchronize time with some 'fake' server.
R1(config)#ntp trusted-key 1
Step 4
Finally, configure IP address of the NTP server and specify which key to use for authentication.
R1(config)#ntp server 10.1.1.1 key 1
If you did not use authentication (not recommended), you would type the step 4 command without the 'key 1' argument.
Verification
Notice!
It is recommended that you set the clock manually before you enable NTP synchronization. A big gap between your router's clock and the NTP server's clock will make synchronization an extremely long process.
Step 1 - Check the status of NTP
R1#show ntp status
Clock is synchronized, stratum 5, reference is 10.1.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0001 Hz, precision is 2**18
reference time is D04096A6.9715EE2B (14:03:18.590 UTC Sun Sep 19 2010)
clock offset is -7.9613 msec, root delay is 3.83 msec
root dispersion is 14.74 msec, peer dispersion is 6.74 msec
R1#
Step 2 (optional) - Check NTP association.
R1#show ntp association
address ref clock st when poll reach delay offset disp
*~10.1.1.1 127.127.7.1 4 9 64 377 5.6 4.22 13.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R1#
Step 3 (optional) - Check NTP association details.
R1#show ntp association detail
10.1.1.1 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 127.127.7.1, time D04097CC.0209500C (14:08:12.007 UTC Sun Sep 19 2010)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 10.239
delay 7.72 msec, offset 5.1799 msec, dispersion 6.35
precision 2**24, version 3
org time D04097E6.97A012CA (14:08:38.592 UTC Sun Sep 19 2010)
rcv time D04097E6.98D73524 (14:08:38.597 UTC Sun Sep 19 2010)
xmt time D04097E6.905799B4 (14:08:38.563 UTC Sun Sep 19 2010)
filtdelay = 33.02 7.72 15.73 22.32 5.65 27.62 23.62 15.66
filtoffset = 11.77 5.18 13.89 23.08 4.22 7.94 12.65 3.32
filterror = 0.02 0.99 1.97 2.94 3.92 4.90 5.87 6.85
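As an added example (not from the lesson and not Cisco's code), the following Python mirrors what the 'ntp authenticate' and 'ntp trusted-key' configuration above asks the router to do when a reply arrives: the reply must carry a MAC whose key identifier is trusted and whose MD5 digest matches, otherwise it is discarded. It assumes the MD5 scheme described in RFC 5905 (a 32-bit key identifier followed by MD5(key || header)); the key 'S3cr3t!!!', the stratum, the reference ID 127.127.7.1 and the transmit timestamp are taken from the lesson, while the packet itself is constructed test data. It also decodes the hexadecimal timestamps shown in the 'show ntp' output into the UTC time printed beside them.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 48          # fixed NTPv3/v4 header
MAC_LEN = 4 + 16         # 32-bit key identifier + 128-bit MD5 digest


def ntp_to_datetime(seconds: int, fraction: int) -> datetime:
    """Convert a 64-bit NTP timestamp (seconds since 1900 plus a 2**-32 fraction) to UTC."""
    return NTP_EPOCH + timedelta(seconds=seconds,
                                 microseconds=round(fraction * 1_000_000 / 2**32))


def decode_ios_timestamp(hex_ts: str) -> datetime:
    """Decode the 'D04096A6.9715EE2B' form that 'show ntp status' prints."""
    sec_hex, frac_hex = hex_ts.split(".")
    return ntp_to_datetime(int(sec_hex, 16), int(frac_hex, 16))


def build_server_header(stratum: int, ref_id: bytes, xmt_sec: int, xmt_frac: int) -> bytes:
    """Build a minimal NTPv3 server reply header (constructed test data, not a capture)."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4                        # LI=0, version 3, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -24)   # poll 2**6, precision 2**-24
    header += struct.pack("!II", 0, 0)                           # root delay, root dispersion
    header += ref_id                                             # reference ID (4 bytes)
    header += struct.pack("!IIIIII", 0, 0, 0, 0, 0, 0)           # reference, origin, receive timestamps
    header += struct.pack("!II", xmt_sec, xmt_frac)              # transmit timestamp
    assert len(header) == HEADER_LEN
    return header


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the RFC 5905 MD5 MAC: key identifier followed by MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet: bytes, trusted_keys: dict):
    """Client-side acceptance check equivalent to 'ntp authenticate' + 'ntp trusted-key'."""
    if len(packet) < HEADER_LEN + MAC_LEN:
        return False, "no MAC present; rejected because authentication is required"
    header = packet[:HEADER_LEN]
    key_id, = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    digest = packet[HEADER_LEN + 4:HEADER_LEN + MAC_LEN]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} is not a trusted key"
    if not hmac.compare_digest(hashlib.md5(key + header).digest(), digest):
        return False, "MAC mismatch: wrong key or modified packet"
    return True, "authenticated"


def transmit_time(packet: bytes) -> datetime:
    """Read the transmit timestamp (bytes 40-47 of the header)."""
    sec, frac = struct.unpack("!II", packet[40:48])
    return ntp_to_datetime(sec, frac)


def demo() -> dict:
    key = b"S3cr3t!!!"                       # the lesson's NTP password, key id 1
    trusted = {1: key}                       # 'ntp trusted-key 1'
    # stratum 4, ref ID 127.127.7.1 and xmt time from the 'show ntp association detail' output
    header = build_server_header(4, bytes([127, 127, 7, 1]), 0xD04097E6, 0x905799B4)
    good = sign(header, 1, key)
    return {
        "good": verify(good, trusted),
        "untrusted_key_id": verify(sign(header, 2, key), trusted),   # key 2 was never trusted
        "wrong_key": verify(sign(header, 1, b"wrong"), trusted),      # server does not know the key
        "unauthenticated": verify(header, trusted),                  # no MAC at all
        "xmt": transmit_time(good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("reference time:", decode_ios_timestamp("D04096A6.9715EE2B"))
```

The three rejected cases are exactly what steps 2 and 3 of the configuration buy you: without 'ntp authenticate' an unsigned reply would be accepted, and without 'ntp trusted-key' a reply signed with any key id the router happens to know would be.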
Syslog Server Configuration
Syslog Server Information:
IP address = 192.168.1.2
Facility = Local7
R1 Configuration:
R1(config)#logging host 192.168.1.2
R1(config)#logging facility local7
From now on, all system messages are going to be sent to the syslog server at IP address 192.168.1.2.