Analyzing Syslog Data

Configuring the routers to export syslog data is one step. The next step is to store the data, analyze it, and use it in day-to-day operations. Interface status, security alerts, and debugging problems are some of the most common events that ISPs monitor from the collected syslog data (an example of the output from the collected syslog data is in Figure 1-3). Some ISPs use custom-written Perl scripts to create simple reports. Others use more sophisticated software to analyze the syslog data and create HTML reports, graphs, and charts.
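The kind of "simple report" script described above, as an added example (not code from the book or from any of the packages in Table 1-4). It assumes the syslog server writes one line per message in the form "receive-time source-address sequence-number: router message", with the router message carrying the usual %FACILITY-SEVERITY-MNEMONIC tag; the log lines, router addresses and ACL numbers below are constructed for the example. It pulls out the three event classes the text names (interface status, security alerts, configuration changes) and also uses the router's sequence numbers to spot messages lost in transit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what a syslog server might write for two routers
# (hypothetical addresses 192.0.2.1 and 192.0.2.2). Each line carries the
# server's receive time, the source address, the router's sequence number,
# and the router's own %FACILITY-SEVERITY-MNEMONIC message. Not real data.
SAMPLE_LOG = """\
Mar 10 14:22:01 192.0.2.1 45: *Mar 10 14:22:00.512 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
Mar 10 14:22:01 192.0.2.1 46: *Mar 10 14:22:01.020 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Mar 10 14:22:15 192.0.2.2 301: *Mar 10 14:22:14.870 UTC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40112) -> 203.0.113.5(23), 1 packet
Mar 10 14:22:40 192.0.2.1 47: *Mar 10 14:22:39.331 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
Mar 10 14:22:41 192.0.2.1 48: *Mar 10 14:22:40.004 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Mar 10 14:23:02 192.0.2.2 302: *Mar 10 14:23:01.118 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.9)
Mar 10 14:23:30 192.0.2.2 304: *Mar 10 14:23:29.700 UTC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40113) -> 203.0.113.5(23), 1 packet
Mar 10 14:23:31 192.0.2.2 305: free text that is not a %FACILITY message
"""

HEADER_RE = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): (?P<rest>.*)$"
)
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>\w+)")
ACL_RE = re.compile(r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) (?P<src>\S+) -> (?P<dst>\S+)")


def parse_line(line):
    """Split one syslog-server line into its fields; None if it is not a router line."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    rec = {"received": h["recv"], "host": h["host"], "seq": int(h["seq"]),
           "facility": None, "severity": None, "mnemonic": None, "text": h["rest"]}
    m = MSG_RE.search(h["rest"])
    if m:
        rec.update(facility=m["facility"], severity=int(m["sev"]),
                   mnemonic=m["mnemonic"], text=m["text"])
    return rec


def summarize(log_text):
    """Build the day-to-day report: interface state, ACL denies, config changes, lost messages."""
    by_severity = Counter()
    interface_events = defaultdict(list)   # (host, interface) -> [state, ...]
    acl_denies = Counter()                 # (host, acl, source ip) -> count
    config_changes = []
    seen_seq = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        seen_seq[rec["host"]].append(rec["seq"])
        if rec["facility"] is None:
            unparsed += 1
            continue
        by_severity[rec["severity"]] += 1
        if rec["facility"] == "LINK" and rec["mnemonic"] == "UPDOWN":
            i = IFACE_RE.search(rec["text"])
            if i:
                interface_events[(rec["host"], i["iface"])].append(i["state"])
        elif rec["facility"] == "SEC" and rec["mnemonic"].startswith("IPACCESSLOG"):
            a = ACL_RE.search(rec["text"])
            if a and a["action"] == "denied":
                src_ip = a["src"].split("(")[0]   # drop the (port) suffix
                acl_denies[(rec["host"], a["acl"], src_ip)] += 1
        elif rec["facility"] == "SYS" and rec["mnemonic"] == "CONFIG_I":
            config_changes.append((rec["host"], rec["text"]))
    # A gap in a router's sequence numbers means messages were lost on the way
    # to the server (syslog rides on UDP), which matters when a report says "nothing happened".
    lost = {}
    for host, seqs in seen_seq.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
        if missing:
            lost[host] = missing
    return {"by_severity": dict(by_severity), "interface_events": dict(interface_events),
            "acl_denies": dict(acl_denies), "config_changes": config_changes,
            "lost_messages": lost, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the report shows Serial0/0 on the first router going down and back up, two ACL 110 denies from the same source on the second router, one configuration change, and a missing sequence number (303) on the second router, which is the kind of detail a plain count of lines would hide.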

Table 1-4 is a list of known available software that analyzes syslog data. Even if you are going to write your own scripts, it's worth checking out the commercial packages to see what can be done with syslog data.

Table 1-4. Software That Analyzes Syslog Data

Software                URL
Cisco Resource Manager  http://www.cisco.com/warp/public/cc/pd/wr2k/rsmn/index.shtml
Private I               http://www.opensystems.com/index.asp
Crystal Reports         http://www.seagatesoftware.com/crystalreports/
Netforensics            http://www.netforensics.com/

One item to remember with the ISP's syslog infrastructure is this: Time synchronization is critical! To compare logs from two routers in different parts of the network, the time on them must be synchronized with that on the syslog server. Hence, the ISP must make the effort to deploy NTP in its network, ensuring that the entire network and systems infrastructure are in time sync.

Network Time Protocol

Time synchronization across the ISP's network is one of those least talked about yet critical pieces of the network. Without some mechanism to ensure that all devices in the network are synchronized to exactly the same time source, functions such as accounting, event logging, fault analysis, security incident response, and network management cannot be carried out across more than one network device. Whenever an ISP's system or network engineer needs to compare two logs from two different systems, each system needs a frame of reference to match the logs. That frame of reference is synchronized time.

The Network Time Protocol (NTP) is probably the most overlooked configuration feature on an ISP's network. NTP is a hierarchical protocol designed to synchronize the clocks on a network of computing and communication equipment. It is a dynamic, stable, redundant protocol used to keep time synchronized between network devices to a granularity of 1 ms. First defined in RFC 958, NTP has since been modified to add more redundancy and security. Other RFCs for time synchronization include the following:

• RFC 1128, "Measured Performance of the Network Time Protocol in the Internet System," 1989

• RFC 1129, "Internet Time Synchronization: The Network Time Protocol," 1989

• RFC 1165, "Network Time Protocol (NTP) over the OSI Remote Operations Service," 1990

• RFC 1305, "Network Time Protocol (Version 3) Specification," 1992 (draft standard)

• RFC 2030, "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6, and OSI," 1996 (informational)

An NTP network usually gets its time from an authoritative time source, such as a radio clock, a global positioning system (GPS) device, or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is hierarchical, with different time servers maintaining authority levels. The highest authority is Stratum 1. Levels of authority then descend from 2 to a maximum of 16. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another.
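An added example, not from the book, tying the two points above together: what NTP actually computes from one request/reply exchange, and why the syslog comparison described earlier fails without it. The offset and delay formulas are the ones defined in RFC 1305 (t1 and t4 are the client's send and receive times on its own clock, t2 and t3 the server's receive and send times on its clock). The router names, the 75-second clock error on the second router and all timestamps are constructed for the example.

```python
from datetime import datetime, timedelta


def ntp_offset_and_delay(t1, t2, t3, t4):
    """RFC 1305 offset and round-trip delay from one NTP exchange.
    t1 = client sends request (client clock), t2 = server receives (server clock),
    t3 = server sends reply (server clock), t4 = client receives (client clock).
    Returns (offset to ADD to the client clock, round-trip delay), in the input units.
    The offset is exact only if the path delay is symmetric, which is why NTP
    keeps several samples and prefers the ones with the smallest delay."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


# Constructed exchange between hypothetical router rtr-b and a synchronized server:
# rtr-b's clock runs 75.0 s ahead, the one-way network delay is about 20 ms each way.
RTR_B_EXCHANGE = (1000.00, 925.02, 925.03, 1000.05)

# Constructed log events from two routers: (router, timestamp on that router's clock, message).
# rtr-a is synchronized; rtr-b is the one that is 75 s ahead. Both links went down and
# came back at the same moment, but rtr-b's log says it happened 75 s later.
SAMPLE_EVENTS = [
    ("rtr-a", datetime(2003, 3, 10, 14, 22, 0, 512000), "%LINK-3-UPDOWN: Interface Serial0/0, changed state to down"),
    ("rtr-b", datetime(2003, 3, 10, 14, 23, 15, 430000), "%LINK-3-UPDOWN: Interface Serial1/0, changed state to down"),
    ("rtr-a", datetime(2003, 3, 10, 14, 22, 39, 331000), "%LINK-3-UPDOWN: Interface Serial0/0, changed state to up"),
    ("rtr-b", datetime(2003, 3, 10, 14, 23, 54, 100000), "%LINK-3-UPDOWN: Interface Serial1/0, changed state to up"),
]


def correlate(events, offsets, window_s=2.0):
    """Group events whose clock-corrected times fall within window_s seconds of the previous one.
    offsets maps router -> seconds to add to that router's timestamps (0 when it is in sync).
    Returns a list of groups, each a list of (corrected time, router, message)."""
    corrected = sorted(
        ((ts + timedelta(seconds=offsets.get(router, 0.0)), router, msg) for router, ts, msg in events),
        key=lambda e: e[0],
    )
    groups = []
    for ts, router, msg in corrected:
        if groups and (ts - groups[-1][-1][0]).total_seconds() <= window_s:
            groups[-1].append((ts, router, msg))
        else:
            groups.append([(ts, router, msg)])
    return groups


if __name__ == "__main__":
    offset, delay = ntp_offset_and_delay(*RTR_B_EXCHANGE)
    print(f"rtr-b offset {offset:+.3f} s, round-trip delay {delay:.3f} s")
    print("uncorrected groups:", [len(g) for g in correlate(SAMPLE_EVENTS, {})])
    print("corrected groups:  ", [len(g) for g in correlate(SAMPLE_EVENTS, {"rtr-a": 0.0, "rtr-b": offset})])
```

With the raw timestamps the four events look like four unrelated incidents; once the NTP-measured offset (about -75 s for rtr-b) is applied, the two "down" events and the two "up" events line up within a fraction of a second, which is the frame of reference the text is talking about. In practice the routers themselves apply the correction by running NTP, so the syslog server never has to.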
