
25.3.11 Packet Tracer Logging From Multiple Sources

Packet Tracer - Logging from Multiple Sources

Objectives
Part 1: Use syslog to capture log files from multiple network devices
Part 2: Observe AAA user access logging
Part 3: Observe NetFlow information

Background / Scenario
In this activity, you will use Packet Tracer to view network data generated by syslog, AAA, and NetFlow.

Instructions

Part 1: View Log Entries with Syslog


Step 1: The syslog Server
Syslog is a messaging system designed to support remote logging. Syslog clients send log entries to a syslog
server. The syslog server concentrates and stores log entries. Packet Tracer supports basic syslog
operations and can be used for demonstration. The network includes a syslog server and syslog clients. R1,
R2, Core Switch, and the Firewall are syslog clients. These devices are configured to send their log entries to
the syslog server. The syslog server collects the log entries and allows them to be read.
Log entries are categorized by seven severity levels. Lower levels represent more serious events. The levels
are: emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), and
debugging (7). Syslog clients can be configured to ship log entries to syslog servers based on the severity
level.
a. Click the Syslog Server to open its window.
b. Select the Services tab and select SYSLOG from the list of services shown on the left.
c. Click On to turn on the Syslog service.
d. Syslog entries coming from syslog clients will be shown in the window on the right. Currently, there are no
entries.
e. Keep this window open and visible and move on to Step 2.

Step 2: Enable Syslog.


The devices are already configured to send log messages to the syslog server, but Packet Tracer only
supports the logging for the debugging severity level with syslog. Because of that, we must generate debug
level messages (level 7) so they can be sent to the syslog server.
a. Click R1 > CLI tab.
b. Press Enter to get a command prompt and enter the command enable.
c. Enter the command debug eigrp packets to enable EIGRP debugging. The command line console will
immediately fill with debug messages.
d. Return to the Syslog Server window. Verify that log entries appear on the syslog server.
e. After a few messages have been logged, click the radio button to turn the syslog service Off.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com

Question:

What is some of the information that is included in the syslog messages that are being displayed by the
Syslog Server?
Type your answers here.

f. Close the R1 device window.
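
The severity levels from Step 1 and the debug messages from Step 2 can be tied together with a short added example (not part of the original lab and not Cisco code). It parses Cisco IOS-style `%FACILITY-SEVERITY-MNEMONIC` tags and reports which entries a client would ship at each severity threshold; the sample lines are constructed, and treating untagged lines as level 7 debug output is an assumption of this example.

```python
import re

# Severity names in the order the lab lists them; the list index is the level (0-7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Cisco IOS message tag: %FACILITY-SEVERITY-MNEMONIC: description
TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): ?(.*)")

def parse(line):
    """Return a dict describing one log line."""
    m = TAG.search(line)
    if m:
        facility, level, mnemonic, text = m.groups()
        level = int(level)
    else:
        # Assumption of this example: an untagged line is debug output (level 7).
        facility, level, mnemonic, text = None, 7, None, line.strip()
    return {"facility": facility, "level": level,
            "severity": SEVERITIES[level], "mnemonic": mnemonic, "text": text}

def forwarded(lines, threshold):
    """Entries a client ships when its threshold is the named severity:
    that level and every more serious (lower-numbered) level."""
    limit = SEVERITIES.index(threshold)
    return [r for r in map(parse, lines) if r["level"] <= limit]

def counts_by_threshold(lines):
    """Number of entries shipped for each possible threshold."""
    return {name: len(forwarded(lines, name)) for name in SEVERITIES}

# Constructed sample lines (not captured from the lab topology).
SAMPLE = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.0.0.2 (GigabitEthernet0/1) is up: new adjacency",
    "EIGRP: Sending HELLO on GigabitEthernet0/0",
    "EIGRP: Received HELLO on GigabitEthernet0/0 nbr 10.0.0.2",
]

if __name__ == "__main__":
    for name, n in counts_by_threshold(SAMPLE).items():
        print(f"{SEVERITIES.index(name)} {name:<14} ships {n} of {len(SAMPLE)}")
```

Only the debugging threshold ships the EIGRP debug lines, which is why Step 2 has to generate level 7 messages before anything appears on the server.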

Part 2: Log User Access


Another important type of log relates to user access. Having records of user logins is crucial for
troubleshooting and traffic analysis. Cisco IOS supports Authentication, Authorization and Accounting (AAA).
With AAA, it is possible not only to delegate the user validation task to an external server but also to log
activities.
TACACS+ is a protocol designed to allow remote authentication through a centralized server.
Packet Tracer offers basic AAA and TACACS+ support. R2 is also configured as a TACACS+ server. R2 will
ask the server if that user is valid by verifying username and password, and grant or deny access based on
the response. The server stores user credentials and is also able to log user login transactions. Follow the
steps below to log in to R2 and display the log entries related to that login:
a. Click the Syslog Server to open its window.
b. Select the Desktop tab and select AAA Accounting. Leave this window open.
c. Click R2 > CLI.
d. Press Enter to get a command prompt. R2 will ask for username and password before granting access to
its CLI. Enter the following user credentials: analyst and cyberops as the username and password,
respectively.
e. Return to the Syslog Server’s AAA Accounting Records window.
Question:

What information is in the log entry?


Type your answers here.

f. On R2, enter the logout command.


Question:

What happened in the AAA Accounting window?


Type your answers here.

Part 3: NetFlow and Visualization


In the topology, the Syslog server is also a NetFlow collector. The firewall is configured as a NetFlow
exporter.
a. Click the Syslog Server to bring up its window. Close the AAA Accounting Records window.
b. From the Desktop tab, select Netflow Collector. The NetFlow collector services should be turned on.
c. From any PC, ping the Corp Web Server at 209.165.200.194. After a brief delay, the pie chart will update
to show the new traffic flow.


Note: The pie charts displayed will vary based on the traffic on the network. Other packet flows, such as
EIGRP-related traffic, are being sent between devices. NetFlow is capturing these packets and exporting
statistics to the NetFlow Collector. The longer NetFlow is allowed to run on a network, the more traffic
statistics will be captured.

Reflection
While the tools presented in this activity are useful, each one has its own service and may need to run on
totally different devices. A better way, explored later in the course, is to have all the logging information be
concentrated under one tool, allowing for easy cross-reference and powerful search capabilities. Security
information and event management (SIEM) platforms can gather log files and other information from diverse
sources and integrate the information for access by a single tool.