cislog report output
A cislog report is composed of multiple sections. Unless DEBUG is enabled,
the top section is a summary of log messages followed by a categorical
analysis section of specific log message detail.
DEBUG
If there are log messages that cislog does not understand or have a
categorizing routine for, and the DEBUG option is not enabled, a warning
message is displayed. If DEBUG is enabled at level 1 or higher and there
are unknown log messages, they are all displayed as the program is
parsing log messages, before the report summary. DEBUG is disabled by
default and is only recommended for troubleshooting or investigating
suspicious log messages cislog does not understand.
Report Summary
The log message category totals are displayed at the top of the report.
Individual categories are not displayed if cislog does not find log
messages in that particular category.
Individual Category Reports
Traceback/Process error
- Traceback/Process messages are serious error conditions and they should
be investigated as soon as possible. Ideally, there should not be any
messages logged in this category. These generally indicate serious
hardware or software problems.
System MALLOC failure
- MALLOC failure messages indicate that the system failed to allocate
memory for a process or operation and should be investigated as soon as
possible. Ideally, there should not be any messages logged in this
category. These generally indicate insufficient memory installed on
the device, a memory leak condition or overload (possibly due to attack,
but also possibly from increasing offered load conditions).
System reset/reload
- The device was restarted or reloaded by request. These messages indicate
that someone or an automated management process intentionally rebooted
the system. Unless maintenance is being done, these messages should be
rare. Unauthorized reboots should be investigated as soon as possible.
CPU hog
- CPU hog messages indicate that a process on the device did not relinquish
the processor in a timely fashion and should be investigated as soon as
possible. Ideally there should not be any messages in this category.
These generally indicate an overload condition in the process identified
in the log message.
OSPF adjacency change
- OSPF adjacency messages are generated whenever an OSPF neighbor to the
reporting device has changed. These are often as a result of a change in
physical link status between neighbors. In a stable environment,
ideally there should not be any messages in this category.
Uncategorized
- cislog does not interpret all possible log categories. In order to
present some useful info on unknown categories, this report will list
the top types of uncategorized messages. Often this category is useful
in spotting problems not caught by the known categories. Cisco uses a
standard message category prefix of the following format:
  %FACILITY-SEVERITY-MNEMONIC: Message text
- FACILITY consists of two or more upper case letters that indicate
the facility to which the message refers. This is not to be confused with
the term facility used with syslog configuration; rather, it is just
an identifying process on the Cisco device.
- SEVERITY is a value of 0 to 7 inclusive. The lower the number, the
more serious the situation is considered.
- MNEMONIC is a code that uniquely identifies the message and the following
message text.
Device login ACL deny
- Device login ACL deny messages indicate the top source IPs that were
denied a login prompt to the device. Large numbers of attempts from any
particular IP may represent a concerted effort to gain access to a
device or simply a host that is performing scanning for open remote
login ports.
Device login ACL permit
- Device login ACL permit messages show the top source IPs that have
passed a device login ACL and presented a login prompt. Depending on
how the ACL is setup, it may also include the permitted packets for the
login session. This report may be useful as a check to verify where
remote logins are coming from and how often.
Interface ACL deny
- The interface ACL deny reports identify ACLs, source IPs, protocols and
ports that were most actively logged by devices. These reports provide
an audit of hosts that are hitting ACLs and are being logged by devices.
Interface ACL permit
- The interface ACL permit reports identify ACLs, source IPs, protocols
and ports that were most actively logged by devices. These reports
provide an audit of hosts that pass ACLs and are being logged by devices.
Port security violation
- The port security violation messages indicate when a switch is seeing
too many source MAC addresses per individual switch port. Ideally there
should not be any of these messages logged in this category. These
messages may indicate a MAC spoofing attack or misconfigured edge hosts
(such as a bridging loop). These messages will only be seen if the port
security feature of Cisco switches is in use. It is not on by default.
RSHELL command attempt
- The RSHELL command attempt messages indicate that a host attempted to
connect to a router through the rshell TCP port 514. Ideally there
should not be any messages logged in this category. These messages
often indicate a source host running network/host scanning software.
Device configured
- The device configured messages indicate that the device's configuration
may have changed. This message is logged when anyone enters configuration
mode on the device and may not indicate that the configuration has
actually changed. These messages should only be logged when authorized
staff are performing maintenance on devices.
Link up/down
- The link up/down messages indicate that a physical link state has
transitioned between up and down. These messages should not be logged
on a stable network, but may occur with some frequency if end host link
status is being logged. A substantial number of messages for any one
host or port may indicate a (flapping) problem that should be investigated.
Line protocol up/down
- The line protocol up/down messages indicate that a data link or layer 3
protocol on the interface has transitioned between up and down. These
messages should not be logged on a stable network, but may occur with
some frequency if end hosts or network connections are frequently mobile. A
substantial number of messages for any one link may indicate a (flapping)
problem that should be investigated.
Runtime diag link flap
- The runtime diag link flap messages indicate that a port or device on the
end of the port may be faulty. Ideally no messages should be logged in
this category, otherwise investigation may be warranted if messages
continue.
Runtime diag address flap
- The runtime diag address flap messages indicate that a MAC address is
being relearned between one or more switch ports. Ideally no messages
should be logged in this category. This message is often indicative of
a spanning tree loop inserted into the network.
Link error
- The link error messages indicate that a switch port is seeing excessive
errors. Ideally no messages should be logged in this category. This
message often indicates a duplex mismatch between the ends of the link.
Link change
- The link change messages indicate that an interface has changed between
an up and down state. This message is typically seen when an administrator
manually takes an interface out of service or puts one into service. Ideally
these messages should be rare in a stable environment.
PAGP from STP
PAGP to STP
- The PAGP from/to STP message indicates that a port has left or joined
the spanning tree. Excessive messages from a single port may indicate
a connectivity problem, otherwise small numbers of these messages may
be normal.
Mcast rx join range
- The Mcast rx join range message indicates that a host issued an IGMP
report for an IP multicast group address in the 224.0.0.0 - 224.0.0.255
range. This group range is local network control block and generally
reserved for functions such as routing protocols. Ideally no messages
in this category should be logged.
Mcast rx IGMP report
- The Mcast rx IGMP report message is used by IGMP snooping switches
indicating that a particular host issued an IGMP report for a particular
group. This message may be used to audit active multicast groups and
members.
Traffic w/ mcast src addr
- The Traffic w/ mcast src addr message indicates that a switch has
detected a source generating frames with a multicast or broadcast address
as the source MAC address. Ideally no messages in this category should
be logged. This message indicates a host that is probably fundamentally
broken or there is traffic being crafted by a traffic generator or spoofing
tool.
Unknown
- The unknown message type is a log message that is believed not to be a
properly formatted Cisco log message. If unknown message count is greater
than zero, it may indicate that the report is being run against logs that
include non-Cisco log messages. These messages can be displayed by
enabling the DEBUG parameter.
Hourly Log Distribution
At the end of the report is an hourly usage summary chart. This is a simple
bar chart using '#' marks to denote relative distribution of log messages
within an hour of a 24-hour day.
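The pipeline the report describes, from the %FACILITY-SEVERITY-MNEMONIC prefix in the Uncategorized section through the Unknown/Uncategorized split to this hourly '#' chart, as an added Python example that is not cislog's own code. The facility regex, the small category table and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter
# Prefix described above: %FACILITY-SEVERITY-MNEMONIC: text. Assumption: FACILITY
# is matched a little more loosely than "two or more upper-case letters", since
# real facility names such as SEC_LOGIN carry underscores; SEVERITY stays 0-7.
CISCO_MSG = re.compile(r"%(?P<facility>[A-Z][A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
# Syslog header timestamp "Mon DD HH:MM:SS"; its hour feeds the 24-bucket chart.
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} (?P<hour>\d{2}):\d{2}:\d{2}")

# Illustrative categorizer table (assumed, not cislog's own): (facility, mnemonic)
# -> report category. Well-formed messages missing here are "Uncategorized".
CATEGORIES = {
    ("SYS", "CONFIG_I"): "Device configured",
    ("SYS", "MALLOCFAIL"): "System MALLOC failure",
    ("LINK", "UPDOWN"): "Link up/down",
    ("OSPF", "ADJCHG"): "OSPF adjacency change",
}

def categorize(line):
    """Return (category, hour); lines with no Cisco prefix are "Unknown"."""
    ts = SYSLOG_TS.match(line)
    hour = int(ts.group("hour")) if ts else None
    m = CISCO_MSG.search(line)
    if not m:
        return "Unknown", hour
    return CATEGORIES.get((m.group("facility"), m.group("mnemonic")), "Uncategorized"), hour

def report(lines):
    """Category totals (the report summary) plus per-hour message counts."""
    totals, hourly = Counter(), [0] * 24
    for line in lines:
        category, hour = categorize(line)
        totals[category] += 1
        if hour is not None:
            hourly[hour] += 1
    return totals, hourly

def hourly_chart(hourly):
    """One '#' bar per hour, scaled so the busiest hour is 40 marks wide."""
    peak = max(hourly) or 1
    return [f"{h:02d}h {'#' * (40 * n // peak)} {n}" for h, n in enumerate(hourly)]

# Constructed sample lines (not real device output) covering each outcome.
SAMPLE = [
    "Mar  3 02:10:05 rtr1 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar  3 02:11:30 rtr1 46: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  3 14:00:40 rtr1 47: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.7(4444) -> 10.0.0.1(22), 1 packet",
    "Mar  3 14:05:00 host2 sshd[1234]: Accepted publickey for ops from 10.0.0.9",
]
```

A non-Cisco line such as the sshd entry lands in Unknown, while a well-formed message with no table entry (the IPACCESSLOGP line) lands in Uncategorized, which is the distinction the Unknown section above draws.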
DEBUG summary
If DEBUG is enabled a final environment summary is presented including
program execution details and script variable settings.