Solved

Alert message in Cisco router

Posted on 2006-11-01
Last Modified: 2013-11-29
Hello !!

Can someone explain the error message below to me:

22:51:46: %FW-4-ALERT_ON: getting aggressive, count (109/500) current 1-min rate: 501
22:52:52: %FW-4-ALERT_OFF: calming down, count (1/400) current 1-min rate: 269

This is the message I receive on the console when I am logged on to router.

Best regards
Steve_I
0
Comment
Question by:Steve_I
41 Comments
 
LVL 7

Expert Comment

by:instillmotion
ID: 17850753
"Denial-of-Service Attack Detection Error Messages

CBAC detects and blocks denial-of-service attacks and notifies you when denial-of-service attacks occur. The following error messages may indicate that denial-of-service attacks have occurred:

Error Message  
%FW-4-ALERT_ON:[chars], count ([dec]/[dec]) current 1-min rate: [dec]

Explanation    Either the max-incomplete high threshold of half-open connections or the new connection initiation rate has been exceeded. This error message indicates that an unusually high rate of new connections is coming through the firewall, and a DOS attack may be in progress. This message is issued only when the max-incomplete high threshold is crossed.

Recommended Action   This message is for informational purposes only, but may indicate a security problem.

The following is an example of this type of message:

%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250

Error Message  
%FW-4-ALERT_OFF:[chars], count ([dec]/[dec]) current 1-min rate: [dec]

Explanation    Either the number of half-open connections or the new connection initiation rate has gone below the max-incomplete low threshold. This message indicates that the rate of incoming new connections has slowed down and is issued only when the max-incomplete low threshold is crossed.

Recommended Action   This message is for informational purposes only, but may indicate that an attack has stopped.

The following is an example of this type of message:

%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
 

When %FW-4-ALERT_ON and %FW-4-ALERT_OFF error messages appear together, each "aggressive/calming" pair of messages indicates a separate attack. The following example shows two separate attacks:

%FW-4-ALERT_ON: getting aggressive, count (25/25) current 1-min rate: 103
%FW-4-ALERT_OFF: calming down, count (9/10)current 1-min rate: 108
%FW-4-ALERT_ON: getting aggressive, count (25/25) current 1-min rate: 99
%FW-4-ALERT_OFF: calming down, count (9/10)current 1-min rate: 99
"

0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17850784

Steve_I,

Well, I've got good news and bad news for you.

The bad news first - when you see that series of messages, the IOS firewall is alerting you that it is receiving an excessive number of suspicious packets.  What this means is a denial-of-service attack is probably occurring.  Each "aggressive/calming" pair of messages indicates a separate attack.  If you see something like the following, then you've probably got a denial-of-service attack on a specific TCP host (%a is a variable - usually 5 -  and w.x.y.z would be the IP address of the host):

%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (%a) exceeded for host w.x.y.z.
%FW-4-BLOCK_HOST: Blocking new TCP connections to host w.x.y.z for 2 minutes (half-open count %a exceeded)
%FW-4-UNBLOCK_HOST: New TCP connections to host w.x.y.z no longer blocked

The good news - your IOS firewall is doing what it's supposed to.  I'd recommend you set up logging on the router and start checking to see if you can trace back the source IPs (you may not be able to if it's a distributed attack) and then you can try to trace the IPs back to the ISP using WHOIS at ARIN's site.

Hope this helps!

<-=+=->

0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17850798
Sorry - instillmotion must have posted while I was typing.  Doh!

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17850867
Well, very good explanation boys, but You who bring me the bad news first :) any idea how I can turn on logging on the router, and how to access the log file to find out?? Is it also possible to trace WHICH server they are trying to attack? The internal IP and then the IP of the son of a bitch, I will find him. I have great contacts in the right places, I just need help to log the IP.

And please if You have any good suggestions to monitor the network for attack just let me know, because I have really sensitive info on my network.

The router I use is 2600 Series with latest IOS 12.4.10(a)

Thank You all again !!

Best regards
Steve_I
0
 
LVL 13

Accepted Solution

by:
Joseph Hornsey earned 125 total points
ID: 17850989

Steve_I,

I'd recommend setting up SYSLOG.  Here are some links:

- Grab a copy of Kiwi's syslog server (http://www.kiwisyslog.com) - it's freeware.
- Configure it on a Windows box (http://www.kiwitools.com/downloads/syslog/Syslogd.pdf) - I'm assuming you're running Windows
- Configure your Cisco router to log to the syslog server(http://www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm)

That's pretty much it.  You'll have to do some tweaking and playing around with it to get used to the info and to set the appropriate debugging level.

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17851042
Ok, I will test it. Yes I am using the windows, and I use the KIWITOOLS for backup of the routers and switches.

One more question :

What You mean with this :

I'd recommend you set up logging on the router and start checking to see if you can trace back the source IPs (you may not be able to if it's a distributed attack)

(you may not be able to if it's a distributed attack) ??

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17851106

Well, if it's a DDoS (Distributed Denial of Service), then the attack is distributed, meaning it's coming from a bunch of different IP addresses.  If it's a run-of-the-mill DoS, then it's coming from one box.

What I meant was that tracing the source on a DDoS is going to be very difficult (which is why they're used) because you'll see the attacks coming from so many different places.  Most of the time, the people whose computers are sourcing the attacks are clueless that it's happening.

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17851129
Ok, I understand now.

THANK YOU VERY MUCH FOR GREAT EXPLANATIONS ! boys !
I will install the kiwi tools and I will test it, so we will see..

Best regards
Steve_I
0
 

Author Comment

by:Steve_I
ID: 17852884
Weird, these messages are coming the whole time. Is it normal that someone tries to attack the router the whole time??

1d01h: %FW-4-ALERT_ON: getting aggressive, count (88/500) current 1-min rate: 501
1d01h: %FW-4-ALERT_OFF: calming down, count (62/400) current 1-min rate: 374
1d01h: %FW-4-ALERT_ON: getting aggressive, count (107/500) current 1-min rate: 501
1d01h: %FW-4-ALERT_OFF: calming down, count (83/400) current 1-min rate: 396
1d01h: %FW-4-ALERT_OFF: calming down, count (29/400) current 1-min rate: 326
1d02h: %FW-4-ALERT_ON: getting aggressive, count (94/500) current 1-min rate: 501
1d02h: %FW-4-ALERT_OFF: calming down, count (39/400) current 1-min rate: 340
1d02h: %FW-4-ALERT_ON: getting aggressive, count (122/500) current 1-min rate: 501
1d02h: %FW-4-ALERT_OFF: calming down, count (60/400) current 1-min rate: 390
1d02h: %FW-4-ALERT_ON: getting aggressive, count (79/500) current 1-min rate: 501
1d02h: %FW-4-ALERT_OFF: calming down, count (73/400) current 1-min rate: 395
1d03h: %FW-4-ALERT_ON: getting aggressive, count (93/500) current 1-min rate: 501
1d03h: %FW-4-ALERT_OFF: calming down, count (10/400) current 1-min rate: 278
1d03h: %FW-4-ALERT_ON: getting aggressive, count (109/500) current 1-min rate: 501
1d03h: %FW-4-ALERT_OFF: calming down, count (78/400) current 1-min rate: 390
1d03h: %FW-4-ALERT_ON: getting aggressive, count (81/500) current 1-min rate: 501
1d03h: %FW-4-ALERT_OFF: calming down, count (50/400) current 1-min rate: 332
1d03h: %FW-4-ALERT_ON: getting aggressive, count (101/500) current 1-min rate: 501
1d03h: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 305

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17853041
Well now I have installed the Kiwi SYSLOG and configured logging on the router.
So when I open the SYSLOG manager, I see that there is logging, but the messages are the same as on the router, I am not able to see the IP address. Any idea why? Where is it possible to see detailed attacks? Do I need to reconfigure it?

Because now I only see the "Display00 Default" in the sys manager.

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17854823
Steve_I,

You might be able to get this to do what you want by changing the syslog logging trap level on the router:

The command is "logging trap x" where "x" is the level number as follows:
   0 - Emergency
   1 - Alert
   2 - Critical
   3 - Error
   4 - Warning
   5 - Notice
   6 - Informational
   7 - Debug

However, that may not do what you want, either.  An alternative, since you're running 12.4 is to try to use the IP source tracker:
http://www-search.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c57.html

Another link you might find interesting on preventing DoS attacks on your router:
http://www-search.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4f.html

Hope this helps!

<-=+=->
0
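The %FW-4-ALERT_ON / ALERT_OFF format quoted earlier in the thread and the logging trap levels listed above, as an added example (not code from any poster or from Cisco): a Python parser that pairs the messages into episodes, reports which of the two documented conditions each ALERT_ON reflects, and checks whether a given trap level would forward them. Function names are illustrative; the sample lines are copied from this thread (router output plus the two documentation examples).

```python
import re

# Sample lines copied from this thread: five lines of the posted router
# output, then the two example lines from the quoted Cisco documentation.
SAMPLE = """\
1d01h: %FW-4-ALERT_ON: getting aggressive, count (88/500) current 1-min rate: 501
1d01h: %FW-4-ALERT_OFF: calming down, count (62/400) current 1-min rate: 374
1d01h: %FW-4-ALERT_ON: getting aggressive, count (107/500) current 1-min rate: 501
1d01h: %FW-4-ALERT_OFF: calming down, count (83/400) current 1-min rate: 396
1d01h: %FW-4-ALERT_OFF: calming down, count (29/400) current 1-min rate: 326
%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
"""

# %FACILITY-SEVERITY-MNEMONIC, then "count (current/threshold)" and the rate.
# \s* tolerates the missing space seen in "count (9/10)current".
ALERT_RE = re.compile(
    r"%(?P<facility>[A-Z_]+)-(?P<severity>[0-7])-(?P<mnemonic>ALERT_(?:ON|OFF)):"
    r".*?count \((?P<count>\d+)/(?P<threshold>\d+)\)\s*"
    r"current 1-min rate: (?P<rate>\d+)"
)


def parse(line):
    """Return the fields of one ALERT_ON/ALERT_OFF line, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("severity", "count", "threshold", "rate"):
        rec[key] = int(rec[key])
    return rec


def trigger(rec):
    """Which documented condition an ALERT_ON reflects.

    The message is raised when either the half-open count or the new
    connection rate crosses its high threshold. Only the count threshold is
    printed, so a count below it leaves the rate as the cause.
    """
    return "half-open count" if rec["count"] >= rec["threshold"] else "1-min rate"


def episodes(lines):
    """Pair each ALERT_ON with the next ALERT_OFF; collect unpaired messages."""
    open_on, paired, strays = None, [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["mnemonic"] == "ALERT_ON":
            if open_on is not None:
                strays.append(open_on)      # ON that was never closed
            open_on = rec
        elif open_on is not None:
            paired.append((open_on, rec))
            open_on = None
        else:
            strays.append(rec)              # OFF with no ON before it
    if open_on is not None:
        strays.append(open_on)
    return paired, strays


def sent_to_syslog(rec, trap_level):
    """'logging trap N' forwards messages of severity N and more severe (lower)."""
    return rec["severity"] <= trap_level


def summarize(text, trap_level=4):
    paired, strays = episodes(text.splitlines())
    return {
        "episodes": len(paired),
        "unpaired": len(strays),
        "triggers": [trigger(on) for on, _ in paired],
        "forwarded": all(sent_to_syslog(on, trap_level) for on, _ in paired),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(SAMPLE, trap_level=2))
```

In the router output posted in this thread the half-open count stays well under its printed threshold on every ALERT_ON, so by the documentation's either/or wording those alerts reflect the connection rate. At trap level 2 these severity-4 messages would not reach the syslog server.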
 

Author Comment

by:Steve_I
ID: 17856115
Thank You Splinter !!

I understood both links, I read through the docs. But on this first link:

However, that may not do what you want, either.  An alternative, since you're running 12.4 is to try to use the IP source tracker:
http://www-search.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c57.html

I see that You need to choose manually which IP to track, as I understood it.

Go to that link above and use "FIND COMMAND" in Explorer ("ctrl + f") and type this:  Enables IP source tracking for a specified host

Then it will display what I am talking about. So in this case I need to find which IP is attacking and then trace it, or?? Because I see that the router needs the IP I will track. Or?

Steve_I


0
 

Author Comment

by:Steve_I
ID: 17861814
I have created the access list on the router which looks like one below:

___________________________________________________________

ip access-list extended ACL_CBAC
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq www
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq ftp
 permit tcp any any eq 7612
 permit tcp any any eq 7615
 permit tcp any any eq 443
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq 5060 any
 permit udp any eq 16300 any
 permit udp any eq 16700 any
 permit tcp any any eq 5060
 permit tcp any any eq 16300
 permit tcp any any eq 16700
 permit udp any eq 5063 any
 permit tcp any any eq 5063
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any eq 5060 any
 permit tcp any eq 5063 any
 permit tcp any eq 16300 any
 permit tcp any eq 16700 any
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit udp any any eq 21

And this acl is applied to outside interface fa0/0.30 as described below:

interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address REMOVED 255.255.255.192
 ip access-group ACL_CBAC in
 ip nat outside
 ip inspect cbac_in_to_out out
 ip virtual-reassembly
 crypto map clientmap
___________________________________________________________

So the question is: is this the right way to configure the TCP Intercept?

Use the ACL I already have

ip access-list extended ACL_CBAC
 deny tcp any 10.0.0.0 0.0.0.255     this is my internal ip address range
 deny tcp any 172.16.0.0 0.0.0.255  this is my internal ip address range

So then enable the TCP Intercept:

ip tcp intercept list ACL_CBAC

Would this be correct?? I was thinking maybe I have blocked all contact to my servers using this ACL which I already have, hmm??
The ACL that has TCP Intercept must be applied to an outside interface, isn't it??

Best regards
Steve_I




0
 

Author Comment

by:Steve_I
ID: 17861930
Because I have mail servers and web servers running on these internal IP addresses, so therefore I am asking whether this is the right way to do so.

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17864707
Steve,

First, let me go back to your first comment after mine.  You said "So in this case I need to find which IP is attacking and then trace it??"  - Actually, the command "ip source-track <ip address>" is used to identify the destination host, not the source.  So, if your web server's address is 192.168.1.100 and that's the address that's being attacked, you'll want to issue the command "ip source-track 192.168.1.100" and that will start tracking the source addresses of all traffic being sent to that host.

Regarding the extended ACL you've supplied.  You might want to simplify things a little and then get more specific as you need to.  The way I read your access list, you would be intercepting any TCP traffic that met the following criteria:
                   Source - Any
                   Destination - Any
                   Ports - 80, 25, 100, 21, 7612, 7615, 443, 5060, 16300, 16700, 5063 and 53
Keep in mind that ICMP, ESP and UDP packets won't be affected because SYN attacks are TCP-based and the TCP Intercept is only going to look at TCP traffic.

I would just configure the router to examine all incoming traffic and if that over-burdens your router, you can scale it back as needed.  So, if your internal network ID was 192.168.1.0/24, then you'd want to create the following ACL:

access-list TCP_Intercept permit tcp any 192.168.1.0 0.0.0.255

And then issue the following command:

ip tcp intercept list TCP_Intercept

Let me know what you think.

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17864763
Hello again Splinter,

Thank You for very great explanations !!!

First I will ask about Your first answer:
So, if your web server's address is 192.168.1.100 then the command would be "ip source-track 192.168.1.100"
But did You mean maybe WAN ip address external or really internal ip address ??

Regarding the extended ACL I've supplied:

You told me to create the access list as below :
access-list TCP_Intercept permit tcp any 192.168.1.0 0.0.0.255

Then enable the TCP Intercept:
ip tcp intercept list TCP_Intercept

But the question is why You used PERMIT instead of DENY?
And how can this ACL work if it is not assigned to the outbound interface where the static IP address is assigned??
Or does it work without it??

Steve_I


0
 

Author Comment

by:Steve_I
ID: 17864767
If this ACL must be assigned to an interface, then should it be: ip access-group TCP_Intercept out or in?

Steve_i
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17864798
Steve_I,

First of all.... "You're welcome!"  ;-)

Regarding the ip source-track, I believe that it's the external (public) address that you would use in the command, but I may be wrong.  It's been a while since I've had to configure this.

Regarding your question about the ACL... you're thinking of the ACL from the perspective of filtering network traffic on an interface, which is the most common use for it.  Keep in mind, however, that an ACL can be used for much more than just filtering inbound or outbound traffic on an interface.

It helps if you think of the ACL as a separate object.  Consider it as a list that defines traffic.  Now, you can apply that list to an interface, and if you do that, then the interface will filter traffic based on that list.  Or, you could add the list to a VPN configuration and now any traffic that matches the list will go across the VPN tunnel.  Or, you could apply the list using the NAT command to tell the router that it doesn't need to perform NAT on traffic that matches the list.  Or you could attach the list to the TCP Intercept command to tell that process which traffic to look at.

The ACL only defines a traffic pattern.  That pattern can then be used in a multitude of ways.

Does that help clarify?

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17864819
Better and better ;-) I understand what You mean.

So in my case there would be enough to just

add the acl and enable the TCP Intercept:

access-list TCP_Intercept permit tcp any 192.168.1.0 0.0.0.255
ip tcp intercept list TCP_Intercept

and not assign it to interface.

Am I right Am I right Am I Right ;-) from dumb and dumber

Thank You very much again for very good explanation !!!!
Very easy to understand when someone CAN explain the scenario, the explanation method is the most important for users who will learn it.

Very best regards
Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17864882

Yep.  That's exactly right.  In your case, you assign it to the TCP Intercept and not the interface.

Let me know if it works for you.  I'm always interested in nailing those little script kiddies.

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17864941
Ok dude, no problems at all.
I will test this today and I promise I will let You know ! ! You have my word on it !
I am a little afraid to test now. I can access the router from here, it is standing in another location, but I am a little afraid that if something goes wrong I have no person there who can restart it if something happens. And there are 15 users who are logged in through the VPN.

But as I told You, I'll do it today, I am 100 % sure, and then You will hear from me.

Thank You very much again for taking time to help me !!!
Very best regards
Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17864946

You're very welcome.
Good luck!

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17868736
Hi again dude, I promised to let You know when I am finished with it.

This is exactly how I did it:

Router(config)#ip access-list extended TCP_INTERCEPT
Router(config-ext-nacl)#permit tcp any 172.16.0.0 0.0.0.255
Router(config-ext-nacl)#permit tcp any 10.0.0.0 0.0.0.255
Router(config-ext-nacl)#exit
Router(config)#exit
Router#wri mem

And it seems to be working just fine, I hope I did the ACL the right way?? Should I maybe reconfigure the ACL as follows:

Should I configure instead of :

permit tcp any 172.16.0.0 0.0.0.255
permit tcp any 10.0.0.0 0.0.0.255

Like below ?

permit tcp any 172.16.0.0 0.0.0.255 any   ???
permit tcp any 10.0.0.0 0.0.0.255 any       ???

Or just let the config stay as it is ??? I will not change it until I get an answer from You.

And maybe if the config is correct is it great that I send You my ip address on the email so You can try DOS it ?? You have my full permission to test it no problems at all.

Best regards
Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17868790
Actually, I think it looks okay. (The syntax is correct)

The only question I would have is this:  Should the TCP_Intercept be configured with the internal (private) addresses or the external (public) addresses?

It'll be interesting to find out.

Feel free to leave your email and we can talk about the DOS.  I do security audits for banks and we have all kinds of paperwork to keep us out of jail when we do that sort of thing, so I'm a little cautious in doing it without some discussion first.

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17869491
Heh dude, I got a phone call from my users 10 min after I configured the TCP Intercept.
They are asking me "what the hell are You doing man", we can not access the web page :-) They got the message
"the page can not be displayed". It seems that the router denies access to the web servers :-)

Is this normal? Any suggestions? I reconfigured it back to the old config before we find out why it happens.

Best regards
Steve_I
0
 

Author Comment

by:Steve_I
ID: 17869525
I am trying to find out is it internal ip address or external as You ask in the post above.
Hmm...

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17869721
Did you make any other changes to any other ACLs?

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17869754
No, I have just added this :

ip access-list extended TCP_INTERCEPT
 permit tcp any 10.0.0.0 0.0.0.255
 permit tcp any 172.16.0.0 0.0.0.255

nothing more is changed at all.

I am still trying to find out the reason. I don't understand, Cisco described it the same way...

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17869781
Right, but Cisco is using private IPs so that they don't inadvertently publish someone's public IP.

You didn't apply it to the interface, right?

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17869828
No no not to interface everything I did was :

ip access-list extended TCP_INTERCEPT
 permit tcp any 10.0.0.0 0.0.0.255
 permit tcp any 172.16.0.0 0.0.0.255

my servers are on the range 10.0.0.0 and one of them on another vlan.

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17869842
I think we would get the same problem if I used the WAN addresses, because it is the same the user must reach the WAN ip.

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17869844

Try using the external IPs instead and let's see what happens.

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17869865
ip access-list extended TCP_INTERCEPT
 permit tcp any wan_ip 0.0.0.255

?? Sounds bad I think, hmm?

I don`t think we can use the WAN ip.

Steve_I
 
0
 

Author Comment

by:Steve_I
ID: 17869964
I saw that ALL TCP traffic was blocked when I added TCP Intercept. All the mails from Experts Exchange that You posted 15 min ago are coming just now, so this blocked ports 25 and 110, which use TCP.

But the email works fine now when I removed the TCP Intercept.

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17869971

I know it doesn't sound right, but I'm pretty sure it is (I don't have this configured on my routers).

Think of it this way - the router is examining packets as they come in so it knows whether or not it needs to intercept them because they are SYN requests from unreachable sources coming in at an unacceptable rate (that's what TCP Intercept is doing).  When it looks at that IP address, it sees the source IP address and the destination IP address... the destination is going to be the WAN address.  Because if someone addressed the packet to your LAN address, it would never reach you because private IP addresses, by definition, are not routed on the internet.  Since it is examining packets as they come in, it's the WAN address that matters.

Kind of like your other ACLs.  Let's say that my web server's public IP address was 66.113.1.1 and the LAN address is 10.1.1.1.  I have to configure NAT to forward incoming requests addressed to 66.113.1.1 to 10.1.1.1 because 10.1.1.1 isn't routable on the internet.  Once I've done that, I need to configure an ACL to allow TCP port 80 (and maybe 443 if I use SSL) to my web server so that web requests are passed to it.  In that case, the ACL looks like this:

ip access-list extended ACCESS_LIST101
 permit tcp any 66.113.1.1 0.0.0.0 eq www

This tells the IOS firewall to allow TCP port 80 traffic to requests to 66.113.1.1 and then that traffic (because of how I have NAT configured) will then be forwarded internally to 10.1.1.1.

The TCP Intercept is probably going to work the same way.  Keep in mind that if you use:

ip access-list extended TCP_INTERCEPT
 permit tcp any wan_ip 0.0.0.255


You're not telling your router to blindly pass all traffic through.  You're telling TCP Intercept to examine all traffic destined for your internal network.  (It may be better to use specific IP addresses instead)  Your other ACLs are still in effect.

What do you think?

<-=+=->
0
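How much address space an ACE such as `permit tcp any wan_ip 0.0.0.255` actually covers, as an added example (not from the thread): Python that expands an address/wildcard pair and compares it with the interface subnet. The 203.0.113.70 address is a constructed documentation address standing in for the removed WAN IP; the 255.255.255.192 mask is the one shown on FastEthernet0/0.30 earlier in the thread, and the function names are illustrative.

```python
import ipaddress


def wildcard_for(netmask):
    """Invert a dotted netmask into the equivalent ACL wildcard mask."""
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def matched_addresses(base, wildcard):
    """Yield every address that an ACE 'base wildcard' pair matches.

    A 1 bit in the wildcard means "ignore this bit"; a 0 bit must equal
    the corresponding bit of base.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    fixed = int(ipaddress.IPv4Address(base)) & ~wc & 0xFFFFFFFF
    free_bits = [b for b in range(32) if (wc >> b) & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard too wide to enumerate")
    for n in range(1 << len(free_bits)):
        addr = fixed
        for i, b in enumerate(free_bits):
            if (n >> i) & 1:
                addr |= 1 << b
        yield ipaddress.IPv4Address(addr)


def coverage(base, wildcard, interface_ip, netmask):
    """Return (addresses matched, matched addresses outside the interface subnet)."""
    subnet = ipaddress.IPv4Interface(f"{interface_ip}/{netmask}").network
    matched = list(matched_addresses(base, wildcard))
    outside = [a for a in matched if a not in subnet]
    return len(matched), len(outside)


WAN_IP = "203.0.113.70"       # constructed placeholder for the removed WAN address
NETMASK = "255.255.255.192"   # mask from the interface config posted in the thread

if __name__ == "__main__":
    for wc in ("0.0.0.255", wildcard_for(NETMASK), "0.0.0.0"):
        total, outside = coverage(WAN_IP, wc, WAN_IP, NETMASK)
        print(f"permit tcp any {WAN_IP} {wc}: "
              f"{total} matched, {outside} outside the interface subnet")
```

With a 255.255.255.192 interface mask, the 0.0.0.255 wildcard also matches 192 addresses that are not in the router's own subnet, while 0.0.0.63 matches exactly the subnet and 0.0.0.0 a single host.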
 

Author Comment

by:Steve_I
ID: 17870107
Sounds 100 % correct, I understood this.

Of course I use NAT from the WAN IP to the LAN IP, because the LAN IP is not routable on the internet. So after I read Your post I agree that we try to use the WAN IP address. So I think I will reconfigure it now, so we'll see.

Then it would also be:

ip access-list extended TCP_INTERCEPT
 permit tcp any my_wan_ip 0.0.0.255 eq www

I will let You know about 5-10 min when I have tested it.

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17870123
no

I mean :

ip access-list extended TCP_INTERCEPT
 permit tcp any wan_ip 0.0.0.255

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17870203
Well, I think it works now. This is exactly what I did:


Router(config)#ip access-list extended TCP_INTERCEPT
Router(config-ext-nacl)#permit tcp any MY_WAN_IP 0.0.0.255
Router(config-ext-nacl)#exit
Router(config)#exit
Router#wri mem
Building configuration...
[OK]
Router#

So I see that the mail server and web server are accepting normal TCP traffic, now it is the turn to test the DOS attack.
Shall I send You an email address, so I can give You my external IP address?

Steve_I
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17870529
Go ahead and post your email... I'm going to be in a conference call for about the next hour or so, so I won't be able to respond until then.  So don't think I'm being rude!  :)

<-=+=->
0
 

Author Comment

by:Steve_I
ID: 17870631
Ok no problems dude, just send the email when You are ready.

Here is the mail address You can use:
test@24sata.info this is only a temporary email address which will automatically stop functioning in about 5 hours. So send me Your email address at this address, and I will respond to You with my original email address.

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17874467
If I set the security level to:

2 - Critical
what should the facility be then??

logging facility local2   or ??

What does the facility mean in the config??

Steve_I
0
