Syslog config 2811

I have a 2811 ISR that is running zone firewall and serves as a SIP gateway for UCM. I want to log failed access attempts and DOS attacks. I also would like to log basic SIP call activity. How can I set up syslog to see these events? Thank you.
amigan_99 (Network Engineer) asked:
t509 commented:
At first:

logging <YOUR SYSLOG SERVER>

======================================================

Enable logging of commands on syslog-server:

archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

event manager applet SHCOMMANDS
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 action 2.0 set _exit_status "1"
end

========================================================

event manager applet DOSATTACK
 event interface name <serial0/0 or whatever> parameter rxload entry-op gt entry-val 200 entry-type value exit-op lt exit-val 150 exit-type value poll-interval 10
 action 1.0 syslog msg "$_interface_name overloaded: $_interface_parameter = $_interface_value"

IF-Configuration:
 int s0/0
 bandwidth 2000
 load-inter 30

Just tune your parameters the desired way. In this configuration, alarming/logging for an overloaded IF starts at 200/255, and the exit value is 150/255.

This works; I did it several times this way.

============================================

event manager applet VARDEBUGS
event syslog occurs 1 pattern "%SYS-5-RESTART"
action 1.0 cli command "enable"

action 2.0 cli command "debug ssh"
          or
action 2.0 cli command "debug ip ssh"

action 3.0 cli command "debug ccsip events"
action 4.0 cli command "debug ccsip calls"

With this EEM script, the debugging of these topics is automatically enabled after each restart and will therefore be logged on your syslog server.



This should do the trick/s.

t509 commented:
Additionally:
Add

deny ip any any log

as the last line of your ACL.
This will log all forbidden traffic on the respective IFs.
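
Added example (not part of t509's posts): a small Python script for the syslog server side that tallies denied packets per source from the "deny ip any any log" entries and picks out the DOSATTACK applet's rxload alarms. The sample lines are constructed and assume the stock IOS message shapes (%SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP for ACL hits, %HA_EM-6-LOG prefixed with the applet name for EEM syslog actions); summarize() and its threshold parameter are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real router), shaped like the
# messages "deny ip any any log" and the DOSATTACK applet send to syslog.
SAMPLE = """\
<190>45: *Mar  1 00:10:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51515) -> 192.0.2.10(22), 1 packet
<190>46: *Mar  1 00:10:03.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(5060) -> 192.0.2.10(5060), 3 packets
<190>47: *Mar  1 00:10:09.000: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.0.2.10 (8/0), 1 packet
<190>48: *Mar  1 00:11:00.000: %HA_EM-6-LOG: DOSATTACK: Serial0/0 overloaded: rxload = 212
<189>49: *Mar  1 00:11:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
""".splitlines()

# ACL hit: "list <acl> denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
# ICMP entries carry no ports, so both port groups are optional.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (\S+) denied (\S+) "
    r"([\d.]+)(?:\((\d+)\))? -> ([\d.]+)(?:\((\d+)\))?.*?, (\d+) packets?")
# EEM "action ... syslog msg" output is prefixed with the applet name.
EEM_RE = re.compile(r"%HA_EM-\d-LOG: DOSATTACK: (\S+) overloaded: (\S+) = (\d+)")


def summarize(lines, threshold=2):
    """Tally denied packets per source IP and collect rxload alarms."""
    denied, targets, overloads = Counter(), {}, []
    for line in lines:
        m = ACL_RE.search(line)
        if m:
            _acl, proto, src, _sport, dst, dport, pkts = m.groups()
            denied[src] += int(pkts)  # one message can stand for several packets
            targets.setdefault(src, set()).add((proto, dst, dport))
            continue
        m = EEM_RE.search(line)
        if m:
            overloads.append((m.group(1), m.group(2), int(m.group(3))))
    # Sources at or above the (assumed) packet threshold are worth a look.
    noisy = sorted(s for s, n in denied.items() if n >= threshold)
    return {"denied": dict(denied), "noisy": noisy,
            "targets": targets, "overloads": overloads}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for src in report["noisy"]:
        print(src, report["denied"][src], sorted(report["targets"][src]))
    for ifname, param, value in report["overloads"]:
        print(f"{ifname}: {param} at {value}/255")
```

The rxload figure is on the same 0-255 scale as the applet's entry and exit values, so 212 here is above the 200 entry threshold from the post.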
amigan_99 (Network Engineer, author) commented:
Great information.  Thank you.