
Vanguard Networks Applications Ware SYSLOG Client User Manual



Information and software in this document are proprietary to Vanguard Managed Solutions LLC or its suppliers and, without the express prior permission of an officer, may not be copied, reproduced, disclosed to others, published, or used in whole or in part for any purpose other than that for which it is being made available. Use of software described in this document is subject to the terms and conditions of the Software License Agreement. This document is for information purposes only and is subject to change without notice.

Part No. T0299-01 Rev A. Publication Code TK. First Printing: July 2010. This manual is current for Release 7.3 of Vanguard Applications Ware. To comment on this manual, please send e-mail to vntechsupport@vanguardnetworks.com.

Contents

Before Using This Manual ........ 1
Related Vanguard Information ........ 1
Application of the Vanguard Networks SYSLOG Client Feature ........ 2
SYSLOG Message Types ........ 3
SYSLOG Client Theory of Operation ........ 4
SYSLOG Message Format ........ 5
SYSLOG Message Details ........ 5
SYSLOG Message Header ........ 6
Supported Facility Codes ........ 7
Facility Code Setting ........ 8
Supported Severity Codes ........ 8
Filtering SYSLOG Messages Based on Severity ........ 8
Logged Alarm Priority Level to SYSLOG Message Severity
Node: Firewall    Address: 101    Date: 12-AUG-10    Time: 7:19:29
Menu: Configure SYSLOG    Path: (Main.6.34)

  1. SYSLOG Global Parameters
  2. SYSLOG Server Parameters

Figure 15. SYSLOG Configure Menu

SYSLOG Global Parameters Configuration

The table below describes the SYSLOG Global Parameters.

SYSLOG Global Enable
  Range: ENABLED, DISABLED
  Default: DISABLED
  Description: Enables or disables SYSLOG in this router. Setting this parameter to DISABLED results in no SYSLOG messages being sent to the SYSLOG server(s).
  Boot Effect: Booting this parameter resets all of the SYSLOG sessions and can result in lost SYSLOG messages.

SYSLOG Server Parameters Configuration

The table below describes the SYSLOG Server Parameters.

Entry Number
  Range: 1, 2
  Default: 1
  Description: Entry number used to reference this table record.

SYSLOG Server Connection Enable
  Range: ENABLED, DISABLED
  Default: DISABLED
  Description: Enables or disables this SYSLOG server connection. Setting this parameter to DISABLED results in no SYSLOG messages being sent to this SYSLOG server.
  Boot Effect: Booting this parameter resets this SYSLOG session and can result in lost SYSLOG messages.

SYSLOG Protocol
  Range: UDP
  Default: UDP
  Description: This SYSLOG server connection uses UDP. UDP delivery is neither acknowledged nor authenticated: the client cannot detect a datagram lost in the network (the drop counters in the statistics cover only the client's own queue and buffers), and a collector cannot distinguish a genuine message from one sent with a spoofed source address. Keep the path between the router and the collector on a trusted management network.
120/18984"][vnauth@449 TrapNumber="5004"] 1 node1 23 Jan 2010 19:20:50 CTP Login Authorized for User leah Privilege High Level

Figure 11. Sample VN Authorization SYSLOG Message

Accounting Type SYSLOG Message

Accounting SYSLOG messages are generated for all system administrative activities, such as configuration changes, booting, image transfer and image corruption. The Configuration Change Alarm parameter in the Node Record must be set to Enabled for Accounting Type SYSLOG messages to be generated. Figure 12 shows an example of a Vanguard Networks Accounting SYSLOG message.

All Vanguard Applications Ware Accounting Alarms are assigned a HIGH severity. If the High Logged Alarm Severity selection is configured in the Node Record parameter Alarm Selection, and the Accounting Alarm is not being throttled via the Alarms Throttling Configuration menu, the SYSLOG message is generated. Because every administrative action, including a change to the SYSLOG parameters themselves, produces an Accounting message, this message type is the router's audit trail; forward it to a collector that the router administrators cannot modify.

<165>1 2010-01-28T19:20:50.52-04:00 vn3480a.vanguard.com CTP - CTP.4 [origin ip="150.30.1.50" enterpriseId="449" swVersion="V7.2 R00A 28 Jan 2010 17:07"][vnstats@449 nodeName="node101" cpuUt="30" cpuUtMax="50" pbuffers(cur/max)="334/31650" dbuffer(cur/max)="120/18010"][vnaccount@449 TrapNumber="5005"] 1 node1 23 Jan 2010 19:20:50 CTP Configuration Changed, 1st prompt: Boot Port, menu path: Main.7.1

Figure 12. Sample VN Accounting SYSLOG Message

Traffic Monitor SYSLOG Messages

Traffic Monitor SYSLOG messages are
Notice

Copyright 2010 Vanguard Networks, 25 Forbes Boulevard, Foxboro, Massachusetts 02035, (508) 964-6200. All rights reserved. Printed in U.S.A.

Restricted Rights Notification for U.S. Government Users

The software (including firmware) addressed in this manual is provided to the U.S. Government under agreement which grants the government the minimum "restricted rights" in the software, as defined in the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS), whichever is applicable.

If the software is procured for use by the Department of Defense, the following legend applies:

Restricted Rights Legend. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

If the software is procured for use by any U.S. Government entity other than the Department of Defense, the following notice applies:

Notice. Notwithstanding any other lease or license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the Government regarding its use, reproduction and disclosure are as set forth in FAR 52.227-19(C). Unpublished rights reserved under the copyright laws of the United States.

Notice (continued)

Proprietary Material
Field

The PRIVAL (Priority Value) field consists of the Facility Code and the Severity Code. The following calculation shows how the two are combined to form the PRIVAL field:

PRIVAL = <nnn>, where nnn = (Facility x 8) + Severity, converted to ASCII

For example, if the Facility is LOCAL4 (20 decimal) and the Severity is 5, PRIVAL is 20 x 8 + 5 = 165 decimal. Converted to ASCII it becomes 31h 36h 35h (h = hexadecimal). The PRIVAL is enclosed in < > brackets, so in this example the PRI field in Figure 5 is <165>. A receiver recovers the two codes by integer division and remainder: Facility = 165 div 8 = 20, Severity = 165 mod 8 = 5.

Supported Facility Codes

Table 1 shows all of the possible Facility Codes defined by RFC 5424. The first column, Numerical Code, is the decimal representation of the facility code. The column labeled Vanguard Networks Applications Ware Facility Code lists the facility codes that the Vanguard Networks SYSLOG Client can send in the PRIVAL field of the SYSLOG message.

Table 1. Facility Codes sent by the Vanguard Networks SYSLOG Client

Numerical Code | Description | Vanguard Networks Applications Ware Supported Facilities
0  | kernel messages | KERNEL
1  | user-level messages | NA
2  | mail system | NA
3  | system daemons | NA
4  | security/authorization messages | AUTHORIZATION
5  | messages generated internally by syslogd | NA
6  | line printer subsystem | NA
7  | network news subsystem | NA
8  | UUCP subsystem | NA
9  | clock daemon | NA
10 | security/authorization messages | SECURITY
enterprise numbers. Finally, the Vanguard Networks SYSLOG Client sets the swVersion structured data parameter to a string such as "V7.3 R00A 28 Jan 2010 17:07 Size 4721692 bytes". Figure 7 shows an example of the IANA-defined Structured Data parameters.

[origin ip="150.30.1.50" enterpriseId="449" swVersion="V7.3 R00A 28 Jan 2010 17:07 Size 4721692 bytes"]

Figure 7. IANA-defined Structured Data Field

Vanguard Networks Private Structured Data Field

Following the IANA-defined structured data field, the Vanguard Networks SYSLOG Client transmits two private Structured Data fields. The first is the vnstats@449 Structured Data field (449 is the Vanguard enterprise number, as required for a private SD-ID). This field is in ASCII and provides the nodeName, the CPU utilization and the buffer counts for the Vanguard Networks router. An example is illustrated in Figure 8.

[vnstats@449 nodeName="node101" cpuUt="50" cpuUtMax="50" pbuffer(cur/max)="344/1650" dbuffer(cur/max)="120/18984"]

Figure 8. Example of vnstats@449 Structured Data Field

SYSLOG Message Text Field

The second Vanguard Networks Structured Data field specifies the type of message being sent. It is vnevent@449, vnauth@449, vnaccount@449 or vntraffic@449 for an Event, Authorization, Accounting or Traffic SYSLOG message respectively. Table 5 shows examples of these Structured Data fields. The trap number is included as a parameter in each of these Structured Data Fi
Auth Messages Sent | Total number of Authentication Type SYSLOG messages sent.
Connection Type | Transport protocol of this server connection (UDP; see the SYSLOG Protocol parameter).
Current MSG Queue Size | The current size of the SYSLOG message queue.
Current State | Status of this server connection (for example, ACTIVE).
Event Messages Sent | Total number of Event Type SYSLOG messages sent.
Length Errors | Total number of messages dropped because the message exceeded the available buffer size.
Local IP Address | IP address of the SYSLOG client, i.e. the source address of the UDP connection.
Local Port | UDP source port used by the SYSLOG client for this connection.
MAX MSG Queue Size | The maximum size the SYSLOG message queue has reached.
MSG Q Limit Exceeded | Number of messages dropped because the message queue was full.
MSG Q Threshold Exceeded | Number of messages dropped because the message queue threshold was exceeded.
Out of Buffer Errors | Total number of messages dropped due to an out-of-packet-buffer condition.
Out of Memory Errors | Total number of messages dropped due to an out-of-memory condition.
Server IP Address | IP address of the SYSLOG server.
Server Port | UDP port number of the SYSLOG server.
Time of MAX MSG Queue Size | The time at which the message queue hit its maximum size.
Total Messages Dropped | Total number of SYSLOG messages dropped due to errors.
Total Messages Sent | Total number of SYSLOG messages sent to the SYSLOG server.
    EMERGENCY
    ALERT      HIGH
    CRITICAL   MED
    ERROR
    WARNING
    NOTICE     CONN
    INFORM     LOW
    DEBUG

  Note: For TRAFFIC LOGGING messages to be sent to the SYSLOG server, you must include NOTICE in this Severity selection.
  Note: Any combination of the above may be specified by summing, e.g. EMERGENCY + ALERT.

SYSLOG High Queue Threshold
  Range: 100-1500
  Default: 1500
  Description: The high queue threshold of the SYSLOG message queue. When this message queue threshold is reached, any new Informational and Debug messages are dropped and not sent to the SYSLOG server.

Statistics

Introduction

This section describes how to access SYSLOG Statistics.

Types of SYSLOG Statistics Menus

You can access these SYSLOG Statistics menu options:

  - SYSLOG Server Statistics
  - Reset SYSLOG Server Statistics by Server Number

Access and Reset Statistics

Follow these steps to generate and reset statistics:

Step | Action | Result
1 | Select Status/Statistics from the Control Terminal Port (CTP) Main Menu. | The Status/Statistics menu displays.
2 | Select SYSLOG Statistics from the Status/Statistics menu. | The SYSLOG Statistics menu displays.

SYSLOG Statistics Menu

Figure 16 below shows the SYSLOG Statistics Menu.

Node: Firewall    Address: 101    Date: 12-AUG-10    Time: 7:19:29
Menu: SYSLOG Statistics    Path: (Main.5.41)

  1. SYSLOG Server Statistics
  2. Reset SYSLOG Server Statistics by Serv
    SYSLOG Facility Code Override: NONE
    SYSLOG Severity: EMERGENCY + ALERT + CRITICAL + ERROR
    SYSLOG High Queue Threshold: 1500

Figure 19. SYSLOG Basic Configuration Example

Traffic Logging SYSLOG Configuration Example

Figure 20 shows an example of a SYSLOG application where Traffic Logging is enabled in the Firewall Policies. In this example the Firewall State in the Firewall Global Parameters is ENABLED and the Traffic Logging parameter in the Firewall Policy Configuration is set to START/END. In addition, the SYSLOG Severity selection includes NOTICE, which Traffic Logging messages require. With this configuration, the Firewall Monitor events that are logged to the Firewall Log are sent in SYSLOG messages to the SYSLOG server.

  Node 3460
  Kiwi SYSLOG Server Setup: Listen for UDP SYSLOG messages, UDP Port (1-65535): 514
  Kiwi SYSLOG Server

Figure 20. Traffic Logging SYSLOG Configuration Example

Index

A
Accounting Type Message, 1-14
Alarm Throttling, 1-9
Application of the Vanguard Networks SYSLOG Client Feature, 1-2
Authorization Type Message, 1-13
B
Basic Configuration Example, 1-26
Boot Menu, 1-25
C
Configuration Examples, 1-26
Configuration Parameters, 1-16
Configure Menu, 1-16
Configuring SYSLOG Menus, 1-17
D
Description of Terms, 1-24
Detailed Server Statistics Menu, 1-23
E
Event Type Message, 1-13
F
LOG Severity Level according to Table 4. As shown in Table 4, a High Level Alarm is sent as a SYSLOG message with the SYSLOG Severity set to Alert, a Medium Level Alarm with the SYSLOG Severity set to Critical, a Connection Level Alarm with the SYSLOG Severity set to Notice, and a Low Level Alarm with the SYSLOG Severity set to Informational.

Table 4. Logged Alarm Severity to SYSLOG Severity

Logged Alarm | SYSLOG Severity | Numerical Code | Description
High | Alert | 1 | action must be taken immediately
Medium | Critical | 2 | critical conditions
Connection | Notice | 5 | normal but significant condition
Low | Informational | 6 | informational messages

(The Numerical Code column is the severity value carried in the PRIVAL field, as listed in Table 3.)

Alarm Throttling and Node Record Alarm Selection

Alarm filtering is accomplished by the Alarm Throttling configuration and the Node Record Alarm Selection configuration. An alarm filtered there is not sent as a SYSLOG message either. This affects the Event, Authentication and Accounting message types. Traffic Monitoring SYSLOG messages are controlled by the Firewall Policy configuration parameter Traffic Monitoring.

Version Number

As shown in Figure 4, the PRIVAL field in the SYSLOG Message Header is followed by the Version Number. The SYSLOG Client supports Version 1, so the Version Number field of the SYSLOG Message Header is set to ASCII 1 (31h).

Timestamp

The Timestamp comes after the Version Number in the SYSLOG Message Header. If the Universal Time Zone (UTC) parameter in the Nod
Level Mapping ........ 9
Alarm Throttling and Node Record Alarm Selection ........ 9
Version Number ........ 9
Timestamp ........ 9
Hostname ........ 9
APP Name ........ 10
PROC ID ........ 10
MSG ID ........ 10
Vanguard Networks SYSLOG Message Header Example ........ 10
IANA-defined Structured Data Field ........ 11
Vanguard Networks Private Structured Data Field ........ 11
SYSLOG Message Text Field ........ 12
SYSLOG Messages ........ 13
Event Type SYSLOG Message ........ 13
Authorization Type SYSLOG Message ........ 13
Accounting Type SYSLOG Message ........ 14
Traffic Monitor SYSLOG Messages ........ 14
SYSLOG Message Congestion Control ........ 15
Configuration of the SYSLOG Parameters ........ 16
Introduction ........ 16
Configuring the SYSLOG Client Feature ........ 16
Configure Menu ........ 16
Configuring SYSLOG Menus ........ 17
Introduction ........ 17
Configuration Records ........ 17
SYSLOG Configure Menu ........ 17
SYSLOG Global Parameters Configuration ........ 17
SYSLOG Server Parameters Configuration ........ 18
Statistics ........ 22
Introduction ........ 22
Types of SYSLOG Statistics Me
PP MLP Authentication Parameter
 7. Software Key Table                25. PPP MLP Profiles
 8. Calling Addr Translation Table    26. Configure SPFM Connection Table
 9. NUI Password Table                27. ToW Table
10. PAD Profile Table                 28. AT Dialer Profile
11. Remote PAD Parameter Table        29. T1/E1 Interface
12. CUD based Addr Translation Table  30. Configure SNMP
13. Node to node download             31. Virtual Port Mapping Table
14. BSC DSP3270 Device Table          32. Configure TFTP Server
15. SDLC Port Stations                33. TCP to BSC Conv Record Configure
16. FRI Stations                      34. Configure SYSLOG Parameters
17. Configure Bridge
18. Configure Network Security

Enter Selection:

Figure 14. Typical Vanguard Networks Configuration Menu

Configuring SYSLOG Menus

Introduction

The SYSLOG Global Parameters and SYSLOG Server Parameters are required configuration for the SYSLOG Client feature to function.

Configuration Records

Follow these steps to configure the SYSLOG Parameters:

Step | Action | Result
1 | Select Configure from the CTP Main menu. | The Configure menu displays.
2 | Select SYSLOG Parameters from the Configure menu. | 1. SYSLOG Global Parameters, 2. SYSLOG Server Parameters
3 | At the prompt, enter the number. | The SYSLOG Global Parameters and SYSLOG Server Parameters are detailed in the following sections.

SYSLOG Configure Menu

Figure 15 below shows the SYSLOG Configure Menu.
Severity Codes supported by the Vanguard Networks SYSLOG Client feature. These are the possible values that can appear in the Severity portion of the PRIVAL field of a SYSLOG message sent by the SYSLOG Client feature.

Table 3. SYSLOG Severity Codes and Descriptions

Numerical Code | Description | Vanguard Networks Applications Ware Supported Severities
0 | Emergency: system is unusable | EMERGENCY
1 | Alert: action must be taken immediately | ALERT
2 | Critical: critical conditions | CRITICAL
3 | Error: error conditions | ERROR
4 | Warning: warning conditions | WARNING
5 | Notice: normal but significant condition | NOTICE
6 | Informational: informational messages | INFORM
7 | Debug: debug-level messages | DEBUG

Filtering SYSLOG Messages Based on Severity

The SYSLOG Severity parameter in the SYSLOG Server Configuration specifies, based on the severity field of the SYSLOG message, which messages to send and which messages to block. If the Severity in the SYSLOG message PRIVAL field is not one of the values selected in the SYSLOG Severity parameter, the SYSLOG message is not sent to the SYSLOG server. The parameter belongs to the server entry, so the two server entries can receive different severity sets.

Logged Alarm Priority Level to SYSLOG Message Severity Level Mapping

When a Logged Alarm is sent as a SYSLOG message by the SYSLOG Client feature, the Logged Alarm Level is mapped to a SYS
SYSLOG Server IP Address
  Range: A valid IP address in dotted notation
  Default: 0.0.0.0
  Description: The IP address of the SYSLOG server.

Server UDP Port Number
  Range: 256-65535
  Default: 514
  Description: The UDP port number of the SYSLOG server.

SYSLOG Source Address
  Range: A valid IP address in dotted notation
  Default: 0.0.0.0
  Description: The source IP address of this UDP connection. If 0.0.0.0 is entered, the Internal IP Address in IP Router Parameters is used.

SYSLOG Traffic Type
  Range: EVENT, TRAFFIC, AUTHENTICATION, ACCOUNTING
  Default: EVENT + TRAFFIC + AUTHENTICATION + ACCOUNTING
  Description: The SYSLOG Type parameter selects the types of SYSLOG messages to forward across this SYSLOG server connection:
    EVENT: forward Alarm messages
    TRAFFIC: forward Traffic messages
    AUTH: forward Authentication messages
    ACCOUNTING: forward Accounting messages
  Any combination of the above may be specified by summing, e.g. EVENT + TRAFFIC.

SYSLOG Facility Code Override
  Range: NONE, KERNEL, AUTHORIZATION, SECURITY, LOG AUDIT, LOG ALERT, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
  Default: NONE
  Description: This is the Facility Override value. It overrides the internally generated Facility field of a
a SYSLOG message is dropped because the queue threshold has been reached. The maximum queue size is 2000. If the queue reaches 2000 messages, all additional messages are dropped and not enqueued. The MSG Q Limit Exceeded statistic is incremented when a SYSLOG message is dropped because the message queue limit has been exceeded.

Configuration of the SYSLOG Parameters

Introduction

To set up the Vanguard Networks SYSLOG Client feature, configure the following:

  - SYSLOG Global Parameters
  - SYSLOG Server Parameters
  - Router (see Note)

Note: For details on configuring your node for IP Routing operation, refer to the Vanguard Router Basics Manual (Part No. T0100-01) and the Vanguard IP Routing Basics Manual (Part No. T0100-03).

Configuring the SYSLOG Client Feature

Follow the steps in the table below to configure the SYSLOG Client feature related parameters.

Step | Action | Result
1 | Select Configure (6) from the CTP Main menu. | The Configure menu displays.

Configure Menu

Figure 14 below is a sample Vanguard Networks Configuration Menu.

Node: Firewall    Address: 101    Date: 14-AUG-2010    Time: 13:20:38
Menu: Configure    Path: (Main.6)

 1. Node                              19. Configure LAN Connections
 2. Port                              20. Alarms Throttling
 3. Configure Network Services        21. Configure Router
 4. Inbound Call Translation Table    22. LLC to SDLC Tables
 5. Outbound Call Translation Table   23. 2CP
 6. PAD Prompt Table                  24. P
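The SYSLOG Type and SYSLOG Severity filters, the High Queue Threshold and the 2000-message queue limit described above form one per-server send path. The following Python simulation is an added example written for this manual, not Vanguard Networks code; it models that path and keeps the counters shown on the Detailed SYSLOG Server Statistics screen, so you can see what a firewall traffic-log burst does to NOTICE-severity Traffic messages while a High-level (ALERT) login alarm still gets through. It assumes that filtered messages are not counted as dropped (the statistics define drops as error conditions), that the transmit side can be modelled by a drain(n) call because the manual does not describe the drain rate, and that the threshold drops severities 4 through 7 as stated in SYSLOG Message Congestion Control.

```python
from collections import deque

# Severity keywords of the SYSLOG Severity parameter and their RFC 5424 codes.
SEVERITY_CODE = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
                 "WARNING": 4, "NOTICE": 5, "INFORM": 6, "DEBUG": 7}
DEFAULT_SEVERITIES = ("EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE")
ALL_TYPES = ("EVENT", "TRAFFIC", "AUTHENTICATION", "ACCOUNTING")
SENT_COUNTER = {"EVENT": "Event Messages Sent", "TRAFFIC": "Traffic Messages Sent",
                "AUTHENTICATION": "Auth Messages Sent",
                "ACCOUNTING": "Accounting Messages Sent"}
QUEUE_LIMIT = 2000           # "the maximum queue size is 2000"
THRESHOLD_DROP_SEVERITY = 4  # severities 4..7 are dropped once the threshold is reached


class SyslogServerQueue:
    """One message queue per configured SYSLOG server entry (assumed model)."""

    def __init__(self, severities=DEFAULT_SEVERITIES, types=ALL_TYPES,
                 high_queue_threshold=1500):
        if not 100 <= high_queue_threshold <= 1500:
            raise ValueError("SYSLOG High Queue Threshold range is 100-1500")
        self.severity_mask = {SEVERITY_CODE[s] for s in severities}
        self.types = set(types)
        self.threshold = high_queue_threshold
        self.queue = deque()
        self.stats = {"Total Messages Sent": 0, "Total Messages Dropped": 0,
                      "MSG Q Threshold Exceeded": 0, "MSG Q Limit Exceeded": 0,
                      "MAX MSG Queue Size": 0, "Current MSG Queue Size": 0}
        for name in SENT_COUNTER.values():
            self.stats[name] = 0

    def _drop(self, counter):
        self.stats[counter] += 1
        self.stats["Total Messages Dropped"] += 1

    def offer(self, msg_type, severity):
        """Apply the SYSLOG Type and Severity filters, then the congestion rules.
        Returns "filtered", "dropped" or "queued"."""
        if msg_type not in self.types or severity not in self.severity_mask:
            return "filtered"                       # blocked by configuration, not an error
        if len(self.queue) >= QUEUE_LIMIT:
            self._drop("MSG Q Limit Exceeded")      # hard limit: everything is dropped
            return "dropped"
        if len(self.queue) >= self.threshold and severity >= THRESHOLD_DROP_SEVERITY:
            self._drop("MSG Q Threshold Exceeded")  # only low severities are shed
            return "dropped"
        self.queue.append((msg_type, severity))
        self.stats["Current MSG Queue Size"] = len(self.queue)
        self.stats["MAX MSG Queue Size"] = max(self.stats["MAX MSG Queue Size"],
                                               len(self.queue))
        return "queued"

    def drain(self, n):
        """Transmit up to n queued messages (assumed model of the send side)."""
        sent = 0
        while self.queue and sent < n:
            msg_type, _ = self.queue.popleft()
            self.stats[SENT_COUNTER[msg_type]] += 1
            sent += 1
        self.stats["Total Messages Sent"] += sent
        self.stats["Current MSG Queue Size"] = len(self.queue)
        return sent


def simulate_burst(threshold=1500, burst=1700):
    """A burst of NOTICE (5) traffic logs with nothing drained, followed by one
    High-level login alarm at ALERT (1).  Returns (queued, dropped, login, queue)."""
    q = SyslogServerQueue(high_queue_threshold=threshold)
    outcomes = [q.offer("TRAFFIC", 5) for _ in range(burst)]
    login = q.offer("AUTHENTICATION", 1)
    return outcomes.count("queued"), outcomes.count("dropped"), login, q


if __name__ == "__main__":
    queued, dropped, login, q = simulate_burst()
    print("traffic queued=%d dropped=%d; login alarm %s" % (queued, dropped, login))
    print("MSG Q Threshold Exceeded =", q.stats["MSG Q Threshold Exceeded"])
    # The basic configuration example selects EMERGENCY..ERROR only, so NOTICE
    # traffic logs never reach the queue (see the Note on the SYSLOG Severity parameter).
    basic = SyslogServerQueue(severities=("EMERGENCY", "ALERT", "CRITICAL", "ERROR"))
    print("traffic with the basic severity set:", basic.offer("TRAFFIC", 5))
```

With the default threshold of 1500, 1700 traffic messages leave 200 counted under MSG Q Threshold Exceeded while the login alarm is still enqueued; lowering the threshold trades queue depth for earlier shedding of Notice and below, which is exactly the traffic-log class, so size it against the burst rate of the firewall policies that have Traffic Logging enabled.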
.com BGP - BGP.12 [origin ip="150.30.1.50" enterpriseId="449" swVersion="V7.3 R00A 28 Jan 2010 17:07"][vnstats@449 nodeName="node101" cpuUt="50" cpuUtMax="50" pbuffer(cur/max)="344/1650" dbuffer(cur/max)="120/18984"][vnevent@449 TrapNumber="501002"] 1 node1 2010-02-25 11:52:43 BGP-12 BGP Peer Established

Figure 10. Sample VN Event SYSLOG Message

Authorization Type SYSLOG Message

Figure 11 shows an example of an Authorization SYSLOG message. It is generated when a user logs in, when a user attempts to log in but is unsuccessful, and when a user logs out of the Vanguard Networks Router User Interface. The Authorization Alarm message is generated for CTP access, Telnet access, SSH access and HTML access. Authorization Type SYSLOG messages are generated when a Vanguard Applications Ware Authorization Alarm is generated and stored in the Logged Alarm Database. All Vanguard Applications Ware Authorization Alarms are assigned a HIGH severity. If the High Logged Alarm Severity selection is configured in the Node Record parameter Alarm Selection, and the Authorization Alarm is not being throttled via the Alarms Throttling Configuration menu, the SYSLOG message is generated. Successful and failed logins therefore arrive with the same facility and severity; a collector that alerts on repeated failures must distinguish them by the message text or trap number, not by the PRIVAL.

<33>1 2010-01-28T19:20:50.52-04:00 vn3480a.vanguard.com CTP - CTP.12 [origin ip="150.30.1.50" enterpriseId="449" swVersion="V7.2 R00A 28 Jan 2010 17:07"][vnstats@449 nodeName="node101" cpuUt="50" cpuUtMax="50" pbuffer(cur/max)="344/1650" dbuffer(cur/max)="
e Record is set to EST, the timestamp appears in the following format: 2010-01-25T19:20:50.00-05:00. If the Universal Time Zone parameter is set to GMT, the timestamp appears in the following format: 2010-01-25T19:20:50.00 (no offset suffix; RFC 5424 expresses UTC with a trailing Z, so check how your collector interprets a timestamp without one before correlating events across nodes).

Hostname

The Hostname comes after the Timestamp in the SYSLOG Message Header. The hostname is the Domain Name that is configured in the Node Record; it is transmitted in the Hostname field of the SYSLOG Message Header. If the Domain Name in the Node Record is blank, the Default Router IP Address is transmitted in the Hostname field instead. The Hostname is limited to 255 alphanumeric characters. For example: vn3480a.vanguard.com.

APP Name

The APP Name comes after the Hostname. The APP Name is set to the Vanguard Networks Applications Ware module that generated the SYSLOG message. For instance, if the SYSLOG message is from the Vanguard Networks Applications Ware BGP module, the SYSLOG application name is BGP.

PROC ID

The PROC ID comes after the APP Name. It is always set to the Nil Value ("-") in the SYSLOG Message Header.

MSG ID

The MSG ID consists of the Vanguard Applications Ware module, a period, and the Vanguard Networks Applications Ware report number. For example, BGP.5 stands for the BGP module's fifth message.

Vanguard Networks SYSLOG Message Header Example

Figure 6 shows an example of an actual SYSLOG Message Header. In this example the PRIVAL is 165, which repre
elds.

Table 5. Structured Data Fields Representing the Message Type

Message Type | Vanguard Networks Message Type Structured Data Field
Authentication | [vnauth@449 TrapNumber="105001"]
Accounting | [vnaccount@449 TrapNumber="205002"]
Event | [vnevent@449 TrapNumber="301003"]
Traffic | [vntraffic@449 TrapNumber="403002"]

Figure 9 shows a typical SYSLOG Message Text field. It follows the Structured Data field of the SYSLOG message. The message text in the SYSLOG message is equivalent to what appears in the Vanguard Networks Router Alarm Log.

1 node1 2010-02-25 11:52:43 BGP-12 BGP Peer Established

Figure 9. Sample VN SYSLOG MSG Text Field

SYSLOG Messages

Event Type SYSLOG Message

Figure 10 shows a SYSLOG message including the SYSLOG Message Header, the IANA-defined structured data field, the Vanguard Networks private structured data field vnstats, the private structured data field indicating that this message is an Event Type message, and the message field. An Event Type SYSLOG message is generated when a Vanguard Applications Ware Alarm is generated and stored in the Logged Alarm Database. If the Logged Alarm Severity is enabled in the Node Record parameter Alarm Selection and the Logged Alarm is not throttled in the Alarms Throttling configuration, the SYSLOG message for the Logged Alarm is generated.

<165>1 2010-02-28T19:20:50.00-05:00 vn3480a.vanguard
er Number

Figure 16. SYSLOG Statistics Menu

Access Server Statistics

Follow these steps to access server statistics:

Step | Action | Result
1 | Select SYSLOG Server Statistics from the SYSLOG Statistics menu. | The SYSLOG Server Number prompt displays.
2 | Select the SYSLOG Server Number (1 or 2). | The Detailed SYSLOG Statistics menu displays.

Detailed SYSLOG Server Statistics Menu

Figure 17 below shows the Detailed SYSLOG Statistics Menu.

Node: Firewall    Address: 101    Date: 28-JUN-2010    Time: 15:19:11
Detailed SYSLOG Server Statistics    Server Number: 1    Page 1 of 1

Connection Type: UDP                 Current State: ACTIVE
Server IP Address: 150.30.1.50       Server Port: 514
Local IP Address: 150.30.1.51        Local Port: 1025
Last Statistics Reset: 28 JUN 2010 14:02:21

Total Messages Sent: 11              Total Messages Dropped: 0
Traffic Messages Sent: 0             MSG Q Threshold Exceeded: 0
Event Messages Sent: 10              MSG Q Limit Exceeded: 0
Auth Messages Sent: 1                Out of Buffer Errors: 0
Accounting Messages Sent: 0          Out of Memory Errors: 0
Total Transmitted Bytes: 4304        Length Errors: 0
                                     UDP Socket Errors: 0
MAX MSG Queue Size:        at 28 JUN 2010 14:02:45
Current MSG Queue Size:

Figure 17. Detailed SYSLOG Server Statistics Menu

Description of Terms

Screen Term | Description
Accounting Messages Sent | Total number of Accounting Type SYSLOG messages sent.
generated by the Vanguard Networks Firewall feature. Figure 13 shows an example of a Traffic Monitoring SYSLOG message sent by the Vanguard Networks SYSLOG Client. Traffic Monitoring SYSLOG messages are generated if the Traffic Logging parameter is configured in the Firewall Policies Configuration menu. The Message Text portion of the Traffic Type SYSLOG message is stored in the Firewall Traffic Log. For more information about Traffic Monitoring, refer to the Vanguard Networks IP Routing Basics Manual, Part No. T0100-03.

<165>1 2010-06-17T19:20:50.52-04:00 vn3480a.vanguard.com FIREWALL - FIREWALL.548000 [origin ip="150.30.1.50" enterpriseId="449" swVersion="V7.2 R00A 28 Jan 2010 17:07"][vnstats@449 nodeName="node101" cpuUt="30" pbuffers="3050" dbuffers="28010"][vntraffic@449 TrapNumber="548000"] start_time=2010-06-18 13:44:30 ingress_zone=Untrust egress_zone=Control Plane policy_num=2 policy_action=Deny sent=0 recvd=0 src=150.30.7.1 dst=150.30.7.2 proto=1 icmp_type=5 icmp_code=1 reason=Creation

Figure 13. Sample Traffic Monitoring SYSLOG Message

SYSLOG Message Congestion Control

The SYSLOG Client feature supports one message queue for each server. If the message queue reaches the High Queue Threshold, SYSLOG messages with a Severity of 4 through 7 (Warning, Notice, Informational and Debug) are dropped and not enqueued. Since Traffic Monitoring messages carry Notice severity (PRIVAL 165 in Figure 13 decodes to severity 5), they are among the first messages shed under congestion, while High and Medium level alarms (Alert, Critical) continue to be enqueued up to the queue limit. The MSG Q Threshold Exceeded statistic is incremented when
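The header fields (PRIVAL, Version, Timestamp, Hostname, APP Name, PROC ID, MSG ID), the IANA-defined and private structured data elements, and the message text of the Event, Authorization, Accounting and Traffic messages in Figures 10 through 13 can be checked mechanically on the collector. The following Python parser is an added example written for this manual, not code from Vanguard Networks: it splits PRIVAL back into facility and severity (the inverse of the PRIVAL calculation), extracts the structured data elements, identifies the message type from the vnevent@449, vnauth@449, vnaccount@449 or vntraffic@449 element, maps the severity back to the logged alarm level of Table 4, and reports a PRIVAL whose facility does not match Table 2 (which is what a configured Facility Code Override produces) or that violates the HIGH-severity rule for Authorization and Accounting alarms. It assumes the structured data is written in RFC 5424 syntax with quoted parameter values; the two sample lines are constructed to follow the layout of Figures 11 and 10 with the swVersion string shortened, and the keyword names for facilities and severities are the common syslog ones.

```python
import re

# RFC 5424 facility and severity keywords; the numeric code is the list index.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Table 2: message type -> facility used when the Facility Code Override is NONE.
TYPE_FACILITY = {"vnevent": 14, "vnauth": 4, "vnaccount": 13, "vntraffic": 13}
# Table 4: SYSLOG severity -> logged alarm level.
SEVERITY_ALARM = {1: "High", 2: "Medium", 5: "Connection", 6: "Low"}

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
SD_ELEMENT_RE = re.compile(r'\[([^\] "=]+)((?: [^= \]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^= \]"]+)="((?:[^"\\]|\\.)*)"')


def encode_pri(facility, severity):
    """PRIVAL = Facility * 8 + Severity (the formula given for the PRI field)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: PRIVAL -> (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRIVAL out of range: %d" % pri)
    return divmod(pri, 8)


def parse_message(line):
    """Parse one message into header fields, structured data and message text."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    facility, severity = decode_pri(int(m.group("pri")))
    rest, sd, pos = m.group("rest"), {}, 0
    if rest.startswith("-"):            # NILVALUE: no structured data at all
        pos = 1
    else:
        while True:                     # SD-ELEMENTs follow each other without spaces
            e = SD_ELEMENT_RE.match(rest, pos)
            if e is None:
                break
            sd[e.group(1)] = dict(SD_PARAM_RE.findall(e.group(2)))
            pos = e.end()
        if pos == 0:
            raise ValueError("malformed structured data")
    text = rest[pos + 1:] if rest[pos:pos + 1] == " " else ""
    # The second private element (Table 5) names the message type and trap number.
    type_key = next((k for k in sd if k.startswith("vn")
                     and not k.startswith("vnstats")), None)
    return {
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "alarm_level": SEVERITY_ALARM.get(severity),
        "version": int(m.group("version")), "timestamp": m.group("ts"),
        "hostname": m.group("host"), "app": m.group("app"),
        "procid": m.group("procid"), "msgid": m.group("msgid"),
        "type": type_key.split("@")[0] if type_key else None,
        "trap": sd[type_key].get("TrapNumber") if type_key else None,
        "sd": sd, "text": text,
    }


def check_pri(parsed):
    """List the ways a PRIVAL deviates from the mapping documented in Tables 2 and 4."""
    findings = []
    expected = TYPE_FACILITY.get(parsed["type"])
    if expected is not None and parsed["facility"] != expected:
        findings.append("facility %d (%s) on a %s message; Table 2 gives %d, so a "
                        "Facility Code Override is in effect"
                        % (parsed["facility"], parsed["facility_name"],
                           parsed["type"], expected))
    if parsed["type"] in ("vnauth", "vnaccount") and parsed["severity"] != 1:
        findings.append("%s alarms are HIGH and map to severity 1 (alert), got %d"
                        % (parsed["type"], parsed["severity"]))
    if parsed["version"] != 1:
        findings.append("the client only emits version 1, got %d" % parsed["version"])
    return findings


# Constructed samples following the layout of Figures 11 and 10 (swVersion shortened).
SAMPLES = [
    '<33>1 2010-01-28T19:20:50.52-04:00 vn3480a.vanguard.com CTP - CTP.12 '
    '[origin ip="150.30.1.50" enterpriseId="449" swVersion="V7.2 R00A"]'
    '[vnstats@449 nodeName="node101" cpuUt="50" cpuUtMax="50"]'
    '[vnauth@449 TrapNumber="5004"] 1 node1 23 Jan 2010 19:20:50 '
    'CTP Login Authorized for User leah Privilege High Level',
    '<165>1 2010-02-28T19:20:50.00-05:00 vn3480a.vanguard.com BGP - BGP.12 '
    '[origin ip="150.30.1.50" enterpriseId="449" swVersion="V7.3 R00A"]'
    '[vnstats@449 nodeName="node101" cpuUt="50" cpuUtMax="50"]'
    '[vnevent@449 TrapNumber="501002"] 1 node1 2010-02-25 11:52:43 '
    'BGP-12 BGP Peer Established',
]

if __name__ == "__main__":
    for line in SAMPLES:
        p = parse_message(line)
        print(p["type"], p["facility_name"], p["severity_name"], p["alarm_level"],
              p["trap"], "|", p["text"])
        for finding in check_pri(p):
            print("  check:", finding)
```

The first sample decodes <33> as AUTHORIZATION (4) at Alert (1), which is the documented result for a High-level Authorization alarm, so check_pri returns nothing. The second decodes <165> as LOCAL4 (20) at Notice (5); an Event message should carry LOG ALERT (14) unless the override is set, and the check says so. Routing on the private SD element rather than on facility keeps the message types separable regardless of the override.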
gh an IP connection via the 3460's Ethernet Port 23. In the Node Record, the Configuration Change Alarm parameter is set to Enabled to allow configuration change alarms to be logged to the alarm log and forwarded to the SYSLOG server. Also in Figure 19, the SYSLOG Global Enable is set to ENABLED and the SYSLOG Server Parameters for Server 1 are configured so that SYSLOG messages are sent to the Kiwi SYSLOG server (UDP port 514, IP address 172.16.1.253). All SYSLOG message types (Event, Traffic, Authentication and Accounting) are sent to the SYSLOG server. Only SYSLOG messages of the following severities are forwarded: EMERGENCY, ALERT, CRITICAL and ERROR. Because the SYSLOG Source Address in the SYSLOG Server Parameters is set to 0.0.0.0, the Internal IP Address in the IP Parameters configuration (172.16.1.1) is used as the source address of the UDP connection to the Kiwi SYSLOG server. Note that with this severity selection Connection-level and Low-level alarms (Notice and Informational) are not forwarded, and neither are Traffic Logging messages, which require NOTICE to be selected.

  172.16.1.0/24
  Kiwi SYSLOG Server Setup: Listen for UDP SYSLOG messages, UDP Port (1-65535): 514
  Kiwi SYSLOG Server

  SYSLOG Global Parameters
    SYSLOG Global Enable: ENABLED
  SYSLOG Server Parameters
    Entry Number: 1
    SYSLOG Server Connection Enable: ENABLED
    SYSLOG Protocol: UDP
    SYSLOG Server IP Address: 172.16.1.253
    Server UDP Port Number: 514
    SYSLOG Source Address: 0.0.0.0
    SYSLOG Type: EVENT + TRAFFIC + AUTHENTICATION + ACCOUNTING
    SYSLOG
Filtering SYSLOG Messages Based on Severity, 1-8
G
Global Parameters Configuration, 1-17
I
IANA-defined Structured Data Field, 1-11
Introduction to SYSLOG, 1-2
M
Message Congestion Control, 1-15
Message Details, 1-5
Message Format, 1-5
Message Header, 1-6
Message Header Example, 1-10
Message Text Field, 1-12
Message Types, 1-3
O
Overview, 1-1
P
Private Structured Data Field, 1-11
S
Server Parameters Configuration, 1-18
Server Statistics, 1-22
Severity Level, 1-9
Statistics, 1-22
Statistics Menu, 1-22
Supported Facility Codes, 1-7
Supported Severity Codes, 1-8
SYSLOG Messages, 1-13
T
Theory of Operation, 1-4
Traffic Logging Configuration Example, 1-27
Traffic Monitor Message, 1-14
Table 1 (continued)

11 | FTP daemon | NA
12 | NTP subsystem | NA
13 | log audit (note 1) | LOG AUDIT
14 | log alert (note 1) | LOG ALERT
15 | clock daemon (note 2) | NA
16 | local use 0 (local0) | LOCAL0
17 | local use 1 (local1) | LOCAL1
18 | local use 2 (local2) | LOCAL2
19 | local use 3 (local3) | LOCAL3
20 | local use 4 (local4) | LOCAL4
21 | local use 5 (local5) | LOCAL5
22 | local use 6 (local6) | LOCAL6
23 | local use 7 (local7) | LOCAL7

Facility Code Setting

The Facility Code in the PRIVAL field is determined either by the SYSLOG Facility Code Override parameter or by the mapping shown in Table 2. If the Facility Code Override is set to NONE, the mapping in Table 2 is used to determine the Facility Code: if the Message Type is Event, the Facility Code is LOG ALERT (14); if the Message Type is Authorization, the Facility Code is AUTHORIZATION (4); if the Message Type is Accounting or Traffic, the Facility Code is LOG AUDIT (13). If the SYSLOG Facility Code Override is set to a value other than NONE, every message is sent with that override value regardless of its type. A collector that routes on facility then cannot separate the four message types, and should key on the private structured data element (vnevent@449, vnauth@449, vnaccount@449 or vntraffic@449) instead.

Table 2. Message Type to SYSLOG Facility Code

Message Type | SYSLOG Facility Code
Event | LOG ALERT
Authorization | AUTHORIZATION
Accounting | LOG AUDIT
Traffic | LOG AUDIT

Supported Severity Codes

Table 3 shows all of the possible
ll SYSLOG messages being sent to the SYSLOG server.
    NONE: The internally generated facility code is sent in the SYSLOG message; it is not overridden.
    KERNEL: A facility code of 0 is sent in the SYSLOG message.
    AUTHORIZATION: A facility code of 4 is sent.
    SECURITY: A facility code of 10 is sent.
    LOG AUDIT: A facility code of 13 is sent.
    LOG ALERT: A facility code of 14 is sent.
    LOCAL0: A facility code of 16 is sent.
    LOCAL1: A facility code of 17 is sent.
    LOCAL2: A facility code of 18 is sent.
    LOCAL3: A facility code of 19 is sent.
    LOCAL4: A facility code of 20 is sent.
    LOCAL5: A facility code of 21 is sent.
    LOCAL6: A facility code of 22 is sent.
    LOCAL7: A facility code of 23 is sent.

SYSLOG Severity
  Range: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORM, DEBUG
  Default: EMERGENCY + ALERT + CRITICAL + ERROR + WARNING + NOTICE
  Description: The SYSLOG Severity parameter selects the severities of SYSLOG messages to forward to the SYSLOG server. Below are the selections with the corresponding mapping to the Logged Alarm Severity:
...mber of bytes transmitted in the form of SYSLOG Messages to the SYSLOG Server.
Total number of Traffic Monitoring messages sent.
UDP Socket Errors: Total number of messages dropped because the socket to UDP was disconnected.

SYSLOG Boot Menu

Figure 18 below shows the SYSLOG Boot Menu.

Node: Firewall   Address: 101   Date: 12-AUG-10   Time: 7:19:29
Menu: SYSLOG Statistics   Path: Main.7.28
1. SYSLOG Global Boot
2. SYSLOG Server Boot
Figure 18: SYSLOG Boot Menu

SYSLOG Global Boot Description: The SYSLOG Global Boot activates the Global and Server SYSLOG parameters and restarts all of the SYSLOG servers. Note that booting may result in lost SYSLOG messages.

SYSLOG Server Boot Description: The SYSLOG Server Boot activates the SYSLOG Server's parameters and restarts the SYSLOG server. Note that booting may result in lost SYSLOG messages.

SYSLOG Configuration Examples

Basic SYSLOG Configuration Example

[Figure 19 (configuration diagram): Node Record: Alarm Selection HIGH, MED; Configuration Change; Configure IP Interface Table: IP Address 172.16.1.2; Configure Port 23: Port Type ETH, Router Interface Number 1; Node 3460; Configure IP Parameters: Internal IP Address 172.16.1.1; Configure Interface 1: Interface State Enabled]

Figure 19 shows a basic SYSLOG Configuration Example. In this example the 3460 is connected to the Kiwi SYSLOG server throu
...n Figure 1, the Vanguard Networks 3480 is configured to send Authentication and Accounting SYSLOG messages to server A, in addition to sending Event and Traffic Monitoring messages to server B.

[Figure 1 (network diagram): the VG3480 connects a Trust zone (Trust User 1, Trust User 2), a DMZ (DMZ User 1, DMZ User 2) and an Untrust zone; SYSLOG Server A logs Authentication and Accounting messages (Msg A) and SYSLOG Server B logs Event and Traffic messages (Msg B).]
The 3480 sends SYSLOG Messages to Hosts A and B. Msg A: Authentication and Accounting type SYSLOG messages. Msg B: Event and Traffic type SYSLOG messages.
Figure 1: Application of the Vanguard Networks SYSLOG Client Feature

SYSLOG Message Types

There are four types of SYSLOG messages. The Authentication SYSLOG Messages contain information about users that are logging in, users that are attempting to log in, and users that are logging out from the User Interface of the Vanguard Networks Router. The Accounting SYSLOG Messages contain information about any configuration changes, including modifying or booting parameters, loading software images, enabling or disabling links, or any other modification to the configuration. The Event SYSLOG Messages correspond to Alarms in the Alarm Log, such as LINK UP or LINK DOWN alarms. The Traffic Monitoring SYSLOG Messages correspond to the Traffic Logging messages generated by the Vanguard Networks Firewall Application.

SYSLOG Client Theory of Operation

Figure 2 shows a simplified IP network containing a SYSLOG client (VN3480) and a SYSLOG server (Host A). In Figure 2 the SYSLOG client is sending a SYSLOG Message through the IP network to the SYSLOG server. The SYSLOG Message is described in detail in the next section.

[Figure 2 (network diagram): SYSLOG Client VN3480 (IP Address 150.30.1.50, UDP Port 1025, MAC Address 08:3e:00:34:80:01) on an Ethernet segment with SYSLOG Server Host A (IP Address 150.30.1.51, UDP Port 514, MAC Address 00:07:34:28:39:03); the arrow is the SYSLOG Message sent by the VN3480 SYSLOG Client to the SYSLOG Server.]
Figure 2: SYSLOG Sample Network Connection

The SYSLOG client sends the SYSLOG message using the User Datagram Protocol (UDP). It sends the SYSLOG message to the SYSLOG server's UDP Port 514 and IP Address 150.30.1.51. Both the UDP port and the IP address of the SYSLOG server are configurable from the SYSLOG Server Menu of the VN3480. The source IP address and source UDP port of the SYSLOG message in Figure 2 are 150.30.1.50 and 1025, respectively. The source IP address is configurable in the VN3480 SYSLOG Server Menu; the UDP port number is automatically assigned when the UDP session is initialized.

SYSLOG Message Format

Figure 3 shows a break-out of the SYSLOG frame in Figure 2. Within this frame are the Ethernet MAC Header, the IP Header, the UDP Header and
Contents (continued)
Detailed SYSLOG Server Statistics Menu   23
SYSLOG Global Boot Description   25
SYSLOG Server Boot Description   25
SYSLOG Configuration Examples   26
Basic SYSLOG Configuration Example   26
Traffic Logging SYSLOG Configuration Example   27

Overview

Introduction

The purpose of this document is to describe the Vanguard Networks SYSLOG Client feature. The SYSLOG Client feature is the implementation of the SYSLOG Protocol and is compliant with RFC 5424. The SYSLOG Client feature is available for the Vanguard Networks 7300, 6800 and 3400 routers starting in Release 7.3 R00A, with the purchase of the Security Services Add-on license.

Before Using This Manual

Before using this manual you should have experience with IP routing and familiarity with the Vanguard Networks products.

Trademarks

The following are trademarks or registered trademarks of their respective companies or organizations:
- Vanguard and Vanguide are trademarks or registered trademarks of Vanguard Networks LLC.

Related Vanguard Information

Refer to these related Vanguard Applications Ware documents for additional information:
- Vanguard Networks Basic Protocols Manual, Part No. T0113
- Vanguard Networks Router Basics Manual, Part No. T0100-01
- Vanguard Networks IP and LAN Feature Protocols: Bridging, P/N T0100-02
- Vanguard Networks IP Routing Basics Manual, Part No. T0100-03
- Vanguard Networks IP and LAN Feature Protocols Manual, Part No. T0100-03
- Vanguard Networks SNMP MIB Management Manual, Part No. T0106-04
- Vanguard Networks Alarms and Reports Manual, Part No. T0005, for details on alarms and reports generated by this feature

Introduction to SYSLOG

What is SYSLOG?

SYSLOG is a standardized scheme for generating and sending events from a device (a client) to a collector (a server). It specifies the format of the event messages. Because the event message format is standardized and the event messages are stored in a centralized collector, network administrators are able to conveniently access and analyze the events.

Application of the Vanguard Networks SYSLOG Client Feature

The Vanguard Networks SYSLOG Client feature enables the Vanguard Router products to send SYSLOG messages to up to two SYSLOG servers. It categorizes the SYSLOG messages into four message types (Authentication, Accounting, Event and Traffic Monitoring) and is capable of directing these SYSLOG messages based on their message types. For instance, i
...sents a Facility Code of 20 decimal, or LOCAL4, and a severity of 5, or NOTICE.

Example: <165>1 2010-01-25T19:20:50.00-05:00 vn3480a.vanguard.com BGP - BGP-5
(fields in order: PRI, Version Number, Timestamp, Hostname, APP-NAME, PROCID, MSGID)
Figure 6: Sample VN SYSLOG Message Header Format

Also in this example, the Version Number is 1 and the timestamp is January 25, 2010 at 7:20:50 p.m. The Hostname is taken from the Domain Name configured in the Node Record. The APP-NAME is BGP because the Vanguard Networks Applications module that generated the SYSLOG message was BGP. The PROCID is transmitted as the NILVALUE because the Process ID field is not supported by the Vanguard Networks Router. The MSGID is BGP-5 because this message is from the BGP module and the message number is the fifth BGP message in BGP's message list.

IANA-defined Structured Data Field

Following the SYSLOG Message Header are the IANA-defined Structured Data fields of the SYSLOG message. The Vanguard Networks SYSLOG Client sends three standard IANA-defined Structured Data fields with each SYSLOG message: the origin IP, the enterpriseId and the swVersion. The Vanguard Networks SYSLOG Client sets the origin IP field to the source IP address in the SYSLOG configuration, in this example 150.30.1.50. It sets the enterpriseId to 449, which is registered to Codex and grandfathered to Vanguard Networks. See http://www.iana.org/assignments
the SYSLOG Message. As shown in Figure 3, the SYSLOG Message contains three parts: the Message Header, the Structured Data Field and the Message Text Field.

[Figure 3 (frame layout): MAC Header (DST MAC Addr, SRC MAC Addr) | IP Header (DEST IP Addr 150.30.1.51, SRC IP Addr 150.30.1.50) | UDP Header (DST UDP 514, SRC UDP 1025) | SYSLOG Message (MSG HDR, StructData, Detailed MSG / SYSLOG Message Text Field)]
Figure 3: SYSLOG Message from Figure 2

SYSLOG Message Details

Figure 4 shows the details of the SYSLOG Message. The SYSLOG Message consists of the SYSLOG Message Header, the Structured Data Field and the Message Text Field. These three portions of the SYSLOG Message are described in more detail in the following sections.

[Figure 4 (layout): SYSLOG MESSAGE HEADER: PRIVAL, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID. STRUCTURED DATA FIELD: SD-ELEMENT (SD-ID; SD-PARAM: PARAM-NAME, PARAM-VALUE). MESSAGE TEXT FIELD: ASCII STRING]
Figure 4: SYSLOG Message Contents

SYSLOG Message Header

Figure 5 shows the SYSLOG Message Header. The SYSLOG Message Header consists of the PRIVAL field, the Version Number, the Timestamp, the Hostname, the APP-NAME, the PROCID and the MSGID. The following sections describe these fields in more detail.

[Figure 5 (layout): PRIVAL | VERSION | TIMESTAMP | HOSTNAME | APP-NAME | PROCID | MSGID]
Figure 5: SYSLOG Message Header

PRIVAL
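The header fields of Figure 5 and the origin structured-data element described in the IANA-defined Structured Data section, decoded by an added Python parser that is not the manual's or Vanguard's code; the sample message is constructed from the Figure 6 header, and its swVersion value and message text are assumptions.

```python
import re

# Added example, not Vanguard code: parse the RFC 5424 header and the IANA
# "origin" SD-ELEMENT of a message like the one in Figure 6. The sample is
# constructed; the swVersion value and the free-text MSG are assumptions.
SAMPLE = ('<165>1 2010-01-25T19:20:50.00-05:00 vn3480a.vanguard.com BGP - BGP-5 '
          '[origin ip="150.30.1.50" enterpriseId="449" swVersion="7.3"] '
          'BGP neighbor 150.30.1.51 state changed')

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^ \]]+)(?P<params>(?: [^ =\]]+="[^"]*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^ =]+)="(?P<value>[^"]*)"')


def parse_syslog(line):
    """Return header fields, numeric facility/severity, SD params and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    msg = m.groupdict()
    pri = int(msg.pop("pri"))
    if pri > 191:                        # facility max 23, severity max 7
        raise ValueError("PRIVAL out of range")
    msg["facility"], msg["severity"] = divmod(pri, 8)   # PRIVAL = 8*fac + sev
    for f in ("procid", "msgid"):       # NILVALUE "-" (the router's PROCID)
        if msg[f] == "-":
            msg[f] = None
    rest = msg.pop("rest")
    msg["sd"] = {}
    if rest.startswith("-"):             # NILVALUE: no structured data
        rest = rest[1:]
    else:
        while rest.startswith("["):      # one or more SD-ELEMENTs
            e = SD_ELEMENT_RE.match(rest)
            if not e:
                raise ValueError("malformed SD-ELEMENT")
            msg["sd"][e["sdid"]] = dict(SD_PARAM_RE.findall(e["params"]))
            rest = rest[e.end():]
    msg["msg"] = rest[1:] if rest.startswith(" ") else (rest or None)
    return msg
```

For the sample the parser yields facility 20 and severity 5, the LOCAL4/NOTICE pair the manual derives from <165>.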
