Today while working in the lab and trying to get a firewall to play nicely with a VPRN, I wanted to debug and dump out the ICMP packets that I was directing at the VPRN virtual routers. A quick phone call to our Alcatel-Lucent IPD engineer and I had this cookbook in my hands. Cory
Configuring Logs
Two default logs exist on all 7x50 SR nodes:
* Log 99 – records alarms of all severity levels from ‘Main’ source
* Log 100 – records only alarms with critical and major severity levels from ‘Main’ source
When SAM is used to manage the nodes, a log 98 must be created (along with an SNMP trap-target). It records alarms from the 'Main' and 'Security' sources and sends them to a particular SNMP trap group that delivers them to SAM.
There are 4 possible sources from which events can be logged:
1. Main – events related to 7x50 OS applications not assigned to other event categories/sources.
2. Security – attempts to breach the system, such as failed login attempts. Generated by the SECURITY application.
3. Change – events that change the configuration or operation of the node. Generated by the USER application.
4. Debug – events generated when debug is enabled (debug and trace messages). Generated by the DEBUG application.
* Events are categorized by Application (e.g. APS, ATM, SECURITY, OSPF, etc.).
* Within an Application category, each event has an ID (this number is unique within an application category, but not across different application categories).
* Each event is assigned a severity level by default (Critical, Major, Minor, Warning, Info). These can be modified by the user.
* Certain events are suppressed by default. This means that when they occur, no entry is generated in the logs. The count of suppressed events is maintained and can be viewed with the 'show log event-controller' command. Most events do generate an entry in the logs. The 'show log event-controller' output identifies which events are generated and which are suppressed by default.
There are 5 possible destinations to which the logged events can be sent/stored:
1. Console or session – sent to the first telnet/ssh session opened. Only valid for the duration of the session.
2. Memory – sent to a circular buffer (the oldest entry is deleted when the buffer is full).
3. File – sent to a specified file located on compact flash. A file-id must be configured first (it specifies the location, the rollover time of the file – i.e. when the file is closed and a new one started – and the retention time).
4. SYSLOG server – sent to a syslog server. A syslog target host must be configured first.
5. SNMP trap group – sent to an SNMP trap group. An SNMP community and trap group must be configured first.
To view all events that can be logged on a node:
# show log event-controller
To view the event logged to Memory:
# show log log-id <#>
Steps to configure log
1. Configure a log ID with a number from 1 to 97.
2. Identify the source.
3. Specify an optional filter to filter events if required. Requires that the log filter be created first.
4. Identify the destination.
   * File
   * Syslog
   * SNMP
   * Memory
   * Console or Session
Log Filters
A log filter can be created and applied to a log so that only events, traps, alarms or debug traces matching particular criteria are captured.
Log-id configuration
A:ROUTER# configure log log-id 100
*A:ROUTER>config>log>log-id# info detail
----------------------------------------------
            description "Default Serious Errors Log"
            filter 1001
            time-format utc
            from main
            to memory 500
            no shutdown
----------------------------------------------
Log Filter configuration
Log filters work like IP filters: match criteria are specified in numbered entries, each with an associated action of drop or forward, and a default-action covers events that match no entry.
*A:ROUTER>config>log>filter# info detail
----------------------------------------------
            default-action drop
            description "Collect events for Serious Errors Log"
            entry 10
                action forward
                description "Collect only events of major severity or higher"
                match
                    no application    # event category
                    no number         # event ID
                    severity gte major # event severity
                    no router         # router name representing the VRF-id that generated the event
                    no subject        # entity for which the event is reported (e.g. a particular port); a regular expression can be used
                exit
            exit
----------------------------------------------
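To make the filter semantics concrete, here is an added Python model of the match block above; it is example code written for this post, not anything from the 7x50 SR software. It reproduces filter 1001 (default-action drop, entry 10 forwarding severity gte major) and adds a hypothetical second filter that also forwards every SECURITY event from the Base router. The severity ranking follows the five levels listed earlier on the page; the assumption that entries are tried in ascending order with the first match deciding is the model's, and the sample events are constructed.

```python
import re

# Severity ranking for gte/lte comparisons, ordered as listed on the page
# (info lowest, critical highest).
SEVERITY_RANK = {"info": 0, "warning": 1, "minor": 2, "major": 3, "critical": 4}

SEVERITY_OPS = {
    "eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
}


class FilterEntry:
    """One 'entry N' block: every configured criterion must match; 'no X' is a wildcard."""

    def __init__(self, entry_id, action, application=None, number=None,
                 severity=None, router=None, subject=None):
        self.entry_id = entry_id
        self.action = action                                     # "forward" or "drop"
        self.application = application                           # e.g. "SECURITY"
        self.number = number                                     # event ID within the application
        self.severity = severity                                 # (op, level), e.g. ("gte", "major")
        self.router = router                                     # router / VRF name
        self.subject = re.compile(subject) if subject else None  # regex on the subject

    def matches(self, event):
        if self.application and event["application"] != self.application:
            return False
        if self.number is not None and event["number"] != self.number:
            return False
        if self.severity:
            op, level = self.severity
            if not SEVERITY_OPS[op](SEVERITY_RANK[event["severity"]], SEVERITY_RANK[level]):
                return False
        if self.router and event["router"] != self.router:
            return False
        if self.subject and not self.subject.search(event["subject"]):
            return False
        return True


class LogFilter:
    """Assumed evaluation model: entries in ascending order, first match decides,
    otherwise the default-action applies."""

    def __init__(self, filter_id, default_action, entries):
        self.filter_id = filter_id
        self.default_action = default_action
        self.entries = sorted(entries, key=lambda e: e.entry_id)

    def decide(self, event):
        for entry in self.entries:
            if entry.matches(event):
                return entry.action
        return self.default_action


def filter_1001():
    """Filter 1001 as shown on the page: drop everything below major severity."""
    return LogFilter(1001, "drop", [FilterEntry(10, "forward", severity=("gte", "major"))])


def security_filter():
    """Hypothetical filter: forward any SECURITY event from the Base router regardless
    of severity, then fall back to the major-or-higher rule."""
    return LogFilter(1002, "drop", [
        FilterEntry(10, "forward", application="SECURITY", router="Base"),
        FilterEntry(20, "forward", severity=("gte", "major")),
    ])


# Constructed sample events (not router output), in the shape the match block refers to.
EVENTS = [
    {"id": "e1", "application": "SECURITY", "number": 2001, "severity": "minor",
     "router": "Base", "subject": "user admin from 192.0.2.10"},
    {"id": "e2", "application": "OSPF", "number": 2010, "severity": "major",
     "router": "vprn-100", "subject": "interface to-core"},
    {"id": "e3", "application": "PORT", "number": 2004, "severity": "warning",
     "router": "Base", "subject": "port 1/1/3"},
    {"id": "e4", "application": "SYSTEM", "number": 2001, "severity": "critical",
     "router": "Base", "subject": "cf1"},
]


def apply_filter(log_filter, events=EVENTS):
    """Return {event id: action} for each event run through the filter."""
    return {ev["id"]: log_filter.decide(ev) for ev in events}


if __name__ == "__main__":
    for name, flt in (("filter 1001", filter_1001()), ("security filter", security_filter())):
        print(name, apply_filter(flt))
```

Running it shows why a "serious errors" log alone is a poor audit trail: the minor-severity failed login (e1) is dropped by filter 1001 and only survives when an entry matches on the SECURITY application explicitly.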
File-id configuration
Event log files are always created in the /log directory on the specified compact flash device. The naming convention for event log files is:
logEEFF-timestamp
where:
* EE is the event log ID
* FF is the log file destination ID
* timestamp is the time the file was created, in the form yyyymmdd-hhmmss, where:
   * yyyy is the four-digit year (for example, 2007)
   * mm is the two-digit month (for example, 12 for December)
   * dd is the two-digit day of the month (for example, 03 for the 3rd of the month)
   * hh is the two-digit hour in a 24-hour clock (for example, 04 for 4 a.m.)
   * mm is the two-digit minute (for example, 30 for 30 minutes past the hour)
   * ss is the two-digit second (for example, 14 for 14 seconds)
e.g. log5010-20090206-172530
A file ID can only be assigned to one log-id.
To configure a file-id:
A:ALA-12>config>log# info
----------------------------------------------
        file-id 10
            description "This is a log file."
            location cf1:
            rollover 600 retention 24
        exit
----------------------------------------------
Note: rollover time in minutes, retention time in hours.
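The naming convention and the rollover/retention settings above are easy to get wrong when scripting cleanup or offloading of log files, so here is an added Python example (written for this post, not 7x50 SR code) that parses logEEFF-timestamp names and works out when each file in a directory listing is past its retention window. The lifetime model (file closed rollover minutes after creation, then kept retention hours) and the directory listing are assumptions; the first file name is the page's own example.

```python
import re
from datetime import datetime, timedelta

# logEEFF-yyyymmdd-hhmmss: EE = event log ID, FF = file destination ID.
LOG_FILENAME_RE = re.compile(
    r"^log(?P<ee>\d{2})(?P<ff>\d{2})-(?P<date>\d{8})-(?P<time>\d{6})$"
)


def parse_log_filename(name):
    """Split an event log file name into log ID, file ID and creation timestamp."""
    m = LOG_FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"not an event log file name: {name!r}")
    return {
        "log_id": int(m["ee"]),
        "file_id": int(m["ff"]),
        "created": datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S"),
    }


def lifetime(created, rollover_minutes, retention_hours):
    """Return (closed_at, delete_after) for a file under the given file-id settings.

    Assumed model: the file is closed rollover_minutes after it was created and is
    kept for retention_hours after it is closed."""
    closed_at = created + timedelta(minutes=rollover_minutes)
    return closed_at, closed_at + timedelta(hours=retention_hours)


def expired_files(names, rollover_minutes, retention_hours, now):
    """Names of files whose retention window has already passed at time `now`."""
    expired = []
    for name in names:
        info = parse_log_filename(name)
        _, delete_after = lifetime(info["created"], rollover_minutes, retention_hours)
        if now >= delete_after:
            expired.append(name)
    return expired


# Constructed listing of cf1:/log for file-id 10 on log 50 (first entry is the page's example).
LISTING = [
    "log5010-20090206-172530",
    "log5010-20090207-032530",
    "log5010-20090207-132530",
]

if __name__ == "__main__":
    now = datetime(2009, 2, 8, 4, 0, 0)
    print(parse_log_filename(LISTING[0]))
    # rollover 600 (minutes) and retention 24 (hours), as in the file-id 10 configuration
    print(expired_files(LISTING, 600, 24, now))
```

With the page's settings (rollover 600, retention 24) the example file is closed at 03:25:30 on 7 Feb 2009 and is eligible for deletion 24 hours later; anything you want to keep longer than that has to be copied off the compact flash before then.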
To view the events logged to a file:
# file
# cd cf1:/log
cf1:/log# type <file-name>
Syslog Target configuration
A:ROUTER>config>log# syslog 1
A:ROUTER>config>log>syslog$ info detail
----------------------------------------------
            no description
            no address        # IP address of the target host
            no facility       # the code should be entered in accordance with the syslog RFC (e.g. kernel, user, etc.)
            level info        # specifies the severity level; events at or above this level are sent to syslog
            log-prefix "TMNX" # RFC 3164, The BSD syslog Protocol, allows an alphanumeric string (tag) to be prepended to the content of every log message sent to the syslog host. This string can, for example, be used to identify the node that generated the log entry
            no port           # UDP port used to send syslog messages to the target host. Only needed if the syslog target host uses a port other than the standard UDP syslog port 514
----------------------------------------------
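On the receiving side, the facility, level and log-prefix settings above determine what a collector sees in each datagram. The following added Python example (written for this post, not part of the 7x50 SR software or any collector) decodes the RFC 3164 PRI field into facility and severity, checks that the tag matches the configured log-prefix, and summarises a batch of lines. The sample lines are constructed in generic RFC 3164 shape; the exact body format the router emits is not shown on the page and is not assumed here.

```python
import re
from collections import Counter

# Facility codes from RFC 3164 section 4.1.1 (common names), severity codes 0..7.
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG  (TAG is the configured log-prefix)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<msg>.*)$"
)


def decode_pri(pri):
    """PRI = facility * 8 + severity; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line, expected_prefix="TMNX"):
    """Return the decoded fields of one line, or None if it is not RFC 3164 shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "prefix_ok": m["tag"] == expected_prefix,
        "msg": m["msg"],
    }


def summarize(lines, expected_prefix="TMNX"):
    """Count parsed lines per severity and list (host, tag) pairs whose tag is not the
    expected log-prefix, so unexpected senders mixed into the feed stand out."""
    by_severity = Counter()
    unexpected = []
    for line in lines:
        rec = parse_syslog_line(line, expected_prefix)
        if rec is None:
            continue
        by_severity[rec["severity"]] += 1
        if not rec["prefix_ok"]:
            unexpected.append((rec["host"], rec["tag"]))
    return dict(by_severity), unexpected


# Constructed sample datagrams: facility 'user' (1) for the router lines, so
# PRI 13 = user.notice, 10 = user.critical, 14 = user.info; 30 = daemon.info.
SAMPLE_LINES = [
    "<13>Feb  6 17:25:31 ROUTER TMNX: 2001 Base SECURITY-MINOR: login failed for user admin",
    "<10>Feb  6 17:26:02 ROUTER TMNX: 2010 vprn-100 OSPF-MAJOR: neighbour 10.0.0.2 down",
    "<14>Feb  6 17:26:10 ROUTER TMNX: 2004 Base PORT-INFO: port 1/1/3 link up",
    "<14>Feb  6 17:26:12 ROUTER TMNX: 2005 Base PORT-INFO: port 1/1/4 link up",
    "<30>Feb  6 17:26:15 otherhost sshd: Accepted publickey for ops from 192.0.2.7",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

The mapping between the router's own severity names (Critical, Major, Minor, Warning, Info) and the eight RFC 3164 severities is the router's to make, so a collector should key alerting on the decoded PRI rather than on words in the message body.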
SNMP Configuration
* A group specifies the types of SNMP traps and specifies the log ID which will receive the group of
* SNMP traps. A trap group must be configured in order for SNMP traps to be sent.
* Alarms and traps that are generated can be sent to one or more SNMP trap groups.
* Note that if the same trap-target name and port are specified in more than one SNMP trap group, each trap destination should be configured with a different notify-community value.
* Debug events are NOT sent to SNMP trap groups.
Create community string
SR-1# configure system security snmp
SR-1>config>system>security>snmp# community "public" r version both
SR-1>config>system>security>snmp# no shutdown
Create a trap group
SR-1# configure log
SR-1>config>log# snmp-trap-group 50
SR-1>config>log>snmp-trap-group>$ trap-target primary_trap address 128.128.0.5 snmpv2c notify-community public
SR-1>config>log>snmp-trap-group>$ trap-target secondary_trap address 128.128.2.1 snmpv2c notify-community public
Create log-id to be used by trap-group 50
SR-1>config>log# log-id 50
SR-1>config>log>log-id>$ from main
SR-1>config>log>log-id># to snmp 1024
NOTE: The snmp-trap-group ID must be the same as the log-id (50 in this example).