HP Load Balancing Module

HP Load Balancing Module System Maintenance Configuration Guide Part number: 5998-4221 Software version: Feature 3221 Document version: 6PW100-20130326

Legal and notice information Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Using ping, tracert, and system debugging 1
  Ping 1
  Using a ping command to test network connectivity 1
  Ping example 1
  Tracert 3
  Prerequisites 4
  Using a tracert command to identify failed or all nodes in a path 5
  System debugging 5
  Debugging information control switches 5
  Debugging a feature module 6
  Ping and tracert example 7
Configuring the information center 9
  Overview 9
  Classification of system information 9
  System information levels 9
  Output channels and destinations 10
  Default output rules of system information 11
  System information formats 11
  Information center configuration task list 14
  Outputting system information to the console 14
  Outputting system information to the monitor terminal 15
  Outputting system information to a log host 16
  Outputting system information to the trap buffer 17
  Outputting system information to the log buffer 18
  Outputting system information to the SNMP module 19
  Outputting system information to the Web interface 19
  Saving system information to a log file 20
  Managing security logs 21
  Saving security logs into the security log file 22
  Managing the security log file 22
  Enabling synchronous information output 25
  Disabling an interface from generating link up/down logging information 26
  Displaying and maintaining information center 26
  Information center configuration examples 27
  Outputting log information to the console 27
  Outputting log information to a UNIX log host 28
  Outputting log information to a Linux log host 29
  Saving security logs into the security log file 30
Managing logs 34
  Configuring syslog 34
  User logging (flow logging) overview 36
  Configuring user logging in the Web interface 37
  Displaying user logging statistics 39
  Clearing user logs and user logging statistics 39
  Configuring the time zone for user logs 40
  Configuring user logging at the CLI 40
  User logging configuration task list 40
  Configuring the user logging version 40
  Configuring the source address for user logging packets 41
  Exporting user logs 41
  Displaying and maintaining user logging 42
  User logging configuration example 42
  Troubleshooting user logging 43
  Configuring session logging 44
  Session logging configuration task list 44
  Configuring a session logging policy 44
  Setting session logging thresholds 45
  Log report 46
  Displaying system logs 46
  Displaying connection limit logs 48
  Displaying attack prevention logs 48
  Displaying blacklist logs 49
  Displaying user logs (flow logging) 50
Configuring SNMP 53
  Overview 53
  SNMP framework 53
  MIB and view-based MIB access control 53
  SNMP operations 54
  SNMP protocol versions 54
  SNMP configuration task list 54
  Configuring SNMP basic parameters 55
  Configuring SNMPv3 basic parameters 55
  Configuring SNMPv1 or SNMPv2c basic parameters 56
  Configuring SNMP logging 57
  Configuring SNMP traps 58
  Enabling SNMP traps 58
  Configuring the SNMP agent to send traps to a host 59
  Displaying and maintaining SNMP 60
  SNMP configuration examples 61
  SNMPv1/SNMPv2c configuration example 61
  SNMPv3 configuration example 62
  SNMP logging configuration example 64
Configuring RMON 66
  Overview 66
  Working mechanism 66
  RMON groups 66
  Configuring the RMON statistics function 68
  Configuring the RMON Ethernet statistics function 68
  Configuring the RMON history statistics function 68
  Configuring the RMON alarm function 69
  Displaying and maintaining RMON 70
  Ethernet statistics group configuration example 70
  History group configuration example 71
  Alarm group configuration example 73
Managing the file system 75
  Overview 75
  Storage medium naming rules 75
  File name formats 75
  Managing files 76
  Displaying file information 76
  Displaying the contents of a file 76
  Renaming a file 76
  Copying a file 77
  Moving a file 77
  Deleting/restoring a file 77
  Emptying the recycle bin 77
  Managing directories 77
  Displaying directory information 78
  Displaying the current working directory 78
  Changing the current working directory 78
  Creating a directory 78
  Removing a directory 78
  Managing storage media 79
  Managing storage medium space 79
  Mounting and unmounting a storage medium 79
  Partitioning a CF card 80
  Performing batch operations 81
  Setting the file system operation mode 81
  File system management examples 81
Configuring FTP 83
  Overview 83
  Using the device as an FTP client 83
  Establishing an FTP connection 83
  Managing directories on the FTP server 84
  Working with the files on the FTP server 85
  Switching to another user account 86
  Maintaining and troubleshooting the FTP connection 86
  Terminating the FTP connection 86
  FTP client configuration example 86
  Using the device as an FTP server 88
  Configuring basic parameters 88
  Configuring authentication and authorization 89
  FTP server configuration example 90
  Displaying and maintaining FTP 92
Configuring TFTP 93
  Overview 93
  Prerequisites 93
  Using the device as a TFTP client 93
  Displaying and maintaining the TFTP client 94
  TFTP client configuration example 94
Optimizing IP performance 96
  Configuring TCP attributes 96
  Configuring TCP MSS for the interface 96
  Configuring TCP path MTU discovery 96
  Configuring the TCP send/receive buffer size 97
  Configuring TCP timers 98
  Configuring ICMP to send error packets 98
  Advantages of sending ICMP error packets 98
  Disadvantages of sending ICMP error packets 99
  Configuration procedure 99
  Displaying and maintaining IP performance optimization 100
Support and other resources 101
  Contacting HP 101
  Subscription service 101
  Related information 101
  Documents 101
  Websites 101
  Conventions 102
Index 104

Using ping, tracert, and system debugging

Use the ping, tracert, and system debugging utilities to test network connectivity and identify network problems. Ping, tracert, and system debugging utilities can be used only at the CLI.

Ping

The ping utility sends ICMP echo requests (ECHO-REQUEST) to the destination device. Upon receiving the requests, the destination device responds with ICMP echo replies (ECHO-REPLY) to the source device. The source device outputs statistics about the ping operation, including the number of packets sent, the number of echo replies received, and the round-trip time. You can measure the network performance by analyzing these statistics.

Using a ping command to test network connectivity

Execute ping commands in any view.

Task: Test the network connectivity to an IP address.
Command, IPv4 network:
  ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i interface-type interface-number | -m interval | -n | -p pad | -q | -r | -s packet-size | -t timeout | -tos tos | -v | -vpn-instance vpn-instance-name ] * host
Command, IPv6 network:
  ping ipv6 [ -a source-ipv6 | -c count | -m interval | -s packet-size | -t timeout | -vpn-instance vpn-instance-name ] * host [ -i interface-type interface-number ]
Remarks: Set a larger value for the timeout timer (the -t parameter of the command) when you use the ping command on a low-speed network. Disabling the echo reply function on the destination affects the ping function.

Ping example

Network requirements

Test the network connectivity between LB and Device B in Figure 1. If they can reach each other, get detailed information about routes from LB to Device B.

Figure 1 Network diagram

Configuration procedure

# Use the ping command on LB to test connectivity to Device B.
<LB> ping 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=205 ms
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/41/205 ms

# Get detailed information about routes from LB to Device B.
<LB> ping -r 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=53 ms
Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1
--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/11/53 ms

The test procedure with the ping -r command (see Figure 1) is as follows:
1. The source device (LB) sends an ICMP echo request with an empty RR option to the destination device (Device B).
2. The intermediate device (Device A) adds the IP address of its outbound interface (1.1.2.1) to the RR option of the ICMP echo request, and forwards the packet.
3. Upon receiving the request, the destination device copies the RR option of the request into the reply and adds the IP address of its outbound interface (1.1.2.2) to the RR option. Then the destination device sends an ICMP echo reply.
4. The intermediate device adds the IP address of its outbound interface (1.1.1.2) to the RR option in the ICMP echo reply, and then forwards the reply.
5. Upon receiving the reply, the source device adds the IP address of its inbound interface (1.1.1.1) to the RR option.

Finally, you can get the detailed information of routes from LB to Device B: 1.1.1.1 <-> {1.1.1.2; 1.1.2.1} <-> 1.1.2.2.

Tracert

Tracert (also called "Traceroute") enables you to get the IP addresses of Layer 3 devices in the path to a specific destination. You can use tracert to test network connectivity and identify failed nodes.

Figure 2 Traceroute operation

Tracert uses received ICMP error messages to get the IP addresses of devices. As shown in Figure 2, tracert works as follows:
1. The source device (Device A) sends a UDP packet with a TTL value of 1 to the destination device (Device D). The destination UDP port is not used by any application on the destination device.
2. The first hop (Device B, the first Layer 3 device that receives the packet) responds by sending a TTL-expired ICMP error message to the source, with its IP address (1.1.1.2) encapsulated. In this way, the source device can get the address of the first Layer 3 device (1.1.1.2).
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop (Device C) responds with a TTL-expired ICMP error message, which gives the source device the address of the second Layer 3 device (1.1.2.2).
5. The process continues until the packet sent by the source device reaches the ultimate destination device. Because no application uses the destination port specified in the packet, the destination device responds with a port-unreachable ICMP message to the source device, with its IP address encapsulated. This way, the source device gets the IP address of the destination device (1.1.3.2).
6. The source device concludes that the packet has reached the destination device after receiving the port-unreachable ICMP message, and that the path to the destination device is 1.1.1.2 to 1.1.2.2 to 1.1.3.2.

Prerequisites

Before you use a tracert command, perform the tasks in this section.

For an IPv4 network:
- Enable sending of ICMP timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are HP devices, execute the ip ttl-expires enable command on the devices. For more information about this command, see System Maintenance Command Reference.
- Enable sending of ICMP destination unreachable packets on the destination device. If the destination device is an HP device, execute the ip unreachables enable command. For more information about this command, see System Maintenance Command Reference.

For an IPv6 network:
- Enable sending of ICMPv6 timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are HP devices, execute the ipv6 hoplimit-expires enable command on the devices. For more information about this command, see Network Management Command Reference.
- Enable sending of ICMPv6 destination unreachable packets on the destination device. If the destination device is an HP device, execute the ipv6 unreachables enable command. For more information about this command, see Network Management Command Reference.

Using a tracert command to identify failed or all nodes in a path

Execute tracert commands in any view.

Task: Display the routes from source to destination.
Command, IPv4 network:
  tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-number | -vpn-instance vpn-instance-name | -w timeout ] * host
Command, IPv6 network:
  tracert ipv6 [ -f first-ttl | -m max-ttl | -p port | -q packet-number | -vpn-instance vpn-instance-name | -w timeout ] * host
Remarks: Use either approach.

System debugging

The device supports debugging for the majority of protocols and features and provides debugging information to help users diagnose errors.

Debugging information control switches

The following switches control the display of debugging information:
- Protocol debugging switch: controls whether to generate the protocol-specific debugging information.
- Screen output switch: controls whether to display the debugging information on a certain screen.

As shown in Figure 3, assume that the device can provide debugging for the three modules 1, 2, and 3. The debugging information can be output on a terminal only when both the protocol debugging switch and the screen output switch are turned on.

Output of debugging information depends on the configurations of the information center and the debugging commands of each protocol and functional module. Debugging information is typically displayed on a terminal (including console or VTY). You can also send debugging information to other destinations. For more information, see "Configuring the information center."

Figure 3 Relationship between the protocol and screen output switch

Debugging a feature module

Output from debugging commands is memory intensive. To guarantee system performance, enable debugging only for modules that are in an exceptional condition. When debugging is complete, use the undo debugging all command to disable all the debugging functions.

Configure the debugging, terminal debugging and terminal monitor commands before you can display detailed debugging information on the terminal. For more information about the terminal debugging and terminal monitor commands, see System Maintenance Command Reference.

To debug a feature module and display the debugging information on a terminal:
1. Enable the terminal monitoring of system information.
   Command: terminal monitor
   Remarks: By default, the monitoring of system information is enabled on the console port and disabled on the terminal. Available in user view.
2. Enable the terminal to display debugging information.
   Command: terminal debugging
   Remarks: By default, the display of debugging information is disabled on the console. Available in user view.
3. Enable debugging for a specified module.
   Command: debugging { all [ timeout time ] | module-name [ option ] }
   Remarks: By default, debugging for a specified module is disabled. Available in user view.
4. Display the enabled debugging functions.
   Command: display debugging [ interface interface-type interface-number ] [ module-name ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

Ping and tracert example

Network requirements

As shown in Figure 4, LB failed to Telnet to Device B. Determine whether LB and Device B can reach each other. If they cannot reach each other, locate the failed nodes in the network.

Figure 4 Network diagram

Configuration procedure

1. Use the ping command to test connectivity between LB and Device B.
<LB> ping 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The output shows that LB and Device B cannot reach each other.

2. Use the tracert command to identify failed nodes:
# Enable sending of ICMP timeout packets on Device A.
<DeviceA> system-view
[DeviceA] ip ttl-expires enable
# Enable sending of ICMP destination unreachable packets on Device B.
<DeviceB> system-view
[DeviceB] ip unreachables enable
# Execute the tracert command on LB.
<LB> tracert 1.1.2.2
traceroute to 1.1.2.2(1.1.2.2) 30 hops max,40 bytes packet, press CTRL_C to break
1 1.1.1.2 14 ms 10 ms 20 ms
2 * * *
3 * * *
4 * * *
5
<LB>
The output shows that LB and Device B cannot reach each other, LB and Device A can reach each other, and an error occurred on the connection between Device A and Device B.

# Use the debugging ip icmp command on LB and Device B to verify that they can send and receive the specific ICMP packets, or use the display ip routing-table command to verify the availability of active routes between LB and Device B.
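The record-route walk of ping -r (steps 1 to 5 above) and the TTL-probing procedure of tracert, as an added Python model that is not part of the HP guide. The Device record, its flags and the functions are this example's own constructs; the addresses are the ones from Figures 1 and 4, and the two flags stand in for the ip ttl-expires enable and ip unreachables enable prerequisites, so the model reproduces the "* * *" hops shown above and also shows what a missing prerequisite looks like.

```python
"""Model of ping -r (record route) and tracert as described in the HP guide.
Added example, not part of the guide; topology values are those of
Figures 1 and 4 (LB 1.1.1.1, Device A 1.1.1.2/1.1.2.1, Device B 1.1.2.2)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Device:
    name: str
    addr_toward_src: str               # interface facing the source (inbound for requests)
    addr_toward_dst: str = ""          # interface facing the destination (outbound)
    is_destination: bool = False
    ttl_expires_enabled: bool = True   # models "ip ttl-expires enable"
    unreachables_enabled: bool = True  # models "ip unreachables enable"
    link_to_next_up: bool = True       # link toward the next device along the path


def ping_record_route(source_addr: str, path: List[Device]) -> List[str]:
    """Return the RR option as the source sees it after one echo request/reply
    (steps 1 to 5 of the ping -r walkthrough). path = transit devices + destination."""
    rr: List[str] = []
    for dev in path[:-1]:                 # step 2: transit devices add their outbound interface
        rr.append(dev.addr_toward_dst)
    rr.append(path[-1].addr_toward_src)   # step 3: destination copies RR, adds its outbound interface
    for dev in reversed(path[:-1]):       # step 4: transit devices record the reply's outbound interface
        rr.append(dev.addr_toward_src)
    rr.append(source_addr)                # step 5: source adds the reply's inbound interface
    return rr


def probe(path: List[Device], ttl: int) -> Optional[str]:
    """Send one UDP probe with the given TTL. Returns the address carried in the
    ICMP error that comes back, or None when nothing comes back (printed as '*')."""
    for dev in path:
        if dev.is_destination:            # unused UDP port: port-unreachable, if enabled
            return dev.addr_toward_src if dev.unreachables_enabled else None
        ttl -= 1                          # each Layer 3 device decrements the TTL
        if ttl == 0:                      # TTL expired: TTL-expired error, if enabled
            return dev.addr_toward_src if dev.ttl_expires_enabled else None
        if not dev.link_to_next_up:       # forwarded into a broken link: silently lost
            return None
    return None


def tracert(path: List[Device], max_ttl: int = 30, probes_per_hop: int = 3) -> List[str]:
    """Probe with increasing TTL until the destination answers or max_ttl is hit.
    Each returned line mirrors one line of the device's tracert output (without timings)."""
    dst_addr = path[-1].addr_toward_src
    lines: List[str] = []
    for ttl in range(1, max_ttl + 1):
        answers = [probe(path, ttl) for _ in range(probes_per_hop)]
        lines.append(f"{ttl} " + " ".join(a or "*" for a in answers))
        if dst_addr in answers:
            break
    return lines


LB_ADDR = "1.1.1.1"


def figure4_path(**device_a_flags) -> List[Device]:
    """LB - Device A - Device B from Figure 4; flags override Device A's defaults."""
    return [Device("DeviceA", "1.1.1.2", "1.1.2.1", **device_a_flags),
            Device("DeviceB", "1.1.2.2", is_destination=True)]


if __name__ == "__main__":
    print(ping_record_route(LB_ADDR, figure4_path()))  # ['1.1.2.1', '1.1.2.2', '1.1.1.2', '1.1.1.1']
    print(tracert(figure4_path()))                                   # both hops answer
    print(tracert(figure4_path(link_to_next_up=False), max_ttl=4))   # hop 2 onward shows * * *
    print(tracert(figure4_path(ttl_expires_enabled=False)))          # hop 1 shows * * * although it is up
```

The third and fourth calls look alike on a real device, which is why the guide has you enable ip ttl-expires on the transit devices before reading "* * *" as a failed node.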

Configuring the information center

Information center can be configured only at the CLI.

Overview

The information center collects and classifies system information as follows:
- Receives system information including log, trap, and debug information from source modules.
- Outputs the information to different information channels, according to output rules.
- Outputs information to different destinations, based on channel-to-destination associations.

Figure 5 Information center diagram

By default, the information center is enabled. It affects system performance to some degree when processing large amounts of information. If the system resources are insufficient, disable the information center to save resources.

Classification of system information

System information falls into the following types:
- Log information: describes user operations and interface state changes.
- Trap information: describes device faults such as authentication and network failures.
- Debug information: displays device running status for troubleshooting.

Source modules refer to protocol modules, board drivers, and configuration modules that generate system information. You can classify, filter, and output system information based on source modules. To view the supported source modules, use the info-center source ? command.

System information levels

System information is classified into eight severity levels, from 0 through 7 in descending order of severity. The device outputs the system information with a severity level that is higher than or equal to the specified level. For example, if you configure an output rule with a severity level of 6 (informational), information that has a severity level from 0 to 6 is output.

Table 1 System information levels
Severity (value): description. Keyword: corresponding keyword in commands.
- Emergency (0): The system is unusable. For example, the system authorization has expired. Keyword: emergencies
- Alert (1): Action must be taken immediately to solve a serious problem. For example, traffic on an interface exceeds the upper limit. Keyword: alerts
- Critical (2): Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails. Keyword: critical
- Error (3): Error condition. For example, the link state changes or a storage card is unplugged. Keyword: errors
- Warning (4): Warning condition. For example, an interface is disconnected, or the memory resources are used up. Keyword: warnings
- Notification (5): Normal but significant condition. For example, a terminal logs in to the device, or the device reboots. Keyword: notifications
- Informational (6): Informational message. For example, a command or a ping operation is executed. Keyword: informational
- Debug (7): Debug message. Keyword: debugging

Output channels and destinations

Table 2 shows the output channels and destinations. The system supports ten channels. By default, channels 0 through 6, and channel 9 are configured with channel names and output destinations. You can change these default settings as needed. You can also configure channels 7 and 8 and associate them with specific output destinations as needed. You can use the info-center channel name command to change the name of an information channel.

Each output destination receives information from only one information channel, but each information channel can output information to multiple output destinations.

Table 2 Default information channels and output destinations
Channel number  Default channel name  Default output destination  System information received by default
0               console               Console                     Log, trap, and debug information
1               monitor               Monitor terminal            Log, trap, and debug information
2               loghost               Log host                    Log, trap, and debug information
3               trapbuffer            Trap buffer                 Trap information
4               logbuffer             Log buffer                  Log information
5               snmpagent             SNMP module                 Trap information
6               channel6              Web interface               Log information
7               channel7              Not specified               Log, trap, and debug information
8               channel8              Not specified               Log, trap, and debug information
9               channel9              Log file                    Log, trap, and debug information

Default output rules of system information

A default output rule specifies the system information source modules, information type, and severity levels for an output destination. Table 3 shows the default output rules.

Table 3 Default output rules
Destination       Source modules         Log (switch, severity)   Trap (switch, severity)  Debug (switch, severity)
Console           All supported modules  Enabled, Informational   Enabled, Debug           Enabled, Debug
Monitor terminal  All supported modules  Enabled, Informational   Enabled, Debug           Enabled, Debug
Log host          All supported modules  Enabled, Informational   Enabled, Debug           Disabled, Debug
Trap buffer       All supported modules  Disabled, Informational  Enabled, Informational   Disabled, Debug
Log buffer        All supported modules  Enabled, Informational   Disabled, Debug          Disabled, Debug
SNMP module       All supported modules  Disabled, Debug          Enabled, Informational   Disabled, Debug
Web interface     All supported modules  Enabled, Debug           Enabled, Debug           Disabled, Debug
Log file          All supported modules  Enabled, Debug           Enabled, Debug           Disabled, Debug

System information formats

Formats

The following shows the original format of system information, which may be different from what you see. The actual system information format depends on the log resolution tool you use. The format of system information displayed on the Web interface depends on the Web interface. The system information format varies with output destinations. See Table 4.

Table 4 System information formats

Output destination: Console, monitor terminal, logbuffer, trapbuffer, SNMP module, or log file
Format:
  timestamp sysname module/level/digest: content
Example:
  %Jun 26 17:08:35:809 2012 Sysname SHELL/4/LOGIN: VTY login from 1.1.1.1.

Output destination: Log host
Format, HP format:
  <PRI>timestamp Sysname %%vvmodule/level/digest: source content
Format, UNICOM format:
  <PRI>timestamp Sysname vvmodule/level/serial_number: content
Example, HP format:
  <189>Oct 9 14:59:04 2012 Sysname %%10SHELL/5/SHELL_LOGIN(l): VTY logged in from 192.168.1.21.
Example, UNICOM format:
  <186>Oct 13 16:48:08 2000 Sysname 10IFNET/2/210231a64jx073000020: log_type=port;content=vlan-interface1 link status is DOWN.
  <186>Oct 13 16:48:08 2000 Sysname 10IFNET/2/210231a64jx073000020: log_type=port;content=line protocol on the interface Vlan-interface1 is DOWN.

Field description

PRI (priority)
  The priority is calculated by using this formula: facility*8+level, where:
  - facility is the facility name. It can be configured with info-center loghost. It is used to identify different log sources on the log host, and to query and filter logs from specific log sources.
  - level ranges from 0 to 7. See Table 1 for more information.
  Note that the priority field is available only for information that is sent to the log host.

Timestamp
  The timestamp records the time when the system information was generated. Logs sent to the log host and those sent to the other destinations have different precisions, and their timestamp formats are configured with different commands. See Table 5 and Table 6 for more information.

Sysname (host name or host IP address)
  If the system information that is sent to a log host is in the UNICOM format, and the info-center loghost source command is configured, or the vpn-instance vpn-instance-name option is provided in the info-center loghost command, the sysname field is displayed as the IP address of the device that generated the system information. If the system information is in the HP format, the field is displayed as the system name of the device that generated the system information. You can use the sysname command to modify the local system name. For more information, see System Management Command Reference.

%% (vendor ID)
  This field indicates that the information was generated by an HP device. It exists only in logs sent to a log host.

vv (version information)
  This field identifies the version of the log, and has a value of 10. It exists only in logs sent to the log host.

Module
  This field specifies the source module name. You can execute the info-center source ? command in system view to view the module list.

Level (severity)
  System information is divided into eight severity levels, from 0 to 7. See Table 1 for more information about severity levels. You cannot change the system information levels generated by modules. However, you can use the info-center source command to control the output of system information based on severity levels.

Digest
  This field briefly describes the content of the system information. It contains a string of up to 32 characters. For system information destined to the log host:
  - If the string ends with (l), the information is log information.
  - If the string ends with (t), the information is trap information.
  - If the string ends with (d), the information is debug information.

Serial Number
  This field indicates the serial number of the device that generated the system information. It is displayed only if the system information sent to the log host is in the UNICOM format.

source
  This optional field identifies the source of the information. It is displayed only if the system information is sent to a log host in HP format.

content
  This field contains the content of the system information.

Table 5 Timestamp precisions and configuration commands
Item                                                                 Precision     Command used to set the timestamp format
Destined to the log host                                             Seconds       info-center timestamp loghost
Destined to the console, monitor terminal, log buffer, and log file  Milliseconds  info-center timestamp

Table 6 Description of the timestamp parameters

boot
  Description: Time since system startup, in the format of xxx.yyy. xxx represents the higher 32 bits, and yyy represents the lower 32 bits, of milliseconds elapsed. System information sent to all destinations other than the log host supports this parameter.
  Example: %0.109391473 Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in successfully.
  0.109391473 is a timestamp in the boot format.

date
  Description: Current date and time, in the format of mm dd hh:mm:ss:xxx yyy. All system information supports this parameter.
  Example: %May 30 05:36:29:579 2012 Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in successfully.
  May 30 05:36:29:579 2012 is a timestamp in the date format.

iso
  Description: Timestamp format stipulated in ISO 8601. Only system information that is sent to the log host supports this parameter.
  Example: <189>2012-05-30T06:42:44 Sysname %%10FTPD/5/FTPD_LOGIN(l): User ftp (192.168.1.23) has logged in successfully.
  2012-05-30T06:42:44 is a timestamp in the iso format.

none
  Description: No timestamp is included. All system information supports this parameter.
  Example: % Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in successfully.
  No timestamp is included.

no-year-date
  Description: Current date and time without year information, in the format of mm dd hh:mm:ss:xxx. Only the system information that is sent to the log host supports this parameter.
  Example: <189>May 30 06:44:22 Sysname %%10FTPD/5/FTPD_LOGIN(l): User ftp (192.168.1.23) has logged in successfully.
  May 30 06:44:22 is a timestamp in the no-year-date format.

Information center configuration task list

Tasks:
  Outputting system information to the console
  Outputting system information to the monitor terminal
  Outputting system information to a log host
  Outputting system information to the trap buffer
  Outputting system information to the log buffer
  Outputting system information to the SNMP module
  Outputting system information to the Web interface
  Saving system information to a log file
  Managing security logs
  Enabling synchronous information output
  Disabling an interface from generating link up/down logging information
Remarks: Configurations for the information output destinations function independently.

Outputting system information to the console

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Name the channel with a specified channel number.
  Command: info-center channel channel-number name channel-name
  Remarks: See Table 2 for default channel names.
Step 4. Configure an output channel for the console.
  Command: info-center console channel { channel-number | channel-name }
  Remarks: By default, system information is output to the console through channel 0 (console).
Step 5. Configure an output rule for the console.
  Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
  Remarks: See "Default output rules of system information."
Step 6. Configure the timestamp format.
  Command: info-center timestamp { debugging | log | trap } { boot | date | none }
  Remarks: By default, the timestamp format for log, trap, and debug information is date.
Step 7. Return to user view.
  Command: quit
  Remarks: N/A
Step 8. Enable system information output to the console.
  Command: terminal monitor
  Remarks: The default setting is enabled.
Step 9. Enable the display of system information on the console.
  Commands:
    Enable the display of debug information on the console: terminal debugging
    Enable the display of log information on the console: terminal logging
    Enable the display of trap information on the console: terminal trapping
  Remarks: By default, the console displays log and trap information, and discards debug information.

Outputting system information to the monitor terminal

Monitor terminals refer to terminals that log in to the device through the AUX or VTY user interface.

To output system information to the monitor terminal:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Name the channel with a specified channel number.
  Command: info-center channel channel-number name channel-name
  Remarks: See Table 2 for default channel names.
Step 4. Configure an output channel for the monitor terminal.
  Command: info-center monitor channel { channel-number | channel-name }
  Remarks: By default, system information is output to the monitor terminal through channel 1 (known as monitor).
Step 5. Configure an output rule for the monitor terminal.
  Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
  Remarks: See "Default output rules of system information."
Step 6. Configure the timestamp format.
  Command: info-center timestamp { debugging | log | trap } { boot | date | none }
  Remarks: By default, the timestamp format for log, trap, and debug information is date.
Step 7. Return to user view.
  Command: quit
  Remarks: N/A
Step 8. Enable system information output to the monitor terminal.
  Command: terminal monitor
  Remarks: The default setting is disabled. You must execute this command before you can enable the display of debug, log, and trap information on the monitor terminal.
Step 9. Enable the display of system information on a monitor terminal.
  Commands:
    Enable the display of debug information on a monitor terminal: terminal debugging
    Enable the display of log information on a monitor terminal: terminal logging
    Enable the display of trap information on a monitor terminal: terminal trapping
  Remarks: By default, the monitor terminal displays log and trap information, and discards debug information.

Outputting system information to a log host

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Name the channel with a specified channel number.
  Command: info-center channel channel-number name channel-name
  Remarks: See Table 2 for default channel names.

Step 4. Configure an output rule for the log host.
  Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
  Remarks: See "Default output rules of system information."
Step 5. Specify the source IP address for the log information.
  Command: info-center loghost source interface-type interface-number
  Remarks: By default, the source IP address of output log information is the primary IP address of the matching route's egress interface.
Step 6. Configure the timestamp format for system information output to the log host.
  Command: info-center timestamp loghost { date | iso | no-year-date | none }
  Remarks: date by default.
Step 7. Set the format of the system information sent to a log host.
  Commands:
    Set the format to UNICOM: info-center format unicom
    Set the format to HP: undo info-center format
  Remarks: Use either approach. HP by default.
Step 8. Specify a log host and configure related parameters.
  Command: info-center loghost [ vpn-instance vpn-instance-name ] { host-ipv4-address | ipv6 host-ipv6-address } [ port port-number ] [ channel { channel-number | channel-name } | facility local-number ] *
  Remarks: By default, no log host or related parameters are specified. If no channel is specified when outputting system information to a log host, the system uses channel 2 (loghost) by default. The value of the port-number argument must be the same as the value configured on the log host. Otherwise, the log host cannot receive system information.

Outputting system information to the trap buffer

The trap buffer only receives trap information, and discards log and debug information.

To output system information to the trap buffer:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Name the channel with a specified channel number.
  Command: info-center channel channel-number name channel-name
  Remarks: See Table 2 for default channel names.
Step 4. Configure an output channel for the trap buffer and set the buffer size.
  Command: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
  Remarks: By default, system information is output to the trap buffer through channel 3 (known as trapbuffer), and the default buffer size is 256.
Step 5. Configure an output rule for the trap buffer.
  Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
  Remarks: See "Default output rules of system information."
Step 6. Configure the timestamp format.
  Command: info-center timestamp { debugging | log | trap } { boot | date | none }
  Remarks: The timestamp format for log, trap, and debug information is date by default.

Outputting system information to the log buffer

The log buffer only receives log information, and discards trap and debug information.

To output system information to the log buffer:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Name the channel with a specified channel number.
  Command: info-center channel channel-number name channel-name
  Remarks: See Table 2 for default channel names.
Step 4. Configure an output channel for the log buffer and set the buffer size.
  Command: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *
  Remarks: By default, system information is output to the log buffer through channel 4 (known as logbuffer), and the default buffer size is 512.
Step 5. Configure an output rule for the log buffer.
  Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
  Remarks: See "Default output rules of system information."
Step 6. Configure the timestamp format.
  Command: info-center timestamp { debugging | log | trap } { boot | date | none }
  Remarks: The timestamp format for log, trap, and debug information is date by default.
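The line formats shown in Table 6 (the <PRI> prefix of lines sent to a log host, the leading % of console and buffer lines, the %%10 vendor and version marker, and the MODULE/LEVEL/DIGEST(l|t|d) header) and the severity-based info-center source rules in the tables above, worked through as an added example that is not code from the HP guide. It parses the guide's own sample lines plus one constructed ARP line, applies the rule set of the UNIX log host example below (default off, ARP and IP logs at informational and above on), and checks the log host's syslog.conf selector local4.info; the function names, the ARP sample line and its digest ARP_SAMPLE are assumptions made for this example.

```python
"""Parser and output-rule checker for HP information-center log lines.
Added example, not code from the HP guide: it models the line formats of
Table 6 (<PRI> prefix for log-host lines, leading "%" for console and
buffer lines, the %%10 vendor/version marker, MODULE/LEVEL/DIGEST(l|t|d))
and the severity-based "info-center source" output rules. Function names,
the ARP sample line and its digest ARP_SAMPLE are constructed here."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Standard syslog severity names for levels 0-7 (Table 1 of the guide).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "informational", "debugging"]
LOCAL_FACILITIES = {f"local{i}": 16 + i for i in range(8)}   # local0-7 = 16-23
# Level keywords accepted in a syslog.conf selector such as "local4.info".
SYSLOG_CONF_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                      "warning": 4, "notice": 5, "info": 6, "debug": 7}
KIND_NAMES = {"l": "log", "t": "trap", "d": "debug"}

_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>|%)"       # <PRI> to a log host, "%" elsewhere
    r"(?P<ts>.*?)\s?"                  # boot, date, iso, no-year-date or none
    r"(?P<sysname>\S+)\s"              # Sysname field
    r"(?:%%(?P<version>\d+))?"         # %% vendor marker + version, log host only
    r"(?P<module>\w+)/(?P<level>[0-7])/(?P<digest>\w+)"
    r"(?:\((?P<kind>[ltd])\))?"        # (l) log, (t) trap, (d) debug, log host only
    r":\s(?P<content>.*)$")

@dataclass
class LogRecord:
    facility: Optional[int]    # None for lines without <PRI> (console, buffers)
    severity: Optional[int]
    timestamp: str             # "" when the timestamp parameter is "none"
    sysname: str
    version: Optional[str]
    module: str
    level: int
    digest: str
    kind: str                  # "log", "trap", "debug" or "unknown" (no suffix)
    content: str

def parse_line(line: str) -> LogRecord:
    """Split one line into its fields; PRI = facility * 8 + severity."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an HP information-center line: {line!r}")
    facility = severity = None
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > 191:                  # local7.debug is the highest valid PRI
            raise ValueError(f"PRI out of range: {pri}")
        facility, severity = divmod(pri, 8)
    return LogRecord(facility, severity, m.group("ts"), m.group("sysname"),
                     m.group("version"), m.group("module"), int(m.group("level")),
                     m.group("digest"), KIND_NAMES.get(m.group("kind"), "unknown"),
                     m.group("content"))

# Rules per module (or "default"): for each information type the highest level
# number still forwarded, or None for "state off".
Rules = Dict[str, Dict[str, Optional[int]]]

# Rule set of the "Outputting log information to a UNIX log host" example:
# all modules off by default, ARP and IP logs of level informational (6) and
# above on, their traps off.
LOGHOST_RULES: Rules = {
    "default": {"log": None, "trap": None, "debug": None},
    "arp": {"log": 6, "trap": None},
    "ip": {"log": 6, "trap": None},
}

def output_rule_allows(rec: LogRecord, rules: Rules) -> bool:
    """Decide as a channel does: a module-specific rule overrides the default rule."""
    per_type = rules.get(rec.module.lower(), rules.get("default", {}))
    max_level = per_type.get(rec.kind)
    return max_level is not None and rec.level <= max_level

def selector_allows(rec: LogRecord, selector: str) -> bool:
    """Apply a syslog.conf selector such as "local4.info" on the log host side:
    the facility must match and the severity must be at least that urgent."""
    if rec.facility is None:           # no <PRI>: the line never reached a log host
        return False
    fac_name, _, level_name = selector.partition(".")
    return (rec.facility == LOCAL_FACILITIES[fac_name]
            and rec.severity <= SYSLOG_CONF_LEVELS[level_name])

# Constructed sample input: the first three lines are the guide's own examples,
# the ARP line is made up for this example (PRI 166 = local4 * 8 + informational).
SAMPLE_LINES = [
    "<189>2012-05-30T06:42:44 Sysname %%10FTPD/5/FTPD_LOGIN(l): User ftp (192.168.1.23) has logged in successfully.",
    "%May 30 05:36:29:579 2012 Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in successfully.",
    "% Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in successfully.",
    "<166>May 30 06:44:22 LB %%10ARP/6/ARP_SAMPLE(l): constructed sample ARP log",
]

def forwarded_to_loghost(lines, rules: Rules = LOGHOST_RULES, selector: str = "local4.info"):
    """Digests of the lines that pass both the LB output rule and the host's selector."""
    return [rec.digest for rec in map(parse_line, lines)
            if output_rule_allows(rec, rules) and selector_allows(rec, selector)]
```

Note that the FTPD_LOGIN line carries PRI 189, that is local7 with severity 5 (notification), so with the guide's local4.info selector it would be dropped on the host side even if its module were switched on.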

Outputting system information to the SNMP module

The SNMP module only receives trap information, and discards log and debug information. To monitor the device running status, trap information is usually sent to the SNMP network management system (NMS). For this purpose, you must configure output of traps to the SNMP module, and set the trap sending parameters for the SNMP module. For more information about SNMP, see "Configuring SNMP."

To output system information to the SNMP module:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Name the channel with a specified channel number.
  Command: info-center channel channel-number name channel-name
  Remarks: See Table 2 for default channel names.
Step 4. Configure an output channel for the SNMP module.
  Command: info-center snmp channel { channel-number | channel-name }
  Remarks: By default, system information is output to the SNMP module through channel 5 (known as snmpagent).
Step 5. Configure an output rule for the SNMP module.
  Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
  Remarks: See "Default output rules of system information."
Step 6. Configure the timestamp format.
  Command: info-center timestamp { debugging | log | trap } { boot | date | none }
  Remarks: The timestamp format for log, trap, and debug information is date by default.

Outputting system information to the Web interface

The Web interface only receives log information, and discards trap and debug information. This feature allows you to control whether to output system information to the Web interface and, if so, which system information can be output to the Web interface. The Web interface provides abundant search and sorting functions.

If you output system information to the Web interface, you can view the system information by clicking the corresponding tabs after logging in to the device through the Web interface.

To output system information to the Web interface:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Name the channel with a specified channel number.
  Command: info-center channel channel-number name channel-name
  Remarks: See Table 2 for default channel names.
Step 4. Configure an output channel for the Web interface.
  Command: info-center syslog channel { channel-number | channel-name }
  Remarks: By default, system information is output to the Web interface through channel 6.
Step 5. Configure an output rule for the Web interface.
  Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
  Remarks: See "Default output rules of system information."
Step 6. Configure the timestamp format.
  Command: info-center timestamp { debugging | log | trap } { boot | date | none }
  Remarks: The timestamp format for log, trap, and debug information is date by default.

Saving system information to a log file

This feature enables the device to save generated log information to a log file. You can specify how often the log file is saved, or you can manually save the log file.

Logs are saved into the log file buffer. The system writes the logs from the log file buffer to the log file at the specified interval (24 hours by default). You can also manually save the logs while the device is not busy. After saving logs from the log file buffer to the log file, the system clears the log file buffer.

The log file has a specific capacity. When the capacity is reached, the system deletes the earliest messages and writes new messages into the log file. The log file is saved in the directory /logfile/logfile.log.

To save system information to a log file:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Enable the log file feature.
  Command: info-center logfile enable
  Remarks: Enabled by default.
Step 4. Configure the interval at which the system saves logs in the log file buffer to the log file.
  Command: info-center logfile frequency freq-sec
  Remarks: The default saving interval is 86400 seconds.

Step 5. Configure the maximum size of the log file.
  Command: info-center logfile size-quota size
  Remarks: The default setting is 10 MB. To ensure normal operation of the device, set the size argument to a value between 1 MB and 10 MB.
Step 6. Configure the directory to save the log file.
  Command: info-center logfile switch-directory dir-name
  Remarks: By default, the log file is saved in the logfile directory under the root directory of the storage device (the root directory of a storage device varies with devices). The configuration made by this command cannot survive a system reboot.
Step 7. Manually save the log file buffer content to the log file.
  Command: logfile save
  Remarks: Available in any view. By default, the system saves logs in the log file buffer to the log file at the interval configured by the info-center logfile frequency command.

Managing security logs

Security logs are very important for locating and troubleshooting network problems. Generally, security logs are output together with other logs, and it is difficult to identify security logs among all logs. To solve this problem, you can save security logs into a security log file without affecting the current log output rules.

The configuration of this feature and the management of the security log file are separate, and the security log file is managed by a privileged user. After logging in to the device, the administrator can enable the saving of security logs into the security log file and configure related parameters. However, only the privileged user, known as the security log administrator, can perform operations on the security log file. The privileged user must pass AAA local authentication and log in to the device. No other users (including the system administrator) can perform operations on the security log file.

A security log administrator is a local user who is authorized by AAA as the security log administrator. You can authorize a security log administrator by executing the authorization-attribute user-role security-audit command in local user view.

The system administrator cannot view, copy, or rename the security log file. If they try, the system displays an "%Execution error" message. The system administrator can view, copy, and rename other types of files.

For more information about local users and AAA local authentication, see Security Configuration Guide.

Saving security logs into the security log file

If this feature is enabled, the system first outputs security logs to the security log file buffer, and then saves the logs in the security log file buffer into the security log file at a specified interval (the security log administrator can also manually save security logs into the log file). After the logs are saved, the buffer is cleared immediately.

The size of the security log file is limited. If the maximum size is reached, the system deletes the oldest log and writes the new log into the security log file. To avoid losing security logs, you can set an alarm threshold. When the alarm threshold is reached, the system outputs a message to inform the administrator. The administrator can log in to the device as the security log administrator and back up the security log file.

By default, security logs are not saved into the security log file. The parameters, such as the saving interval, the maximum size, and the alarm threshold, have default settings. To modify these parameters, log in to the device as the system administrator, and then follow the steps in the following table to configure the related parameters:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the information center.
  Command: info-center enable
  Remarks: Enabled by default.
Step 3. Enable the saving of the security logs into the security log file.
  Command: info-center security-logfile enable
  Remarks: Disabled by default.
Step 4. Set the interval for saving security logs to the security log file.
  Command: info-center security-logfile frequency freq-sec
  Remarks: The default saving interval is 600 seconds.
Step 5. Set the maximum size of the security log file.
  Command: info-center security-logfile size-quota size
  Remarks: The default setting is 1 MB.
Step 6. Set the alarm threshold of the security log file usage.
  Command: info-center security-logfile alarm-threshold usage
  Remarks: 80 by default. That is, when the usage of the security log file reaches 80%, the system informs the user.

Managing the security log file

To manage and maintain the security log file, the security log administrator must pass local AAA authentication first. For more information about the security log administrator, see Security Configuration Guide.

To manage the security log file:

Task: Display a summary of the security log file.
  Command: display security-logfile summary [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in user view.

Task: Change the directory of the security log file.
  Command: info-center security-logfile switch-directory dir-name
  Remarks: By default, the security log file is saved in the seclog directory under the root directory of the storage device. If the device has been partitioned, the security log file is saved in the seclog directory in the second partition of the storage device.
Task: Display contents of the security log file buffer.
  Command: display security-logfile buffer [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in user view.
Task: Manually save all the contents in the security log file buffer into the security log file.
  Command: security-logfile save
  Remarks: By default, the system automatically saves the contents in the security log file buffer into the security log file at the interval specified by the info-center security-logfile frequency command. The directory of the security log file can be configured by using the info-center security-logfile switch-directory command. Available in user view.

Task: Perform these operations on the security log file.
  Commands:
    Display the contents of the specified file: more file-url
    Display information about all files and folders: dir [ /all ] [ file-url ]
    Create a folder in a specified directory on the storage medium: mkdir directory
    Change the current working directory: cd { directory | .. | / }
    Display the current path: pwd
    Copy a file: copy fileurl-source fileurl-dest
    Rename a file or a folder: rename fileurl-source fileurl-dest
    Move a file: move fileurl-source fileurl-dest
    Move a specified file from a storage medium to the Recycle Bin: delete [ /unreserved ] file-url
    Remove a folder: rmdir directory
    Format a storage medium: format device [ FAT16 | FAT32 ]
    Restore a file from the Recycle Bin: undelete file-url
  Remarks: Available in user view. For more information about these commands, see System Management Command Reference.

Task: Upload the security log file to the SFTP server.
  Commands:
    Establish a connection to an IPv4 SFTP server and enter SFTP client view: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    Establish a connection to an IPv6 SFTP server and enter SFTP client view: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    Upload a file on the client to the remote SFTP server: put localfile [ remotefile ]
    Download a file from a remote SFTP server and save it: get remotefile [ localfile ]
  Remarks: The sftp and sftp ipv6 commands are available in user view. The other commands are available in SFTP client view. For more information about these commands, see Security Command Reference. For all other operations supported by the device acting as an SFTP client, see Security Configuration Guide.

Enabling synchronous information output

The output of system logs interrupts ongoing configuration operations: you have to find the previously input commands before the logs. Synchronous information output can show the previous input after log output and a command prompt in command editing mode, or a [Y/N] string in interaction mode, so you can continue your operation from where you were stopped.

If system information, such as log information, is output before you input any information under the current command line prompt, the system does not display the command line prompt after the system information output.

If system information is output when you are inputting some interactive information (non-Y/N confirmation information), the system displays your previous input in a new line but does not display the command line prompt.

To enable synchronous information output:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable synchronous information output.
  Command: info-center synchronous
  Remarks: Disabled by default.

Disabling an interface from generating link up/down logging information

By default, all interfaces generate link up or link down log information when the state changes. In some cases, you might want to disable specific interfaces from generating this information. For example:
  You are concerned only about the states of some interfaces. In this case, you can use this function to disable other interfaces from generating link up and link down log information.
  An interface is unstable and continuously outputs log information. In this case, you can disable the interface from generating link up and link down log information.

Use the default setting in normal cases to avoid affecting interface status monitoring.

To disable an interface from generating link up/down logging information:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, or VLAN interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Disable the interface from generating link up or link down logging information.
  Command: undo enable log updown
  Remarks: By default, all interfaces generate link up and link down logging information when the state changes.

Displaying and maintaining information center

Task: Display information about information channels.
  Command: display channel [ channel-number | channel-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information center configuration information.
  Command: display info-center [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the state and the log information of the log buffer.
  Command: display logbuffer [ reverse ] [ level severity | size buffersize ] * [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display a summary of the log buffer.
  Command: display logbuffer summary [ level severity ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the content of the log file buffer.
  Command: display logfile buffer [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the log file configuration.
  Command: display logfile summary [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the state and the trap information of the trap buffer.
  Command: display trapbuffer [ reverse ] [ size buffersize ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear the log buffer.
  Command: reset logbuffer
  Remarks: Available in user view.
Task: Clear the trap buffer.
  Command: reset trapbuffer
  Remarks: Available in user view.

Information center configuration examples

Outputting log information to the console

Network requirements

Configure the LB to send ARP and IP log information that has a severity level of at least informational to the console.

Figure 6 Network diagram

Configuration procedure

# Enable the information center.
<LB> system-view
[LB] info-center enable

# Use channel console to output log information to the console. (This step is optional because it is the default setting.)
[LB] info-center console channel console

# Disable the output of log, trap, and debug information of all modules on channel console.
[LB] info-center source default channel console debug state off log state off trap state off

To avoid output of unnecessary information, disable the output of log, trap, and debug information of all modules on the specified channel (console in this example), and then configure the output rule as needed.

# Configure an output rule to enable the LB to send ARP and IP log information that has a severity level of at least informational to the console.

[LB] info-center source arp channel console log level informational state on
[LB] info-center source ip channel console log level informational state on
[LB] quit

# Enable the display of log information on the console. (This function is enabled by default.)
<LB> terminal monitor
Info: Current terminal monitor is on.
<LB> terminal logging
Info: Current terminal logging is on.

Now, if the ARP and IP modules generate log information, the information center automatically sends the log information to the console.

Outputting log information to a UNIX log host

Network requirements

Configure the LB to send ARP and IP log information that has a severity level of at least informational to the UNIX log host at 1.2.0.1/16.

Figure 7 Network diagram

Configuration procedure

Before the configuration, make sure the LB and the log host can reach each other. (Details not shown.)

1. Configure the LB:

# Enable the information center.
<LB> system-view
[LB] info-center enable

# Specify the log host 1.2.0.1/16, use channel loghost to output log information (optional, loghost by default), and specify local4 as the logging facility.
[LB] info-center loghost 1.2.0.1 channel loghost facility local4

# Disable the output of log, trap, and debug information of all modules on channel loghost.
[LB] info-center source default channel loghost debug state off log state off trap state off

To avoid outputting unnecessary information, disable the output of log, trap, and debug information on the specified channel (loghost in this example) before you configure an output rule.

# Configure an output rule to output to the log host ARP and IP log information that has a severity level of at least informational.
[LB] info-center source arp channel loghost log level informational state on trap state off
[LB] info-center source ip channel loghost log level informational state on trap state off

2. Configure the log host:

The following configurations were performed on Solaris, which has configurations similar to the UNIX operating systems implemented by other vendors.

a. Log in to the log host as a root user.

b. Create a subdirectory named LB in directory /var/log/, and then create file info.log in the LB directory to save logs from the LB.
# mkdir /var/log/lb
# touch /var/log/lb/info.log

c. Edit the file syslog.conf in directory /etc/ and add the following contents.
# LB configuration messages
local4.info /var/log/lb/info.log

In this configuration, local4 is the name of the logging facility that the log host uses to receive logs. info is the informational level. The UNIX system records the log information that has a severity level of at least informational to the file /var/log/lb/info.log.

NOTE: Be aware of the following issues while editing file /etc/syslog.conf:
  Comments must be on a separate line and must begin with a pound sign (#).
  No redundant spaces are allowed after the file name.
  The logging facility name and the information level specified in the /etc/syslog.conf file must be identical to those configured on the LB by using the info-center loghost and info-center source commands. Otherwise, the log information might not be output properly to the log host.

d. Display the process ID of syslogd, kill the syslogd process, and then restart syslogd using the -r option to make the new configuration take effect.
# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &

Now, the system can record log information into the log file.

Outputting log information to a Linux log host

Network requirements

Configure the LB to send log information that has a severity level of at least informational to the Linux log host at 1.2.0.1/16.

Figure 8 Network diagram

Configuration procedure

Before the configuration, make sure the LB and the log host can reach each other. (Details not shown.)

1. Configure the LB:

# Enable the information center.
<LB> system-view
[LB] info-center enable

# Specify the host 1.2.0.1/16 as the log host, use the channel loghost to output log information (optional, loghost by default), and specify local5 as the logging facility. [LB] info-center loghost 1.2.0.1 channel loghost facility local5 # Configure an output rule to output to the log host the log information that has a severity level of at least informational. [LB] info-center source default channel loghost log level informational state on debug state off trap state off Disable the output of unnecessary information of all modules on the specified channel in the output rule. 2. Configure the log host: a. Log in to the log host as a root user. b. Create a subdirectory named LB in the directory /var/log/, and create file info.log in the LB directory to save logs from the LB. # mkdir /var/log/lb # touch /var/log/lb/info.log c. Edit the file syslog.conf in the directory /etc/ and add the following contents. # LB configuration messages local5.info /var/log/lb/info.log In this configuration, local5 is the name of the logging facility used by the log host to receive logs. info is the information level. The Linux system will record the log information with severity level equal to or higher than informational to file /var/log/lb/info.log. NOTE: Be aware of the following issues while editing file /etc/syslog.conf: Comments must be on a separate line and must begin with a pound sign (#). No redundant spaces are allowed after the file name. The logging facility name and the information level specified in the /etc/syslog.conf file must be identical to those configured on the LB by using the info-center loghost and info-center source commands. Otherwise, the log information might not be output properly to the log host. d. Display the process ID of syslogd, kill the syslogd process, and then restart syslogd using the r option to make the new configuration take effect. 
      # ps -ae | grep syslogd
      147
      # kill -9 147
      # syslogd -r &
      Make sure the syslogd process is started with the -r option on a Linux log host.
      Now, the system can record log information into the log file.

Saving security logs into the security log file

Network requirements
Save security logs into the security log file cfa0:/securitylog/seclog.log every one hour. Only the security log administrator can view the contents of the security log file. No other logged-in users can view, copy, or rename the security log file.
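The NOTE above says the facility and level in /etc/syslog.conf must match the info-center loghost and info-center source commands, and that comments and trailing spaces are not tolerated on selector lines. The following checker is an added example (not HP's tooling) that applies those rules to an LB configuration fragment and a syslog.conf fragment; it assumes the LB side is given as the two info-center command lines and that level names follow standard syslog usage.

```python
# Added example (not HP's own tooling): check that the log host's /etc/syslog.conf
# selector matches the LB's info-center configuration, and apply the editing rules
# from the NOTE (comments on their own line, no redundant spaces after the file name).
# Assumption: the LB side is given as 'info-center loghost' and 'info-center source'
# command lines; level names are the standard syslog severities.
import re

# info-center severity names, index 0 = most severe ... 7 = least severe.
LB_LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
             "notifications", "informational", "debugging"]
# The same severities as syslog.conf keywords, in the same order.
SYSLOG_LEVELS = ["emerg", "alert", "crit", "err", "warning",
                 "notice", "info", "debug"]


def parse_info_center(config_text):
    """Return (facility, level) configured on the LB; None for a value not set."""
    facility = level = None
    for raw in config_text.splitlines():
        line = re.sub(r"^\[\S+\]\s*", "", raw.strip())   # drop the [LB] prompt
        m = re.match(r"info-center loghost \S+.*\bfacility (local[0-7])\b", line)
        if m:
            facility = m.group(1)
        m = re.match(r"info-center source \S+ channel loghost .*\blog level (\w+)", line)
        if m:
            level = m.group(1)
    return facility, level


def parse_syslog_conf(conf_text, log_file):
    """Return ((facility, level) routed to log_file or None, list of problems)."""
    problems, selector = [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # blank line or a comment on its own line
        if raw != raw.rstrip():
            problems.append(f"line {n}: redundant spaces after the file name")
        if "#" in raw:
            problems.append(f"line {n}: comments must be on a separate line")
            raw = raw.split("#", 1)[0]
        fields = raw.split()
        if len(fields) != 2 or "." not in fields[0]:
            problems.append(f"line {n}: expected 'facility.level <file>'")
            continue
        facility, _, level = fields[0].partition(".")
        if fields[1] == log_file:
            selector = (facility, level)    # the last matching selector wins
    return selector, problems


def check(lb_config, syslog_conf, log_file):
    """List every mismatch that would keep LB logs out of log_file (empty = OK)."""
    facility, level = parse_info_center(lb_config)
    selector, problems = parse_syslog_conf(syslog_conf, log_file)
    if facility is None or level is None:
        problems.append("LB configuration does not set both facility and log level")
        return problems
    if selector is None:
        problems.append(f"no syslog.conf selector writes to {log_file}")
        return problems
    host_facility, host_level = selector
    if host_facility != facility:
        problems.append(f"facility mismatch: LB sends {facility}, host expects {host_facility}")
    if level not in LB_LEVELS or host_level not in SYSLOG_LEVELS:
        problems.append(f"unknown level name: LB {level!r}, host {host_level!r}")
    elif LB_LEVELS.index(level) != SYSLOG_LEVELS.index(host_level):
        problems.append(f"level mismatch: LB {level}, host {host_level}")
    return problems


LOG_FILE = "/var/log/lb/info.log"
# Constructed sample: the LB side of the Linux log host procedure above.
LB_CONFIG = """\
[LB] info-center loghost 1.2.0.1 channel loghost facility local5
[LB] info-center source default channel loghost log level informational state on debug state off trap state off
"""
# Constructed syslog.conf fragment that matches it (tab between the two fields).
GOOD_CONF = "# LB configuration messages\nlocal5.info\t/var/log/lb/info.log\n"
# Constructed fragment with an inline comment, a trailing space, the wrong
# facility (local4, from the UNIX procedure) and the wrong level.
BAD_CONF = ("local4.info\t/var/log/lb/info.log # LB messages\n"
            "local4.notice /var/log/lb/info.log \n")

if __name__ == "__main__":
    print("good:", check(LB_CONFIG, GOOD_CONF, LOG_FILE))   # []
    for p in check(LB_CONFIG, BAD_CONF, LOG_FILE):
        print("bad:", p)
```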

Figure 9 Network diagram

Configuration considerations
The configuration in this example includes two parts:
1. Log in to the LB as the system administrator:
   - Enable saving of security logs into the security log file and set the saving interval to one hour.
   - Create a local user seclog with the password 123123123123, and authorize this user as the security log administrator. That is, use the authorization-attribute command to set the user privilege level to 3 and specify the user role as security audit. In addition, specify the service types that the user can use by using service-type.
   - Set the authentication mode to scheme for the user logging in to the LB, and make sure only a local user who has passed AAA local authentication can view and perform operations on the security log file.
2. Log in to the LB as the security log administrator:
   - Set the directory for saving the security log file to cfa0:/securitylog/seclog.log.
   - View the contents of the security log file to learn the security status of the LB.

Configuration procedure
1. Configuration performed by the system administrator
   # Enable saving security logs into the security log file and set the saving interval to one hour.
   <LB> system-view
   [LB] info-center security-logfile enable
   [LB] info-center security-logfile frequency 3600
   # Create a local user seclog, and configure the password for the user as 123123123123.
   [LB] local-user seclog
   New local user added.
   [LB-luser-seclog] password simple 123123123123
   # Authorize the user to manage the security log file.
   [LB-luser-seclog] authorization-attribute level 3 user-role security-audit
   # Authorize the user to use SSH, Telnet, and terminal services.
   [LB-luser-seclog] service-type ssh telnet terminal
   [LB-luser-seclog] quit

   # According to the network plan, the user will log in to the LB through SSH or Telnet, so configure the authentication mode of the VTY user interface as scheme.
   [LB] display user-interface vty?
     INTEGER<0-4>  Specify one user terminal interface
   The output shows that the LB supports five VTY user interfaces, which are numbered 0 through 4.
   [LB] user-interface vty 0 4
   [LB-ui-vty0-4] authentication-mode scheme
   [LB-ui-vty0-4] quit
2. Configuration performed by the security log administrator
   # Log in to the LB as user seclog.
   C:/> telnet 1.1.1.1
   ******************************************************************************
   * Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.          *
   * Without the owner's prior written consent,                                 *
   * no decompiling or reverse-engineering shall be allowed.                    *
   ******************************************************************************
   Login authentication
   Username:seclog
   Password:
   <Sysname>
   # Display the summary of the security log file.
   <LB> display security-logfile summary
     Security-log is enabled.
     Security-log file size quota: 1MB
     Security-log file directory: cfa0:/seclog
     Alarm-threshold: 80%
     Current usage: 0%
     Writing frequency: 1 hour 0 min 0 sec
   The output shows that the directory for saving the security log file is cfa0:/seclog.
   # Change the directory where the security log file is saved to cfa0:/securitylog.
   <LB> mkdir securitylog
   %Created dir cfa0:/securitylog.
   <LB> info-center security-logfile switch-directory cfa0:/securitylog/
   # Display the contents of the security log file buffer.
   <LB> display security-logfile buffer
   %@175 Nov 2 17:02:53:766 2012 LB SHELL/4/LOGOUT: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.2: logout from Console
   %@176 Nov 2 17:02:53:766 2012 LB SHELL/5/SHELL_LOGOUT:Console logged out from con0.
   The content of other logs is not shown.
   The preceding information indicates that there is still new content in the buffer that has not been saved into the security log file.

   # Manually save the contents of the security log file buffer into the security log file.
   <LB> security-logfile save
   Info: Save all the contents in the security log buffer into file cfa0:/securitylog/seclog.log successfully.
   # Display the contents of the security log file.
   <LB> more securitylog/seclog.log
   %@157 Nov 2 16:12:01:750 2012 LB SHELL/4/LOGIN: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
   %@158 Nov 2 16:12:01:750 2012 LB SHELL/5/SHELL_LOGIN:Console logged in from con0.
   The content of other logs is not shown.
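The security log administrator's job is to read files like seclog.log, so a parser for the line format shown above is the natural next step. The following is an added example (not HP's code) that parses the `%@seq Mon day hh:mm:ss:ms year sysname MODULE/severity/MNEMONIC: text` lines into records, then runs two audit checks: gaps in the %@ sequence numbers (which may indicate entries missing from the file) and entries at warning severity or worse. It assumes the severity digit follows the 0 (emergency) to 7 (debug) scale used by the system log report later in this chapter, and its sample input is built from the lines shown on this page.

```python
# Added example (not HP's own code): parse LB security/system log lines and run
# two audit checks over them. Assumptions: every line has the form
# '%@seq Mon day hh:mm:ss:ms year sysname MODULE/sev/MNEMONIC: text' and the
# severity digit uses the 0 (emergency) .. 7 (debug) scale of the system log report.
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^%@(?P<seq>\d+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hms>\d\d:\d\d:\d\d):(?P<ms>\d{1,3})\s+(?P<year>\d{4})\s+"
    r"(?P<sysname>\S+)\s+(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+):\s*(?P<text>.*)$")

SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]
WARNING = 4          # entries with severity <= 4 deserve an administrator's attention


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['hms']}",
                           "%b %d %Y %H:%M:%S")
    ts = ts.replace(microsecond=int(m["ms"]) * 1000)   # ':766' is milliseconds
    sev = int(m["sev"])
    return {"seq": int(m["seq"]), "time": ts, "sysname": m["sysname"],
            "module": m["module"], "severity": sev,
            "severity_name": SEVERITY_NAMES[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def audit(lines):
    """Parse a batch of lines and report sequence gaps, severe entries and logins."""
    entries = [e for e in map(parse_line, lines) if e]
    gaps = [(prev["seq"], cur["seq"])
            for prev, cur in zip(entries, entries[1:])
            if cur["seq"] != prev["seq"] + 1]          # missing %@ numbers
    attention = [e for e in entries if e["severity"] <= WARNING]
    logins = [e["text"] for e in entries if e["mnemonic"] == "SHELL_LOGIN"]
    return {"entries": len(entries), "gaps": gaps,
            "attention": attention, "logins": logins}


# Constructed sample: the four entries shown in this example, in file order.
SAMPLE_LOG = """\
%@157 Nov 2 16:12:01:750 2012 LB SHELL/4/LOGIN: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
%@158 Nov 2 16:12:01:750 2012 LB SHELL/5/SHELL_LOGIN:Console logged in from con0.
%@175 Nov 2 17:02:53:766 2012 LB SHELL/4/LOGOUT: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.2: logout from Console
%@176 Nov 2 17:02:53:766 2012 LB SHELL/5/SHELL_LOGOUT:Console logged out from con0.
"""

if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print(f"{report['entries']} entries, sequence gaps: {report['gaps']}")
    for e in report["attention"]:
        print(f"  [{e['severity_name']}] #{e['seq']} {e['module']}/{e['mnemonic']}: {e['text']}")
    print("logins:", report["logins"])
```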

Managing logs

This chapter describes how to manage various types of logs.

Configuring syslog

Syslog can be configured only in the Web interface.

The syslog module allows you to set parameters for the information center. The information center classifies and manages system information and it can output log information to the Web interface and log hosts.

To configure syslog:
1. Select Log Report > Syslog from the navigation tree to enter the page as shown in Figure 10.

Figure 10 Syslog

2. Configure syslog settings as described in Table 7.
3. Click Apply.

Table 7 Configuration items
Item: Log Buffer Size
Description: Set the number of syslogs that can be stored in the log buffer. Syslogs that can be stored in the log buffer include system logs, connection limit logs, attack prevention logs, and blacklist logs.

Item: Log Host (IP Address; Log Host 1, Log Host 2, Log Host 3, Log Host 4)
Description: Set the address (IPv4 address, host name, or IPv6 address), port number, and the VPN instance. You can report log information to log hosts in the format of syslog. You can specify up to four syslog log hosts.
Item: Refresh Period
Description: Set the refresh period on the log information displayed on the log report Web interface. You can select manual refresh or automatic refresh:
  - Manual: Refresh the Web interface to view the latest information.
  - Automatic: Select to refresh the webpage every 10 seconds, 30 seconds, 1 minute, 5 minutes, or 10 minutes.

To clear syslogs:
4. Select Log Report > Syslog from the navigation tree to enter the page as shown in Figure 10.
5. Click Clear Log. The system clears all syslogs, including system logs, connection limit logs, attack prevention logs, and blacklist logs.

User logging (flow logging) overview

To generate user logs, configure session logging (see "Configuring session logging").

User logging records users' access information to the external network. The device classifies flows based on 5-tuple information, including the source IP address, destination IP address, source port, destination port, and protocol number. User logging records the 5-tuple information of the packets and the numbers of bytes received and sent. With user logging, administrators can track and record accesses to the network.

You can output user logs in one of the following formats:
- Output logs to the information center in the format of system information. The information center determines the output destination.
- Output logs to a log host in UDP packets in binary format.

Two versions are available with user logging: version 1.0 and version 3.0, which are slightly different in packet format. For more information about packet formats, see Table 8 and Table 9.
Table 8 Packet format in user logging version 1.0
Field: SourceIP
Description: Source IP address.
Field: DestIP
Description: Destination IP address.
Field: SrcPort
Description: TCP/UDP source port number.
Field: DestPort
Description: TCP/UDP destination port number.
Field: StartTime
Description: Start time of the flow, in seconds, counted from 1970/1/1 0:0.
Field: EndTime
Description: End time of the flow, in seconds, counted from 1970/1/1 0:0.

Field: Prot
Description: Protocol.
Field: Operator
Description: Indicates the reason why the flow ended.
Field: Reserved
Description: For future applications.

Table 9 Packet format in user logging version 3.0
Field: Prot
Description: Protocol.
Field: Operator
Description: Indicates the reason why the flow ended.
Field: IpVersion
Description: IP packet version.
Field: TosIPv4
Description: ToS field of the IPv4 packet.
Field: SourceIP
Description: Source IP address.
Field: SrcNatIP
Description: Source IP address after Network Address Translation (NAT).
Field: DestIP
Description: Destination IP address.
Field: DestNatIP
Description: Destination IP address after NAT.
Field: SrcPort
Description: TCP/UDP source port number.
Field: SrcNatPort
Description: TCP/UDP source port number after NAT.
Field: DestPort
Description: TCP/UDP destination port number.
Field: DestNatPort
Description: TCP/UDP destination port number after NAT.
Field: StartTime
Description: Start time of the flow, in seconds, counted from 1970/01/01 00:00.
Field: EndTime
Description: End time of the flow, in seconds, counted from 1970/01/01 00:00.
Field: InTotalPkg
Description: Number of packets received.
Field: InTotalByte
Description: Number of bytes received.
Field: OutTotalPkg
Description: Number of packets sent.
Field: OutTotalByte
Description: Number of bytes sent.
Field: Reserved1
Description: Reserved in version 0x02. In version 0x03, the first byte is the source VPN ID, the second byte is the destination VPN ID, and the third and fourth bytes are reserved.
Field: Reserved2
Description: For future applications.
Field: Reserved3
Description: For future applications.

Configuring user logging in the Web interface

To configure user logging:
1. Select Log Report > Userlog from the navigation tree to enter the page as shown in Figure 11.

Figure 11 User logging

2. Configure user logging settings as described in Table 10.
3. Click Apply.

Table 10 Configuration items
Item: Version
Description: Set the user logging version, 1.0 or 3.0.
  IMPORTANT: Configure the user logging version according to the capacity of the log receiving device. If the log receiving device does not support user logging of the specified version, the device cannot resolve the logs received.
Item: Log timestamps
Description: Set the time zone for userlogs: UTC or localtime.
  - UTC: Coordinated Universal Time, loosely defined as current date and time of day in Greenwich, England.
  - Localtime: Coordinated Universal Time (UTC) plus the UTC offset.
Item: Source IP Address of Packets
Description: Set the source IP address of user logging packets.
  After you specify the source IP address, when Device A sends user logs to Device B, it uses the specified IP address instead of the actual egress address as the source IP address of the packets. In this way, although Device A sends out packets to Device B through different ports, Device B can judge whether the packets are sent from Device A according to their source IP addresses. This function also simplifies ACL and security policy configurations. If you specify the same source address as the source or destination address in the rule command in an ACL, the IP address variance and the influence of interface status can be masked to filter user logging packets.
  HP recommends you to use the IP address of the loopback interface as the source IP address of user logging packets.

Item: Log Host Configuration (Log Host 1, Log Host 2)
Description: Set the IPv4/IPv6 addresses, port number, and the VPN instance (this option is available only when you specify a log host with an IPv4 address) of the userlog log host to encapsulate user logs in UDP packets and send them to the specified userlog log host. The log host can analyze and display the user logs to remotely monitor the device. You can specify up to two userlog log hosts.
  IMPORTANT: To avoid collision with the common UDP port numbers, use a UDP port number in the range 1025 to 65535.
Item: Output user logs to the information center
Description: Set to output user logs to the information center in the format of system information.
  IMPORTANT: With this function enabled, user logs will not be output to the specified userlog log host. Outputting user logs to the information center occupies the storage space of the device. Output user logs to the information center only when there is a small amount of user logs.

Displaying user logging statistics

If you select to send user logs in UDP packets to the specified userlog log host, you can view the related statistics, including the total number of user logs sent to the log host, the total number of UDP packets, and the total number of user logs stored in the device log buffer.
1. Select Log Report > Userlog from the navigation tree to enter the page as shown in Figure 11.
2. Click the Statistics expansion button on the page to view the user logging statistics as shown in Figure 12.

Figure 12 Viewing user logging statistics

Clearing user logs and user logging statistics
1. Select Log Report > Userlog from the navigation tree to enter the page as shown in Figure 11.
2. Click the Statistics expansion button on the page to display the information as shown in Figure 12.
3. Click Reset. The system clears all user logging statistics for the device and user logs in the log buffer.

Configuring the time zone for user logs

User logs can be recorded in UTC or localtime:
- UTC: Coordinated Universal Time, loosely defined as current date and time of day in Greenwich, England.
- Localtime: Coordinated Universal Time (UTC) plus the UTC offset.

To configure the time zone for user logs:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the system to record user logs in localtime.
  Command: userlog flow export timestamps localtime
  Remarks: By default, userlogs are recorded in UTC.

Configuring user logging at the CLI

At the CLI, user logging is also known as "flow logging."

User logging configuration task list
Task: Configuring the user logging version
Task: Configuring the source address for user logging packets
Task: Exporting user logs
  - Exporting user logs to log servers
  - Exporting user logs to the information center
  Remarks: Required. Use either method.

Configuring the user logging version

Configure the user logging version according to the receiver capability. A receiver cannot resolve user logs correctly if it does not support the version of the user logs.

To configure the user logging version:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the user logging version.
  Command: userlog flow export version version-number
  Remarks: The default version is 1.0. Although the device supports two versions, only one can be active at one time. Therefore, if you configure the user logging version multiple times, the most recent configuration takes effect.

Configuring the source address for user logging packets

A source IP address is usually used to uniquely identify the sender of a packet. Suppose Device A sends flow logs to Device B. Device A uses the specified IP address instead of the actual egress address as the source IP address of the packets. In this way, although Device A sends out packets to Device B through different ports, Device B can judge whether the packets are sent from Device A according to their source IP addresses. This function also simplifies the configurations of ACLs and security policies. You only need to specify one address to filter packets from or to a device.

To configure the source address for user logging packets:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify the source IP address of user logging packets.
  Command: userlog flow export source-ip ip-address
  Remarks: By default, the source IP address of user logging packets is the IP address of the egress interface.

Exporting user logs

User logs can be exported in the following ways:
- User logs can be encapsulated into UDP packets and sent to an IPv4 log server or an IPv6 log server (see Figure 13). The log server analyzes user logs and displays them by class, thus realizing remote monitoring.
- User logs in the format of system information are exported to the information center of the device. You can set the output destinations of the user logs by setting the output parameters of the system information. For more information about the information center, see "Configuring the information center."

The two export approaches are mutually exclusive. If you configure both approaches, the system automatically exports user logs to the information center.

Exporting user logs to log servers

You can specify at most two log servers of the same type or different types for a device. There are three types of log servers: the VPN user logging server, the IPv4 user logging server, and the IPv6 user logging server.
If you have already specified two servers, you need to delete one to specify a new one. If you specify a new server that has the same IP address as the current server but other information that is different, the new configuration overwrites the current one.

To export user logs to an IPv4 log server:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the IPv4 address and UDP port number of the log server.
  Command: userlog flow export [ vpn-instance vpn-instance-name ] host ipv4-address udp-port
  Remarks: Not configured by default.

To export user logs to an IPv6 log server:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the IPv6 address and UDP port number of the log server.
  Command: userlog flow export [ vpn-instance vpn-instance-name ] host ipv6 ipv6-address udp-port
  Remarks: Not configured by default.

Exporting user logs to the information center

Exporting user logs to the information center occupies device storage space, so use this export approach only if there is a small amount of logs. User logs exported to the information center have a severity level of informational.

To export user logs to the information center:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Export user logs to the information center.
  Command: userlog flow syslog
  Remarks: User logs are exported to the log server by default.

Displaying and maintaining user logging
Task: Display the configuration and statistics about user logging.
  Command: display userlog export [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear statistics about user logging.
  Command: reset userlog flow export
  Remarks: Available in user view.
Task: Clear user logs in the log buffer.
  Command: reset userlog flow logbuffer
  Remarks: Available in user view.

User logging configuration example

Network requirements
As shown in Figure 13, configure user logging on the LB so that the log server can monitor the user's access to the network.

Figure 13 Network diagram

Configuration procedure
# Configure IP addresses for the interfaces according to the network diagram. Make sure that the devices can reach each other. (Details not shown.)
# Set the user logging version to 3.0.
<LB> system-view
[LB] userlog flow export version 3
# Export user logs to the log server with IP address 1.2.3.6:2000.
[LB] userlog flow export host 1.2.3.6 2000
# Configure the source IP address of UDP packets carrying user logs as 2.2.2.2.
[LB] userlog flow export source-ip 2.2.2.2

Configuration verification
# Display the configuration and statistics about user logs.
<LB> display userlog export
flow:
  Export Version 3 logs to log server  : enabled
  Source address of exported logs      : 2.2.2.2
  Address of log server                : 1.2.3.6 (port: 2000)
  total Logs/UDP packets exported      : 112/87
  Logs in buffer                       : 6

Troubleshooting user logging

Symptom 1: No user log is exported
Analysis: No export approach is specified.
Solution: Configure user logging to export user logs to the information center or to the log server.

Symptom 2: User logs cannot be exported to the log server
Analysis: Both of the export approaches are configured.
Solution: Restore to the default, and then configure the IP address and UDP port number of the log server.
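The rules in this section (at most two log servers, a same-address entry overwrites the earlier one, the two export approaches are mutually exclusive, and the troubleshooting symptoms) can be checked before a configuration is applied. The following lint is an added example, not HP's tooling; it assumes the configuration is given as the userlog flow command lines (with or without the [LB] prompt) and takes the 1025 to 65535 UDP port recommendation from the Web configuration table earlier in this chapter.

```python
# Added example (not HP's own tooling): lint the 'userlog flow export' commands of
# an LB configuration against the rules in this section. Assumptions: the config
# is text with one command per line (the [LB] prompt is optional); the UDP port
# range 1025-65535 is the recommendation from the Web configuration table.
import re

MAX_LOG_SERVERS = 2
HOST_RE = re.compile(r"userlog flow export(?: vpn-instance (\S+))? host (ipv6 )?(\S+) (\d+)$")
VERSION_RE = re.compile(r"userlog flow export version (\d+)$")


def lint_userlog(config_text):
    """Return (state, findings): the effective export state and a list of problems."""
    version, servers, to_info_center, findings = None, {}, False, []
    for raw in config_text.splitlines():
        line = re.sub(r"^\[\S+\]\s*", "", raw.strip())     # drop the [LB] prompt
        if not line.startswith("userlog flow"):
            continue
        m = VERSION_RE.match(line)
        if m:
            v = int(m.group(1))
            if v not in (1, 3):
                findings.append(f"unsupported user logging version {v}; only 1.0 and 3.0 exist")
            elif version is not None and version != v:
                findings.append(f"version changed from {version} to {v}; only the last setting takes effect")
            version = v
            continue
        m = HOST_RE.match(line)
        if m:
            vpn, ip, port = m.group(1), m.group(3), int(m.group(4))
            if ip in servers:
                findings.append(f"log server {ip}: earlier entry overwritten by the new settings")
            elif len(servers) >= MAX_LOG_SERVERS:
                findings.append(f"log server {ip}: already {MAX_LOG_SERVERS} servers, delete one first")
                continue
            if not 1025 <= port <= 65535:
                findings.append(f"log server {ip}: UDP port {port} may collide with a common port")
            servers[ip] = (vpn, port)
            continue
        if line == "userlog flow syslog":
            to_info_center = True
    # The two export approaches are mutually exclusive (Symptom 2); none at all is Symptom 1.
    if to_info_center and servers:
        findings.append("both export approaches configured: logs go to the information "
                        "center, not to the log servers (Symptom 2)")
    if not to_info_center and not servers:
        findings.append("no export approach configured: no user log is exported (Symptom 1)")
    state = {"version": version if version is not None else 1,   # default version 1.0
             "servers": servers, "info_center": to_info_center}
    return state, findings


# Constructed sample: the configuration example above, which should lint clean.
GOOD_CONFIG = """\
[LB] userlog flow export version 3
[LB] userlog flow export host 1.2.3.6 2000
[LB] userlog flow export source-ip 2.2.2.2
"""
# Constructed sample reproducing Symptom 2, a third server and a low UDP port.
BAD_CONFIG = """\
[LB] userlog flow export host 1.2.3.6 514
[LB] userlog flow export host 1.2.3.7 2000
[LB] userlog flow export host 1.2.3.8 2000
[LB] userlog flow syslog
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        state, findings = lint_userlog(cfg)
        print(name, state)
        for f in findings:
            print("  -", f)
```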

Configuring session logging

Session logging can be configured only in the Web interface.

Session logging records users' access information, IP address translation information, and traffic information, and can output the records in a specific format to a log host, allowing administrators to perform security auditing.

Session logging records an entry for a session if it reaches the specified threshold. Session logging supports two categories of thresholds:
- Time threshold: When the lifetime of a session reaches this threshold, a log entry is output for the session.
- Traffic threshold: The traffic threshold can be in units of the number of bytes or the number of packets. When the traffic of a session reaches the specified number of bytes or packets, a log entry is output for the session.

For more information about session management, see Security Configuration Guide.

Session logs are output in the format of user logs. To view session logs, you also need to configure user logging.

Session logging configuration task list
Task: Configuring a session logging policy
  Remarks: Required. Configure a session logging policy, specifying the source zone and destination zone of the sessions and the ACL for filtering log entries. By default, no session logging policy exists.
Task: Setting session logging thresholds
  Remarks: Required. Configure the time threshold and/or traffic threshold for session logging. By default, both the time threshold and traffic threshold are 0, meaning that no session logging entries are output.
  IMPORTANT: If both the time threshold and traffic threshold are configured, a log entry is output for the session when it reaches either threshold, and the statistics of the session will be cleared.

Configuring a session logging policy
1. Select Log Report > Session Log > Log Policy from the navigation tree to display existing session logging policies, as shown in Figure 14.

Figure 14 Session logging policy list

2. Click Add to enter the session logging policy configuration page, as shown in Figure 15.

Figure 15 Creating a session logging policy

3. Configure a session logging policy as described in Table 11.
4. Click Apply.

Table 11 Configuration items
Item: Source Zone, Destination Zone
Description: Specify the source zone and destination zone. You can configure an optional security zone on the page entered by selecting Security > Zone.
Item: ACL
Description: Specify the ACL for filtering log entries; only log entries permitted by the ACL will be output. The rules of the specified ACL can be configured on the page entered by selecting Security > ACL.

Setting session logging thresholds
1. Select Log Report > Session Log > Global Setup from the navigation tree to enter the page for setting session logging thresholds, as shown in Figure 16.

Figure 16 Global configuration page

2. Configure session logging thresholds as described in Table 12.
3. Click Apply.

Table 12 Configuration items
Item: Time Threshold
Description: Set the time threshold for outputting session logging entries. With this argument set, log entries will be output for sessions whose lifetimes reach the specified time threshold.
Item: Traffic Threshold
Description: Set the traffic threshold for outputting session logging entries. It can be in number of packets or bytes. With the traffic threshold set, log entries will be output for sessions whose traffic reaches the specified threshold in number of bytes or packets.

Log report

The log report module allows you to view the following types of log information on the device:
- System logs.
- Connection limit logs.
- Attack prevention logs.
- Blacklist logs.
- User logs.

Except that the user logs can be viewed at both the Web interface and the CLI, all other types of log information can only be viewed in the Web interface.

Displaying system logs

Select Log Report > Report > System Log from the navigation tree to enter the page as shown in Figure 17. Table 13 describes the configuration items.

Figure 17 Operation log configuration page

Table 13 Configuration items
Item: Time/Date
Description: Time when the system log was generated.
Item: Source
Description: Module that generated the system log.
Item: Level
Description: Severity level of the system log. For more information about severity levels, see Table 14.
Item: Description
Description: Content of the system log.

Table 14 System log severity level
Severity level   Description                                   Value
Emergency        The system is unusable.                       0
Alert            Information that demands prompt reaction.     1
Critical         Critical information.                         2
Error            Error information.                            3
Warning          Warning information.                          4
Notification     Normal but significant information.           5
Information      Informational information to be recorded.     6
Debug            Information generated during debugging.       7
Note: A smaller value represents a higher severity level.

Displaying connection limit logs

Select Log Report > Report > Connection Limit Log from the navigation tree to enter the page as shown in Figure 18. Table 15 describes the configuration items.

Figure 18 Connection limit log configuration page

Table 15 Configuration items
Item: Time/Date
Description: Time when the connection limit log was generated.
Item: Type
Description: Type of the traffic alarm:
  - too many source IP sessions: The number of source IP-based connections exceeds the upper limit.
  - too many source IP sessions: The number of destination IP-based connections exceeds the upper limit.
Item: Source Zone
Description: Source zone of the connection.
Item: Source IP
Description: Source IP address of the connection.
Item: Destination Zone
Description: Destination zone of the connection.
Item: Destination IP
Description: Destination IP address of the connection.
Item: Current Rate
Description: Rate of the current connection.
Item: Current Connection
Description: Total number of the current connections.
Item: TCP Percentage
Description: Percentage of TCP packets to the total packets.
Item: UDP Percentage
Description: Percentage of UDP packets to the total packets.
Item: ICMP Percentage
Description: Percentage of ICMP packets to the total packets.

Displaying attack prevention logs

Select Log Report > Report > Attack Prevention Log from the navigation tree to enter the page as shown in Figure 19. Table 16 describes the configuration items.

Figure 19 Attack prevention log configuration page

Table 16 Configuration items
Item: Time
Description: Time when the attack was detected.
Item: Type
Description: Attack type.
Item: Interface
Description: Interface that receives the attack packets.
Item: Source IP
Description: Source IP address of the attack packets.
Item: Source MAC
Description: Source MAC address of the attack packets.
Item: Destination IP
Description: Destination IP address of the attack packets.
Item: Destination MAC
Description: Destination MAC address of the attack packets.
Item: Speed
Description: Connection speed of the attack.

Displaying blacklist logs

Select Log Report > Report > Blacklist Log from the navigation tree to enter the page as shown in Figure 20. Table 17 describes the configuration items.

Figure 20 Blacklist log configuration page

Table 17 Configuration items
Item: Time/Date
Description: Time when the log was generated.
Item: Mode
Description: Whether the log is added or removed.
Item: Source IP
Description: Source IP address.
Item: Reason
Description: Why the source IP address was added to the blacklist:
  - Auto insert: The source IP address was automatically added to the blacklist by the system.
  - Manual insert: The source IP address was manually added to the blacklist through the Web interface.
Item: Hold Time
Description: Hold time.

Displaying user logs (flow logging)

This section describes how to view the userlog in the Web interface. For information about viewing the userlog at the CLI, see "Displaying and maintaining user logging."

To display user logs through the Web interface, configure outputting user logs to the information center.

Select Log Report > Report > Userlog from the navigation tree to enter the page for displaying user logs. If you select the 1.0 option, the user logging 1.0 information is displayed, as shown in Figure 21. If you select the 3.0 option, the user logging 3.0 information is displayed, as shown in Figure 22.

Figure 21 User logging 1.0 log report

Figure 22 User logging 3.0 log report

Table 18 User logging 1.0 configuration items
Item: Time/Date
Description: Time and date when the user log was generated.
Item: Protocol Type
Description: Protocol type of the flow log.
Item: Flow Information
Description: Flow information:
  - If the protocol type is TCP or UDP, the displayed flow information is source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69.
  - If the protocol type is any type other than TCP or UDP, the displayed flow information is source IP address-->destination IP address, for example, 1.1.1.2-->1.1.2.10.
Item: Start Time
Description: Time when the flow was created.
Item: End Time
Description: Time when the flow was removed.
Item: Flow Action
Description: Operator field of the flow:
  - (1) Normal over: The flow ended normally.
  - (2) Aged for timeout: Timer timed out.
  - (3) Aged for reset or config-change: Flow aging due to configuration change.
  - (4) Aged for no enough resource: Flow aging due to insufficient resource.
  - (5) Aged for no-pat of NAT: One-to-one NAT. In this case, only the source IP address, the source IP address after translation, and the time fields are available.
  - (6) Active data flow timeout: The lifetime of the flow reached the limit.
  - (8) Data flow created: Record for the flow when it was created.
  - (254) Other: Other reasons.