12-Network Management and Monitoring Configuration Guide
14-Flow Logging Configuration
Contents
Flow logging configuration task list
Configuring flow logging version
Configuring the source address for flow logging packets
Exporting flow logs to log server
Exporting flow logs to information center
Displaying and maintaining flow logging
Flow logging configuration example
Flow logging overview
Introduction to flow logging
Flow logging records users' access to the extranet. The device classifies flows by their 5-tuple (source IP address, destination IP address, source port, destination port, and protocol number) and generates a user flow log for each flow. Each flow log records the 5-tuple of the packets and the number of bytes received and sent. With flow logs, administrators can track and record accesses to the network, which supports both the availability and the security of the network.
Flow logging versions
Two versions are available with flow logging: version 1.0 and version 3.0, which are slightly different in packet format. For more information, see the following two tables.
Table 1 UDP packet format in flow logging version 1.0

Field | Description |
---|---|
SIP | Source IP address |
DIP | Destination IP address |
SPORT | TCP/UDP source port number |
DPORT | TCP/UDP destination port number |
STIME | Start time of a flow, in seconds, counted from 1970/1/1 0:0 |
ETIME | End time of a flow, in seconds, counted from 1970/1/1 0:0 |
PROT | Protocol carried over IP |
OPERATOR | Indicates the reason why a flow ended |
RESERVED | For future applications |
Table 2 Packet format in flow logging version 3.0

Field | Description |
---|---|
Prot | Protocol carried over IP |
Operator | Indicates the reason why a flow ended |
IpVersion | IP packet version |
TosIPv4 | ToS field of the IPv4 packet |
SourceIP | Source IP address |
SrcNatIP | Source IP address after Network Address Translation (NAT) |
DestIP | Destination IP address |
DestNatIP | Destination IP address after NAT |
SrcPort | TCP/UDP source port number |
SrcNatPort | TCP/UDP source port number after NAT |
DestPort | TCP/UDP destination port number |
DestNatPort | TCP/UDP destination port number after NAT |
StartTime | Start time of a flow, in seconds, counted from 1970/01/01 00:00 |
EndTime | End time of a flow, in seconds, counted from 1970/01/01 00:00 |
InTotalPkg | Number of packets received |
InTotalByte | Number of bytes received |
OutTotalPkg | Number of packets sent |
OutTotalByte | Number of bytes sent |
Reserved1 | Reserved in version 0x02 (FirewallV200R001). In version 0x03 (FirewallV200R005), the first byte is the source VPN ID, the second byte is the destination VPN ID, and the third and fourth bytes are reserved. |
Reserved2 | For future applications |
Reserved3 | For future applications |
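The version 3.0 fields in Table 2 are what a log server works with once it has decoded the UDP export. The following added example (not part of this guide) models a decoded version 3.0 record with those field names and shows two things an administrator does with them: a per-user access summary keyed on the pre-NAT SourceIP, and a simple detection that flags a source touching many distinct destination ports on one host. The byte layout of the UDP payload is not given on this page, so decoding is assumed to have happened already; the sample records and addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowLogV3:
    """A decoded flow logging version 3.0 record (Table 2 field names, subset)."""
    Prot: int; Operator: int
    SourceIP: str; SrcNatIP: str; DestIP: str; DestNatIP: str
    SrcPort: int; SrcNatPort: int; DestPort: int; DestNatPort: int
    StartTime: int; EndTime: int          # seconds since 1970/01/01 00:00
    InTotalByte: int; OutTotalByte: int

def per_user_summary(flows):
    """Per internal user (pre-NAT SourceIP): flow count, bytes each way,
    distinct (DestIP, DestPort, Prot) tuples and the post-NAT addresses used."""
    out = defaultdict(lambda: {"flows": 0, "bytes_in": 0, "bytes_out": 0,
                               "dests": set(), "nat_ips": set()})
    for f in flows:
        u = out[f.SourceIP]
        u["flows"] += 1
        u["bytes_in"] += f.InTotalByte
        u["bytes_out"] += f.OutTotalByte
        u["dests"].add((f.DestIP, f.DestPort, f.Prot))
        u["nat_ips"].add(f.SrcNatIP)
    return dict(out)

def port_fanout(flows, max_ports):
    """SourceIPs that hit more than max_ports distinct TCP/UDP destination
    ports on a single DestIP within these records (a vertical-scan indicator)."""
    ports = defaultdict(set)
    for f in flows:
        if f.Prot in (6, 17):             # TCP or UDP, per the Prot field
            ports[(f.SourceIP, f.DestIP)].add(f.DestPort)
    return sorted({src for (src, _), p in ports.items() if len(p) > max_ports})

def sample_flows():
    """Constructed records: one normal user and one probing four ports."""
    def mk(src, dst, dport, prot, start, end, bytes_in, bytes_out):
        return FlowLogV3(prot, 1, src, "203.0.113.10", dst, dst, 40000, 50000,
                         dport, dport, start, end, bytes_in, bytes_out)
    return [mk("10.0.0.5", "198.51.100.7", 443, 6, 1000, 1060, 4000, 900),
            mk("10.0.0.5", "198.51.100.7", 80, 6, 1070, 1075, 300, 200),
            mk("10.0.0.9", "198.51.100.8", 22, 6, 2000, 2001, 0, 60),
            mk("10.0.0.9", "198.51.100.8", 23, 6, 2001, 2002, 0, 60),
            mk("10.0.0.9", "198.51.100.8", 25, 6, 2002, 2003, 0, 60),
            mk("10.0.0.9", "198.51.100.8", 53, 17, 2003, 2004, 0, 60)]

if __name__ == "__main__":
    print(per_user_summary(sample_flows()))
    print(port_fanout(sample_flows(), 2))   # ['10.0.0.9']
```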
Flow logging configuration task list
Complete the following tasks to configure flow logging:

Task | Remarks |
---|---|
Configuring flow logging version | Optional |
Configuring the source address for flow logging packets | Optional |
Exporting flow logs to log server, or Exporting flow logs to information center | Required. Use either approach. |
Configuring flow logging version
Configure the flow logging version according to the receiver's capability. A receiver cannot parse flow logs correctly if it does not support the configured flow logging version.
To configure the flow logging version:

Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the flow logging version. | userlog flow export version version-number | Optional. The default flow logging version is 1.0. |

NOTE: Although the router supports both versions, only one can be active at a time. If you configure the flow logging version multiple times, the latest configuration takes effect.
Configuring the source address for flow logging packets
A source IP address is normally used to uniquely identify the sender of a packet. If a source IP address is specified, then when Device A, for example, sends flow logs to Device B, it uses the specified IP address instead of the actual egress interface address as the source IP address of the packets. In this way, although Device A may send packets to Device B through different ports, Device B can determine from the source IP address whether the packets came from Device A. This function also simplifies ACL and security policy configuration: if you use the same address as the source or destination address in the ACL rule command, the rule is unaffected by which egress address or interface is actually in use, so flow logging packets can be filtered reliably.
To configure the source address for flow logging packets:

Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the source IP address of flow logging packets. | userlog flow export source-ip ip-address | Optional. By default, the source IP address of flow logging packets is the IP address of the egress interface of the packets. |
Exporting flow logs
Flow logs can be exported in two ways:
· Flow logs are encapsulated into UDP packets and sent to a log server on the network, as shown in Figure 1. The log server analyzes the flow logs and displays them by class, enabling remote monitoring.
· Flow logs in the format of system information are exported to the information center of the router. You can set the output destinations of the flow logs by setting the output parameters of the system information. For more information about the information center, see the chapter "Information center configuration."

NOTE: The two export approaches are mutually exclusive. If you configure both approaches at the same time, the system exports the flow logs to the information center.
Exporting flow logs to log server
Exporting flow logs to an IPv4 log server
To export flow logs to an IPv4 log server:

Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the IPv4 address and UDP port number of the log server. | userlog flow export slot slot-number [ vpn-instance vpn-instance-name ] host ipv4-address udp-port | Not configured by default. |
Exporting flow logs to an IPv6 log server
To export flow logs to an IPv6 log server:

Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the IPv6 address and UDP port number of the log server. | userlog flow export slot slot-number host ipv6 ipv6-address udp-port | Not configured by default. |

NOTE: You must configure the flow logging server for each card separately. For each card, you can select at most two log servers from the three types (flow logging server in a VPN, IPv4 flow logging server, and IPv6 flow logging server). If you specify two log servers for a router, they can be of the same type or of different types. If two servers are already specified for a card, you must delete one of them before specifying a new one. If a new configuration uses the same IP address as the currently effective configuration but differs in other parameters, the new configuration overwrites the previous one.
Exporting flow logs to information center
To export flow logs to the information center:

Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Export flow logs to the information center. | userlog flow syslog | Flow logs are exported to the log server by default. |

NOTE:
· Exporting flow logs to the information center consumes storage space on the router, so use this export approach only when the volume of logs is small.
· When flow logs are exported to the information center, the severity level of the logs is informational, that is, general messages of the router.
Displaying and maintaining flow logging

Task | Command | Remarks |
---|---|---|
Display the configuration and statistics about flow logging. | display userlog export slot slot-number [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Clear statistics of all logs. | reset userlog flow export slot slot-number | Available in user view |
Clear flow logs in the cache. | reset userlog flow logbuffer slot slot-number | Available in user view |

CAUTION: Clearing flow logs in the cache loses the log information, so H3C recommends that you do not clear the cache unless you are sure you want to.
Flow logging configuration example
Network requirements
As shown in Figure 1, Log server is used to monitor User’s access to the network.
Configuration procedure
Configure Device:
# Set the flow logging version to 3.0.
<Sysname> system-view
[Sysname] userlog flow export version 3
# Export flow logs of the interface board in slot 2 to the log server with IP address 1.2.3.6:2000.
[Sysname] userlog flow export slot 2 host 1.2.3.6 2000
# Configure the source IP address of UDP packets carrying flow logs as 2.2.2.2.
[Sysname] userlog flow export source-ip 2.2.2.2
Configuration verification
# Display the configuration and statistics about flow logs of the board in slot 2.
<Device> display userlog export slot 2
nat:
  No userlog export is enabled
flow:
  Export Version 3 logs to log server : enabled
  Source address of exported logs     : 2.2.2.2
  Address of log server               : 1.2.3.6 (port: 2000)
  total Logs/UDP packets exported     : 128/91
  Logs in buffer                      : 10
Troubleshooting flow logging
Symptom 1: No flow logs are exported
· Analysis: Neither export approach is specified.
· Solution: Configure the device to export flow logs either to the information center or to the log server.
Symptom 2: Flow logs cannot be exported to the log server
· Analysis: Both export approaches are configured, so the logs go to the information center.
· Solution: Restore the default configuration, and then configure the IP address and UDP port number of the log server.