12-Network Management and Monitoring Configuration Guide

14-Flow Logging Configuration

Flow logging configuration

Flow logging overview

Introduction to flow logging

Flow logging records users' access to the extranet. The device classifies and counts flows by their 5-tuple (source IP address, destination IP address, source port, destination port, and protocol number) and generates user flow logs from them. Each flow log records the 5-tuple of the packets and the number of bytes received and sent. With flow logs, administrators can track and record accesses to the network, which helps them maintain the availability and security of the network.

Flow logging versions

Two versions are available with flow logging: version 1.0 and version 3.0, which are slightly different in packet format. For more information, see the following two tables.

Table 1 UDP packet format in flow logging version 1.0

Field      Description
SIP        Source IP address
DIP        Destination IP address
SPORT      TCP/UDP source port number
DPORT      TCP/UDP destination port number
STIME      Start time of a flow, in seconds, counted from 1970/1/1 0:0
ETIME      End time of a flow, in seconds, counted from 1970/1/1 0:0
PROT       Protocol carried over IP
OPERATOR   Indicates the reason why a flow ended
RESERVED   For future applications

Table 2 Packet format in flow logging version 3.0

Field          Description
Prot           Protocol carried over IP
Operator       Indicates the reason why a flow ended
IpVersion      IP packet version
TosIPv4        ToS field of the IPv4 packet
SourceIP       Source IP address
SrcNatIP       Source IP address after Network Address Translation (NAT)
DestIP         Destination IP address
DestNatIP      Destination IP address after NAT
SrcPort        TCP/UDP source port number
SrcNatPort     TCP/UDP source port number after NAT
DestPort       TCP/UDP destination port number
DestNatPort    TCP/UDP destination port number after NAT
StartTime      Start time of a flow, in seconds, counted from 1970/01/01 00:00
EndTime        End time of a flow, in seconds, counted from 1970/01/01 00:00
InTotalPkg     Number of packets received
InTotalByte    Number of bytes received
OutTotalPkg    Number of packets sent
OutTotalByte   Number of bytes sent
Reserved1      Reserved in version 0x02 (FirewallV200R001). In version 0x03 (FirewallV200R005), the first byte is the source VPN ID, the second byte is the destination VPN ID, and the third and fourth bytes are reserved.
Reserved2      For future applications
Reserved3      For future applications
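The following is an added example, not code from the H3C guide, showing how a log server might decode version 3.0 records laid out in the field order of Table 2 and aggregate them by the pre-NAT 5-tuple that the device classifies flows on. The guide gives only the field names and order, not the field widths or how records are packed into a UDP datagram; the fixed-width, network-byte-order layout, the 64-byte record size, the concatenation of records inside one datagram, and all sample flows below are assumptions constructed for this example.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address

# Assumed network-byte-order layout of one version 3.0 record in Table 2 order:
# four 1-byte codes, four IPv4 addresses, four 2-byte ports, six 4-byte
# times/counters, Reserved1 (src VPN ID, dst VPN ID, 2 pad bytes), Reserved2,
# Reserved3. The guide gives no widths; these are this example's assumptions.
V3_RECORD = struct.Struct("!BBBB4s4s4s4sHHHHIIIIIIBBxx4s4s")
V3_RECORD_SIZE = V3_RECORD.size  # 64 bytes under the assumed layout

@dataclass(frozen=True)
class FlowRecord:
    prot: int
    operator: int          # reason the flow ended; kept as an opaque code
    ip_version: int
    tos: int
    src_ip: IPv4Address
    src_nat_ip: IPv4Address
    dst_ip: IPv4Address
    dst_nat_ip: IPv4Address
    src_port: int
    src_nat_port: int
    dst_port: int
    dst_nat_port: int
    start_time: int        # seconds since 1970/01/01 00:00
    end_time: int
    in_pkts: int
    in_bytes: int
    out_pkts: int
    out_bytes: int
    src_vpn_id: int        # Reserved1 byte 1, version 0x03 meaning
    dst_vpn_id: int        # Reserved1 byte 2, version 0x03 meaning

    @property
    def five_tuple(self):
        """Pre-NAT 5-tuple the device classifies flows on."""
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.prot)

def pack_v3_record(rec):
    """Encode a record under the assumed layout (used to build sample data)."""
    return V3_RECORD.pack(
        rec.prot, rec.operator, rec.ip_version, rec.tos,
        rec.src_ip.packed, rec.src_nat_ip.packed, rec.dst_ip.packed, rec.dst_nat_ip.packed,
        rec.src_port, rec.src_nat_port, rec.dst_port, rec.dst_nat_port,
        rec.start_time, rec.end_time, rec.in_pkts, rec.in_bytes, rec.out_pkts, rec.out_bytes,
        rec.src_vpn_id, rec.dst_vpn_id, b"\0" * 4, b"\0" * 4)  # Reserved2, Reserved3

def parse_v3_record(chunk):
    """Decode one record and reject values that cannot be right."""
    f = V3_RECORD.unpack(chunk)
    rec = FlowRecord(*f[0:4], *[IPv4Address(b) for b in f[4:8]], *f[8:20])
    if rec.ip_version != 4:
        raise ValueError(f"unsupported IpVersion {rec.ip_version}")
    if rec.end_time < rec.start_time:
        raise ValueError("EndTime precedes StartTime")
    return rec

def parse_v3_datagram(payload):
    """Split a UDP payload into records. Assumes records are concatenated with no
    datagram header (an assumption); a truncated payload is rejected outright."""
    if not payload or len(payload) % V3_RECORD_SIZE:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {V3_RECORD_SIZE}")
    return [parse_v3_record(payload[i:i + V3_RECORD_SIZE])
            for i in range(0, len(payload), V3_RECORD_SIZE)]

def summarize_by_five_tuple(records):
    """Aggregate per pre-NAT 5-tuple, keeping each post-NAT source seen for it."""
    totals = defaultdict(lambda: {"flows": 0, "in_bytes": 0, "out_bytes": 0, "nat_src": set()})
    for r in records:
        t = totals[r.five_tuple]
        t["flows"] += 1
        t["in_bytes"] += r.in_bytes
        t["out_bytes"] += r.out_bytes
        t["nat_src"].add((r.src_nat_ip, r.src_nat_port))
    return dict(totals)

# Constructed sample flows (not a device capture): two TCP/443 flows from one
# internal host behind NAT, and one DNS query from another host.
SAMPLE_RECORDS = [
    FlowRecord(6, 1, 4, 0, IPv4Address("10.0.0.5"), IPv4Address("198.51.100.1"),
               IPv4Address("203.0.113.10"), IPv4Address("203.0.113.10"),
               40000, 1025, 443, 443, 1700000000, 1700000030, 12, 1500, 10, 9000, 0, 0),
    FlowRecord(6, 1, 4, 0, IPv4Address("10.0.0.5"), IPv4Address("198.51.100.1"),
               IPv4Address("203.0.113.10"), IPv4Address("203.0.113.10"),
               40000, 1026, 443, 443, 1700000100, 1700000160, 8, 900, 6, 4100, 0, 0),
    FlowRecord(17, 2, 4, 0, IPv4Address("10.0.0.7"), IPv4Address("198.51.100.1"),
               IPv4Address("192.0.2.53"), IPv4Address("192.0.2.53"),
               53000, 1027, 53, 53, 1700000200, 1700000201, 1, 70, 1, 120, 1, 1),
]
SAMPLE_DATAGRAM = b"".join(pack_v3_record(r) for r in SAMPLE_RECORDS)

def demo():
    """Decode the sample datagram and return the per-5-tuple summary."""
    return summarize_by_five_tuple(parse_v3_datagram(SAMPLE_DATAGRAM))
```

The summary keeps the post-NAT source address and port for every pre-NAT 5-tuple, which is what an analyst needs to tie an observation made on the public side of the NAT back to the internal host; a datagram whose length is not a whole number of records is rejected rather than partially decoded, so a truncated or malformed export cannot silently produce a half-record.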

 

Flow logging configuration task list

Complete the following tasks to configure flow logging:

Task                                                       Remarks
Configuring flow logging version                           Optional
Configuring the source address for flow logging packets    Optional
Exporting flow logs:
    Exporting flow logs to log server                      Required. Use either approach.
    Exporting flow logs to information center

Configuring flow logging version

Configure the flow logging version according to what the receiver supports. A receiver cannot parse flow logs correctly if it does not support the configured flow logging version.

To configure the flow logging version:

Step                                     Command                                         Remarks
1. Enter system view.                    system-view                                     N/A
2. Configure the flow logging version.   userlog flow export version version-number      Optional. The default flow logging version is 1.0.

NOTE:

Although the router supports both versions, only one can be active at a time. If you configure the flow logging version multiple times, the most recent configuration takes effect.

Configuring the source address for flow logging packets

A source IP address is normally what identifies the sender of a packet. If you specify a source IP address for flow logging packets, then when Device A sends flow logs to Device B, it uses the specified address rather than the address of the actual egress interface as the source IP address of those packets. Even if Device A sends the packets to Device B through different interfaces, Device B can still tell from the source IP address that they come from Device A. This also simplifies ACL and security policy configuration: if you use that same address as the source or destination address in an ACL rule command, the rule matches the flow logging packets regardless of which interface sends them or of interface state changes, so the packets can be filtered reliably.

To configure the source address for flow logging packets:

Step                                                        Command                                       Remarks
1. Enter system view.                                       system-view                                   N/A
2. Specify the source IP address of flow logging packets.   userlog flow export source-ip ip-address      Optional. By default, the source IP address of flow logging packets is the IP address of the egress interface of the packets.

Exporting flow logs

Flow logs can be exported in two ways:

· Flow logs are encapsulated into UDP packets and sent to a log server on the network, as shown in Figure 1. The log server analyzes the flow logs and displays them by class, enabling remote monitoring.

· Flow logs in the format of system information are exported to the information center of the router. You set the output destinations of the flow logs by setting the output parameters of the system information. For more information about the information center, see the chapter Information center configuration.

NOTE:

The two export approaches are mutually exclusive. If you configure both approaches at the same time, the system exports the flow logs to the information center.

Exporting flow logs to log server

Exporting flow logs to an IPv4 log server

To export flow logs to an IPv4 log server:

Step                                                                  Command                                                                                            Remarks
1. Enter system view.                                                 system-view                                                                                        N/A
2. Configure the IPv4 address and UDP port number of the log server.  userlog flow export slot slot-number [ vpn-instance vpn-instance-name ] host ipv4-address udp-port   Not configured by default.

Exporting flow logs to an IPv6 log server

To export flow logs to an IPv6 log server:

Step                                                                  Command                                                                                            Remarks
1. Enter system view.                                                 system-view                                                                                        N/A
2. Configure the IPv6 address and UDP port number of the log server.  userlog flow export slot slot-number host ipv6 ipv6-address udp-port                               Not configured by default.

NOTE:

You must configure the flow logging server for each card separately. For each card, you can select at most two log servers from the three types of log servers (flow logging server in a VPN, IPv4 flow logging server, and IPv6 flow logging server) to receive flow logs. If you specify two log servers for a card, they can be of the same type or of different types. If you have already specified two servers for a card, you must delete an existing one before you can specify a new one. If a new configuration has the same IP address as the currently effective configuration but differs in other respects, the new configuration overwrites the previous one.

Exporting flow logs to information center

To export flow logs to the information center:

Step                                          Command                 Remarks
1. Enter system view.                         system-view             N/A
2. Export flow logs to the information center.  userlog flow syslog     Flow logs are exported to the log server by default.

NOTE:

· Exporting flow logs to the information center takes up storage space on the router, so use this export approach only when the amount of logs is small.

· When flow logs are exported to the information center, their severity level is informational, that is, general messages of the router.

Displaying and maintaining flow logging

 

Task                                                          Command                                                                                             Remarks
Display the configuration and statistics about flow logging.  display userlog export slot slot-number [ | { begin | exclude | include } regular-expression ]      Available in any view
Clear statistics of all logs.                                 reset userlog flow export slot slot-number                                                          Available in user view
Clear flow logs in the cache.                                 reset userlog flow logbuffer slot slot-number                                                       Available in user view

CAUTION:

Clearing flow logs in the cache loses the cached log information, so H3C recommends that you do not clear the cache unless you are sure you want to.

Flow logging configuration example

Network requirements

As shown in Figure 1, Log server is used to monitor User’s access to the network.

Figure 1 Network diagram

 

Configuration procedure

Configure Device:

# Set the flow logging version to 3.0.

<Sysname> system-view

[Sysname] userlog flow export version 3

# Export flow logs of the interface board in slot 2 to the log server with IP address 1.2.3.6:2000.

[Sysname] userlog flow export slot 2 host 1.2.3.6 2000

# Configure the source IP address of UDP packets carrying flow logs as 2.2.2.2.

[Sysname] userlog flow export source-ip 2.2.2.2

Configuration verification

# Display the configuration and statistics about flow logs of the board in slot 2.

<Device> display userlog export slot 2
nat:
  No userlog export is enabled

flow:
  Export Version 3 logs to log server : enabled
  Source address of exported logs     : 2.2.2.2
  Address of log server               : 1.2.3.6 (port: 2000)
  total Logs/UDP packets exported     : 128/91
  Logs in buffer                      : 10
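As an added example that is not part of the guide, the script below parses the output of display userlog export, shaped like the verification step above, and compares it against the exporter settings the configuration procedure intended (version 3, source address 2.2.2.2, log server 1.2.3.6 port 2000). The sample output string is constructed from this example; the exact line layout of real router output may differ, in which case the regular expressions need adjusting.

```python
import re

# Constructed sample of `display userlog export slot 2` output, following the
# verification step of this guide (not captured from a real router).
SAMPLE_OUTPUT = """\
nat:
  No userlog export is enabled

flow:
  Export Version 3 logs to log server : enabled
  Source address of exported logs     : 2.2.2.2
  Address of log server               : 1.2.3.6 (port: 2000)
  total Logs/UDP packets exported     : 128/91
  Logs in buffer                      : 10
"""

# The settings the configuration procedure above intended.
EXPECTED = {"version": 3, "source": "2.2.2.2", "server": ("1.2.3.6", 2000)}

_PATTERNS = {
    "version": re.compile(r"Export Version (\d+) logs to log server\s*:\s*(\S+)"),
    "source": re.compile(r"Source address of exported logs\s*:\s*(\S+)"),
    "server": re.compile(r"Address of log server\s*:\s*(\S+)\s*\(port:\s*(\d+)\)"),
    "exported": re.compile(r"total Logs/UDP packets exported\s*:\s*(\d+)/(\d+)"),
    "buffered": re.compile(r"Logs in buffer\s*:\s*(\d+)"),
}

def parse_flow_export(output):
    """Extract the flow-logging fields of the display output into a dict."""
    # Only the "flow:" section matters here; the "nat:" section is skipped.
    flow = output.split("flow:", 1)[1] if "flow:" in output else ""
    parsed = {}
    if (m := _PATTERNS["version"].search(flow)):
        parsed["version"] = int(m.group(1))
        parsed["enabled"] = m.group(2).lower() == "enabled"
    if (m := _PATTERNS["source"].search(flow)):
        parsed["source"] = m.group(1)
    if (m := _PATTERNS["server"].search(flow)):
        parsed["server"] = (m.group(1), int(m.group(2)))
    if (m := _PATTERNS["exported"].search(flow)):
        parsed["logs_exported"], parsed["packets_exported"] = int(m.group(1)), int(m.group(2))
    if (m := _PATTERNS["buffered"].search(flow)):
        parsed["logs_buffered"] = int(m.group(1))
    return parsed

def check_flow_export(parsed, expected):
    """Return a list of findings; an empty list means the exporter matches intent."""
    findings = []
    if not parsed.get("enabled"):
        findings.append("export to log server is not enabled")
    for key in ("version", "source", "server"):
        if parsed.get(key) != expected[key]:
            findings.append(f"{key}: expected {expected[key]!r}, found {parsed.get(key)!r}")
    # Logs piling up in the buffer with nothing exported points at the export
    # path, not at flow classification (compare the troubleshooting symptoms).
    if parsed.get("logs_exported", 0) == 0 and parsed.get("logs_buffered", 0) > 0:
        findings.append("logs are buffered but none have been exported")
    return findings

def demo():
    return check_flow_export(parse_flow_export(SAMPLE_OUTPUT), EXPECTED)
```

Run against a saved copy of the display output after each change to the exporter, so that an unintended version change, a redirected log server, or a silently failing export shows up as a finding rather than as a gap in the logs later.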

Troubleshooting flow logging

Symptom 1: No flow logs are exported

· Analysis: Neither export approach is specified.

· Solution: Configure the router to export the flow logs either to the information center or to the log server.

Symptom 2: Flow logs cannot be exported to the log server

· Analysis: Both export approaches are configured.

· Solution: Restore the default settings, and then configure the IP address and UDP port number of the log server.