64-Log Management

Log Management

The log management feature lets you store the system messages (logs) generated by actions such as packet filtering in the log buffer, or send them to log hosts. Analyzing and archiving the logs lets you identify security holes in the firewall, find out who attempted to violate security policies and when, and determine the types of network attacks. Real-time logs can also be used to detect attacks that are in progress.

 

The device drops invalid packets without logging them, for example an IP packet with an incorrect header checksum or an invalid destination IP address, or a raw IP packet carrying protocol 1, 6, or 17 (ICMP, TCP, or UDP). You can see the details of such drops by entering the debugging command in the CLI.

 

Configuring Syslog

The syslog module allows you to set the parameters of the information center. Acting as the system information hub, the information center classifies and manages system information, giving network administrators and developers strong support for monitoring network performance and diagnosing network problems. The information center can output log information to the Web interface for users to view, and it can also output log information to the specified syslog log hosts according to your configuration.

Select Log Report > Syslog from the navigation tree to enter the page as shown in Figure 1-1.

Figure 1-1 Syslog

 

Table 1-1 describes the syslog configuration items.

Table 1-1 Syslog configuration items

Log Buffer Size: Set the number of syslogs that can be stored in the log buffer.

Clear Log: Click this button to clear the logs in the log buffer.

Log Host1 to Log Host4: Set the IP addresses and port numbers of the syslog log hosts. The log information can be reported to the specified remote log hosts in syslog format, and you can specify up to four syslog log hosts.

Refresh Period: Set the refresh period for the log information displayed on the log report Web interface. You can select manual or automatic refresh:

- Manual: You need to refresh the Web interface yourself to display the latest log report information.

- Automatic: The Web page is refreshed every 10 seconds, 30 seconds, 1 minute, 5 minutes, or 10 minutes, as selected.

 

Configuring User Logging

User logs can be output in either of the following two formats. At present, the device supports flow logging only.

- Output to the information center of the device in the format of system information; the information center then decides the output destination.

- Output to the specified userlog log host in UDP packets in binary format.

Configuring Flow Logging

 

At present, flow logs refer to session logs only. To generate flow logs, you need to configure session logging.

 

Introduction

Flow logging records users' access to the external network. The device classifies flows and keeps statistics for them by their 5-tuple (source IP address, destination IP address, source port, destination port, and protocol number) and generates user flow logs from these flows. Each flow log records the 5-tuple of the packets and the numbers of bytes received and sent. With flow logging, administrators can track and record accesses to the network, which helps maintain the availability and security of the network.

Two versions are available with flow logging: version 1.0 and version 3.0, which are slightly different in packet format. For details, see the following two tables.

Table 1-2 Packet format in flow logging version 1.0

SourceIP: Source IP address
DestIP: Destination IP address
SrcPort: TCP/UDP source port number
DestPort: TCP/UDP destination port number
StartTime: Start time of the flow, in seconds, counted from 1970/01/01 00:00
EndTime: End time of the flow, in seconds, counted from 1970/01/01 00:00
Prot: Protocol carried over IP
Operator: Indicates the reason why the flow ended
Reserved: For future applications

 

Table 1-3 Packet format in flow logging version 3.0

Prot: Protocol carried over IP
Operator: Indicates the reason why the flow ended
IpVersion: IP packet version
TosIPv4: ToS field of the IPv4 packet
SourceIP: Source IP address
SrcNatIP: Source IP address after Network Address Translation (NAT)
DestIP: Destination IP address
DestNatIP: Destination IP address after NAT
SrcPort: TCP/UDP source port number
SrcNatPort: TCP/UDP source port number after NAT
DestPort: TCP/UDP destination port number
DestNatPort: TCP/UDP destination port number after NAT
StartTime: Start time of the flow, in seconds, counted from 1970/01/01 00:00
EndTime: End time of the flow, in seconds, counted from 1970/01/01 00:00
InTotalPkg: Number of packets received
InTotalByte: Number of bytes received
OutTotalPkg: Number of packets sent
OutTotalByte: Number of bytes sent
Reserved1: Reserved in version 0x02 (FirewallV200R001). In version 0x03 (FirewallV200R005), the first byte is the source VPN ID, the second byte is the destination VPN ID, and the third and fourth bytes are reserved.
Reserved2: For future applications
Reserved3: For future applications

 

Configuring flow logging

Select Log Report > Userlog from the navigation tree to enter the page as shown in Figure 1-2.

Figure 1-2 Flow logging

 

Table 1-4 describes the configuration items of flow logging.

Table 1-4 Flow logging configuration items

Version: Set the version of flow logging, 1.0 or 3.0. Configure the flow logging version according to the capability of the log receiving device: if the log receiving device does not support flow logging of the selected version, it cannot parse the logs it receives.

Source IP Address of Packets: Set the source IP address of flow logging packets. After the source IP address is specified, when Device A sends flow logs to Device B, it uses the specified IP address instead of the actual egress interface address as the source IP address of the packets. In this way, although Device A sends packets to Device B through different interfaces, Device B can tell whether the packets come from Device A by their source IP address. This also simplifies ACL and security policy configuration: if you use the same address as the source or destination address in an ACL rule, the variation of egress addresses and the influence of interface status are masked, so flow logging packets can be filtered reliably. It is recommended that you use the IP address of a loopback interface as the source IP address of flow logging packets.

Loghost 1 / Loghost 2: Set the VPN instance, IP address, and port number of the userlog log host. Flow logs are encapsulated in UDP packets and sent to the specified userlog log host, which can analyze and display them to monitor the device remotely.

- Centralized device: Up to two different userlog log hosts can be specified.

- Distributed or stacking device: Up to two different userlog log hosts can be specified for each card.

To avoid collisions with well-known UDP port numbers, it is recommended that you use a UDP port number in the range 1025 to 65535.

Output flow logs to information center: Set whether to output flow logs to the information center in the format of system information.

- With this function enabled, flow logs are not output to the specified userlog log host.

- Outputting flow logs to the information center consumes storage space on the device. Therefore, output flow logs to the information center only when the volume of flow logs is small.

 

Displaying flow logging statistics

If you have configured sending flow logs in UDP packets to the specified userlog log host, you can view the related statistics, including the total number of flow logs sent to the log host, the total number of UDP packets sent, and the total number of flow logs held in the device cache.

Click the Statistics expansion button on the Flow Log page to view the information shown in Figure 1-3.

- Centralized device: Click Reset to clear all flow logging statistics of the device and the flow logs in the cache.

- Distributed or stacking device: Click Reset to clear all flow logging statistics of a card and the flow logs in the cache.

Figure 1-3 View flow logging statistics

 

Session Logging

Session Logging Overview

Session logging records users’ access information, IP address translation information, and traffic information, and can output the records in a specific format to a log host, allowing administrators to perform security auditing.

Session logging records an entry for a session if it reaches the specified threshold. Session logging supports two categories of thresholds:

- Time threshold: When the lifetime of a session reaches this threshold, a log entry is output for the session.

- Traffic threshold: The traffic threshold is expressed as a number of bytes or a number of packets. When the traffic of a session reaches the specified number of bytes or packets, a log entry is output for the session.

 

- For information about session management, refer to Session Management.

- Session logs are output in the format of flow logs. To view session logs, you also need to configure flow logging.

 

Perform the tasks in Table 1-5 to configure session logging.

Table 1-5 Session logging configuration task list

Configuring a Session Logging Policy (required): Configure a session logging policy, specifying the source zone and destination zone of the sessions and the ACL for filtering log entries. By default, no session logging policy exists.

Setting Session Logging Thresholds (required): Configure the time threshold and/or traffic threshold for session logging. By default, both the time threshold and the traffic threshold are 0, meaning that no session log entries are output. If both thresholds are configured, a log entry is output for a session as soon as it reaches either threshold, and the statistics of the session are then cleared.
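The threshold rules above, as an added Python model that is not the device's own code: a threshold of 0 is disabled, an entry is output when a session reaches either threshold, and the session's statistics are cleared afterwards (it is assumed here that the clear restarts the lifetime timer as well as the traffic counter). The session key and traffic are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class SessionLogger:
    """Models the session logging threshold rules of Table 1-5 (added
    illustration, not device code). A threshold of 0 means disabled."""
    time_threshold: int = 0       # seconds, default 0 (disabled)
    traffic_threshold: int = 0    # bytes (packets work the same way), default 0
    sessions: dict = field(default_factory=dict)  # key -> (period_start, bytes)
    entries: list = field(default_factory=list)   # log entries output so far

    def observe(self, key, now, nbytes):
        """Account nbytes for session key at time now; return the entry output, if any."""
        start, total = self.sessions.get(key, (now, 0))
        total += nbytes
        if self.time_threshold and now - start >= self.time_threshold:
            reason = "time"
        elif self.traffic_threshold and total >= self.traffic_threshold:
            reason = "traffic"
        else:
            self.sessions[key] = (start, total)
            return None
        entry = {"session": key, "reason": reason, "bytes": total, "lifetime": now - start}
        self.entries.append(entry)
        # Statistics are cleared once the entry is output; the assumed reset
        # also restarts the lifetime timer for the next period.
        self.sessions[key] = (now, 0)
        return entry

def demo():
    """Replay constructed traffic for one session under two threshold settings."""
    key = "6 1.1.1.2:1026-->1.1.2.10:69"   # protocol + 5-tuple, constructed
    events = [(0, 4000), (10, 4000), (20, 4000), (30, 100), (95, 100)]  # (t, bytes)
    # Defaults (0, 0): no session log entries are ever output.
    off = SessionLogger()
    off_out = [off.observe(key, t, n) for t, n in events]
    # 60 s time threshold and 10 000-byte traffic threshold configured together:
    # the traffic threshold fires first (t=20), then the time threshold (t=95).
    both = SessionLogger(time_threshold=60, traffic_threshold=10_000)
    both_out = [both.observe(key, t, n) for t, n in events]
    return off_out, both_out
```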

 

Configuring a Session Logging Policy

Select Log Report > Session Log > Log Policy from the navigation tree to display existing session logging policies, as shown in Figure 1-4. Then, click Add to enter the session logging policy configuration page, as shown in Figure 1-5.

Figure 1-4 Session logging policy list

 

Figure 1-5 Create a session logging policy

 

Table 1-6 describes the configuration items for configuring a session logging policy.

Table 1-6 Configuration items for configuring a session logging policy

Source Zone / Destination Zone: Specify the source zone and destination zone. If needed, you can configure a security zone through System > Zone.

ACL: Specify the ACL for filtering log entries. Only log entries permitted by the ACL are output.

 


Setting Session Logging Thresholds

Select Log Report > Session Log > Global Setup from the navigation tree to enter the page for setting session logging thresholds, as shown in Figure 1-6.

Figure 1-6 Global configuration page

 

Table 1-7 describes the configuration items for setting session logging thresholds.

Table 1-7 Configuration items for setting session logging thresholds

Time Threshold: Set the time threshold for outputting session log entries. With this threshold set, a log entry is output for each session whose lifetime reaches it.

Traffic Threshold: Set the traffic threshold for outputting session log entries, as a number of packets or bytes. With this threshold set, a log entry is output for each session whose traffic reaches the specified number of bytes or packets. Support for this feature depends on the device model.

 


Log Report

The log report module allows you to view the log information on the device, and you can view the following logs through the Web interface:

- System logs

- Connection limit logs

- Attack prevention logs

- Blacklist logs

- Inter-zone policy logs

- User logs

Displaying System Logs

Select Log Report > Report > System Log from the navigation tree to enter the page as shown in Figure 1-7.

Figure 1-7 Operation log configuration page

 

Table 1-8 describes the system log configuration items.

Table 1-8 System log configuration items

Time/Date: Displays the time when the system log was generated.
Source: Displays the module that generated the system log.
Level: Displays the severity level of the system log. For a description of the severity levels, refer to Table 1-9.
Description: Displays the contents of the system log.

 

Table 1-9 System log severity levels

Severity level   Value   Description
Emergency        0       The system is unavailable.
Alert            1       Information that demands prompt reaction
Critical         2       Critical information
Error            3       Error information
Warning          4       Warnings
Notification     5       Normal information that needs to be noticed
Informational    6       Informational information to be recorded
Debugging        7       Information generated during debugging

Note: A smaller value represents a higher severity level.

 

Displaying Connection Limit Logs

Select Log Report > Report > Connection Limit Log from the navigation tree to enter the page as shown in Figure 1-8.

Figure 1-8 Connection limit log configuration page

 

Table 1-10 describes the connection limit log configuration items.

Table 1-10 Connection limit log configuration items

Time/Date: Displays the time when the connection limit log was generated.
Type: Displays the type of the traffic alarm: the number of connections from a source IP address exceeds the upper limit, or the number of connections to a destination IP address exceeds the upper limit.
Source Zone: Displays the source zone of the connection.
Source IP: Displays the source IP address of the connection.
Destination Zone: Displays the destination zone of the connection.
Destination IP: Displays the destination IP address of the connection.
Current Rate: Displays the current connection rate.
Current Connection: Displays the total number of current connections.
TCP Percentage: Displays the percentage of TCP packets in the total packets.
UDP Percentage: Displays the percentage of UDP packets in the total packets.
ICMP Percentage: Displays the percentage of ICMP packets in the total packets.

 

Displaying Attack Prevention Logs

Select Log Report > Report > Attack Prevention Log from the navigation tree to enter the page as shown in Figure 1-9.

Figure 1-9 Attack prevention log configuration page

 

Table 1-11 describes the attack prevention log configuration items.

Table 1-11 Attack prevention log configuration items

Time: Displays the time when the attack was detected.
Type: Displays the attack type.
Interface: Displays the interface that received the attack packets.
Source IP: Displays the source IP address of the attack packets.
Source MAC: Displays the source MAC address of the attack packets.
Destination IP: Displays the destination IP address of the attack packets.
Destination MAC: Displays the destination MAC address of the attack packets.
Speed: Displays the connection rate of the attack.

 

Displaying Blacklist Logs

Select Log Report > Report > Blacklist Log from the navigation tree to enter the page as shown in Figure 1-10.

Figure 1-10 Blacklist log configuration page

 

Table 1-12 describes the blacklist log configuration items.

Table 1-12 Blacklist log configuration items

Time/Date: Displays the time when the blacklist entry was generated.
Mode: Displays whether the blacklist entry was newly added or removed.
Source IP: Displays the IP address of the blacklist entry.
Reason: Displays why the address was added to the blacklist, either manual add or automatic add:
- Automatic add: The system automatically added the source IP address to the blacklist.
- Manual add: The blacklist entry was added manually through the Web interface.
Hold Time: Displays the hold time of the blacklist entry.

 

Displaying Inter-Zone Policy Logs

Inter-zone logs are logs of the flows matching an inter-zone policy. To record inter-zone policy logs, you need to enable the Syslog function when configuring an inter-zone policy. For the detailed configuration, refer to Inter-Zone Policy Configuration.

Select Log Report > Report > InterZone Policy Log from the navigation tree to enter the page as shown in Figure 1-11.

Figure 1-11 Inter-zone policy log configuration page

 

Table 1-13 describes the inter-zone policy log configuration items.

Table 1-13 Inter-zone policy log configuration items

Start Time: Displays the time when the flow was created.
End Time: Displays the time when the flow was removed.
Source Zone: Displays the source zone of the flow.
Destination Zone: Displays the destination zone of the flow.
Policy ID: Displays the ID of the inter-zone policy that the flow matched.
Action: Displays the action taken on the flow, permit or deny.
Protocol Type: Displays the protocol type of the flow.
Flow Information: Displays the flow information:
- If the protocol type is TCP or UDP, the flow information is displayed as source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69.
- If the protocol type is ICMP, the flow information is displayed as source IP address-->destination IP address, ICMP type (ICMP code), for example, 1.1.1.2-->1.1.2.10, echo(8).
- If the protocol type is any protocol other than TCP, UDP, or ICMP, the flow information is displayed as source IP address-->destination IP address, for example, 1.1.1.2-->1.1.2.10.

 

Displaying User Logs

 

To display user logs through the Web interface, you need to configure outputting user logs to the information center.

 

Displaying flow logs

Select Log Report > Report > Userlog from the navigation tree to enter the page for displaying flow logs. If you select the 1.0 radio button, the flow logging 1.0 information is displayed, as shown in Figure 1-12; if you select the 3.0 radio button, the flow logging 3.0 information is displayed, as shown in Figure 1-13.

Figure 1-12 Flow logging 1.0 log report

 

Figure 1-13 Flow logging 3.0 log report

 

Table 1-14 and Table 1-15 describe the flow logging 1.0 and 3.0 configuration items respectively.

Table 1-14 Flow logging 1.0 configuration items

Time/Date: Displays the time and date when the flow log was generated.
Protocol Type: Displays the protocol type of the flow log.
Flow Information: Displays the flow information:
- If the protocol type is TCP or UDP, the flow information is displayed as source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69.
- If the protocol type is any protocol other than TCP or UDP, the flow information is displayed as source IP address-->destination IP address, for example, 1.1.1.2-->1.1.2.10.
Start Time: Displays the time when the flow was created.
End Time: Displays the time when the flow was removed.
Flow Action: Displays the operator field of the flow:
- (1)Normal over: The flow ended normally.
- (2)Aged for timeout: The timer timed out.
- (3)Aged for reset or config-change: The flow was aged out because of a configuration change.
- (4)Aged for no enough resource: The flow was aged out because of insufficient resources.
- (5)Aged for no-pat of NAT: One-to-one NAT. In this case, only the source IP address, the source IP address after translation, and the time fields are available.
- (6)Active data flow timeout: The lifetime of the flow reached the limit.
- (8)Data flow created: Record written when the flow was created.
- (254)Other: Other reasons.

 

Table 1-15 Flow logging 3.0 configuration items

Time/Date: Displays the time and date when the flow log was generated.
Protocol Type: Displays the protocol type of the flow.
Flow Information: Displays the flow information:
- If the protocol type is TCP or UDP, the flow information is displayed as source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69.
- If the protocol type is any protocol other than TCP or UDP, the flow information is displayed as source IP address-->destination IP address, for example, 1.1.1.2-->1.1.2.10.
Received Packets/Bytes: Displays the number of received packets/bytes.
Sent Packets/Bytes: Displays the number of sent packets/bytes.
Source VPN: Displays the source VPN of the packets.
Destination VPN: Displays the destination VPN of the packets.
Start Time: Displays the time when the flow was created.
End Time: Displays the time when the flow was removed.
Flow Action: Displays the operator field of the flow:
- (1)Normal over: The flow ended normally.
- (2)Aged for timeout: The timer timed out.
- (3)Aged for reset or config-change: The flow was aged out because of a configuration change.
- (4)Aged for no enough resource: The flow was aged out because of insufficient resources.
- (5)Aged for no-pat of NAT: One-to-one NAT. In this case, only the source IP address, the source IP address after translation, and the time fields are available.
- (6)Active data flow timeout: The lifetime of the flow reached the limit.
- (8)Data flow created: Record written when the flow was created.
- (254)Other: Other reasons.
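As an added illustration (not the device's or H3C's own code), the following Python decoder parses one flow logging 3.0 record into the fields of Table 1-3, derives the VPN IDs from Reserved1 under the version 0x03 rule, maps the Operator code to the Flow Action reasons listed above, and renders Flow Information the way the log report displays it. The page does not give field widths, byte order, or where the record version is carried, so the packed layout (Table 1-3 order, network byte order, 1-byte Prot/Operator/IpVersion/TosIPv4, 4-byte addresses, 2-byte ports, 4-byte times, counters and reserved words) and the record_version parameter are assumptions, and the sample record is constructed.

```python
import socket
import struct
from datetime import datetime, timezone

# ASSUMED layout (the page gives field order only): Table 1-3 order, network
# byte order, 1-byte Prot/Operator/IpVersion/TosIPv4, 4-byte IPv4 addresses,
# 2-byte ports, 4-byte times/counters and 4-byte Reserved1..3.
FLOW3_FMT = ">4B4s4s4s4s4H6I4s2I"
FLOW3_LEN = struct.calcsize(FLOW3_FMT)  # 64 bytes under this layout

# Operator codes and their meanings, as listed under Flow Action.
OPERATOR_REASON = {
    1: "Normal over",
    2: "Aged for timeout",
    3: "Aged for reset or config-change",
    4: "Aged for no enough resource",
    5: "Aged for no-pat of NAT",
    6: "Active data flow timeout",
    8: "Data flow created",
    254: "Other",
}

def flow_info(prot, src, sport, dst, dport):
    """Render Flow Information as the log report does: ports only for TCP/UDP."""
    if prot in (6, 17):  # 6 = TCP, 17 = UDP
        return f"{src}:{sport}-->{dst}:{dport}"
    return f"{src}-->{dst}"

def parse_flow3(data, record_version=0x03):
    """Decode one flow logging 3.0 record. record_version (0x02 or 0x03) is
    assumed to come from the export header, which this page does not describe."""
    if len(data) != FLOW3_LEN:
        raise ValueError(f"expected {FLOW3_LEN}-byte record, got {len(data)}")
    f = struct.unpack(FLOW3_FMT, data)
    ip = socket.inet_ntoa
    rec = {
        "prot": f[0], "operator": f[1], "ip_version": f[2], "tos": f[3],
        "reason": OPERATOR_REASON.get(f[1], f"Unknown operator {f[1]}"),
        "src": ip(f[4]), "src_nat": ip(f[5]), "dst": ip(f[6]), "dst_nat": ip(f[7]),
        "sport": f[8], "sport_nat": f[9], "dport": f[10], "dport_nat": f[11],
        "start": datetime.fromtimestamp(f[12], timezone.utc),
        "end": datetime.fromtimestamp(f[13], timezone.utc),
        "in_pkts": f[14], "in_bytes": f[15], "out_pkts": f[16], "out_bytes": f[17],
    }
    reserved1 = f[18]
    if record_version == 0x03:
        # Version 0x03: byte 1 is the source VPN ID, byte 2 the destination VPN ID.
        rec["src_vpn"], rec["dst_vpn"] = reserved1[0], reserved1[1]
    else:
        rec["src_vpn"] = rec["dst_vpn"] = None  # whole word reserved in 0x02
    rec["flow"] = flow_info(rec["prot"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
    return rec

# Constructed sample record: UDP 1.1.1.2:1026-->1.1.2.10:69 (the page's example
# addresses), source NATed to 10.0.0.1:40000, ended normally after 42 seconds.
SAMPLE = struct.pack(
    FLOW3_FMT, 17, 1, 4, 0,
    socket.inet_aton("1.1.1.2"), socket.inet_aton("10.0.0.1"),
    socket.inet_aton("1.1.2.10"), socket.inet_aton("1.1.2.10"),
    1026, 40000, 69, 69, 1700000000, 1700000042, 3, 180, 2, 1024,
    bytes([7, 9, 0, 0]), 0, 0,  # Reserved1 (src VPN 7, dst VPN 9), Reserved2/3
)
```

A log host would read each UDP datagram from the configured userlog port and call parse_flow3 on it, rejecting datagrams whose length does not match the expected record size.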

 

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.