Login
- Table of Contents
-
- 09-Network Management Configuration Guide
- 00-Preface
- 01-System Maintenance and Debugging Configuration
- 02-NQA Configuration
- 03-NTP Configuration
- 04-IPC Configuration
- 05-SNMP Configuration
- 06-RMON Configuration
- 07-Mirroring Configuration
- 08-Information Center Configuration
- 09-sFlow Configuration
- 10-Flow Log Configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 10-Flow Log Configuration | 80.44 KB |
Flow log configuration task list
Specifying the source IP address for flow log packets
Specifying a flow log export destination
Specifying a log server as the flow log export destination
Specifying the information center as the flow log export destination
Displaying and maintaining flow log
Flow log configuration example
Configuring flow log
Flow log records user access to external networks based on flows. Each flow is identified by a 5-tuple of the source IP address, destination IP address, source port, destination port, and protocol number.
Flow log has two versions: version 1.0 and version 3.0. Compared to version 1.0, version 3.0 of flow log provides flow statistics. Table 1 and Table 2 show the fields available in the versions.
Table 1 Flow log 1.0 fields
|
Field |
Description |
|
SIP |
Source IP address. |
|
DIP |
Destination IP address. |
|
SPORT |
Source TCP/UDP port number . |
|
DPORT |
Destination TCP/UDP port number. |
|
STIME |
Start time of the flow, in seconds. |
|
ETIME |
End time of the flow, in seconds. |
|
PROT |
Protocol number. |
|
OPERATOR |
Reason why a flow log entry was generated. |
|
RESERVED |
Reserved for future use. |
|
Field |
Description |
|
Prot |
Protocol number. |
|
Operator |
Reason why a flow log entry was generated. |
|
IpVersion |
IP packet version. |
|
TosIPv4 |
ToS field of the IPv4 packet. |
|
SourceIP |
Source IP address before NAT. |
|
SrcNatIP |
Source IP address after NAT. |
|
DestIP |
Destination IP address before NAT. |
|
DestNatIP |
Destination IP address after NAT. |
|
SrcPort |
Source TCP/UDP port number before NAT. |
|
SrcNatPort |
Source TCP/UDP port number after NAT. |
|
DestPort |
Destination TCP/UDP port number before NAT. |
|
DestNatPort |
Destination TCP/UDP port number after NAT. |
|
StartTime |
Start time of the flow, in seconds. |
|
EndTime |
End time of the flow, in seconds. |
|
InTotalPkg |
Number of packets received. |
|
InTotalByte |
Number of bytes received. |
|
OutTotalPkg |
Number of packets sent. |
|
OutTotalByte |
Number of bytes sent. |
|
Reserved1 |
Reserved in version 0x02 (FirewallV200R001). In version 0x03 (FirewallV200R005), the first byte is the source VPN ID, the second byte is the destination VPN ID, and the third and forth bytes are reserved for future use. |
|
Reserved2 |
Reserved for future use. |
|
Reserved3 |
Reserved for future use. |
Flow log configuration task list
|
Task |
Remarks |
|
Optional. |
|
|
Optional. |
|
|
Perform one of the following tasks for flow log export: · Specifying a log server as the flow log export destination · Specifying the information center as the flow log export destination |
Required. |
Setting the flow log version
|
Command |
Remarks |
|
|
1. Enter system view. |
system-view |
N/A |
|
2. Set the flow log version. |
userlog flow export version version-number |
Optional. The default flow log version is 1.0. Make sure the specified flow log version is supported on the log server. If you set the flow log version multiple times, the most recent setting takes effect. |
Specifying the source IP address for flow log packets
By default, the source IP address for flow log packets is the IP address of their outgoing interface. For the log servers to filter log entries by log sender, specify a source IP address for all flow log packets.
To configure the source IP address for flow log packets:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify the source IP address for flow log packets. |
userlog flow export source-ip ip-address |
By default, the source IP address of flow log packets is the IP address of their outgoing interface. |
Specifying a flow log export destination
You can export flow log entries to a log server or the information center, but not both. If you configure both methods, the system exports flow log entries to the information center.
· If the destination is a log server, flow log entries are sent in UDP. One UDP packet can contain multiple log entries.
· If the destination is the information center, flow log entries are sent in syslog format with the informational severity level. With the information center, you can specify log output destinations. For more information about the information center, see "Configuring the information center."
Specifying a log server as the flow log export destination
The device supports a maximum of two log servers (IPv4 or IPv6) as the destinations for flow log export. When the limit is reached, remove an existing log server and then specify a new one. If you specify a log server that has the same IP address but a different port number than an existing server, the new configuration overwrites the previous one.
Specifying an IPv4 log server as the flow log export destination
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify an IPv4 log server as the destination for flow log export. |
userlog flow export host ipv4-address udp-port |
By default, no IPv4 log servers are specified. To specify multiple IPv4 log servers, repeat this step. |
Specifying an IPv6 log server as the flow log export destination
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify an IPv6 log server as the destination for flow log export. |
userlog flow export host ipv6 ipv6-address udp-port |
By default, no IPv6 log servers are specified. To specify multiple IPv6 log servers, repeat this step. |
Specifying the information center as the flow log export destination
Flow log entries are storage intensive. To export flow log entries to the information center, make sure the storage space is sufficient.
To specify the information center as the destination for flow log export:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify the information center as the destination for flow log export. |
userlog flow syslog |
By default, the information center log export destination is not configured. |
Displaying and maintaining flow log
|
Task |
Command |
Remarks |
|
Display flow log configuration and statistics. |
display userlog export [ | { begin | exclude | include } regular-expression ] |
Available in any view. |
|
Clear flow log statistics. |
reset userlog flow export |
Available in user view. |
|
Clear flow log entries in the buffer. |
reset userlog flow logbuffer |
Available in user view. |
Flow log configuration example
Network requirements
As shown in Figure 1, configure flow log on the device to send flow log entries generated for the user to the log server.
Configuration procedure
# Configure IP addresses, as shown in the network diagram. Make sure the device and the log server can reach each other. (Details not shown.)
# Set the flow log version to 3.0.
<Device> system-view
[Device] userlog flow export version 3
# Specify the log server at 1.2.3.6 as the destination for flow log export. Set the UDP port number to 2000.
[Device] userlog flow export host 1.2.3.6 2000
# Specify 2.2.2.2 as the source IP address for flow log packets.
[Device] userlog flow export source-ip 2.2.2.2
Verifying the configuration
# Display the flow log configuration and statistics.
<Device> display userlog export
nat:
No userlog export is enabled
flow:
Export Version 3 logs to log server : enabled
Source address of exported logs : 2.2.2.2
Address of log server : 1.2.3.6 (port: 2000)
total Logs/UDP packets exported : 112/87
Logs in buffer : 6
Troubleshooting flow log
Symptom 1: No flow log entries are exported
· Analysis: No destination is specified for flow log export.
· Solution: Specify the information center or a log server as the flow log export destination.
Symptom 2: Flow log entries cannot be exported to a log server
· Analysis: Both the information center and the log server are specified as the flow log export destination.
· Solution: Restore to the default, and then specify the log server as the destination for flow log export.
