Vyatta SNMP and logging

This article details the process for setting up Simple Network
Management Protocol (SNMP) and syslog for monitoring of the Brocade
Vyatta vRouter.

Configuring SNMP on vRouter

The vRouter ships with the following sysObjectID and sysDescr values, which
a standard SNMP management and logging system uses to identify the device:

sysObjectID  =  1.3.6.1.4.1.30803
sysDescr     =  Vyatta_version_info

You can configure your SNMP management software to communicate with the
vRouter by using the following SNMP messages:

  • GET - Pulls system information and device operational statistics
  • SET - Sets event conditions or thresholds on the vRouter
  • TRAP - When thresholds or conditions are met, sends information
    to the management system

The following scenario variables are used in the SNMP configuration below:

  • Community string - BROCADE
  • IP Address of the SNMP management system - 10.0.0.12

The remaining values (contact, description, location) are descriptive
device information specific to your vRouter.

SNMP configuration

set service snmp community BROCADE
set service snmp community BROCADE client 10.0.0.12
set service snmp community BROCADE authorization rw
set service snmp trap-target 10.0.0.12
set service snmp contact "Rackspace Network Security"
set service snmp description "Test Brocade vRouter"
set service snmp location "San Antonio, TX"

Note: authorization rw lets any host that presents the community string
change the vRouter configuration through SNMP SET. Unless your management
system actually issues SET requests, use authorization ro. The client
statement limits the community to the management system's address, but
SNMPv1 and SNMPv2c carry the community string in cleartext, so keep
polling inside the IPsec tunnel described in the next section.
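To make the cleartext point concrete, the following added example (it is
not code from the original article or from Brocade) encodes the SNMPv2c
GetRequest a poller sends for sysObjectID.0 with the BROCADE community from
the configuration above, then reads the community string straight back out
of the packet bytes, which is exactly what anyone capturing traffic on the
path can do. The BER encoder is a minimal one written for this example;
nothing is sent on the network.

```python
"""Build an SNMPv2c GetRequest and show the community string is readable in
the packet. Added example with a constructed packet; nothing is transmitted."""


def ber_len(n):
    """BER length field: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """INTEGER, non-negative only (enough for SNMP header fields)."""
    if v < 0:
        raise ValueError("negative integers not supported here")
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    return tlv(0x02, body)


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    with a continuation bit on every byte except the last of each arc."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmpv2c_get(community, oid, request_id=1):
    """Message { version=1 (v2c), community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # { oid, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))  # request-id, error-status, error-index
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(pkt):
    """What a passive observer sees: (community, version). The community is
    the second element of the outer SEQUENCE and is not encrypted. SNMPv3
    messages carry a SEQUENCE there instead, so this raises for them."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    tag, community, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("no community string (SNMPv3 header?)")
    return community.decode(), int.from_bytes(version, "big")


if __name__ == "__main__":
    # sysObjectID.0 is 1.3.6.1.2.1.1.2.0; the vRouter answers 1.3.6.1.4.1.30803
    pkt = snmpv2c_get("BROCADE", "1.3.6.1.2.1.1.2.0")
    print(pkt.hex())
    print(community_from_packet(pkt))
```

Run it and the community string appears verbatim in the hex dump; a `tcpdump
-X` of real polling traffic shows the same thing, which is why the community
should be read-only, bound to a client address, and carried over IPsec.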

SNMP access via VPN tunnel

If you want to poll the vRouter for SNMP information rather than only
receive traps from it, you must add a rule to the local firewall applied
to the outside interface. Local firewall rules apply to traffic entering
an interface that is destined for the vRouter itself; this rule set is
referred to as the control plane access list.

The rule in the following example is added to the default protect-vyatta
firewall, which is created when a Vyatta image is built. By default,
protect-vyatta is already applied to the interface, but the application
command is repeated here so the example is complete. Note that rule 400
accepts UDP/161 from any source as long as the packet arrived through
IPsec (match-ipsec); to limit polling to the management system, add a
source address match for 10.0.0.12 to the rule.

Permit SNMP traffic to vRouter

set firewall name protect-vyatta rule 400 action 'accept'
set firewall name protect-vyatta rule 400 description 'allow snmp'
set firewall name protect-vyatta rule 400 destination port '161'
set firewall name protect-vyatta rule 400 ipsec 'match-ipsec'
set firewall name protect-vyatta rule 400 protocol 'udp'
set interfaces ethernet eth0 firewall local name 'protect-vyatta'

MIBs for managing and monitoring a vRouter

Following is a sample subset of available Management Information Bases
(MIBs) on a vRouter. A full list of supported MIBs is available at the
Vyatta documentation page.

  • HOST-RESOURCES-MIB
  • SNMPv2-MIB
  • IF-MIB
  • IP-MIB
  • RFC1213-MIB
  • TCP-MIB
  • UDP-MIB

Configuring logging on vRouter

The vRouter uses the standard Linux syslog process, so log output from
most vRouter processes can be collected and forwarded.

Note: Log messages are stored in /var/log/messages. When the file
reaches 500 KB in size, it is renamed to messages.#, where # is an
incrementing number.

Use the show log command to view logs. Following are some examples of
the show log command variants.

Viewing the active log file

show log
show log | match <string>
show log | more
show log all
show log tail
show log vpn ipsec

You can configure custom logging scenarios, such as a particular
location, file name, or user, with a single command whose destination
variable selects where the messages go, as shown in the following example:

Logging syntax

set system syslog <destination> facility <facility_num> level <logging_level>

Send logs to a specific host

set system syslog host 10.176.10.10 facility local3 level info

The preceding example uses

  • host as the logging destination
  • local3 as the facility
  • info as the logging level

Log options

The following tables show the options for destinations, logging levels,
and facilities.

Logging destinations

Destination   Purpose
console       Logging to the system console
file          Logging to a file (stored in /var/log/user/)
global        Logging to the system standard location (/var/log/messages)
host          Logging to a remote host
user          Logging to a specific user's terminal

Logging levels

The level variable refers to severity. Selecting a level forwards
messages of that severity and every more severe one (for example, level
info includes notice through emerg but excludes debug). Which level an
individual message gets is decided by the application that logs it.

Level     Purpose
emerg     Emergency messages
alert     Urgent messages
crit      Critical messages
err       Error messages
warning   Warning messages
notice    Messages for investigation (default)
info      Informational messages
debug     Debug messages

Facility numbers

The facility variable refers to the type of program logging the message.

Facility    Purpose
all         All facilities excluding "mark"
auth        Authentication and authorization
authpriv    Non-system authorization
cron        Cron daemon
daemon      System daemons
kern        Kernel
lpr         Line printer spooler
mail        Mail subsystem
mark        Timestamp
news        USENET subsystem
protocols   Routing protocols (local7)
security    Authentication and authorization
syslog      System activity logging
user        Application processes
uucp        UUCP subsystem
local0      Local facility 0
local1      Local facility 1
local2      Local facility 2
local3      Local facility 3
local4      Local facility 4
local5      Local facility 5
local6      Local facility 6
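The facility and level keywords above map onto the PRI value (facility * 8
+ severity) that prefixes every message the vRouter forwards to a remote
host. The following added example (not code from the article or from
Brocade) decodes that PRI on the receiving side and applies the same
selector semantics as the "set system syslog host 10.176.10.10 facility
local3 level info" command shown earlier, so you can check which lines a
collector should actually receive. The sample log lines are constructed for
the example, and the facility code table is the standard RFC 3164 one
(codes 12 to 15 are rarely used and are left numeric).

```python
"""Decode syslog PRI values and apply a Vyatta-style 'facility F level L'
selector. Added example; the sample lines below are constructed."""
import re

# RFC 3164 facility codes, named with the keywords used in the tables above.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# RFC 3164 severity codes, most severe first; list index == numeric code.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri):
    """Split PRI into (facility name, level name); PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    return FACILITIES.get(fac, f"facility{fac}"), LEVELS[sev]


def parse_line(line):
    """Return (facility, level, rest) for one '<PRI>...' line, or None if the
    line has no valid PRI header."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    try:
        fac, lvl = decode_pri(int(m.group(1)))
    except ValueError:
        return None
    return fac, lvl, m.group(2)


def selector_matches(facility, level, line_fac, line_lvl):
    """'facility F level L': facility F (or 'all'), and severity L or anything
    more severe, i.e. a lower numeric severity code."""
    if facility != "all" and facility != line_fac:
        return False
    return LEVELS.index(line_lvl) <= LEVELS.index(level)


def forwarded(lines, facility, level):
    """The subset of lines the selector would send to the remote host."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and selector_matches(facility, level, parsed[0], parsed[1]):
            out.append(line)
    return out


# Constructed sample input (not real vRouter output). PRI = facility*8 + sev:
# 158 = local3.info, 159 = local3.debug, 155 = local3.err,
# 38 = auth.info, 86 = authpriv.info; the last line has no PRI header.
SAMPLE = [
    "<158>Jan  5 10:00:01 vyatta app[100]: routine message",
    "<159>Jan  5 10:00:02 vyatta app[100]: debug chatter",
    "<155>Jan  5 10:00:03 vyatta app[100]: something failed",
    "<38>Jan  5 10:00:04 vyatta sshd[200]: accepted login",
    "<86>Jan  5 10:00:05 vyatta sshd[200]: session opened",
    "Jan  5 10:00:06 vyatta noise: line without PRI header",
]

if __name__ == "__main__":
    # Same selector as "facility local3 level info": two of the six lines pass.
    for line in forwarded(SAMPLE, "local3", "info"):
        print(line)
```

The practical use is the reverse check: if the collector is missing
authentication events, the cause is usually a facility selector (local3 does
not include auth or authpriv) or a level threshold (level info drops debug)
rather than a transport problem.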

Difference between show log and monitor commands

The show log command is a static view of what had been written to the
/var/log/messages file at the time you executed the command. Entries
written after that are not shown until you run show log again.

The monitor command shows log messages as they are being written to the
log buffer. Similar to the debug command on a Cisco ASA, you see log
messages on the console as they are generated. Messages are written to
the console until you exit the monitor command (Ctrl-C).