Vyatta SNMP and logging
This article details the process for setting up Simple Network Management Protocol (SNMP) and syslog for monitoring of the Brocade
Configuring SNMP on vRouter
The following object ID and description, which standard SNMP management and logging systems use to identify the device, are built into the vRouter:
sysObjectID = 1.3.6.1.4.1.30803
sysDescr = Vyatta_version_info
You can configure your SNMP management software to communicate with the vRouter by using the following SNMP messages:
- GET - Pulls system information and device operational statistics
- SET - Writes MIB objects on the vRouter; requires a community with rw authorization
- TRAP - When thresholds or conditions are met, sends information to the management system
The following scenario variables are used in the SNMP configuration below:
- Community string - BROCADE
- IP address of the SNMP management system - 10.0.0.12
Other variables (contact, description, and location) provide vRouter-specific device information. Note that the example grants the community rw authorization, which permits SET operations; use ro unless you need SET, and always restrict the community to the management system's address with the client statement, because SNMPv1 and SNMPv2c send the community string in cleartext.
set service snmp community BROCADE
set service snmp community BROCADE client 10.0.0.12
set service snmp community BROCADE authorization rw
set service snmp trap-target 10.0.0.12
set service snmp contact "Rackspace Network Security"
set service snmp description "Test Brocade vRouter"
set service snmp location "San Antonio, TX"
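The following is an added example, not code from the original article or from Vyatta/Brocade. It hand-builds the SNMPv2c GetRequest that a manager at 10.0.0.12 would send for sysObjectID.0 with the community string from the configuration above, then parses the community back out the way any passive observer on the path could. This is the reason the community must be treated as a password and the SNMP path restricted to the management host (and, in the next section, to the IPsec tunnel). The request-id value and the manager address are assumptions; the BER encoding is written out so the script runs offline with no SNMP library.

```python
# Added example (not from the original article or from Vyatta/Brocade).
# Builds an SNMPv2c GetRequest for sysObjectID.0 by hand and shows that the
# community string travels in cleartext at the front of every v1/v2c message.

SYS_OBJECT_ID = "1.3.6.1.2.1.1.2.0"          # sysObjectID.0, the instance a GET asks for
VYATTA_ENTERPRISE_OID = "1.3.6.1.4.1.30803"  # the value the vRouter returns (from the article)


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int) -> bytes:
    """INTEGER with the minimal two's-complement length."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmpv2c_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (1 = v2c), community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # value is NULL in a request
    varbinds = tlv(0x30, varbind)
    # [0] IMPLICIT GetRequest-PDU: request-id, error-status, error-index, variable-bindings
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf: bytes, i: int):
    """Return (tag, body, index_after) for the TLV that starts at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def community_from_wire(packet: bytes):
    """What a sniffer sees: version and community are the first two fields, unencrypted."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, i = read_tlv(msg, 0)
    _, community, _ = read_tlv(msg, i)
    return int.from_bytes(version, "big", signed=True), community.decode("ascii")


if __name__ == "__main__":
    pkt = snmpv2c_get("BROCADE", SYS_OBJECT_ID)   # what 10.0.0.12 would send (assumed manager)
    print(pkt.hex())
    print(community_from_wire(pkt))               # (1, 'BROCADE') recovered from the wire
    print(ber_oid(VYATTA_ENTERPRISE_OID).hex())   # how the vRouter's sysObjectID is encoded
```

Run it as a script to see the 41-byte request; the ASCII bytes of BROCADE sit immediately after the version field, which is why SNMPv2c over an untrusted network is equivalent to sending a password in the clear. SNMPv3 with authPriv, or confining v2c to the IPsec tunnel as the next section does, is the mitigation.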
SNMP access via VPN tunnel
If you want to poll the Vyatta for SNMP information rather than only receive traps from it, you must put a specific configuration in place on a local firewall applied to the outside interface. Local firewall rules apply to traffic entering an interface that is directed at the Vyatta itself; this rule set is called the Control Plane access list.

The firewall rule in the following example extends the default protect-vyatta firewall that is created when a Vyatta image is built. By default, protect-vyatta is already applied to the interface, but the application command is included in this example for a complete view of how to execute this configuration. Because the rule uses ipsec match-ipsec, it matches only UDP/161 packets that arrived through the IPsec tunnel; SNMP queries sent in the clear to eth0 do not match it.
Permit SNMP traffic to vRouter
set firewall name protect-vyatta rule 400 action 'accept'
set firewall name protect-vyatta rule 400 description 'allow snmp'
set firewall name protect-vyatta rule 400 destination port '161'
set firewall name protect-vyatta rule 400 ipsec 'match-ipsec'
set firewall name protect-vyatta rule 400 protocol 'udp'
set interfaces ethernet eth0 firewall local name 'protect-vyatta'
MIBs for managing and monitoring a vRouter
Following is a sample subset of available Management Information Bases (MIBs) on a vRouter. A full list of supported MIBs is available at the Vyatta documentation page.
Configuring logging on vRouter
The vRouter uses the standard Linux syslogd process, which provides logging for most vRouter processes.

Note: Log messages are stored in /var/log/messages. When the file reaches 500 KB in size, the messages file is renamed with an incremental number (#) in its name.

Use the show log command to view logs. Following are some examples of the show log command variables.
Viewing the active log file
show log
show log | match <string>
show log | more
show log all
show log tail
show log vpn ipsec
You can configure different custom logging scenarios, such as location, file name, and user, by using a single command string with the destination variable, as shown in the following example:
set system syslog <destination> facility <facility_num> level <logging_level>
Send logs to a specific host
set system syslog host 10.176.10.10 facility local3 level info
The preceding example uses host as the logging destination, local3 as the facility, and info as the logging level.

The following tables show the options for destinations, logging levels, and facility numbers.
| Destination | Description |
|---|---|
| console | Logging to system console |
| file | Logging to a file (stored in |
| global | Logging to system standard location |
| host | Logging to a remote host |
| user | Logging to specific user's terminal |
The level variable refers to the severity level, which can be application-specific.

| Level | Description |
|---|---|
| notice | Messages for investigation (default) |
The facility variable refers to the type of program logging the message.

| Facility | Description |
|---|---|
| all | All facilities excluding "mark" |
| auth | Authentication and authorization |
| lpr | Line printer spooler |
| protocols | Routing protocols (local7) |
| security | Authentication and authorization |
| syslog | System activity logging |
| local0 | Local facility 0 |
| local1 | Local facility 1 |
| local2 | Local facility 2 |
| local3 | Local facility 3 |
| local4 | Local facility 4 |
| local5 | Local facility 5 |
| local6 | Local facility 6 |
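The following is an added example, not code from the original article: a small selector that replays which syslog messages a statement such as set system syslog host 10.176.10.10 facility local3 level info would forward, so you can check what a collector should be receiving. Facility and severity numbers follow RFC 3164 (PRI = facility * 8 + severity); "protocols" maps to local7 as in the table above, and treating "security" as the auth facility is an assumption based on the table's description. The log lines are constructed for the example.

```python
# Added example (not from the original article). Mirrors classic syslogd selector
# semantics: a "facility F level L" selector passes messages from facility F
# ("all" = any facility) whose severity is L or more urgent (numerically <= L).
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
    "protocols": 23,  # Vyatta alias for local7 (from the article's facility table)
    "security": 4,    # assumption: same facility as auth, per the table's description
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_PRI = re.compile(r"^<(\d{1,3})>")


def pri(facility: str, severity: str) -> int:
    """PRI value carried in the <N> prefix of an RFC 3164 message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def split_pri(line: str):
    """Recover (facility_number, severity_number) from the <N> prefix."""
    m = _PRI.match(line)
    if not m:
        raise ValueError(f"no PRI field: {line!r}")
    value = int(m.group(1))
    if value > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {value}")
    return value // 8, value % 8


def forwarded(lines, facility: str, level: str):
    """Lines the selector 'facility <facility> level <level>' would forward."""
    want_fac = None if facility == "all" else FACILITIES[facility]
    max_sev = SEVERITIES[level]
    return [line for line in lines
            if (want_fac is None or split_pri(line)[0] == want_fac)
            and split_pri(line)[1] <= max_sev]


# Constructed sample messages (not real vRouter output); PRI computed from the tables.
SAMPLE = [
    f"<{pri('local3', 'info')}>Jun  1 10:00:01 vyatta snmpd[1234]: Connection from UDP: [10.0.0.12]:50432",
    f"<{pri('local3', 'debug')}>Jun  1 10:00:02 vyatta snmpd[1234]: Received SNMP packet(s) from UDP: [10.0.0.12]:50432",
    f"<{pri('auth', 'info')}>Jun  1 10:00:03 vyatta sshd[2001]: Accepted publickey for vyatta from 10.0.0.12 port 51022 ssh2",
    f"<{pri('auth', 'notice')}>Jun  1 10:00:04 vyatta sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    f"<{pri('protocols', 'info')}>Jun  1 10:00:05 vyatta bgpd[3001]: neighbor 10.0.0.1 Up",
]

if __name__ == "__main__":
    # The article's statement: host 10.176.10.10 facility local3 level info
    for line in forwarded(SAMPLE, "local3", "info"):
        print("local3/info  ->", line)
    # What a broader "facility all level notice" selector would forward instead
    for line in forwarded(SAMPLE, "all", "notice"):
        print("all/notice   ->", line)
```

With the article's statement, only the info-level snmpd line reaches 10.176.10.10: the local3 debug message is below the threshold, and the sshd and routing messages are on other facilities. If you want authentication failures at the collector as well, you need a second statement for the auth facility (or facility all), since a level does not widen the facility.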
Difference between show log and monitor commands
The show log command is a static representation of the log files that were written to /var/log/messages at the time you executed the command. If new entries are written to the file after you execute the command, you will not see those entries until you run show log again.

The monitor command shows log messages as they are being written to the log buffer. Similar to the debug command in Cisco ASA, you see log messages on the console as they are generated. Messages are logged to the console until you exit the monitor command (Ctrl-C).
©2018 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License