syslog (1)syslog (1)

• The purpose of syslog is to write The purpose of syslog is to write system messages to a logsystem messages to a log

• Syslog messages can include Syslog messages can include everything from critical alarm everything from critical alarm conditions to ordinary debugging conditions to ordinary debugging statementstatement

• It provides a It provides a general trailgeneral trail of activities of activities • It provides the capability for the It provides the capability for the

device to emit event messages device to emit event messages without solicitationwithout solicitation

syslog (2)syslog (2)

• Syslog message has 2 partsSyslog message has 2 parts– A message header and the message A message header and the message

bodybody

• The message bodyThe message body contains the contains the content of the message itself content of the message itself (english text, unstructured) (english text, unstructured)

• The message headerThe message header contains contains minimal but essential information minimal but essential information in structured manner in structured manner

General syslog messageGeneral syslog message

• 179.19.209.130179.19.209.130 – IP Address – IP Address

• 000024000024 – sequence number – sequence number

• Apr 12 18:01:55:643Apr 12 18:01:55:643 – local time – local time

• ENV_MONENV_MON – facility emitting the alarm – facility emitting the alarm

• 1 1 – severity– severity

• SHUTDOWNSHUTDOWN – Event – Event

syslog Protocolsyslog Protocol

• IETF is in process of passing a IETF is in process of passing a particular version of syslog as a particular version of syslog as a standardstandard– RFC 3164 BSD syslog protocolRFC 3164 BSD syslog protocol– RFC 3195 reliable delivery for syslogRFC 3195 reliable delivery for syslog

• Refer to RFC3164 (RFC 5424)Refer to RFC3164 (RFC 5424)– UDP is used as transport serviceUDP is used as transport service– Port 514Port 514

definitiondefinition

• A machine that can generate a message A machine that can generate a message will be called a will be called a "device"."device".

• A machine that can receive the message A machine that can receive the message and forward it to another machine will be and forward it to another machine will be called a called a "relay"."relay".

• A machine that receives the message and A machine that receives the message and does not relay it to any other machines does not relay it to any other machines will be called a will be called a "collector"."collector". This has been This has been commonly known as a commonly known as a "syslog server"."syslog server".

syslog messagesyslog message

• Consists of 3 parts :PRI Consists of 3 parts :PRI /HEADER/MSG/HEADER/MSG

• Length Maximum 2048 bytes or lessLength Maximum 2048 bytes or less

PRI (Priority) part PRI (Priority) part

• Priority – combination of a facility and Priority – combination of a facility and severity severity – Facility – category of a message (kernel Facility – category of a message (kernel

message) , it is a numeric code message) , it is a numeric code – Severity – numeric code 0 -7 , 0 is the Severity – numeric code 0 -7 , 0 is the

most severemost severe– Priority is formed by multiplying the Priority is formed by multiplying the

numeric code of the facility by 8 and numeric code of the facility by 8 and adding the severity adding the severity

– Facility 7 and severity 3 , so priority = 59Facility 7 and severity 3 , so priority = 59

Example of Facility codeExample of Facility code

Example of SeverityExample of Severity

HEADER part (1)HEADER part (1)

• The HEADER part contains a The HEADER part contains a timestamptimestamp and and an an indication of the hostnameindication of the hostname or or IP address IP address of theof the device device

• The HEADER part of the syslog packet MUST The HEADER part of the syslog packet MUST contain contain visible (printing) characters (7-bit visible (printing) characters (7-bit Ascii)Ascii)

• HOSTNAMEHOSTNAME field will contain the hostname field will contain the hostname or IP addressor IP address

• TimestampTimestamp field will contain the local time field will contain the local time and is in the format of “Mmm dd hh:mm:ss" and is in the format of “Mmm dd hh:mm:ss"

HEADER part (2)HEADER part (2)

• Mmm Mmm –month of the year with the first –month of the year with the first character in uppercase and the other two character in uppercase and the other two characters in lowercasecharacters in lowercase““Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec”Oct, Nov, Dec”

• dd dd -dd is the day of the month. -dd is the day of the month. – If the day of the month is less than 10, then it MUST If the day of the month is less than 10, then it MUST

be represented as a space and then the number. be represented as a space and then the number.

• For example,For example,– the 7th day of August would be represented as the 7th day of August would be represented as

"Aug 7"Aug 7", with two spaces between the "g" and the "7", with two spaces between the "g" and the "7

HEADER part (3)HEADER part (3)

• hh:mm:sshh:mm:ss is the local time. is the local time.

• The hour (hh) is represented in a The hour (hh) is represented in a 24-24-hh our format. our format.

– Valid entries are between Valid entries are between 0000 and and 2323

• The minute (mm) and second (ss) ent The minute (mm) and second (ss) ent ries are between ries are between 00 - 5900 - 59

MSG partMSG part (1)(1)

• It It containcontainss some additional information of the p some additional information of the p rocess that generated the message, and then t rocess that generated the message, and then t

he text of the message he text of the message

• It has 2 fields : It has 2 fields : TAG and CONTENTTAG and CONTENT

• TAG TAG field will be field will be the name of the program or the name of the program or

processprocess that generated the message. that generated the message.(not (not exceed 32 chars)exceed 32 chars)

• CONTENTCONTENT field field contains contains the details of the mess the details of the messageage . .– TT his has traditionally been a freeform message that his has traditionally been a freeform message that

gives some detailed information of the event gives some detailed information of the event

Example of syslog messageExample of syslog message

• <<34> 34> Oct Oct 11 22:14:1511 22:14:15 mymachine su mymachine su:: ’su root’ failed for lonvick on /dev/pts ’su root’ failed for lonvick on /dev/pts/8/8

• <34> - priority<34> - priority• Oct Oct 11 22:14:15 – timestamp11 22:14:15 – timestamp• mymachinemymachine – hostname – hostname• su – TAGsu – TAG• :: ’su root’ failed for lonvick on ’su root’ failed for lonvick on

/dev/pts//dev/pts/8- Content 8- Content

Security consideration (1)Security consideration (1)

• AuthenticationAuthentication– The syslog delivery mechanism does not The syslog delivery mechanism does not

strongly associate the message with the strongly associate the message with the message sender message sender

– a misconfigured machine may send syslo a misconfigured machine may send syslo g messages to a collector representing it g messages to a collector representing it

self as another machine self as another machine– An attacker may transmit syslog messag An attacker may transmit syslog messag

es es to to a collector. a collector.

Security consideration (2)Security consideration (2)

• Sequenced deliverySequenced delivery– the syslog process and protocol do not ensur the syslog process and protocol do not ensur

e ordered delivery. e ordered delivery.

• Reliable deliveryReliable delivery– no mechanism within either the syslog proce no mechanism within either the syslog proce

ss or the protocol to ensure deliver ss or the protocol to ensure deliveryy– May be maliciously intercepted or discardedMay be maliciously intercepted or discarded

• Message IntegrityMessage Integrity– syslog messages may be damaged in transit syslog messages may be damaged in transit

or an attacker may maliciously modify them. or an attacker may maliciously modify them.

Security consideration (3)Security consideration (3)

• Message observationMessage observation– No mechanisms to provide confidentiality of No mechanisms to provide confidentiality of

the messages in transit. (clear-text the messages in transit. (clear-text messages) messages)

• Message Prioritization & DifferentiationMessage Prioritization & Differentiation– No mechanism relating to priority messageNo mechanism relating to priority message– Critical message and non critical message Critical message and non critical message

can be treated as equal in term of receptioncan be treated as equal in term of reception

Security consideration (4)Security consideration (4)

• MisconfiguratioMisconfigurationn– The syslog message may go to The syslog message may go to

untended receiveruntended receiver

• Load Considerations Load Considerations– An attacker may perform a Denial of Serv An attacker may perform a Denial of Serv

ice attack by filling the disk of the collect ice attack by filling the disk of the collect or with false messages. or with false messages.

syslog deployment (1)syslog deployment (1)

• Two roles are distinguished Two roles are distinguished – syslog sender (management agent)syslog sender (management agent)– syslog receiver (management manager)syslog receiver (management manager)

• Syslog receiver (1)Syslog receiver (1)– Device itself writing the messages to a Device itself writing the messages to a

local log file local log file •use circular log file for a limit sizeuse circular log file for a limit size

•Log files are created with a certain capacityLog files are created with a certain capacity

syslog deployment (2)syslog deployment (2)

Circular log file

syslog deployment (3)syslog deployment (3)

• syslog receiver (con’t)syslog receiver (con’t)– Centralized logging hostCentralized logging host

•Receiving messages from several devices Receiving messages from several devices and logging those messagesand logging those messages

•Applications access this logging host instead Applications access this logging host instead of individual devicesof individual devices

• It often function as a syslog relay , It often function as a syslog relay , forwarding syslog messages to various apps.forwarding syslog messages to various apps.

syslog deployment (4)syslog deployment (4)

Logging host

syslog relay

Netconf (1) Netconf (1)

• NetconfNetconf is a network management pro is a network management pro tocol developed in the IETF by the Netc tocol developed in the IETF by the Netc

onf working group. onf working group.

• It was published as RFC It was published as RFC 47414741..

• The NETCONF protocol provides mecha The NETCONF protocol provides mecha nisms to install, manipulate, and delete nisms to install, manipulate, and delete

the configuration of network devices. the configuration of network devices.

• It also can perform some monitoring fu It also can perform some monitoring functions.nctions.

Netconf (2)Netconf (2)

• It uses an Extensible Markup Languag It uses an Extensible Markup Languag e (XML) based data encoding for the c e (XML) based data encoding for the c

onfiguration data as well as the proto onfiguration data as well as the proto col messages. col messages.

• The NETCONF protocol operations are The NETCONF protocol operations are realized on top of a simple Remote Pr realized on top of a simple Remote Pr ocedure Call (RPC) layer. ocedure Call (RPC) layer.

Netconf Datastore (1)Netconf Datastore (1)

• The configuration information of devices The configuration information of devices can be thought of and handle as being can be thought of and handle as being contained in a datastore (like a file) contained in a datastore (like a file)

• The datastore resembles a MIB.The datastore resembles a MIB.

• Netconf provides the operations to Netconf provides the operations to manage those datastores.manage those datastores.– SNMP targets the individual managed object in SNMP targets the individual managed object in

side MIB side MIB – Netconf targets the MIB as a whole or portionNetconf targets the MIB as a whole or portion

Netconf Datastore (2)Netconf Datastore (2)

A hierarchical datastore in NetconfA hierarchical datastore in Netconf

Netconf Datastore (3)Netconf Datastore (3)

• Management operations can be Management operations can be applied to individual subtreesapplied to individual subtrees

• This capability feature is called as This capability feature is called as subtree filteringsubtree filtering

Netconf and XML (1)Netconf and XML (1)

• Netconf uses XML as encoding for its Netconf uses XML as encoding for its management operationsmanagement operations

• XML documents contain so-called XML documents contain so-called tags to delimit different pieces of tags to delimit different pieces of informationinformation

• Tags are defined by users such as Tags are defined by users such as <email>alex@cisco.com(/email)<email>alex@cisco.com(/email)

Netconf Architecture (1)Netconf Architecture (1)

Netconf Architecture (2)Netconf Architecture (2)

• Transport layerTransport layer (using Netconf over) (using Netconf over)– Secure Shell (SSH) RFC4742Secure Shell (SSH) RFC4742– Block Extensible Exchange Protocol (BEEP) Block Extensible Exchange Protocol (BEEP)

RFC4744RFC4744– Simple Object Access Protocol (SOAP) Simple Object Access Protocol (SOAP)

RFC4743RFC4743

• Remote Procedure Call layerRemote Procedure Call layer– Allow manager to invoke function on agentAllow manager to invoke function on agent– rpc request / rpc replyrpc request / rpc reply

Netconf Architecture (3)Netconf Architecture (3)

• The operation layerThe operation layer– To manipulate configuration filesTo manipulate configuration files– Get-config / Edit-config Get-config / Edit-config

• The content layerThe content layer – Configuration dataConfiguration data

• The management information will be The management information will be transported and exchanged as XML transported and exchanged as XML documentsdocuments

Netconf Message StructureNetconf Message Structure

• Fig 8-14Fig 8-14

A netconf requestA netconf request (1)(1)

• Ex 8-4Ex 8-4

A netconf requestA netconf request (2)(2)

• RPC tagRPC tag <rpc message-id =“101 … > …. </rpc> <rpc message-id =“101 … > …. </rpc>

- frame the overall message- frame the overall message

• Netconf operation – get-configNetconf operation – get-config <get-config> … </get-config><get-config> … </get-config>

• <source>… </source> <source>… </source> specifies the specifies the config being requested (running config)config being requested (running config)

• <filter> … </filter> <filter> … </filter> specifies the subtree specifies the subtree within the config (all belongs in bgp)within the config (all belongs in bgp)

A netconf replyA netconf reply

• Ex 8-5Ex 8-5

Management operationsManagement operations

• Get-config – to retrieve config file Get-config – to retrieve config file (default is running config)(default is running config)

• Get – to retrieve state information Get – to retrieve state information • Edit-config – to modify or change a Edit-config – to modify or change a

configurationconfiguration• Copy-config – to copy new configurationCopy-config – to copy new configuration• Delete-config – to remove a Delete-config – to remove a

configurationconfiguration• Lock and unlock – to protect Lock and unlock – to protect

configuration file configuration file

Netflow protocolNetflow protocol /IPFIX/IPFIX (1)(1)

• RFC 3954 (Netflow V.9) RFC 3954 (Netflow V.9)

• RFC 5101 (IPFIX- aka. Netflow V.10)RFC 5101 (IPFIX- aka. Netflow V.10)

• Netflow was introduced by cisco to collect Netflow was introduced by cisco to collect data about networking traffic from a device.data about networking traffic from a device.– Who are the top “talker” in the networkWho are the top “talker” in the network– How much traffic is being exchanged between How much traffic is being exchanged between

two destinationtwo destination– How are links in the network being usedHow are links in the network being used– Where are the traffic bottlenecks in the network?Where are the traffic bottlenecks in the network?

Netflow protocolNetflow protocol /IPFIX/IPFIX (2)(2)

• Netflow communicates statistical Netflow communicates statistical information about IP-based data traffic information about IP-based data traffic that flow over routerthat flow over router

• The statistics are provided on a The statistics are provided on a per-per-flow basisflow basis

• A flow consists of all traffic that belongs A flow consists of all traffic that belongs to the same communication contextto the same communication context– A file–transfer application ,all packets A file–transfer application ,all packets

belong to the same transferbelong to the same transfer

• Fig 8-15Fig 8-15

Flow Flow

• Identified by the following informationIdentified by the following information

• Source address/Source portSource address/Source port

• Destination address/Destination portDestination address/Destination port

• Protocol type (TCP or UDP)Protocol type (TCP or UDP)

• Type of service (TOS)Type of service (TOS)

• Input logical interface (same index in SNMP Input logical interface (same index in SNMP MIB)MIB)

• Flow record includes the keys that identify the Flow record includes the keys that identify the flow as well as the time flow as well as the time when flow started when flow started /stopped /how many packets were transported/stopped /how many packets were transported

Benefit Benefit

• Allow network managers to account for Allow network managers to account for detailed network use by individual usersdetailed network use by individual users– Charge based on actual traffic consumptionCharge based on actual traffic consumption

• Provide a wealth of data for traffic Provide a wealth of data for traffic analysis, bottleneck and network analysis, bottleneck and network planningplanning

• Provide tool to spot and defend against Provide tool to spot and defend against attacks on a network attacks on a network

Netflow Protocol Netflow Protocol

• Netflow version5 is commonly used Netflow version5 is commonly used • The newest version is RFC 3954 (version 9)The newest version is RFC 3954 (version 9)• Flow informationFlow information isis exported from the route exported from the route

r in User Datagram Protocol (UDP) or Strea r in User Datagram Protocol (UDP) or Strea m Control Transmission Protocol (SCTP) pac m Control Transmission Protocol (SCTP) pac

kets and collected using a netflow collector. kets and collected using a netflow collector.• Juniper Networks provides a similar feature Juniper Networks provides a similar feature

for its routers called for its routers called JflowJflow . .• Huawei Technology routers also support th Huawei Technology routers also support th

e same technology, but call it e same technology, but call it NetStreamNetStream

Netflow packet structureNetflow packet structure

Packet structurePacket structure

• HeaderHeader– Sequence number of the packetSequence number of the packet– The number of flow records contained in the The number of flow records contained in the

Netflow packetNetflow packet– The version number of the netflow protocol The version number of the netflow protocol

itselfitself

• Flow recordFlow record– keys to identify flow keys to identify flow – Start/finish timeStart/finish time– Statistical data Statistical data

Finishing the flowFinishing the flow

• No traffic has been detected on a No traffic has been detected on a flow for a certain timeflow for a certain time

• A packet is detected at the app-A packet is detected at the app-protocol level that the data transfer protocol level that the data transfer supported by the flow has completed supported by the flow has completed

• If a flow has been going on for a long If a flow has been going on for a long time (30 minutes) ,the router simply time (30 minutes) ,the router simply declare the flow ends and start a declare the flow ends and start a new onenew one

Management protocol Management protocol positioningpositioning