Configuring Starent Networks device to forward syslog events to QRadar
The Starent Networks DSM for IBM QRadar accepts Event, Trace, Active, and Monitor events.
About this task
Before you configure a Starent Networks device in QRadar, you must configure your Starent Networks device to forward syslog events to QRadar.
Procedure
- Log in to your Starent Networks device.
- Configure the syslog server:
    logging syslog <IP address> [facility <facilities>] [<rate value>] [pdu-verbosity <pdu_level>] [pdu-data <format>] [event-verbosity <event_level>]
The following table provides the necessary parameters:
Table 1. Syslog server parameters

syslog <IP address>
    Type the IP address of your QRadar.

facility <facilities>
    Type the local facility for which the logging options are applied. The options are as follows:
    - local0
    - local1
    - local2
    - local3
    - local4
    - local5
    - local6
    - local7
    The default is local7.

<rate value>
    Type the rate at which log entries are sent to the system log server. This value must be an integer 0 - 100000. The default is 1000 events per second.

pdu-verbosity <pdu_level>
    Type the level of verbosity to use when logging Protocol Data Units (PDUs). The range is 1 - 5, where 5 is the most detailed. This parameter affects only protocol logs.

pdu-data <format>
    Type the output format for the PDU when it is logged, as one of the following formats:
    - none - Displays results in raw or unformatted text.
    - hex - Displays results in hexadecimal format.
    - hex-ascii - Displays results in hexadecimal and ASCII format, similar to a mainframe dump.

event-verbosity <event_level>
    Type the level of detail to use when logging events, as one of the following:
    - min - Provides minimal information about the event, such as event name, facility, event ID, severity level, date, and time.
    - concise - Provides detailed information about the event, but does not provide the event source.
    - full - Provides detailed information about the event and includes the source information that identifies the task or subsystem that generated the event.
- From the root prompt for the Exec mode, identify the session for which the trace log is to be generated:
    logging trace {callid <call_id> | ipaddr <IP address> | msid <ms_id> | name <username>}
The following table provides the necessary parameters:
Table 2. Trace log parameters

callid <call_id>
    Indicates that a trace log is generated for a session that is identified by the call identification number. This value is a 4-byte hexadecimal number.

ipaddr <IP address>
    Indicates that a trace log is generated for a session that is identified by the specified IP address.

msid <ms_id>
    Indicates that a trace log is generated for a session that is identified by the mobile station identification (MSID) number. This value must be 7 - 16 digits, specified as an IMSI, MIN, or RMI.

name <username>
    Indicates that a trace log is generated for a session that is identified by the username. This value is the name of the subscriber that was previously configured.
- In the config mode, write active logs to the active memory buffer:
    logging runtime buffer store all-events
- Configure a filter for the active logs:
    logging filter active facility <facility> level <report_level> [critical-info | no-critical-info]
The following table provides the necessary parameters:
Table 3. Active log parameters

facility <facility>
    Type the facility message level. A facility is a protocol or task that is in use by the system. The local facility defines which logging options are applied for processes that run locally. The options are as follows:
    - local0
    - local1
    - local2
    - local3
    - local4
    - local5
    - local6
    - local7
    The default is local7.

level <report_level>
    Type the log severity level, as one of the following:
    - critical - Logs only those events that indicate a serious error is occurring and is causing the system or a system component to cease functioning. Critical is the highest severity level.
    - error - Logs events that indicate an error is occurring that causes the system or a system component to operate in a degraded state. This level also logs events with a higher severity level.
    - warning - Logs events that can indicate a potential problem. This level also logs events with a higher severity level.
    - unusual - Logs events that are unusual and might need to be investigated. This level also logs events with a higher severity level.
    - info - Logs informational events and events with a higher severity level.
    - debug - Logs all events regardless of severity.
    A level of error or critical is suggested, to maximize the value of the logged information and reduce the quantity of logs that are generated.

critical-info
    Identifies and displays events with a category attribute of critical information. Examples of these events can be seen at boot time, when system processes or tasks are being initiated.

no-critical-info
    Specifies that events with a category attribute of critical information are not displayed.
- Configure the monitor log targets:
    logging monitor {msid <ms_id> | username <username>}
The following table provides the necessary parameters:
Table 4. Monitor log parameters

msid <ms_id>
    Type an MSID to specify that a monitor log is generated for a session that is identified by the Mobile Station Identification (MSID) number. This value must be 7 - 16 digits, specified as an IMSI, MIN, or RMI.

username <username>
    Type a user name to specify that a monitor log is generated for a session that is identified by the user name. The user name is the name of the subscriber that was previously configured.
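As an added example (not from the IBM or Starent documentation), the following Python builds the `logging syslog` command from step 2 while rejecting values outside the documented ranges, and then checks, on the collector side, that the `<PRI>` prefix of arriving syslog records carries the facility that was configured on the device. The sample records are constructed and simplified; the function names and the `starent-ha` host name are assumptions.

```python
import re

# RFC 3164 facility codes for local0 - local7, the facilities the device accepts.
FACILITIES = {f"local{i}": 16 + i for i in range(8)}
EVENT_VERBOSITY = ("min", "concise", "full")
PDU_DATA = ("none", "hex", "hex-ascii")

def build_logging_syslog(ip, facility="local7", rate=1000, pdu_verbosity=None,
                         pdu_data=None, event_verbosity=None):
    """Return the 'logging syslog' command, rejecting values outside the documented ranges."""
    if facility not in FACILITIES:
        raise ValueError("facility must be local0 - local7")
    if not 0 <= rate <= 100000:
        raise ValueError("rate must be an integer 0 - 100000")
    if pdu_verbosity is not None and not 1 <= pdu_verbosity <= 5:
        raise ValueError("pdu-verbosity must be 1 - 5")
    if pdu_data is not None and pdu_data not in PDU_DATA:
        raise ValueError("pdu-data must be none, hex or hex-ascii")
    if event_verbosity is not None and event_verbosity not in EVENT_VERBOSITY:
        raise ValueError("event-verbosity must be min, concise or full")
    parts = [f"logging syslog {ip}", f"facility {facility}", str(rate)]
    if pdu_verbosity is not None:
        parts.append(f"pdu-verbosity {pdu_verbosity}")
    if pdu_data is not None:
        parts.append(f"pdu-data {pdu_data}")
    if event_verbosity is not None:
        parts.append(f"event-verbosity {event_verbosity}")
    return " ".join(parts)

def decode_pri(record):
    """Split the <PRI> prefix of a syslog record into (facility name, severity code)."""
    m = re.match(r"^<(\d{1,3})>", record)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    names = {code: name for name, code in FACILITIES.items()}
    return names.get(facility, f"facility{facility}"), severity

def facility_mismatches(records, expected="local7"):
    """Return the records whose facility is not the one configured on the device."""
    return [r for r in records if (decode_pri(r) or (None, None))[0] != expected]

# Constructed sample records (simplified; not captured from a real device):
# PRI 189 and 187 are local7 (23*8+5, 23*8+3); PRI 134 is local0 (16*8+6).
SAMPLE_RECORDS = [
    "<189>Jan 10 12:00:01 starent-ha sessmgr: session setup for subscriber user1",
    "<187>Jan 10 12:00:02 starent-ha sessmgr: session teardown failed",
    "<134>Jan 10 12:00:03 other-host sshd: accepted publickey for admin",
]
```

Records listed by `facility_mismatches` either come from another sender or from a device whose `facility` setting does not match what the QRadar log source expects.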
- You are now ready to configure the log source in QRadar.
To configure QRadar to receive events from a Starent device:
- From the Log Source Type list, select the Starent Networks Home Agent (HA) option.
For more information about the device, see your vendor documentation.