Configuring Starent Networks device to forward syslog events to QRadar

The Starent Networks DSM for IBM QRadar accepts Event, Trace, Active, and Monitor events.

About this task

Before you configure a Starent Networks device in QRadar, you must configure your Starent Networks device to forward syslog events to QRadar.

Procedure

  1. Log in to your Starent Networks device.
  2. Configure the syslog server:

    logging syslog <IP address> [facility <facilities>] [rate <value>] [pdu-verbosity <pdu_level>] [pdu-data <format>] [event-verbosity <event_level>]

    The following table describes the parameters:

    Table 1. Syslog server parameters

    syslog <IP address>
      Type the IP address of the QRadar Console or Event Collector that receives the syslog events.

    facility <facilities>
      Type the local facility to which the logging options apply. The options are as follows:

      • local0
      • local1
      • local2
      • local3
      • local4
      • local5
      • local6
      • local7

      The default is local7.

    rate <value>
      Type the maximum rate at which log entries are sent to the syslog server. This value must be an integer in the range 0 - 100000. The default is 1000 events per second.

    pdu-verbosity <pdu_level>
      Type the verbosity level for logging Protocol Data Units (PDUs). The range is 1 - 5, where 5 is the most detailed. This parameter affects only protocol logs.

    pdu-data <format>
      Type the output format for a logged PDU, as one of the following:

      • none - Displays results as raw or unformatted text.
      • hex - Displays results in hexadecimal format.
      • hex-ascii - Displays results in hexadecimal and ASCII format, similar to a mainframe dump.

    event-verbosity <event_level>
      Type the level of detail for event logging, as one of the following:

      • min - Provides minimal information about the event: event name, facility, event ID, severity level, date, and time.
      • concise - Provides detailed information about the event, but does not include the event source.
      • full - Provides detailed information about the event, including the source information that identifies the task or subsystem that generated the event.
  3. From the root prompt in Exec mode, identify the session for which the trace log is generated:

    logging trace {callid <call_id> | ipaddr <IP address> | msid <ms_id> | name <username>}

    The following table describes the parameters:

    Table 2. Trace log parameters

    callid <call_id>
      Generates a trace log for the session identified by the call identification number. This value is a 4-byte hexadecimal number.

    ipaddr <IP address>
      Generates a trace log for the session identified by the specified IP address.

    msid <ms_id>
      Generates a trace log for the session identified by the mobile station identification (MSID) number. This value must be 7 - 16 digits, specified as an IMSI, MIN, or RMI.

    name <username>
      Generates a trace log for the session identified by the username. This value is the name of a subscriber that was previously configured.

  4. In Config mode, write active logs to the active memory buffer:

    logging runtime buffer store all-events

  5. Configure a filter for the active logs:

    logging filter active facility <facility> level <report_level> [critical-info | no-critical-info]

    The following table describes the parameters:

    Table 3. Active log parameters

    facility <facility>
      Type the facility to filter on. A facility is a protocol or task that the system is running; the local facility determines which logging options apply to processes that run locally. The options are as follows:

      • local0
      • local1
      • local2
      • local3
      • local4
      • local5
      • local6
      • local7

      The default is local7.

    level <report_level>
      Type the log severity level, as one of the following:

      • critical - Logs only events that indicate a serious error is occurring and is causing the system or a system component to stop functioning. Critical is the highest severity level.
      • error - Logs events that indicate an error is occurring and is causing the system or a system component to operate in a degraded state. This level also logs events of higher severity.
      • warning - Logs events that can indicate a potential problem. This level also logs events of higher severity.
      • unusual - Logs events that are unusual and might need to be investigated. This level also logs events of higher severity.
      • info - Logs informational events and events of higher severity.
      • debug - Logs all events regardless of severity.

      Configure a level of error or critical to maximize the value of the logged information and to reduce the volume of logs that are generated.

    critical-info
      Identifies and displays events with a category attribute of critical information. Examples of these events are seen at boot time, when system processes or tasks are being initiated.

    no-critical-info
      Specifies that events with a category attribute of critical information are not displayed.

  6. Configure the monitor log targets:

    logging monitor {msid <ms_id> | username <username>}

    The following table describes the parameters:

    Table 4. Monitor log parameters

    msid <ms_id>
      Type an MSID to generate a monitor log for the session identified by the Mobile Station Identification (MSID) number. This value must be 7 - 16 digits, specified as an IMSI, MIN, or RMI.

    username <username>
      Type a user name to generate a monitor log for the session identified by that user name. The user name is the name of a subscriber that was previously configured.

  7. You are now ready to configure the log source in QRadar.

    To configure QRadar to receive events from a Starent Networks device:

    1. From the Log Source Type list, select the Starent Networks Home Agent (HA) option.

      For more information about the device, see your vendor documentation.
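The complete device-side command sequence for steps 2 through 6, as an added example that is not taken from the IBM or Starent Networks documentation. The QRadar collector address 192.0.2.10, the facility local6, the MSID and the user name are assumed placeholders; the `#` comment lines and the closing `show logging` check are not part of the page's steps and are included only as an assumed verification aid.

```text
# Added example: steps 2 to 6 on the Starent Networks device.
# Assumed values: QRadar Event Collector 192.0.2.10, facility local6,
# and the subscriber identifiers below are placeholders.

# Step 2 (Config mode): forward syslog to QRadar.
# Syslog is sent in the clear, so the collector should be reachable
# over the management network rather than across untrusted segments.
configure
  logging syslog 192.0.2.10 facility local6 rate 1000 pdu-verbosity 1 pdu-data none event-verbosity full
  # event-verbosity full keeps the task or subsystem that raised the
  # event, which QRadar needs to attribute the event to its source.
  # pdu-data none with pdu-verbosity 1 avoids shipping subscriber PDU
  # payloads (hex or hex-ascii dumps) to the SIEM unless an
  # investigation specifically requires them.

  # Step 4: keep active logs in the active memory buffer.
  logging runtime buffer store all-events

  # Step 5: filter active logs. Level error also captures critical;
  # critical-info keeps the boot-time initialisation events.
  logging filter active facility local6 level error critical-info
end

# Step 3 (Exec mode): trace one session, selected here by MSID
# (15 digits, within the 7 - 16 digit limit).
logging trace msid 310150123456789

# Step 6 (assumed Exec mode, as for step 3): monitor one subscriber.
logging monitor username subscriber01@example.com

# Assumed verification step: confirm the syslog target was accepted.
show logging
```

Use `logging trace` and `logging monitor` selectively: both key on a single subscriber identifier, so they are investigation tools rather than a standing configuration, and the resulting events still flow to QRadar through the `logging syslog` target configured in step 2.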