/cfg/slb/trevnt
Traffic Event Log Menu
You can configure Alteon to send an event log based on the traffic handled by a specific filter or virtual service. Alteon sends the log through the data port to a group of syslog servers. Traffic event logs are sent in ArcSight Common Event Log (CEF) format.
A traffic event policy defines which events Alteon logs, and to which group of syslog servers Alteon sends the event log. You can associate a traffic event log policy to filters or virtual services.
Note: Traffic event logging impacts performance. To reduce the performance impact, use sampling and/or disable or limit the number of events per second per severity (Normal or Exception).
To view the application-oriented traffic events dashboard via Cyber Controller (or APSolute Vision 4.x), perform the following steps:
1. Set up Cyber Controller (or APSolute Vision 4.x) to receive Alteon traffic events as follows:
a. Install an ADC analytics license. Traffic event-related services will start a few minutes after installing the license.
b. Configure the interface to receive Alteon events using the “net ip set” command. The interface can be the Cyber Controller (or APSolute Vision 4.x) management port or a dedicated port, except G4, which should not be used for traffic events.
c. Define the traffic events listening port. Radware recommends using the default 5140 port as it is already enabled by default.
To use a different listening port:

Log in to the Cyber Controller (or APSolute Vision 4.x) command line interface as a root user.

Open the /etc/td-agent/td-agent.conf file and edit the line that indicates “port”. Only ports 1024-65535 are supported.

Restart the td-agent service.

Open the listening port in the Cyber Controller (or APSolute Vision 4.x) firewall using the “net firewall open-port” command.
d. Verify that the relevant services are started. Make sure that the td-agent is running when invoking the “system vision-server status” command.
2. Set up Alteons to send traffic events. Perform the following for each Alteon device:
a. Make sure that you have a valid perform-subscription or secure-subscription license.
b. Globally enable the traffic event log at /cfg/slb/trevnt/on.
c. Configure remote logging at /cfg/slb/rlogging as follows:

Set the syslog server IP address to the required Cyber Controller (or APSolute Vision 4.x) interfaces (Client NAT must be defined for this server).

Use the TCP protocol (TLS is currently not supported).

Set the syslog port to the listening port defined in Cyber Controller (or APSolute Vision 4.x).
d. Configure your traffic event policy at /cfg/slb/trevnt/trevpol as follows:

Enable Unified Event. (Cyber Controller (or APSolute Vision 4.x) supports only the Unified Event type.)

Associate the remote logging to the traffic event policy.

If required, adjust the number of events per second sent for each event severity to reduce the performance impact and/or DB capacity utilization.
You can use the request per second chart available in the Application dashboard to identify the average number of requests that this application handles.
Note that Cyber Controller (or APSolute Vision 4.x) accepts up to 1000 events per second in total from all the applications.

Associate the traffic event policy to the required virtual services.
3. Make sure that the date and time are accurate in Alteon, Cyber Controller (or APSolute Vision 4.x), and your client PC.
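Because traffic events reach the syslog receiver as CEF records over TCP, parsing a captured line is a quick way to confirm what a traffic event policy actually emits. The following is an added example, not Radware code: a small CEF parser in Python that honors the format's escaping rules (`\|` in the header, `\=` in the extension). The sample line, its vendor and product names, and its field values are constructed placeholders, not real Alteon output.

```python
import re

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
HEADER_ESC = {"|": "|", "\\": "\\"}
EXT_ESC = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")   # key followed by an unescaped '='

def unescape(text, table):
    # Unknown escapes are left untouched rather than guessed at.
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), text)

def split_header(body):
    """Split on unescaped '|'; everything after the 7th pipe is the extension."""
    fields, cur, i = [], "", 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur, i = cur + body[i:i + 2], i + 2      # keep escape pair intact
        elif body[i] == "|" and len(fields) < 7:
            fields, cur, i = fields + [cur], "", i + 1
        else:
            cur, i = cur + body[i], i + 1
    return fields + [cur]

def parse_extension(ext):
    pairs, hits = {}, list(KEY.finditer(ext))
    for hit, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(ext)       # value may contain spaces
        pairs[hit.group(1)] = unescape(ext[hit.end():end], EXT_ESC)
    return pairs

def parse_cef(line):
    start = line.find("CEF:")                        # skip any syslog prefix
    if start < 0:
        raise ValueError("no CEF header in line")
    fields = split_header(line[start + 4:])
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event = {k: unescape(v, HEADER_ESC) for k, v in zip(HEADER, fields)}
    event["extension"] = parse_extension(fields[7]) if len(fields) > 7 else {}
    return event

# Constructed sample line: placeholder vendor, product and field values.
SAMPLE = (r"<134>Jan 10 12:00:01 adc1 CEF:0|ExampleVendor|ExampleADC|1.0|100|"
          r"unified \| normal|3|src=192.0.2.10 dpt=443 request=/search?q\=a b msg=ok")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```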
[Traffic Event Log Menu]
    trevpol - Traffic Event Log Policy Menu
    on      - Globally turn Traffic Event Logging ON
    off     - Globally turn Traffic Event Logging OFF
    cur     - Display current Traffic Event Log configuration
Traffic Event Log Menu Options (/cfg/slb/trevnt)
| Command Syntax | Usage |
|---|---|
| trevpol | Displays the Traffic Event Log Policy menu. To view this menu, see /cfg/slb/trevnt/trevpol Traffic Event Log Policy Menu. |
| on | Enables traffic event logging. |
| off | Disables traffic event logging. |
| cur | Displays the current traffic event log configuration. |