/cfg/slb/rlogging
Remote Logging Menu
You can configure Alteon to send an event log based on the traffic handled by a specific filter or virtual service. Alteon sends the log through the data port to a group of syslog servers. Traffic event logs are sent in ArcSight Common Event Log (CEF) format.
A traffic event policy defines which events Alteon logs, and to which group of syslog servers Alteon sends the event log. You can associate a traffic event log policy to filters or virtual services.
Note: Traffic event logging impacts performance. To reduce the performance impact, use sampling and/or disable or limit the number of events per second per severity (Normal or Exception).
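As an added example (not Radware code), the following Python sketch parses a CEF record the way a collector on the syslog listening port would need to, including the escaped `\|` and `\=` characters that break naive splitting. The sample line, with its vendor, product and field values, is constructed for illustration and is not real Alteon output.

```python
import re

# Constructed sample: syslog prefix + CEF record. Values are illustrative only.
SAMPLE = ("<134>Jan 10 12:00:01 alteon1 CEF:0|ExampleVendor|ExampleADC|1.0|100|"
          r"Unified \| Event|3|src=192.0.2.10 dst=198.51.100.5 dpt=443 "
          r"request=/login?next\=/home msg=closed by client")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")

def _split_header(body, n=len(HEADER_FIELDS)):
    """Split the first n pipe-delimited fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < n:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped character: keep literally
            cur.append(body[i + 1])
            i += 2
        elif c == "|":                         # unescaped pipe ends the field
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, body[i:]                    # remainder is the extension

def _unescape_value(v):
    # In extension values, \n and \r denote line breaks; \= and \\ are literals.
    return re.sub(r"\\(.)",
                  lambda m: "\n" if m.group(1) in "nr" else m.group(1), v)

def parse_cef(line):
    start = line.find("CEF:")                  # skip any syslog prefix
    if start < 0:
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[start + 4:])
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_FIELDS, fields))
    # A value runs until the next " key=" (unescaped '=') or end of line,
    # so values may contain spaces.
    pairs = re.findall(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)", ext)
    event["extension"] = {k: _unescape_value(v) for k, v in pairs}
    return event

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```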
To view the application-oriented traffic events dashboard via Cyber Controller (or APSolute Vision 4.x), perform the following steps:
1. Set up Cyber Controller (or APSolute Vision 4.x) to receive Alteon traffic events as follows:
a. Install an ADC analytics license. Traffic event-related services will start a few minutes after installing the license.
b. Configure the interface to receive Alteon events using the “net ip set” command. The interface can be the Cyber Controller (or APSolute Vision 4.x) management port or a dedicated port, except G4 which should not be used for traffic events.
c. Define the traffic events listening port. Radware recommends using the default 5140 port as it is already enabled by default.
To use a different listening port:

Log in to the Cyber Controller (or APSolute Vision 4.x) command line interface as a root user.

Open the /etc/td-agent/td-agent.conf file and edit the line that indicates “port”. Only ports 1024-65535 are supported.

Restart the td-agent service.

Open the listening port in the Cyber Controller (or APSolute Vision 4.x) firewall using the “net firewall open-port” command.
d. Verify that the relevant services are started. Make sure that the td-agent is running when invoking the “system vision-server status” command.
2. Set up Alteons to send traffic events. Perform the following for each Alteon device:
a. Make sure that you have a valid perform-subscription or secure-subscription license.
b. Globally enable the traffic event log at /cfg/slb/trevnt/on.
c. Configure remote logging at /cfg/slb/rlogging as follows:

Set the syslog server IP address to the required Cyber Controller (or APSolute Vision 4.x) interfaces (Client NAT must be defined for this server).

Use the TCP protocol (TLS is currently not supported).

Set the syslog port to the listening port defined in Cyber Controller (or APSolute Vision 4.x).
d. Configure your traffic event policy at /cfg/slb/trevnt/trevpol as follows:

Enable Unified Event. (Cyber Controller (or APSolute Vision 4.x) supports only the Unified Event type.)

Associate the remote logging to the traffic event policy.

If required, adjust the number of events per second sent for each event severity to reduce the performance impact and/or DB capacity utilization.
You can use the request per second chart available in the Application dashboard to identify the average number of requests that this application handles.
Note that Cyber Controller (or APSolute Vision 4.x) accepts up to 1000 events per second in total from all the applications.

Associate the traffic event policy to the required virtual services.
3. Make sure that the date and time are accurate in Alteon, Cyber Controller (or APSolute Vision 4.x), and your client PC.
[Remote Logging 44 Menu]
    proto  - Set remote logging protocol type
    port   - Set remote logging server port
    path   - Set remote logging path (management or data)
    group  - Set remote logging group
    sslpol - Set remote logging SSL policy
    ena    - Enable remote logging server
    dis    - Disable remote logging server
    del    - Delete remote logging ID
    cur    - Display current remote logging configuration
Remote Logging Menu Options (/cfg/slb/rlogging)
| Command Syntax | Usage |
|---|---|
| proto [udp\|tcp] | Specifies the protocol for connecting with the group of syslog servers. Default: udp |
| port [1-65535] | Specifies the port for connecting with the group of syslog servers. Default: 514 |
| path | Specifies the remote logging path, that is, whether events are sent via the data port or the management port. Values: mgmt, data. Default: data |
| group | Specifies the group of syslog servers to which Alteon sends the event log. For a UDP syslog group: the syslog group must be set with the round robin metric. The group health check must be ICMP or a Script health check that opens the UDP port (in this case also enable always). For a TCP syslog group (Alteon version 32.2.1 and later only): the client NAT must be set for the traffic to the syslog servers (either pip on real or pip per port). The SSL Policy ID is used to send traffic events over TLS. When using syslog over TCP, an SSL policy with back-end encryption enabled (and front-end encryption disabled) can be associated to the remote logging. |
| sslpol | The SSL policy used to send traffic events over TLS. |
| ena | Enables the current remote logging server. |
| dis | Disables the current remote logging server. |
| del | Deletes the current remote logging ID. |
| cur | Displays the current remote logging configuration. |