Recommended SNMP and Syslog configuration for Security Monitoring

  • Question
  • Updated 3 months ago
  • Answered
We maintain a fleet of Extreme switches (predominantly Summit series). I'm looking for a best practice guide or similar for the configuration of SNMP and SYSLOG to ensure capture of the most important security-related events and metrics. Obviously there is much that could be enabled, but we're looking for the most valuable SNMP trap triggers and SYSLOG events, to feed into our log collection environment and SIEM platform.
Any assistance or guidance would be much appreciated.
Martin Shadbolt
Posted 3 months ago

Ronald Dvorak, Embassador
Martin Shadbolt
Thanks Ron, but I'm not trying to understand how to do SNMP or SYSLOG generally, but rather what the best SNMP and SYSLOG settings/levels are to collect relevant security information about devices.
Frank
I don't have a "best anything" solution, but I'm using these settings:
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerFSMDegrade
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerEstTrans
configure syslog add x.x.x.x:514 vr VR-Mgmt local5
enable log target syslog x.x.x.x:514 vr VR-Mgmt local5
configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 filter DefaultFilter severity Info
configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 match Any
XOS' "Info" setting isn't very spammy, but includes pretty much everything I want. And in my example, I'm interested in BGP peer states as well.

As to snmptraps, sorry, I use them only rarely. I'd rather have everything in one (syslog) place and grep the raw syslog (be that on a siem or standard syslog server or both), but that may just be me.

I know, I probably didn't help much at all, probably because I struggle with that on every device: "What is it that I could possibly want to know, how do I configure to log that, and why did I forget about that one thing that'll happen and NOT notify me". And yes, I guess you're in the same boat ;)
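As an added example (not code from the thread or from Extreme Networks), the script below shows what the "severity Info" cut in Frank's target configuration means once the lines reach a collector, and how the component.condition names he filters on (BGP.NeighborMgr.PeerFSMDegrade, BGP.NeighborMgr.PeerEstTrans) can be mapped to SIEM alert tags. It assumes the `<Severity:Component.Condition> text` message format that those event names belong to; the sample lines, hostnames and addresses are constructed, and the non-BGP event names (AAA.authFail, CM.configChanged) are placeholders to be checked against the switch's own event list.

```python
"""Triage EXOS-style syslog lines before SIEM ingestion.

Added example; not from the forum thread or the vendor. Assumes the
"<Severity:Component.Condition> message" layout seen in Frank's event names.
Sample lines and the non-BGP event names are constructed placeholders.
"""
import re
from collections import Counter

# EXOS log severities, most to least severe. A target configured with
# "severity Info" forwards Info and everything more severe than Info.
SEVERITY_ORDER = [
    "Critical", "Error", "Warning", "Notice", "Info",
    "Debug-Summary", "Debug-Verbose", "Debug-Data",
]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# <Sev:Component.Condition> followed by free-text message body.
EVENT_RE = re.compile(r"<(?P<sev>[A-Za-z-]+):(?P<event>[A-Za-z0-9_.]+)>\s*(?P<text>.*)$")

# Events promoted to SIEM alerts. The two BGP names are the ones Frank added
# to DefaultFilter; AAA.authFail and CM.configChanged are placeholder names
# for illustration only (verify real names on your own firmware).
WATCHLIST = {
    "BGP.NeighborMgr.PeerFSMDegrade": "routing-peer-degraded",
    "BGP.NeighborMgr.PeerEstTrans": "routing-peer-state-change",
    "AAA.authFail": "failed-login",
    "CM.configChanged": "config-change",
}


def parse_event(line):
    """Return {'sev', 'event', 'text'} for a line in the assumed format, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    if fields["sev"] not in SEVERITY_RANK:
        return None
    return fields


def passes_severity(sev, threshold="Info"):
    """True if sev is at least as severe as threshold (the 'severity Info' rule)."""
    return SEVERITY_RANK[sev] <= SEVERITY_RANK[threshold]


def triage(lines, threshold="Info"):
    """Apply the severity cut, then tag watchlisted events.

    Returns (alerts, dropped_count, per_event_counts).
    """
    alerts, dropped, counts = [], 0, Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or not passes_severity(ev["sev"], threshold):
            dropped += 1          # unparseable or below the configured severity
            continue
        counts[ev["event"]] += 1  # volume per event helps spot a noisy condition
        tag = WATCHLIST.get(ev["event"])
        if tag:
            alerts.append({"tag": tag, "severity": ev["sev"],
                           "event": ev["event"], "text": ev["text"]})
    return alerts, dropped, counts


# Constructed sample lines (not real switch output); host and IPs are placeholders.
SAMPLE_LINES = [
    "Jan 12 10:00:01 sw1 <Info:BGP.NeighborMgr.PeerEstTrans> Peer 192.0.2.2 transitioned to Established",
    "Jan 12 10:00:05 sw1 <Warning:BGP.NeighborMgr.PeerFSMDegrade> Peer 192.0.2.2 degraded from Established",
    "Jan 12 10:01:10 sw1 <Warning:AAA.authFail> Login failed for user admin through ssh (198.51.100.7)",
    "Jan 12 10:02:00 sw1 <Debug-Summary:BGP.NeighborMgr.PeerEstTrans> keepalive detail",
    "Jan 12 10:03:00 sw1 <Info:CM.configChanged> Configuration changed by user admin",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    found, skipped, volume = triage(SAMPLE_LINES)
    for a in found:
        print(f"{a['tag']:26} {a['severity']:8} {a['event']}: {a['text']}")
    print(f"dropped={skipped} counts={dict(volume)}")
```

Raising the threshold to "Warning" drops the two Info-level lines as well, which is the trade-off Frank describes: a stricter severity keeps the feed quiet but silently loses the config-change and peer-up events.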