We maintain a fleet of Extreme switches (predominantly Summit series). I'm looking for a best practice guide or similar for the configuration of SNMP and SYSLOG to ensure capture of the most important security-related events and metrics. Obviously there is much that could be enabled, but we're looking for the most valuable SNMP trap triggers and SYSLOG events, to feed into our log collection environment and SIEM platform.
Any assistance or guidance would be much appreciated.
Userlevel 5
I don't have a "best anything" solution, but I'm using these settings:
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerFSMDegrade configure log filter DefaultFilter add events BGP.NeighborMgr.PeerEstTrans configure syslog add x.x.x.x:514 vr VR-Mgmt local5 enable log target syslog x.x.x.x:514 vr VR-Mgmt local5 configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 filter DefaultFilter severity Info configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 match Any [/code]XOS' "Info" setting isn't very spammy, but includes pretty much everything I want. And in my example, I'm interested in BGP peer states as well.
As to snmptraps, sorry, I use them only rarely. I'd rather have everything in one (syslog) place and grep the raw syslog (be that on a siem or standard syslog server or both), but that may just be me.
I know, I probably didn't help much at all, probably because I struggle with that on every device: "What is it that I could possibly want to know, how do I configure to log that, and why did I forget about that one thing that'll happen and NOT notify me". And yes, I guess you're in the same boat
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerFSMDegrade configure log filter DefaultFilter add events BGP.NeighborMgr.PeerEstTrans configure syslog add x.x.x.x:514 vr VR-Mgmt local5 enable log target syslog x.x.x.x:514 vr VR-Mgmt local5 configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 filter DefaultFilter severity Info configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 match Any [/code]XOS' "Info" setting isn't very spammy, but includes pretty much everything I want. And in my example, I'm interested in BGP peer states as well.
As to snmptraps, sorry, I use them only rarely. I'd rather have everything in one (syslog) place and grep the raw syslog (be that on a siem or standard syslog server or both), but that may just be me.
I know, I probably didn't help much at all, probably because I struggle with that on every device: "What is it that I could possibly want to know, how do I configure to log that, and why did I forget about that one thing that'll happen and NOT notify me". And yes, I guess you're in the same boat
Ron wrote:
Thanks Ron, but I'm trying to understand how to do SNMP or SYSLOG generally, but rather what the best SNMP and SYSLOG settings/levels are to collect relevant security information about devices.
Here a link to the KB articles....
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-a-syslog-server
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-up-SNMPv3-on-EXOS
-Ron
Userlevel 7
Reply
Help
Shortcuts
Bold
Ctrl-B or Cmd-B
Italic
Ctrl-I or Cmd-I
Underline
Ctrl-U or Cmd-U
@Mention
@username
Upload image
Maximum file size: 2MB. Allowed image types: .jpg, .png, .gif.
Embed media
Supported platforms: YouTube, Soundcloud, Deezer, Vimeo, Dailymotion.
Enter your username or e-mail address to receive an e-mail with instructions to reset your password.