topic RE: Recommended SNMP and Syslog configuration for Security Monitoring in ExtremeSwitching (EOS)

Recommended SNMP and Syslog configuration for Security Monitoring

Martin_Shadbolt — Thu, 14 Jun 2018 06:49:00 GMT

We maintain a fleet of Extreme switches (predominantly Summit series). I'm looking for a best practice guide or similar for the configuration of SNMP and SYSLOG to ensure capture of the most important security-related events and metrics. Obviously there is much that could be enabled, but we're looking for the most valuable SNMP trap triggers and SYSLOG events, to feed into our log collection environment and SIEM platform.
Any assistance or guidance would be much appreciated.

RE: Recommended SNMP and Syslog configuration for Security Monitoring

Ronald_Dvorak — Thu, 14 Jun 2018 13:28:00 GMT

Here a link to the KB articles....

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-a-syslog-server

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-up-SNMPv3-on-EXOS

-Ron

RE: Recommended SNMP and Syslog configuration for Security Monitoring

Martin_Shadbolt — Thu, 14 Jun 2018 13:28:00 GMT

Thanks Ron, but I'm trying to understand how to do SNMP or SYSLOG generally, but rather what the best SNMP and SYSLOG settings/levels are to collect relevant security information about devices.

RE: Recommended SNMP and Syslog configuration for Security Monitoring

Frank — Thu, 14 Jun 2018 13:39:00 GMT

I don't have a "best anything" solution, but I'm using these settings:
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerFSMDegrade configure log filter DefaultFilter add events BGP.NeighborMgr.PeerEstTrans configure syslog add x.x.x.x:514 vr VR-Mgmt local5 enable log target syslog x.x.x.x:514 vr VR-Mgmt local5 configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 filter DefaultFilter severity Info configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 match Any XOS' "Info" setting isn't very spammy, but includes pretty much everything I want. And in my example, I'm interested in BGP peer states as well.

As to snmptraps, sorry, I use them only rarely. I'd rather have everything in one (syslog) place and grep the raw syslog (be that on a siem or standard syslog server or both), but that may just be me.

I know, I probably didn't help much at all, probably because I struggle with that on every device: "What is it that I could possibly want to know, how do I configure to log that, and why did I forget about that one thing that'll happen and NOT notify me". And yes, I guess you're in the same boat 😉