We maintain a fleet of Extreme switches (predominantly Summit series). I'm looking for a best practice guide or similar for the configuration of SNMP and SYSLOG to ensure capture of the most important security-related events and metrics. Obviously there is much that could be enabled, but we're looking for the most valuable SNMP trap triggers and SYSLOG events, to feed into our log collection environment and SIEM platform.
Any assistance or guidance would be much appreciated.
I don't have a "best anything" solution, but I'm using these settings:
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerFSMDegrade
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerEstTrans
configure syslog add x.x.x.x:514 vr VR-Mgmt local5
enable log target syslog x.x.x.x:514 vr VR-Mgmt local5
configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 filter DefaultFilter severity Info
configure log target syslog x.x.x.x:514 vr VR-Mgmt local5 match Any

XOS's "Info" setting isn't very spammy, but includes pretty much everything I want. And in my example, I'm interested in BGP peer states as well.
As to SNMP traps, sorry, I use them only rarely. I'd rather have everything in one (syslog) place and grep the raw syslog (be that on a SIEM or a standard syslog server, or both), but that may just be me.
I know, I probably didn't help much at all, probably because I struggle with that on every device: "What is it that I could possibly want to know, how do I configure to log that, and why did I forget about that one thing that'll happen and NOT notify me". And yes, I guess you're in the same boat 😉
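To show what the collector side of the setup above can do with the feed, here is an added example (my own code, not from the original poster or from Extreme): it parses syslog lines as an EXOS target configured with facility local5 and severity Info would send them, checks that each line really arrived on local5 (PRI 174 = facility 21 * 8 + severity 6), and promotes a small watchlist of event conditions to SIEM alerts. The two BGP conditions are the ones named in the answer; the `AAA.authFail` / `AAA.authPass` names, the `<Severity:Component.Condition>` line layout and the `(ip)` suffix in login messages are assumptions, and the sample lines are constructed, not real switch output.

```python
"""Triage EXOS syslog lines (facility local5) and map watch-listed events to SIEM alerts.

Added example, not from the original post. The line layout and the AAA event
names are assumptions; SAMPLE_LINES are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# RFC 3164 PRI = facility * 8 + severity. EXOS "local5" is facility 21 and
# the "Info" severity used in the post's config is syslog severity 6.
FACILITY_LOCAL5 = 21
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Event conditions to promote to alerts. The two BGP entries are the ones
# named in the post; AAA.authFail / AAA.authPass are ASSUMED names for
# failed and successful logins, used only to show the pattern.
WATCHLIST = {
    "BGP.NeighborMgr.PeerEstTrans": "bgp_peer_state_change",
    "BGP.NeighborMgr.PeerFSMDegrade": "bgp_peer_fsm_degrade",
    "AAA.authFail": "login_failure",   # assumed event name
    "AAA.authPass": "login_success",   # assumed event name
}

# Assumed line layout: <PRI>Mon dd hh:mm:ss host <Severity:Component.Condition> text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"<(?P<sev>[A-Za-z]+):(?P<event>[A-Za-z0-9_.]+)> "
    r"(?P<msg>.*)$"
)


@dataclass
class ExosEvent:
    host: str
    facility: int
    severity: str
    event: str
    message: str
    alert: Optional[str]   # SIEM alert name, or None when not watch-listed


def parse_line(line: str) -> Optional[ExosEvent]:
    """Return the parsed event, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    facility, sev_num = divmod(int(m.group("pri")), 8)
    event = m.group("event")
    return ExosEvent(
        host=m.group("host"),
        facility=facility,
        severity=SEVERITY_NAMES[sev_num],
        event=event,
        message=m.group("msg"),
        alert=WATCHLIST.get(event),
    )


def triage(lines, expect_facility=FACILITY_LOCAL5):
    """Split a batch of lines into (alerts, noise, dropped).

    alerts  - watch-listed events (ExosEvent)
    noise   - parsed but not watch-listed; kept for grep, not alerted on
    dropped - unparseable lines or lines on the wrong facility; a switch
              logging to the wrong facility is itself worth noticing
    """
    alerts, noise, dropped = [], [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.facility != expect_facility:
            dropped.append(line)
        elif ev.alert:
            alerts.append(ev)
        else:
            noise.append(ev)
    return alerts, noise, dropped


def failed_logins_by_source(alerts):
    """Count login_failure alerts per source IP, assuming a trailing '(ip)' in the text."""
    ip_re = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s*$")
    counts = Counter()
    for ev in alerts:
        if ev.alert == "login_failure":
            m = ip_re.search(ev.message)
            counts[m.group(1) if m else "unknown"] += 1
    return counts


# Constructed sample input (not real switch output). PRI 174 = local5/info,
# PRI 150 = local2/info, i.e. a switch whose syslog target was misconfigured.
SAMPLE_LINES = [
    "<174>Mar  3 10:15:01 sw-core-1 <Info:BGP.NeighborMgr.PeerEstTrans> Peer 10.0.0.2 transitioned to Established",
    "<174>Mar  3 10:15:02 sw-core-1 <Info:AAA.authFail> Login failed for user admin through ssh (192.0.2.10)",
    "<174>Mar  3 10:15:03 sw-core-1 <Info:AAA.authFail> Login failed for user admin through ssh (192.0.2.10)",
    "<174>Mar  3 10:15:04 sw-core-1 <Info:AAA.authPass> Login passed for user netops through ssh (192.0.2.11)",
    "<174>Mar  3 10:15:05 sw-core-1 <Info:Example.Routine> constructed routine message, not alert-worthy",
    "<150>Mar  3 10:15:06 sw-edge-7 <Info:AAA.authFail> Login failed for user admin through ssh (192.0.2.10)",
    "this is not a syslog line",
]

if __name__ == "__main__":
    alerts, noise, dropped = triage(SAMPLE_LINES)
    for ev in alerts:
        print(f"ALERT {ev.alert:22} {ev.host} {ev.event}: {ev.message}")
    print("noise:", len(noise), "dropped:", len(dropped))
    print("failed logins by source:", dict(failed_logins_by_source(alerts)))
```

The facility check is the part worth keeping even if you swap the regex for your collector's own parser: when a switch is provisioned with the wrong `vr` or facility, its events land in the wrong bucket and silently miss the alert rules, so count the dropped lines per host rather than discarding them.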