Log Information Security

Function Description

Logs record information, such as user operations on devices and device running status. Stored as log files on devices, logs help network administrators monitor the running status of routers and diagnose network faults.

Security Policy

Log security relies on access-mode authentication and socket security. Only administrators have permission to view logs. Logs can be viewed in the following modes:

  1. A user accesses a device to view logs using command lines.

  2. A user copies log files to a local disk over SFTP.

  3. A user sends logs to the log server when a log host is configured.

In each of the preceding modes, a user must first be authenticated by password, SSL, AAA, or public-key authentication and successfully access the device before viewing logs online or obtaining log files.

To help securely transmit log files, using SSL encryption over TCP is recommended.

Configuration and Maintenance Methods

For configuration and maintenance methods, see the information on the console, Telnet, SSH, TFTP, and socket authentication modes.

Using the TCP-based SSL encryption mode for log transmission on a VPN is recommended:

  1. Configure a VPN.
    [~HUAWEI] ip vpn-instance vrf2
    [*HUAWEI-vpn-instance-vrf2] route-distinguisher 2:2
    [*HUAWEI-vpn-instance-vrf2-af-ipv4] commit
    [~HUAWEI-vpn-instance-vrf2-af-ipv4] quit
    [~HUAWEI-vpn-instance-vrf2] vpn-target 2:2
    IVT Assignment result:
    Info: VPN-Target assignment is successful.
    EVT Assignment result:
    Info: VPN-Target assignment is successful.
    [*HUAWEI-vpn-instance-vrf2] commit
    [~HUAWEI-vpn-instance-vrf2] quit
    [~HUAWEI] interface gigabitethernet0/1/0
    [~HUAWEI-GigabitEthernet0/1/0] ip binding vpn-instance vrf2
    [*HUAWEI-GigabitEthernet0/1/0] ip address 10.137.130.245 255.255.254.0
    [*HUAWEI-GigabitEthernet0/1/0] commit
  2. Configure an SSL policy and load certificates.
    [~HUAWEI] ssl policy huawei2014
    [*HUAWEI-ssl-policy-huawei2014] certificate load pem-cert servercert.pem key-pair dsa key-file serverkey.pem auth-code cipher huawei-123456
    [*HUAWEI-ssl-policy-huawei2014] crl load pem-crl server.pem
    [*HUAWEI-ssl-policy-huawei2014] trusted-ca load asn1-ca servercert.der
    [*HUAWEI-ssl-policy-huawei2014] commit
    [~HUAWEI-ssl-policy-huawei2014] quit
  3. Configure a log host with a VPN attribute, with the TCP-based SSL encryption mode for log transmission.
    [~HUAWEI] info-center loghost 10.137.130.245 vpn-instance vrf2 transport tcp ssl-policy huawei2014
    [*HUAWEI] commit
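
The check below is an added example, not part of the original documentation: it audits a saved configuration for log hosts that lack the `transport tcp ssl-policy` setting from step 3, or that reference an SSL policy without the certificate loads from step 2. The sample configuration, its layout (view commands indented under the view header), the 192.0.2.x hosts, and the function names are assumptions; requiring the certificate and trusted CA but not the CRL is this example's choice.

```python
import re

# Constructed sample of a saved configuration. Assumed layout: view header at
# column 0, commands inside the view indented, '#' between sections.
SAMPLE_CONFIG = """\
ssl policy huawei2014
 certificate load pem-cert servercert.pem key-pair dsa key-file serverkey.pem
 crl load pem-crl server.pem
 trusted-ca load asn1-ca servercert.der
#
ssl policy empty2014
#
info-center loghost 10.137.130.245 vpn-instance vrf2 transport tcp ssl-policy huawei2014
info-center loghost 192.0.2.10
info-center loghost 192.0.2.11 transport tcp ssl-policy missing2014
info-center loghost 192.0.2.12 transport tcp ssl-policy empty2014
"""

def parse_ssl_policies(config):
    """Map each 'ssl policy <name>' view to the set of '<item> load' commands in it."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"ssl policy (\S+)\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), set())
        elif current is not None and (m := re.match(r"\s+(certificate|trusted-ca|crl) load\b", line)):
            current.add(m.group(1))
        elif not line.startswith(" "):
            current = None  # any non-indented line closes the view
    return policies

def audit_loghosts(config):
    """Return (host, finding) pairs for log hosts not set up as in steps 2 and 3."""
    policies, findings = parse_ssl_policies(config), []
    for m in re.finditer(r"^info-center loghost (\S+)(.*)$", config, re.M):
        host, rest = m.groups()
        ssl = re.search(r"\btransport tcp ssl-policy (\S+)", rest)
        if not ssl:
            findings.append((host, "no 'transport tcp ssl-policy' on log host"))
        elif ssl.group(1) not in policies:
            findings.append((host, f"ssl policy '{ssl.group(1)}' is not defined"))
        else:
            missing = {"certificate", "trusted-ca"} - policies[ssl.group(1)]
            if missing:
                findings.append((host, "policy lacks: " + ", ".join(sorted(missing))))
    return findings

if __name__ == "__main__":
    print(*audit_loghosts(SAMPLE_CONFIG), sep="\n")
```

Only the first log host in the sample, which matches the configuration shown in steps 2 and 3, passes without a finding.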

Configuration and Maintenance Suggestions

See the configuration and maintenance suggestions for console, Telnet, SSH, FTP, TFTP, and socket. Using TCP-based SSL encryption to transmit log files helps prevent unauthorized users from obtaining packets.

Copyright © Huawei Technologies Co., Ltd.