Employee

Logging OSPF FULL transition events to syslog

I was working with an organization recently that wanted to log OSPF transition events on their Check Point gateways to syslog so that they could alert on them using the same method as their routers and switches. After turning on Remote System Logging in the Gaia Web UI, their syslog server was getting inundated with Check Point messages. The one gateway that was enabled was accounting for well over 30% of their total logs, and this was the first of 30+ gateways in a device pool of several hundred devices. Needless to say, they didn't want all the noise in syslog, but what to do?

I'll save you all the pain of most of the trial and error and just get to the good stuff. The end result is that we are now successfully logging only events that transition from FULL -> something else, or back to FULL status, and this is exactly what the customer needed.

  • To begin, we know that OSPF events are logged to /var/log/routed.log and we will need to extract them from there.

# tail -n 0 -F /var/log/routed.log

  • And, we know that we only want transition events where there has been a neighbor change to/from the FULL state.

# tail -n 0 -F /var/log/routed.log | grep -E 'FULL ->|-> FULL'

But now how to get it to syslog?

You may or may not be familiar with the command logger, but simply put: logger makes entries in the system log.  Read all about it here.

So now we put it all together and it works, right?

# tail -n 0 -F /var/log/routed.log | grep -E 'FULL ->|-> FULL' | logger

Not quite.  It's moving messages to syslog, but they are showing up as info messages.  Configuring the Remote System Logging to send only info messages still sends an inordinate amount of chatter.  But there is hope, in the form of the switch -p / --priority.

  • So now we add the classification to make it an emergency message and configure Remote System Logging to send only emergency messages.

# tail -n 0 -F /var/log/routed.log | grep -E 'FULL ->|-> FULL' | logger -p syslog.emerg

Almost there. This is simple enough to run at the command line and does what we want it to, but we need it automated. We don't want to have to start this manually, so we need to add it as a scheduled job.

Weird behavior, and I didn't troubleshoot this at all, but for some reason the command above does not work as a scheduled job. I think it's because of the multi-pipe, so I devised a two-step approach to accomplish the same thing.

Job 1

# tail -n 0 -F /var/log/routed.log | grep --line-buffered -E 'FULL ->|-> FULL' >> /var/log/OSPF_script.log

*Note the addition of the --line-buffered switch on the grep command; this is because we are now appending to a file.

Job 2

# tail -n 0 -F /var/log/OSPF_script.log | logger -p syslog.emerg

Run both jobs on startup and reboot, then voila! Now OSPF FULL transition events are being sent to the syslog server of choice. Many thanks to Jian Wu, @Sundeep Mudgal, and @Thurston Zhu for working through the tail and grep commands with me until we got the right combo 🙂

This may not be the most elegant way to do this, so comments are always appreciated.  Ultimately, the solution works and the customer is happy so I figured I would share with the world since we couldn't find anything similar online and asking around yielded some suggestions but nothing concrete.
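As an added example (not the original poster's commands), the script below folds Job 1 and Job 2 into one process that the scheduler can start as a single command, keeps the post's regex and its syslog.emerg priority, and goes a little further by stamping each message with an UP/DOWN direction and a logger tag so the receiving SIEM can match on them. The sample routed.log lines, the tag name and the script's argument handling are assumptions, not taken from Gaia.

```shell
#!/bin/sh
# Added example, not the original poster's commands: one process replaces
# Job 1 + Job 2 so the scheduler launches a single command, not a quoted
# multi-pipe. Tag, default priority and sample lines are assumptions.
ROUTED_LOG="${ROUTED_LOG:-/var/log/routed.log}"   # path named in the post
PRIORITY="${PRIORITY:-syslog.emerg}"              # the post's priority choice
TAG="${TAG:-ospf-nbr}"                            # assumed tag for SIEM matching

# Constructed sample lines (the real routed.log wording may differ).
SAMPLE_DOWN='Jan 10 12:00:01 OSPF: nbr 10.0.0.2 state change FULL -> DOWN'
SAMPLE_UP='Jan 10 12:05:42 OSPF: nbr 10.0.0.2 state change LOADING -> FULL'
SAMPLE_NOISE='Jan 10 12:05:43 OSPF: nbr 10.0.0.2 state change INIT -> 2WAY'

# Exit 0 when a line records a neighbor leaving or reaching FULL
# (the same pattern the post feeds to grep -E).
is_full_transition() {
    printf '%s\n' "$1" | grep -qE 'FULL ->|-> FULL'
}

# Print UP for "<state> -> FULL", DOWN for "FULL -> <state>", OTHER otherwise,
# so loss of an adjacency and its recovery can be alerted on differently.
transition_direction() {
    case "$1" in
        *"-> FULL"*) echo UP ;;
        *"FULL ->"*) echo DOWN ;;
        *)           echo OTHER ;;
    esac
}

# Build the syslog message; the direction comes first for easy matching.
format_event() {
    printf 'OSPF neighbor %s: %s\n' "$(transition_direction "$1")" "$1"
}

# Read lines from stdin (the tail), drop everything that is not a FULL
# transition, and hand each remaining line to logger. Each line is handled
# as it arrives, so no intermediate file or --line-buffered flush is needed.
forward_stream() {
    while IFS= read -r line; do
        is_full_transition "$line" || continue
        format_event "$line" | logger -t "$TAG" -p "$PRIORITY"
    done
}

# Scheduled-job entry point. Guarded by --run so that sourcing this file
# (e.g. to exercise the functions) does not start the never-ending tail.
if [ "${1:-}" = "--run" ]; then
    tail -n 0 -F "$ROUTED_LOG" | forward_stream
fi
```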

7 Replies
Vladimir
Pearl

Re: Logging OSPF FULL transition events to syslog

Well, I am not sure if this approach will be any less convoluted, but it may be worth looking into.

According to:

You should be able to define SNMP traps for OSPF, which (again) should include state transition trap.

It could be piped into SmartEvent and subsequently to the Cplog2Syslog utility running on the management server, and then to the SIEM.

Employee

Re: Logging OSPF FULL transition events to syslog

Hi Vladimir, I did some testing in R77.30 and R80.10, but didn't get the specific alerts for OSPF up/down events. If you found something built into the Gaia portal or CLI options, we would love to hear what the magic trick is.

Vladimir
Pearl

Re: Logging OSPF FULL transition events to syslog

You didn't really expect to simply choose the preconfigured trap? :)

Look into "(IV-2) Advanced SNMP configuration - Custom SNMP traps" in sk90860.

You may have to load the OSPF MIBs yourself and reference the appropriate OIDs.

Employee

Re: Logging OSPF FULL transition events to syslog

Thanks, Vladimir. The custom SNMP trap looks like a good idea. However, I am having trouble finding OID information related to routing/OSPF. Maybe someone on this forum can point us in the right direction.

I did find some useful sites that might help others with Check Point MIB:
-MIB Depot-
http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&i=1&n=CHECKPOINT-MIB&r=checkpoint&f=CHECKPOINT...

-Check Point MIB files-

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

It looks like someone in the community found the OID for routeD, but I am not sure where they got it from:
https://community.checkpoint.com/thread/6920-routed-process-util-checkmonitor

Vladimir
Pearl

Re: Logging OSPF FULL transition events to syslog

I suspect that you may actually have better luck with a TAC ticket. They should know where to route this query.

Some of the heavy hitters are at Bangkok now and it may take them a while to get back to you.

Vladimir Yakovlev

973.558.2738

vlad@eversecgroup.com

VENKAT_S_P
Copper

Re: Logging OSPF FULL transition events to syslog

Try this OID to get the neighbor state:
.1.3.6.1.2.1.14.10.1.6

MIB location:
/usr/share/snmp/mibs

##########
ospfNbrState OBJECT-TYPE
    SYNTAX INTEGER {
        down (1),
        attempt (2),
        init (3),
        twoWay (4),
        exchangeStart (5),
        exchange (6),
        loading (7),
        full (8)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The state of the relationship with this neighbor."
    REFERENCE
        "OSPF Version 2, Section 10.1 Neighbor States"
    DEFVAL { down }
    ::= { ospfNbrEntry 6 }
##########

Admin

Re: Logging OSPF FULL transition events to syslog

Reminds me of the old way we used to send firewall logs to syslog :)
