5. Logging

5.1. On the console

To enable logs, use the following command.

vrouter running config# vrf main cg-nat logging enabled true
vrouter running config# commit

This command displays the CG-NAT logs on the console:

vrouter running config# show log service cg-nat
-- Logs begin at Thu 2019-07-18 11:50:25 UTC, end at Thu 2019-07-18 15:28:05 UTC. --
Jun 11 08:02:46 vrouter systemd[1]: Started Fast Path cgnat log daemon.
Jun 11 08:02:46 vrouter fp-cgnat-logd@main[4269]: CGNAT Log listen on 5001
Jun 11 08:03:09 vrouter fp-cgnat-logd@main[4269]: USER 100.64.0.1 (matching rule 1): NEW BLOCK (ip public 32.96.119.1, proto 6, port 1024 - 1536) at Tue Jun 11 08:03:09 2019
Jun 11 08:07:30 vrouter fp-cgnat-logd@main[4269]: USER 100.64.0.1 (matching rule 1): DESTROY BLOCK (ip public 32.96.119.1, proto 6, port 1024 - 1536) at Tue Jun 11 08:07:30 2019

See also

See the User’s Guide for more information regarding:

5.2. Towards an external framework

In this section, we will explain how to export CG-NAT logs to an external logging framework. As an example, we will use the ELK stack (ElasticSearch, Logstash and Kibana) from the Elastic Stack to gather the logs and display them in a user-friendly way.

We assume that Elastic, Logstash and Kibana have been installed on a server accessible on the 172.16.0.2 IP address, following the Elastic documentation.

Note

The following configuration was done with the 6.x branch of this framework.

Here is the Logstash configuration we will be using, including the IP address and port of the syslog server and filters to parse and format the CG-NAT log messages before storing them in Elastic:

input {
  udp {
    host => "172.16.0.2"
    port => 10514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
        match => { "message" => "%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
    }
    date {
          match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

# Second level of filtering specific for CG-NAT logs
filter {
    if [type] == "syslog" {
        if [syslog_program] =~ /^fp-cgnat-logd.*/ {
            grok {
                break_on_match => false
                match => [ "message", "USER %{IP:prv_ip} \(matching rule %{POSINT:rule}\)\: %{DATA:action} BLOCK \(ip public %{IP:pub_ip}\, proto %{POSINT:proto}\, port %{POSINT:start_port} \- %{POSINT:end_port}\) at %{GREEDYDATA:time}"]
                match => [ "syslog_program", "^fp-cgnat-logd@%{GREEDYDATA:vrf_name}$" ]
            }

            if "_grokparsefailure" in [tags] { drop {} }
            date {
                match => [ "time", "EEE MMM dd HH:mm:ss YYYY", "EEE MMM  d HH:mm:ss YYYY", "ISO8601" ]
                timezone => "Etc/GMT"
                target => "action_date"
            }
            mutate { add_tag => [ "CG-NAT log" ] }
            translate {
                field => "proto"
                destination => "sproto"
                dictionary => {
                    "1" => "ICMP"
                    "6" => "TCP"
                    "17" => "UDP"
                }
            }
        }
    }
}

output {
    if [type] == "syslog" {
        if [syslog_program] =~ /^fp-cgnat-logd.*/ {
            elasticsearch { hosts => [ "127.0.0.1:9200" ] }
            stdout { codec => rubydebug }
        }
    }
}

On the vRouter, logging to Logstash can be enabled with the following configuration.

vrouter running config# / vrf main logging syslog remote-server 172.16.0.2
vrouter running remote-server 172.16.0.2# protocol udp
vrouter running remote-server 172.16.0.2# port 10514
vrouter running remote-server 172.16.0.2# commit

Let’s now connect to Kibana using a web browser, pointing at http://172.16.0.2:5601. Click Management, Index Patterns, type logstash in the Index pattern text box, then click Next step.

../_images/elk1.png

Select action_date as the Time Filter field name and click Create index pattern.

../_images/elk2.png

A logstash index was already created by logstash and appears in the Elasticsearch Index Management page:

../_images/elk3.png

Click on Discover in the left menu; some logs are now displayed in the Kibana dashboard.

../_images/elk4.png

The final step is to clean the logs output. Add the following available fields: action, prv_ip, sproto, pub_ip, start_port, end_port.

../_images/elk5.png

Search can now be used to filter the logs on a public IP and port, for example using “pub_ip:32.96.119.1 AND start_port:[* TO 1200] AND end_port:[1200 TO * ]” to search public IP 32.96.119.1 and port 1200.

../_images/elk6.png