Example for Configuring SSL-Encrypted Log Output to Log Hosts
Networking Requirements
As shown in Figure 16-6, SwitchA is connected to four log hosts and has a reachable route to each of them. The network administrator wants different log hosts to receive logs of different types and severities, so that the messages generated by different modules of the device can be monitored in real time, and also wants the log hosts to receive those logs reliably.
Configuration Roadmap
The configuration roadmap is as follows:
Configure a client-type SSL policy so that SwitchA verifies the identity of each log host and the log messages are protected in transit.
It is assumed that the log hosts have obtained certificates from a CA, that the corresponding trusted-CA files are 1_cacert_pem_rsa.pem and 1_rootcert_pem_rsa.pem, and that both files have already been uploaded to the security subdirectory on SwitchA.
Enable the information center.
Configure SwitchA to send logs generated by the ARP module with severity notification to log host Server1, with Server3 as the backup for Server1, and to send logs generated by the AAA module with severity warning to log host Server2, with Server4 as the backup for Server2.
Configure the log hosts on the server side so that the administrator can receive the logs generated by SwitchA on those hosts.
Procedure
- Configure a client-type SSL policy
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] ssl policy syslog_client
[*SwitchA-ssl-policy-syslog_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
[*SwitchA-ssl-policy-syslog_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
[*SwitchA-ssl-policy-syslog_client] commit
[~SwitchA-ssl-policy-syslog_client] quit
After the preceding steps succeed, run the display ssl policy command on SwitchA to view the details of the loaded trusted-CA files.
[~SwitchA] display ssl policy
    SSL Policy Name: syslog_client
    Policy Applicants:
    Key-pair Type:
    Certificate File Type:
    Certificate Type:
    Certificate Filename:
    Key-file Filename:
    CRL File:
    Trusted-CA File:
       Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
       Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Note that Certificate Filename and Key-file Filename are empty: this policy loads only trusted-CA files, so SwitchA validates the log host's certificate against those CAs but presents no certificate of its own, and the log host therefore cannot authenticate SwitchA by certificate.
- Enable the information center
[~SwitchA] info-center enable
[*SwitchA] commit
- Configure the information channels and output rules used to send logs to the log hosts
# Name the information channels.
[~SwitchA] info-center channel 6 name loghost1
[*SwitchA] info-center channel 7 name loghost2
[*SwitchA] commit
# Bind the log hosts to the channels and make the transport TCP protected by the SSL policy. The two hosts bound to the same channel receive the same log stream, which is how each primary/backup pair is realized.
[~SwitchA] info-center loghost 10.1.1.1 channel loghost1 transport tcp ssl-policy syslog_client
[*SwitchA] info-center loghost 10.1.1.2 channel loghost1 transport tcp ssl-policy syslog_client
[*SwitchA] info-center loghost 10.2.1.1 channel loghost2 transport tcp ssl-policy syslog_client
[*SwitchA] info-center loghost 10.2.1.2 channel loghost2 transport tcp ssl-policy syslog_client
[*SwitchA] commit
# Configure the rules for which logs are output to each log host channel.
[~SwitchA] info-center source arp channel loghost1 log level notification
[*SwitchA] info-center source aaa channel loghost2 log level warning
[*SwitchA] commit
- Configure the source interface for sending logs
# Configure the interface whose address is used as the source of log messages.
[~SwitchA] info-center loghost source vlanif 100
[*SwitchA] commit
- Configure the log hosts on the server side
A device generates a large volume of logs while its own storage is relatively limited, so log hosts are configured to collect the device's logs.
A log host can be a host running UNIX or Linux, or a host running third-party log software. For the detailed configuration steps, see the relevant manual.
- Verify the configuration
# View the configured log hosts.
[~SwitchA] display info-center
Information Center:enabled
Log host:
  10.1.1.1, channel number 6, channel name loghost1, language English , host facility local7, transport tcp ssl-policy syslog_client
  10.1.1.2, channel number 6, channel name loghost1, language English , host facility local7, transport tcp ssl-policy syslog_client
  10.2.1.1, channel number 7, channel name loghost2, language English , host facility local7, transport tcp ssl-policy syslog_client
  10.2.1.2, channel number 7, channel name loghost2, language English , host facility local7, transport tcp ssl-policy syslog_client
Console:
  channel number : 0, channel name : console
Monitor:
  channel number : 1, channel name : monitor
SNMP Agent:
  channel number : 5, channel name : snmpagent
Log buffer:
  enabled,max buffer size 10240, current buffer size 512,
  current messages 316, channel number : 4, channel name : logbuffer
  dropped messages 0, overwritten messages 0
Trap buffer:
  enabled,max buffer size 1024, current buffer size 256,
  current messages 256, channel number:3, channel name:trapbuffer
  dropped messages 0, overwritten messages 53
logfile:
  channel number : 9, channel name : channel9, language : English
Information timestamp setting:
  log - date, trap - date, debug - date millisecond
Each log host entry should show transport tcp ssl-policy syslog_client; an entry without an ssl-policy would mean that host still receives its logs in plaintext.
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
ssl policy syslog_client
 trusted-ca load pem-ca 1_cacert_pem_rsa.pem
 trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
info-center channel 6 name loghost1
info-center channel 7 name loghost2
info-center source arp channel 6 log level notification
info-center source aaa channel 7 log level warning
info-center loghost source Vlanif100
info-center loghost 10.1.1.1 channel 6 transport tcp ssl-policy syslog_client
info-center loghost 10.1.1.2 channel 6 transport tcp ssl-policy syslog_client
info-center loghost 10.2.1.1 channel 7 transport tcp ssl-policy syslog_client
info-center loghost 10.2.1.2 channel 7 transport tcp ssl-policy syslog_client
#
return
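As an added check (example code written for this page, not Huawei's own tooling), the following Python script audits a configuration file in the format above and flags every log host whose logs would leave the switch without TLS backed by server-certificate validation: a loghost line with no ssl-policy, a policy that is referenced but never defined, or a policy that loads no trusted-CA file. The sample configuration is constructed from the SwitchA configuration above plus two hypothetical lines (a policy named weak_client with no trusted CA, and a log host 10.3.1.1 with no transport keyword) so that the audit has something to report. The assumption that a loghost line without a transport keyword means UDP reflects the Huawei default of sending logs over UDP.

```python
"""Audit a Huawei-style configuration for log hosts whose logs leave the
switch without TLS.  Added example, not part of the original page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the SwitchA configuration from this example, plus two
# hypothetical lines (ssl policy weak_client with no trusted CA, and log host
# 10.3.1.1 with no transport keyword) added to show what the audit flags.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
ssl policy syslog_client
 trusted-ca load pem-ca 1_cacert_pem_rsa.pem
 trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
ssl policy weak_client
#
info-center channel 6 name loghost1
info-center channel 7 name loghost2
info-center source arp channel 6 log level notification
info-center source aaa channel 7 log level warning
info-center loghost source Vlanif100
info-center loghost 10.1.1.1 channel 6 transport tcp ssl-policy syslog_client
info-center loghost 10.1.1.2 channel 6 transport tcp ssl-policy syslog_client
info-center loghost 10.2.1.1 channel 7 transport tcp ssl-policy syslog_client
info-center loghost 10.2.1.2 channel 7 transport tcp ssl-policy weak_client
info-center loghost 10.3.1.1 channel 7
#
return
"""

LOGHOST_RE = re.compile(r"^info-center loghost (?P<host>\S+)(?P<rest>.*)$")


@dataclass
class LogHost:
    address: str
    transport: str            # "udp" when no transport keyword is present (Huawei default, assumed here)
    ssl_policy: Optional[str]


def parse_config(text: str) -> Tuple[Dict[str, int], List[LogHost]]:
    """Return {ssl policy name: number of trusted-CA files loaded} and the log hosts."""
    policies: Dict[str, int] = {}
    hosts: List[LogHost] = []
    current_policy: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            current_policy = None          # '#' separates configuration blocks
            continue
        if line.startswith("ssl policy "):
            current_policy = line.split()[2]
            policies.setdefault(current_policy, 0)
            continue
        if line.startswith(" "):           # indented line belongs to the open block
            if current_policy and line.strip().startswith("trusted-ca load "):
                policies[current_policy] += 1
            continue
        current_policy = None
        m = LOGHOST_RE.match(line)
        if not m or m.group("host") == "source":   # 'loghost source' sets the source interface
            continue
        rest = m.group("rest")
        transport = re.search(r"\btransport (\S+)", rest)
        policy = re.search(r"\bssl-policy (\S+)", rest)
        hosts.append(LogHost(m.group("host"),
                             transport.group(1) if transport else "udp",
                             policy.group(1) if policy else None))
    return policies, hosts


def audit(text: str) -> List[str]:
    """One finding per log host that does not get TLS with server-certificate validation."""
    policies, hosts = parse_config(text)
    findings: List[str] = []
    for h in hosts:
        if h.transport != "tcp" or h.ssl_policy is None:
            findings.append(f"{h.address}: logs sent in plaintext over {h.transport}, no ssl-policy")
        elif h.ssl_policy not in policies:
            findings.append(f"{h.address}: ssl-policy {h.ssl_policy} is referenced but not defined")
        elif policies[h.ssl_policy] == 0:
            findings.append(f"{h.address}: ssl-policy {h.ssl_policy} loads no trusted CA, "
                            "so the log host's certificate cannot be validated")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports 10.2.1.2 (its policy has no trusted CA, so the TLS handshake cannot validate the log host) and 10.3.1.1 (plaintext UDP); the four hosts configured as in this example pass. Feed it the output of display current-configuration from a real switch to check that no log host was left on the default transport.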