
System Log Security

Overview

Logs record such device information as user operations and device running status, and are stored on devices as log files. Logs help network administrators monitor device running status and diagnose network faults.

Logs on the device are classified into the following types:

  • System logs: in syslog format
  • Session logs: in binary, syslog, or Netflow format
  • Packet discard logs: in syslog format
  • Service logs: in Dataflow or syslog format

Log security is protected through access mode-specific authentication and socket security. You can view device logs in either of the following ways:

  • Log in to the device and view logs through the CLI or web UI. For details about how to configure device login security, see Device Login Security.
  • View the log information that the device sends to the log server through the log host (TLS encryption is recommended).

The device provides a different encryption mode for each log format to prevent information leaks during log transmission between the device and the log server.

  • For syslogs, the device and log server use TLS for encryption before transmission.
  • For binary, Netflow, and Dataflow logs, the device and log server (eLog) use a pre-shared key for encryption before transmission.

Impact on the System

None

Procedure

  1. Enter the system view.

    system-view

  2. Configure an SSL policy and enter its view.

    ssl policy policy-name

    For details about SSL policies, see "ssl policy" in Command Reference > System Management Commands > File Transfer Commands.

  3. Exit the SSL policy view.

    quit

  4. Apply the SSL policy to output logs to log hosts.

    • Configure the device to output logs to an IPv4 log host.
      info-center loghost ipv4-address transport tcp ssl-policy policy-name

    • Configure the device to output logs to an IPv6 log host.
      info-center loghost ipv6 ipv6-address transport tcp ssl-policy policy-name

    • Configure the device to output logs to a log host with the specified domain name.
      info-center loghost domain domain-name transport tcp ssl-policy policy-name

      For details about how to output logs to a log host, see "Outputting Logs to a Log Host" in Configuration Guide > Monitoring and Troubleshooting > Logs > Configuring the Output of System Logs > Sending System Logs to the Log Host Through the Information Center.

  5. Set a CA certificate for a log server.

    pki import-certificate ca pem filename filename 
    log ca-certificate filename

  6. Configure the encryption function for the device to send logs and configure the shared key for encrypted transmission.

    firewall log password password

Checking the Security Hardening Result

Run the display ssl policy command to check the SSL policy configuration.
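
The following offline check is an added example, not part of the vendor documentation. It scans saved configuration text for log hosts that lack the transport tcp ssl-policy option from step 4 or that reference an SSL policy never created in step 2. It assumes the saved configuration uses the same line syntax as the commands above; the function name, sample configuration, addresses, and policy names are constructed for illustration.

```python
import re

# Constructed sample configuration (not from a real device). Assumption: saved
# configuration lines use the same syntax as the commands in the procedure.
SAMPLE_CONFIG = """\
ssl policy log_tls
info-center loghost 192.0.2.10 transport tcp ssl-policy log_tls
info-center loghost ipv6 2001:db8::10 transport tcp ssl-policy missing_pol
info-center loghost domain logs.example.com
"""

# Only the three log host forms shown in step 4 are modelled; lines for any
# other "info-center loghost" sub-setting would need to be filtered out first.
LOGHOST_RE = re.compile(r"^info-center loghost\s+(?:(ipv6|domain)\s+)?(\S+)(.*)$")
POLICY_RE = re.compile(r"^ssl policy\s+(\S+)\s*$")
SSL_OPT_RE = re.compile(r"\btransport\s+tcp\s+ssl-policy\s+(\S+)")


def audit_loghosts(config_text):
    """Return (host, finding) pairs for log hosts that would not use TLS."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Names of every SSL policy that the configuration actually defines.
    policies = {m.group(1) for ln in lines if (m := POLICY_RE.match(ln))}
    findings = []
    for ln in lines:
        m = LOGHOST_RE.match(ln)
        if not m:
            continue
        host, options = m.group(2), m.group(3)
        ssl = SSL_OPT_RE.search(options)
        if ssl is None:
            findings.append((host, "no ssl-policy: TLS is not applied to this log host"))
        elif ssl.group(1) not in policies:
            findings.append((host, f"ssl-policy '{ssl.group(1)}' is not defined"))
    return findings


if __name__ == "__main__":
    for host, finding in audit_loghosts(SAMPLE_CONFIG):
        print(f"{host}: {finding}")
```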

Copyright © Huawei Technologies Co., Ltd.