4 Security Logging and Visualization
vSTP provides SS7 Firewall Logging support. The logging support offers a holistic view of all interconnect transactions and helps identify possible threats.
The logging data can be exported to an external server. It can also be ingested and analyzed in any 3rd party analytics or visualization platform.
Feature Description
The vSTP Security Logging feature generates and sends log messages from the vSTP MPs to an external visualization server. vSTP can export the feature logs for defined variables and generated logs to an external platform for analysis and visualization.
Overview
Logs are generated in .csv format, which can be ingested, stored and visualized by an external analytics tool. The logging is divided into two tasks:
- SCCP/SFAPP Task: This task includes:
  - Copying all the required fields in logging event in the format as present on vSTP
  - Sending the logging event to the logging task
- Logging Task: This task includes:
  - Fetching data from logging event
  - Performing data transformation, filling location information and category type
  - Writing the data in a .csv file and transferring the files to an external server
Logging Rate and TPS supported per vSTP MP:
- Support for 10k basic GTT traffic logging per MP
- Support for 2.5k SFAPP traffic logging per MP
- Support for 50K message logging per site
Supported Operation Codes
The following lists define the supported Operation Codes (OpCodes) with vSTP Security Logging.
Category 1
This category includes messages that should only be received from within the same network and/or are unauthorized at interconnect level and should not be sent between operators unless there is an explicit bilateral agreement between the operators to do so.
- provideRoamingNumber
- sendParameters
- registerSS
- eraseSS
- activateSS
- deactivateSS
- interrogateSS
- registerPassword
- getPassword
- processUnstructuredSS-Data
- sendRoutingInfo
- sendRoutingInfoForGprs
- sendIdentification
- sendIMSI
- processUnstructuredSS-Request
- unstructuredSS-Request
- unstructuredSS-Notify
- anyTimeModification
- anyTimeInterrogation
- sendRoutingInfoForLCS
- subscriberLocationReport
Category 2
This category includes messages received from visiting subscribers' home networks. These messages are typically received from an inbound roamer's home network.
- provideRoamingNumber
- provideSubscriberInfo
- provideSubscriberLocation
- insertSubscriberData
- deleteSubscriberData
- cancelLocation
- getPassword
- reset
- unstructuredSS-Request
- unstructuredSS-Notify
- informServiceCentre
Category 3
This category includes messages received from the subscriber’s visited network, specifically MAP packets authorized to be sent on interconnect between mobile operators.
- updateLocation
- updateGprsLocation
- sendParameters
- registerSS
- eraseSS
- activateSS
- deactivateSS
- interrogateSS
- registerPassword
- processUnstructuredSS-Data
- mo-forwardSM
- mt-forwardSM
- beginSubscriberActivity
- restoreData
- processUnstructuredSS-Request
- purgeMS
- sendRoutingInfoForSM
- sendAuthenticationInfo
- reportSmDeliveryStatus
- NoteMM-Event
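The three lists above overlap (provideRoamingNumber, for instance, appears in both Category 1 and Category 2), so a consumer of the exported logs should treat category membership as a set rather than a single label. The following Python is an added example, not Oracle's code: it counts Category 1 OpCodes per linkset in an exported log, and the CSV column names (site, linkset, opcode), the bilateral-agreement allow-list and Linkset778 are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# OpCode lists copied from the Category 1, 2 and 3 lists on this page.
CATEGORIES = {
    1: """provideRoamingNumber sendParameters registerSS eraseSS activateSS
        deactivateSS interrogateSS registerPassword getPassword
        processUnstructuredSS-Data sendRoutingInfo sendRoutingInfoForGprs
        sendIdentification sendIMSI processUnstructuredSS-Request
        unstructuredSS-Request unstructuredSS-Notify anyTimeModification
        anyTimeInterrogation sendRoutingInfoForLCS
        subscriberLocationReport""".split(),
    2: """provideRoamingNumber provideSubscriberInfo provideSubscriberLocation
        insertSubscriberData deleteSubscriberData cancelLocation getPassword
        reset unstructuredSS-Request unstructuredSS-Notify
        informServiceCentre""".split(),
    3: """updateLocation updateGprsLocation sendParameters registerSS eraseSS
        activateSS deactivateSS interrogateSS registerPassword
        processUnstructuredSS-Data mo-forwardSM mt-forwardSM
        beginSubscriberActivity restoreData processUnstructuredSS-Request
        purgeMS sendRoutingInfoForSM sendAuthenticationInfo
        reportSmDeliveryStatus NoteMM-Event""".split(),
}

def categories_for(opcode):
    """Return every category whose list on this page contains the OpCode."""
    return [c for c, ops in sorted(CATEGORIES.items()) if opcode in ops]

def triage(csv_text, bilateral=()):
    """Count Category 1 OpCodes per linkset, minus agreed (linkset, opcode) pairs."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cats = categories_for(row["opcode"])
        if 1 in cats and (row["linkset"], row["opcode"]) not in bilateral:
            hits[(row["linkset"], row["opcode"], tuple(cats))] += 1
    return hits

# Constructed rows. Column names are assumed; the export layout is not given.
SAMPLE = """site,linkset,opcode
ABC,Linkset777,updateLocation
ABC,Linkset777,anyTimeInterrogation
ABC,Linkset777,anyTimeInterrogation
ABC,Linkset777,provideRoamingNumber
ABC,Linkset778,sendRoutingInfo
"""

if __name__ == "__main__":
    print(triage(SAMPLE, bilateral={("Linkset778", "sendRoutingInfo")}))
```

Each key of the returned counter carries the full category tuple, so an entry such as (1, 2) tells the analyst that the OpCode alone does not settle which category applies.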
Feature Configuration
MMI Managed Objects for Security Logging
MMI information associated with Security Logging support is accessed from a DSR NOAM or SOAM from
Once the MMI API Guide opens, use the application navigation to locate specific vSTP managed object information.
The following table lists the managed objects and operations supported for security logging.
Table 4-1 Security Logging support Managed Objects and Supported Operations
Managed Object Name | Supported Operations |
---|---|
linksets | Insert, Update, Delete |
securitylogconfig | Update |
linksets
For this feature, the securityLogging parameter is added to the linkset MO.
- OFF: No logging is done for traffic that runs through the linkset.
- ALL: All messages on the linkset are logged.
- RISKY: Only messages with risky opcodes arriving on the linkset are logged.
The example output for Display of linkset MO:
{
"asNotification": true,
"asls8": false,
"cgGtmod": false,
"configurationLevel": "32",
"enableBroadcastException": true,
"gttmode": "Fcd",
"islsrsb": 1,
"ituTransferRestricted": false,
"l2TimerSetName": "Default",
"l3TimerSetName": "Default",
"linkTransactionsPerSecond": 10000,
"linksetAccMeasOption": "No",
"localSignalingPointName": "LSP1",
"name": "Linkset777",
"numberSignalingLinkAllowedThreshold": 1,
"numberSignalingLinkProhibitedThreshold": 1,
"randsls": "Off",
"remoteSignalingPointName": "RSP777",
"routingContext": 8,
"rsls8": false,
"securityLogging": "All",
"slsci": false,
"slsrsb": 1,
"type": "M3ua"
}
securitylogconfig
Table 4-2 securitylogconfig MO Parameters
Parameter Name | Description |
---|---|
securityLoggingFeature | This is the global parameter for this feature. Users have to enable this parameter before configuring the securityLogging parameter for linkset. When disabled, there is no logging on that linkset. Also, the other parameters for this MO can only be modified after disabling this parameter. Allowed values: On, Off |
siteIdentifier | This parameter identifies the logging site. The value entered here is written to the .CSV logs and can be used to identify the logging site. Allowed values: Alphanumeric characters of maximum length 20 |
logMpDirPath | The path at MP where the user wants to temporarily form .CSV logs before they are transferred to SOAM. Example: |
logFileTimeout | The maximum time interval in seconds for which the MP waits before starting to open new .CSV log files. Allowed Values: Integer values from 60-120 |
maxLogsPerFile | Maximum messages to be logged in a single .CSV log file before closing it and beginning a new one for logging. Allowed Values: Integer values from 600000 up to 3000000 |
minDiskSpaceForLogging | Minimum disk space required for logging as % of available disk space in filemanagement area. An alarm is raised if available disk space is below the configured % value. Allowed Values: Integer values from 10 up to 100 |
The example output for Display of securitylogconfig MO:
{
"logFileTimeout": 90,
"logMpDirPath": "/var/TKLC/db/filemgmt/securityLog",
"maxLogsPerFile": 1500000,
"minDiskSpaceForLogging": 30,
"securityLoggingFeature": "On",
"siteIdentifier": "ABC"
}
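A pre-flight check of a securitylogconfig body against the allowed values in Table 4-2, as an added example that is not part of the Oracle documentation or the MMI API. The function name and messages are hypothetical, and the minimum length of 1 for siteIdentifier is an assumption (the table states only the maximum).

```python
import json
import re

# Allowed integer ranges as stated in Table 4-2 on this page.
INT_RANGES = {
    "logFileTimeout": (60, 120),
    "maxLogsPerFile": (600000, 3000000),
    "minDiskSpaceForLogging": (10, 100),
}

def validate_securitylogconfig(text):
    """Return a list of problems in a securitylogconfig JSON body."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    if cfg.get("securityLoggingFeature") not in ("On", "Off"):
        problems.append("securityLoggingFeature must be On or Off")
    site = cfg.get("siteIdentifier")
    # Table 4-2 gives a maximum of 20; the minimum of 1 is an assumption.
    if not (isinstance(site, str) and re.fullmatch(r"[A-Za-z0-9]{1,20}", site)):
        problems.append("siteIdentifier must be 1-20 alphanumeric characters")
    for name, (low, high) in INT_RANGES.items():
        value = cfg.get(name)
        # The exact type check rejects bool, which is a subclass of int.
        if type(value) is not int or not low <= value <= high:
            problems.append(f"{name} must be an integer from {low} to {high}")
    if not cfg.get("logMpDirPath"):
        problems.append("logMpDirPath is not set")
    return problems

# The example output shown above, followed by two constructed bad bodies.
GOOD = json.dumps({
    "logFileTimeout": 90,
    "logMpDirPath": "/var/TKLC/db/filemgmt/securityLog",
    "maxLogsPerFile": 1500000,
    "minDiskSpaceForLogging": 30,
    "securityLoggingFeature": "On",
    "siteIdentifier": "ABC",
})
OUT_OF_RANGE = json.dumps(
    {**json.loads(GOOD), "logFileTimeout": 30, "minDiskSpaceForLogging": 5})
# A typographic opening quote, as happens when a body is pasted from a document.
CURLY_QUOTE = GOOD.replace('"ABC"', '\u201cABC"')

if __name__ == "__main__":
    for body in (GOOD, OUT_OF_RANGE, CURLY_QUOTE):
        print(validate_securitylogconfig(body))
```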
GUI Configuration
- On the Active System OAM (SOAM), select VSTP, navigate to Configuration and click Security Log Config.
- On the Security Log Config page, perform the configurations that govern the functionality of security logging in the file directory of SOAM. For more details, refer to the Security Log Config section in vSTP User's Guide.
- On the Active System OAM (SOAM), select Diameter Common and click Visualization Server.
Figure 4-1 Visualization Server Page
The following table describes the key parameters on this page:
Table 4-3 Visualization Server Parameter Description
Parameter | Description | Allowed Values |
---|---|---|
Task Name | Name of the task. | Alphanumeric Characters of maximum length 32 |
Hostname List | IPv4 addresses of Remote Server for Log transfer. | Maximum of 8 remote servers can be configured. |
Username | Username to access remote server. | Alphanumeric Character words of maximum length 10 |
Key Exchange Status | Shows the keyexchange status for the remote servers with SO. | This field cannot be edited. |
Source Directory | Name of the source directory. | VSTP or DSA. Note: The VSTP Option is displayed in the dropdown when Security Logging Feature is enabled in VSTP using the option VSTP by selecting Configuration and clicking on Security Log Config GUI page. |
Upload Frequency | Time interval between which logs are exported from SOAM to Remote Server. | This field cannot be edited. |
Use this page to configure the IP addresses (IPv4) of the remote servers and to perform the SSH key exchange between the SO and the remote servers, so that the export of logs (.CSV) happens without hassle. The remote servers must have a common username and password combination, as the GUI screen allows a single username for all the remote servers.
After all the required details are filled in on the GUI screen and the SSH key exchange is performed, the log files present in the source directory of SOAM are moved to the destination directory of the remote server every 2 minutes.
The page supports Insert, Edit, Delete, and SSH Key exchange operations.
- This completes the Security Logging feature configurations for vSTP.
Alarms and Measurement
Alarms
Alarm ID | Alarm Name |
---|---|
70437 | VstpSecuLogEventQueue |
70438 | VstpSecuLogErro |
70439 | VstpSecuLogFetchError |
70440 | VstpSecuLogRemoteServerError |
For more details related to Alarms, refer to Alarms and KPIs Guidelines document.
Measurements
Measurement ID | Measurement Name |
---|---|
21977 | VstpSecuLogDiscQueueFull |
21978 | VstpSecuLogQueuePeak |
21979 | VstpSecuLogQueueAvg |
21980 | VstpSecuLogRate |
21981 | VstpSecuLogRatePeak |
21982 | VstpSecuLogRateAvg |
For more details related to measurements, refer to Measurement Reference Guide.
Troubleshooting
In error scenarios, the measurements specific to the Security Logging and Visualization feature are pegged. For information related to CAT2 SS7 Security measurements, see Alarms and Measurement.
Dependencies
The Security Logging and Visualization feature for vSTP has no dependency on any other vSTP operation.
- If an MP crashes and does not come back up, the log files present on that MP are lost.
- The VM profile does not have enough space to store logs for 30 minutes on SOAM at 50K site TPS. Hence, if the transfer of logs to the remote server fails, logging may stop due to low disk space.