9.1 DSA Vulnerable Message Logging Details

An option is provided to enable or disable logging of vulnerable message details to a log file on the MPs. For more information, refer to the Enable tracing option in the System_Config_Options Table. After logging is enabled, the active SO collects these log files from the MPs and exports them to the SO path /var/TKLC/db/filemgmt/export/SecurityLogs/dca_logs.

MPs create the file containing vulnerable message details at /var/TKLC/db/filemgmt/dca_logs.

  • Each vulnerable message detail can be a maximum of 2000 characters.
  • Each log file can contain a maximum of 30000 vulnerable message details. Also, each log file is open for a maximum of 1 hour for logging. When the maximum number of entries is logged into a log file or on the expiry of the 1 hour timeout, the file gets closed for logging and a new log file is created for subsequent logs.
  • MPs suspend logging if the available disk space of /var/TKLC/db/filemgmt/dca_logs on the MP is less than 30%. Logging resumes once the available disk space increases.
  • MPs also suspend logging if the vulnerable message logging rate is above 25000 per second. Logging resumes when the vulnerable message logging rate decreases.
  • An alarm is raised to notify the user if logging is suspended on the MP(s). The alarm is cleared when logging resumes.
  • Naming Convention of Log File on DAMP is:
    • [DCA AppShort Name] + [Task Id] + “_” + [start time] + “-” + [End Time] + “_” + “_logs.csv”

      For example: “DSA4_1527243681-1527247282_logs.csv”

  • Each entry in the log file contains the following values in comma-separated format: Timestamp, Applied CounterMeasure Name, category, Applied Action (Discarded/Rejected/Detected), Message Type (Request or Response), Session id, command code, Application id, peer name, Subscriber-Type, Imsi/User-name, MCC, ORIG_HOST, ORIG_REALM, DEST_HOST, DEST_REALM, VPLMNID, and Error text. Each entry contains only the field values and no field names.
  • Naming Convention of Log File on Active SOAM is:
    • [DAMP Server Name] + [Time Stamp]+ “_dsa.tar.gz”
    • A snapshot of sample logs:

      Figure 9-1 Sample Log

  • The active SO suspends collecting the logs from MP if the available disk space of /var/TKLC/db/filemgmt/export/SecurityLogs/dca_logs on active SO is less than 30%. The collection resumes again once the available disk space increases.

  • The active SO also suspends collecting the logs from MP if any error occurs during the log collection process. The collection resumes again once the error is resolved.
  • An alarm is raised to notify the user if log collection is suspended on SO due to any error. The alarm gets cleared once the error is resolved.
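
Because the MP log files carry values only and no field names, anything that consumes them has to apply the field order listed above. The following is an added example, not part of the product or its documentation: it parses an MP log file name and maps each entry onto named fields, rejecting entries that are too long or have the wrong number of values. The snake_case field names, the file-name regular expression (alphabetic app short name, numeric task ID) and the sample entries are assumptions constructed for illustration.

```python
import csv
import re
from collections import Counter

# Field order as listed in this section; the files carry values only, no header.
FIELDS = [
    "timestamp", "countermeasure", "category", "action", "message_type",
    "session_id", "command_code", "application_id", "peer_name",
    "subscriber_type", "imsi_or_username", "mcc", "orig_host", "orig_realm",
    "dest_host", "dest_realm", "vplmnid", "error_text",
]
MAX_ENTRY_CHARS = 2000  # per-entry limit stated in this section
# Assumption: alphabetic app short name, numeric task ID, numeric start/end times.
NAME_RE = re.compile(r"^(?P<app>[A-Za-z]+)(?P<task>\d+)_(?P<start>\d+)-(?P<end>\d+)_+logs\.csv$")

def parse_mp_log_name(name):
    """Split an MP log file name into app, task ID and logging window."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unexpected log file name: {name!r}")
    start, end = int(m["start"]), int(m["end"])
    return {"app": m["app"], "task_id": int(m["task"]),
            "start": start, "end": end, "duration": end - start}

def parse_entries(text):
    """Return (records, rejected): dicts keyed by FIELDS, plus bad line numbers."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        row = next(csv.reader([line]))
        if len(line) > MAX_ENTRY_CHARS or len(row) != len(FIELDS):
            rejected.append(lineno)  # over-long or misaligned entry; do not guess
            continue
        records.append(dict(zip(FIELDS, (v.strip() for v in row))))
    return records, rejected

def count_by_action(records):
    """Tally entries per (countermeasure, action), e.g. for a periodic summary."""
    return Counter((r["countermeasure"], r["action"]) for r in records)

# Constructed sample entries (not taken from a real system); line 4 is cut short.
SAMPLE = """\
1527243700,CM_A,cat1,Discarded,Request,sess-1,316,16777251,peer-a,typeA,001010000000001,001,o1.example,example,d1.example,example,00101,constructed error A
1527243755,CM_A,cat1,Discarded,Request,sess-2,316,16777251,peer-a,typeA,001010000000002,001,o1.example,example,d1.example,example,00101,constructed error A
1527243760,CM_B,cat2,Detected,Response,sess-3,318,16777251,peer-b,typeA,001010000000003,001,o2.example,example,d1.example,example,00101,constructed error B
1527243800,CM_B,cat2,Rejected,Request,sess-4
"""
```

Entries reported in `rejected` are worth reviewing by hand rather than dropping silently, since a short or misaligned row would otherwise shift values such as ORIG_HOST into the wrong column.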