1. Security Guide
  2. Syslog

G Syslog

You can configure the Session Border Controller (SBC) to send system event logs to logging servers [1]. Oracle recommends that you configure as few logging servers as required to reduce impact on SBC performance. Monitoring through SNMP is the preferred option over using syslog. The syslog messages are not as efficient because they may contain many extraneous informational messages that need to be filtered out or parsed. SNMP has the advantage of sending clearly defined trap notifications only in the event of a problem, and you can configure the system-config and trap-receiver settings to filter on specific SNMP traps to send.

If a syslog parser is used to escalate SBC issues, it is easy to classify syslog events preceded with a MAJOR or CRITICAL designation as issues that require further investigation. Be cautious of writing any parsing rules for events that are classified as GENERAL, REDUNDANCY, CONFIG WARNING, ERROR, or MINOR (among others). Some of these may be important to escalate, but others may be strictly informational in nature.

The following table shows a sample of some of the common syslog messages that you may see. Note that IDS_LOG examples given require the IDS Reporting Feature Group license discussed in Appendix F. Some of the examples may seem redundant because sometimes more than one message may be written to syslog as the result of an event.

An unsuccessful log in attempt was detected on the console port. 
Jun 16 15:26:02.355 [GENERAL] (0) loginLocal: [0:2801] user: admin authenticate
Jun 16 15:26:02.800 [MINOR] (0) loginLocal:[0:2801] user: admin failed to log in to console
An endpoint exceeded a defined constraint and was blocklisted. This is the result of DoS configuration with the IDS license. 
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR [IDS_LOG] SigAddr[access:192.168.101.120:0=low:DENY] ttl=86400 exp=30 Demoted to BLock-List (Too many messages) last msg rcvd=REGISTER sip:192.168.66.2 SIP/2.0
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR Via: SIP/2.0/UDP 192.168.190.144:20928;branch=z9hG4bKdeadb33f
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR From: hacker <sip:47097@192.168.190.144:20928>
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR To: <sip:47097@192.168.66.2:5060>
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR Call-ID: f9844fbe7dec140ca36500a0c9119870@192.168.66.2
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR CSeq: 1 REGISTER
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR Contact: <sip:47097@192.168.190.144>
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR User-agent: Flooder_script
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR Max-Forwards: 5
Nov 28 17:53:47 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR Content-Length: 0
An endpoint exceeded a defined constraint and was blocklisted. This message is a result of DoS configuration without the IDS license. 
Jan 15 16:29:46.289 sipd@SBC1: FLOW[15] SigAddr[Access:192.168.135.29:0=low:DENY] ttl=86400 guard=50 exp=30 Demoted to Block-List; send SNMP trap
An endpoint exceeded a defined constraint and was demoted from trusted to untrusted. 
Apr  1 11:36:53.377 sipd@CSE-4500-6: WARNING SigAddr[access:172.41.0.3:5060=medium:PERMIT] ttl=64 exp=57 Demoted to Grey-List (errors)
The sipShield SPL plug-in (v1.3) detected a message from a known SIP scanner and dropped it.
Mar 28 15:05:42.500 sipd@CSE-4500-6: WARNING Scanner or attack field detected! Src IP: 172.41.0.3, User-Agent: smap 0.6.0
OR
Mar 28 15:05:42.500 sipd@CSE-4500-6: WARNING Scanner or attack field detected! Src IP: 172.41.0.3, To: victim@example.edu
OR
Mar 28 15:05:42.500 sipd@CSE-4500-6: WARNING Scanner or attack field detected! Src IP: 172.41.0.3, From: user@example.edu
OR
Mar 28 15:05:42.500 sipd@CSE-4500-6: WARNING Scanner or attack field detected! Src IP: 172.41.0.3, Subject: SiVuS

A message was rejected by the SD. The status code and reason given in parenthesis will change based on the type of malformation. Examples given here include:

An INVITE received from a forbidden endpoint. In this case, allow-anonymous on the SIP interface was set to agents-only, and the INVITE was not from an agent.

An INVITE had a Max-Forwards parameter that had decremented to zero, and the SBC could not forward it further

Four examples of malformed messages that were generated from a Protos attack (too large, missing header, bad request URI, unsupported URI). 
Apr  1 11:26:27.603 sipd@CSE-4500-6: IDS[64] [IDS_LOG]INVITE from source 172.41.0.3:5060 to dest 172.41.0.2:5060[UDP] realm=access; From=sipp <sip:sipp@127.0.1.1:5060>;tag=10387SIPpTag001; target=sip:service@172.41.0.2:5060 rejected!; status=403 (Forbidden)
OR
Nov 28 19:52:40 172.41.3.41 CSE-4500-6 sipd[2dcc32a4] ERROR [IDS_LOG]INVITE from source 192.168.66.54:5060 to dest 192.168.66.2:5060[UDP] realm=access; From="hacker"<sip:666@192.168.66.54:30000>; target=sip:9195551212@192.168.66.2 rejected!; status=483 (Too Many Hops); error=invalid message
OR
IDS_LOG]INVITE from source 192.168.222.1:5060 to dest 192.168.222.50:5060[UDP] realm=access; From=227 <sip:evil@127.0.1.1>;tag=227; target=sip <omitted message> rejected!; status=513 (Message Too Big)
OR
May 22 14:40:39.033 sipd@: IDS[64] [IDS_LOG]INVITE from source 192.168.222.1:5060 to dest 192.168.222.50:5060[UDP] realm=access; From=389 <sip:evil@127.0.1.1>;tag=389; target=sip:1111@192.168.222.50 rejected!; status=400 (Invalid/Missing Via Header)
OR
May 22 15:08:02.015 sipd@: IDS[64] [IDS_LOG]INVITE from source 192.168.222.1:5060 to dest 192.168.222.50:5060[UDP] realm=access; From=206 <sip:evil@127.0.1.1>;tag=206; target=%s%s%s%s%s:noone@sip.no.invalid rejected!; status=400 (Bad Request-URI)
OR
May 22 15:08:01.088 sipd@: IDS[64] [IDS_LOG]INVITE from source 192.168.222.1:5060 to dest 192.168.222.50:5060[UDP] realm=access; From=197 <sip:evil@127.0.1.1>;tag=197; target=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:noone@sip.no.invalid rejected!; status=416 (Unsupported URI Scheme)
A user entered enable mode (administrator level). This is not necessarily an issue, but may be an interesting event. 
May  3 17:06:37 172.41.3.90 CSE-4500-20 acliConsole[31ac9b6c]  raised privileges on session from acliConsole
A user enabled SIP debugging traces. This can use large amounts of CPU if run on a production network or potentially reveal sensitive information. This is not necessarily an issue, but may be an interesting event. 
May  3 17:09:26 172.41.3.90 CSE-4500-20 sipd[2fa7cc00] SIP enable SIP Debugging
The configuration file was updated. This should be investigated if changes were not authorized. 
Dec 19 13:28:27.060 lemd@SBC1: CONFIG[32] Save Config has completed successfully
A new configuration was activated. This should be investigated if changes were not authorized. 
Dec 19 13:28:29.863 lemd@SBC1: CONFIG[32] Configuration successfully activated
OR
Dec 19 13:28:31.864 lemd@SBC1: CONFIG[32] Activate Config Successfully Complete
OR
Mar 20 10:11:02.919 acliSSH0@: CONFIG[34] ACTIVATE-CONFIG done
One or more licenses has expired and unit functionality may be impacted. 
Apr  1 00:00:10.523 brokerd@CSE-4500-6: MINOR ALARM[00050016] Task[0615c064] 1 license has expired!
One or more licenses is nearing expiration. 
Mar 31 00:00:10.521 sysmand@CSE-4500-6: MINOR License will expire in less than 7 days.
The number of sessions is approaching licensed capacity. 
Jan  1 00:02:57.480 brokerd@SBC1: MAJOR ALARM[00050004] Task[0cf72188] total number of sessions (1977) is approaching licensed capacity (2000)
The unit was powered on. This may be an indication that a power failure occurred. 
Jan  8 11:33:06.545 bootstrap@SBC1: GENERAL[0] Bringing up box...
The SIP protocol stack is now active. This may be an indication that a power failure occurred or that the SIP process crashed and restarted. 
May  3 17:30:08 172.41.3.90 CSE-4500-20 sipd[2fa7cc00] SIP Change to In-Service state and Start accepting messages...
Unit CPU usage has reached a critical threshold. 
Oct  8 19:02:02.381 brokerd@SBC1: CRITICAL ALARM[0002001b] Task[0578324c] cpu usage 93 percent is over critical threshold of 90 percent.
Unit CPU usage has reached a major threshold. 
Oct  8 19:02:12.708 brokerd@SBC1: MAJOR ALARM[0002001b] Task[0578324c] cpu usage 87 percent is over major threshold of 80 percent.
Unit CPU usage has reached a minor threshold. 
Oct  8 19:06:57.062 brokerd@SBC1: MINOR ALARM[0002001b] Task[0578324c] cpu usage 74 percent is over minor threshold of 70 percent.
A high-availability switchover was detected from the active unit. If this was not an administrative failover then it is likely that a port or process was unsuccessful.
Dec  3 17:30:46.275 berpd@SBC1: CRITICAL ALARM[00020021] Task[2834f658] Switchover, Active to RelinquishingActive
The standby unit has become the active unit. If this was not a result of an administrative action then a port or process on the active unit likely stopped responding. 
Jan  8 11:34:41.652 berpd@SBC1: CRITICAL ALARM[00020020] Task[03c3a840] Switchover, Standby to BecomingActive, active peer SBC2 has timed out
The standby unit is having difficulty reaching the active unit. Verify that all wancom ports are operational. 
Dec  3 17:33:46.384 berpd@SBC1: CRITICAL ALARM[00020023] Task[2834f658] Unable to synchronize with Active redundant peer within BecomingStandby timeout, going OutOfService
An ethernet port used for management has stopped responding. 
Jan  8 11:34:42.171 brokerd@SBC1: MAJOR ALARM[00020009] Task[0e723a98] wancom1 link down
A ethernet port used for management has recovered from failure. 
Jan  8 11:34:44.788 brokerd@SBC1: MINOR ALARM[00020006] Task[0e723a98] wancom1 link up
An ethernet port used for services has stopped responding. Note that slot and port numbers will vary. 
Mar 20 21:56:29.504 brokerd@: MAJOR ALARM[00020027] Task[00000003] Slot 1 Port 0 DOWN
All servers that can receive accounting files (CDR) are not available 
May  3 17:20:11 172.41.3.90 CSE-4500-20 brokerd[10661b38] CRITICAL All of collector's push receivers are down
Transfer of an HDR file was unsuccessful because the key used for authentication is incorrect. 
May  3 17:20:11 172.41.3.90 CSE-4500-20 collect[2eb37454] WARNING Error: HDR push failed due to bad host key.
An error occurred when attempting to transfer accounting logs. 
Dec 31 07:47:53.192 collect@SBC1: MINOR Error pushing collected data to 172.17.5.24 for group: system
Transfer of an HDR file was unsuccessful due to invalid authentication. 
May  3 17:20:11 172.41.3.90 CSE-4500-20 collect[2eb37454] ERROR Error: Could not log in to host '172.41.1.118
Media port usage is exceeding capacity. Calls may not succeed or experience audio issues. The severity is based on the percentage of unsuccessful attempts to allocate a steering port. Jan 17 12:14:26.513 mbcd@SBC1: MINOR ALARM[00040006] Task[1b963548] out of steering ports for realm 'CORE'; 296 of 592 failed (50%) 
OR
Jan 17 12:18:14.865 mbcd@SBC1: WARNING ALARM[00040006] Task[1b963548] out of steering ports for realm 'CORE'; 80 of 310 failed (25%)
A session agent (SIP server) did not pass a health check and has been taken out of service. 
Jan 15 16:28:19.901 sipd@SBC1: SIP[13] SA 192.168.136.69[PBX1]PING TRANSACTION TIMEOUT to 192.168.136.69
Jan 15 16:28:19.902 sipd@SBC1: SIP[13]   was 'In Service'; set to 'Out of Service' status
A session agent (SIP server) did not pass a health check and has been taken out of service.
Jan 15 16:28:22.969 sipd@SBC1: SIP[13] SA 192.168.135.29[PBX2]Non-Ping TRANSACTION TIMEOUT to 192.168.135.29
Jan 15 16:28:22.970 sipd@SBC1: SIP[13]   was 'In Service'; set to 'Out of Service' status
There were no routes found for an incoming session. This may mean that the called destination is out of service, the destination address is incorrect, or that the routing table is not sufficient. 
Mar 30 15:02:27.307 sipd@CSE-4500-6: IDS[64] [IDS_LOG]INVITE from source 192.168.60.10:5061 to dest 192.168.60.2:5060[UDP] realm=core; From=sipp <sip:sipp@127.0.0.1:5061>;tag=9165SIPpTag00143; target=sip:service@192.168.60.2:5060 rejected!; status=480 (No Routes Found)