Diagnostics, System Alerts, Audit Trail | Cisco Systems 5, NAM

Chapter 5 User and System Administration

Diagnostics

Table 5-7	Preferences (continued)

Field		Description

Audit Trail		The Audit Trail option displays a listing of recent critical
		activities that have been recorded in an internal syslog log
		file. Syslog messages can also be sent to an external log.

Capture File Download Format		Choose ENC (.enc) or PCAP (.pcap) format for captured
		files.

Diagnostics

The Diagnostics option of the Administration menu provides tools to aid in troubleshooting. You can use these tools when you have a problem that might require assistance from the Cisco Technical Assistance Center (TAC). There are options for:

•System Alerts, page 5-14

•Audit Trail, page 5-14

•Tech Support, page 5-15

System Alerts

You can view any failures or problems that the NAM Traffic Analyzer has detected during normal operations. To view System Alerts, choose Administration > Diagnostics > System Alerts.

Each alert includes a date, the time the alert occurred, and a message describing the alert. The NAM displays up to one thousand (1,000) of the most-recent alerts. If more than 1,000 alerts have occurred, you need to use the NAM CLI command show tech support to see all of the alerts.

If you notice an alert condition and troubleshoot and attempt to solve the condition causing the alert, you might want to click Clear to remove the list of alerts to see if additional alerts occur.

Audit Trail

The Audit Trail option displays a listing of recent critical activities that have been recorded in an internal syslog log file. Syslog messages can also be sent to an external log.

The following user activities are logged in the audit trail:

•All CLI commands

•User logins (including failed attempts)

•Unauthorized access attempts

•SPAN changes

•NDE data source changes

•Enabling and disabling data collections

•Starting and stopping captures

•Adding and deleting users

Each log entry will contain the following:

	User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
5-14	OL-22617-01

Image 202

Cisco Systems 5, NAM manual Diagnostics, System Alerts, Audit Trail, Tech Support

Contents

Americas Headquarters Text Part Number OL-22617-01Page N T E N T S Span Network Sites URL Nbar System Administration Resources Audit Trail Understanding Traffic Patterns at the Network Layer About This Guide Chapter Overview Convention AudienceConventions Boldface font Obtaining Documentation and Submitting a Service Request Xiv Introducing NAM Traffic Analyzer A P T E R Dashboards Logical Site New Application Classification Architecture Standards-Based NBI NetFlow v9 Data Export Historical Analysis WS-SVC-NAM-1-250S Snmp v3 Support -- NAM to Router/Switch SupportOverview of the NAM Platforms WS-SVC-NAM-2-250S Cisco Branch Routers Common Navigation and Control Elements LoggingNavigating the User Interface Menu Bar Detailed Views Context Menus Quick Capture Chart View / Grid View Interactive Report Zoom/Pan Charts Mouse-Over for Details Bytes / Packets Sort GridStatistics Understanding How the NAM Works Context-Sensitive Online Help Configuration/guide/nde.html Configuration/guide/span.htmlPorts VLANs Module Cisco IOS Software Understanding How the NAM Uses SpanUnderstanding How the NAM Uses VACLs Guide/span.html Understanding How the NAM Uses NDE Guide/vacl.html Understanding How the NAM Uses Waas Configuration Overview Action Description GUI Location User Guide Location Setup Network Sites Administration SystemSetup Data Export Setup Alarms Actions Capture Packet Configuring and Viewing DataAdministration Users Capture/Decode Cisco Waas NAM Virtual Service Blade Default Functions Traffic Analysis Application Response Time Metrics Voice Signaling/RTP Stream MonitoringAnalyze Media Voice Call Statistics About Span Sessions TrafficTraffic Usage Statistics SPAN, Data Sources, Hardware Deduplication, NAM Traffic Analyzer the NAM GUI Switch CLIMethod Usage Notes Supervisor portCopyTable Snmp Column Description Creating a Span Session State Description Field Description Editing a Span Session Choose Setup Traffic Span SessionsDialog Box Deleting a Span Session Data SourcesSPAN, ERSPAN, VACL, NetFlow, WAAS, Fields are explained in -7, NAM Data Sources Router or switch or WAE deviceOr Disabled Data Port if it is a local physical port, or the IP address Enabling Auto-Creation of Erspan Data Sources Using the CLI Click Setup Traffic NAM Data Sources Disabling Auto-Creation of Erspan Data Sources Using the CLI Creating Erspan Data Sources Using the Web GUI Creating Erspan Data Sources Using the CLI Enter the device ID from Step Deleting Erspan Data Sources Using the Web GUIEnter the name you would like for the data source required Use the no data-sourcecommand to delete the data source Deleting Erspan Data Sources Using the CLIClick the Delete button along the bottom of the window Sample Configuration of Erspan Source Configuring Erspan on DevicesUse the no device command to delete the device Sample Configuration of Erspan Destination Configuring Vacl on a WAN Interface Sample Configuration Configuring Vacl on a LAN Vlan NetFlow Understanding NetFlow Interfaces Understanding NetFlow Flow Records Managing NetFlow Data Sources Configuring NetFlow on DevicesOutput Interface Are Flows Reported? For Devices Running Cisco IOS For NAMs Located in a Device Slot Enabling Auto-Creation of NetFlow Data Sources Using the CLI Creating NetFlow Data Sources Using the Web GUI Snmp Credentials Creating NetFlow Data Sources Using the CLI Security Level Deleting NetFlow Data Sources Using the Web GUI Deleting NetFlow Data Sources Using the CLI Testing NetFlow Devices Contact information for the device Understanding WaasSnmp read test result. For the local device only Point, configure a Client WAN data source Setting DescriptionConfigure a Client data source Configure a Server WAN data source Monitoring Server Data Sources Monitoring Client Data SourcesMonitoring WAN Data Sources Server data source Deployment Scenarios Managing Waas DevicesDeployment Scenario Choose Setup Traffic NAM Data Sources Adding Data Sources for New Waas Device Editing Waas Data Sources Deleting a Waas Data Source Hardware Deduplication Choose Setup Traffic Hardware DeduplicationAuto Create of New Waas Devices Alarm Actions AlarmsAlarm Actions, Thresholds, User Scenario, Alarm Action Configuration Deleting Alarm Actions Editing Alarm ActionsChoose Setup Alarms Actions Application associated with this threshold ThresholdsName of the threshold Site associated with this threshold Choose Setup Alarms Thresholds Setting Host ThresholdsAlarm Summary dashboard Monitor Overview Alarm Summary Field Setting Conversation Thresholds Setting Application Thresholds Dashboard Monitor Overview Alarm Summary , where you Setting Response Time Thresholds Dashboard Monitor Overview Alarm Summary, where you Setting Dscp ThresholdsGive the Dscp Alarm Threshold a name Chose a Dscp value from the list High, Low, or High and Low alarms Setting RTP Stream ThresholdsGive the RTP Streams Alarm Threshold a name Alarm actions Setting Voice Signaling Thresholds Give the NDE Interface Alarm Threshold a name Setting NDE Interface ThresholdsDashboard Monitor Overview Alarm Summary , where you can Choose a data source from the list Editing an Alarm Threshold Deleting a NAM Threshold NetFlow Data ExportUser Scenario NetFlow, Scheduled Exports, Custom Export, Choose Setup Data Export NetFlow Viewing Configured NetFlow ExportsNetFlow Exports screen appears shown in Figure Port number of the device to be exported to Configuring NetFlow Data ExportDescription of the NetFlow Export Valid characters 1-9. Length Min 1, Max Host Record types supported by NAM for NetFlow areApplication ART Client Server Application Editing NetFlow Data Export Scheduled ExportsClick Editing a Scheduled Export Choose Setup Data Export Scheduled ExportsDeleting a Scheduled Export Custom Export Managed DeviceDevice Information Name of the network administrator for the router Choose Setup Managed Device Device InformationTotal time the switch has been running Name of the Snmp read-write community string configured on Nbar Protocol Discovery Field / Operation Description NetworkSites Sites, NDE Interface Capacity, Dscp Groups, Specifying a Site Using WAE devices Waas Data Sources Specifying a Site Using SubnetsDefinition Rules Viewing Defined Sites Specifying a Site Using Multiple RulesResolving Ambiguity Overlapping Site Definitions Name of the site Shows if the site is Enabled or DisabledDefining a Site Description of what the site includes Optional text string for describing site See -7for an exampleUnique text string for naming a site Subnet Detection Subnet Detection Editing a SiteEnter an IPv4 or IPv6 address Dscp Groups NDE Interface CapacityCreating an NDE Interface Field Description Usage Notes Choose Setup Network Dscp GroupsCreating a Dscp Group Through Dscp AF/EF/CS Format Bit Field Format Editing a Dscp Group ClassificationDeleting a Dscp Group Applications 8shows an example of what the screen may look like Choose Setup Classification Applications Creating a New Application That list, highlight it and click the left arrow Editing an ApplicationRepeat through as many times as desired Deleting a Protocol Choose Setup Classification Application GroupsApplication Groups Creating an Application Group Deleting an Application Group URL-based ApplicationsEditing an Application Group To edit an application group Choose Setup Classification URL-based Applications Example Editing a URL-Based Application Deleting a URL-based Application Encapsulations Choose Setup Classification EncapsulationsMonitoring Aggregation Intervals, Response Time, Voice, RTP Filter, Aggregation Intervals Choose Setup Monitoring Aggregation IntervalsURL, Waas Monitored Servers, Short-Term Long-Term Choose Setup Monitoring Response TimeResponse Time Normal Minimum Voice Choose Setup Monitoring VoiceMonitor Setup Window Field Appliance 10,000 500 1,750 000 1,000 250 Choose Setup Monitoring RTP FilterRTP Filter Enabling a URL Collection Changing a URL Collection Enabling a URL Collection Choose Setup Monitoring URLDisabling a URL Collection To change a URL collection Changing a URL CollectionElement Description Usage Notes URL page -10displays Disabling a URL Collection Choose Setup Monitoring URL CollectionWaas Monitored Servers Adding a Waas Monitored Server Deleting a Waas Monitored Server Choose Setup Monitoring Waas ServersTo delete a Waas monitored server data source Monitor Navigation,Analyze Navigation Interactive Report Saving Filter Parameters Saving Filter Information Traffic Summary Response Time Summary Alarm Summary Site Summary Top N Applications by Alarm Count Top N Sites by Alarm CountTop N Hosts by Site and Alarm Count Top N Applications by Site and Alarm Count Analyzing Traffic Application Hosts Detail Host Applications Detail Monitored as a whole NDE Interface Traffic AnalysisApplication group set of applications that can be Traffic rate number of bytes per second Dscp Detail Viewing Interface DetailsDscp value Application Groups Detail Applicable site or Unassigned if no site Filtering a URL Collection List URL HitsViewing Collected URLs Viewing Collected URLs Filtering a URL Collection List Network Conversation Host ConversationsTop Application Traffic Top Application Traffic Application Traffic By Host WAN OptimizationTop Talkers Detail Application Performance Analysis Conversation Multi-Segments Response Time NAM Application Response Time Measurements 7lists and describes the ART metrics measured by NAM Metric Description Metric Description Network Response Time Application Response TimeNetwork Client-Server Response Time Server Response TimeClient Response Time Server Application Responses Server Application Transactions Detailed Views Server Application Transactions Server Network Responses Client-Server Application Responses Client-Server Application Transactions Server-response packet, excluding retransmission time Client-Server Network ResponsesPacket as observed at NAM probing point Interface, Interfaces Stats Table InterfaceHealth, NBAR, Health Switch HealthInterface Statistics Over Time CPU usage Chassis HealthChassis Information Backplane Utilization Crossbar Switching Fabric Ternary Content Addressable Memory Information Router Health Router Health Router Information Media Information on how to contact this personCurrent state of the power supply being instrumented Time in hundredths of a second since the network management RTP Stream Information RTP StreamsPurpose RTP Stream Stats Summary Monitoring RTP Streams Voice Call StatisticsRTP Stream Stats Details Called number as it appears in the signaling protocol Calling number as it appears in the signaling protocolCalls Table Time when the call was detected to start From inspecting the call signaling protocolInspecting call signaling protocol Time when the call was detected to end RTP Conversation Field Purpose NAM calculated score that takes into account Synchronization source number as it appear in the RTPHeader Duration of the stream OL-22617-01 Capturing and Decoding Packet Data Quick Capture Sessions Many times as necessary Viewing Capture SessionsName of the capture session Size of the session Operation Description Configuring Capture SessionsChoose Capture Packet/Capture Decode Sessions Configure Capture Session Window Name of the capture Enter a capture name Maximum Capture Session Sizes for NAM Platforms Administration System Capture Data StorageMaximum Session NAM Platform Size NAM Platform Size Software FiltersMaximum Session 300 MB Choose Capture Packet Capture/Decode Sessions Creating a Software FilterSoftware Filter Dialog -4 displays For MAC address, enter hh hh hh hh hh hh, where hh is a IPv4 address in dotted-quad format n.n.n.n, where n is 0 toDefault if blank is Hexadecimal number from 0 to 9 or a to f. The default is Choose GTP.IPv6 for IPV6 address for tunneled packet over Editing a Software Capture Filter To edit software capture filters Hardware Assisted Filters Configuring a Hardware FilterTo cancel the changes, click Cancel Vlan and IP IP and TCP/UDP IP and Payload Data Vlan and IP List is also shown in Figure IP and TCP/UDP IP and Payload Data Files Payload Data Display the packets in a file Delete files Displays a graphic image of network traffic KB/second Error ScanAnalyzing Capture Files Displays packets and bytes transferred for each protocol Downloading Capture Files Choose Capture Packet Capture/Decode Files Deleting a Capture File Deleting Multiple Files Load and decode the previous block of packets from the NAM Viewing Packet Decode InformationStop packet loading Load and decode the next block of packets from the NAM Filtering Packets Displayed in the Packet Decoder Choose a Filter ModeBrowsing Packets in the Packet Decoder Choose an Address Filter Viewing Detailed Protocol Decode Information Define a Protocol Filter Creating Custom Display Filters Using Alarm-Triggered CapturesCustom Display Filters To create custom display filters Custom Decode Filter Dialog Box Operator Meaning Tips for Creating Custom Decode Filter ExpressionsSee Tips for Creating Custom Decode Filter Expressions Format Examples of Custom Decode Filter Expressions Editing Custom Display FiltersField Filter By Format Choose Capture Packet Capture/Decode Display Filters Deleting Custom Display Filters To delete custom display filters OL-22617-01 User and System Administration System Administration Resources Choose Administration System Network ParametersNetwork Parameters Snmp Agent Creating NAM Community Strings Choose Administration System Snmp AgentWorking with NAM Community Strings Snmp Agent Dialog Box displays Deleting NAM Community Strings Testing the Router Community StringsSystem Time To delete the NAM community strings Synchronizing the NAM System Time Locally Synchronizing the NAM System Time with the Switch or RouterChoose Administration System System Time Clock set hhmmss mm/dd/yyyy Configuring the NAM System Time with an NTP Server Mail SettingChoose Administration System E-Mail Setting Web Data Publication To enable Web Data PublishingChoose Administration System Web Data Publication Capture Data Storage Configuring the NFS Storage Location on the NAM Configuring the NFS ServerCreating NFS Storage Locations Editing NFS Storage Locations Editing iSCSI Storage Locations ISCSI target name configured on the remote iSCSI serverCreating iSCSI Storage Locations Name of the remote storage entry Choose Administration System Syslog Setting Syslog SettingSnmp Trap Setting Choose Administration System Snmp Trap Setting Editing a NAM Trap Destination PreferencesDeleting a NAM Trap Destination Audit Trail DiagnosticsSystem Alerts System Alerts, Audit Trail, Tech Support, Tech Support Choose Administration Diagnostics Audit TrailChoose Administration Diagnostics Tech Support Downloading Core Files Privilege Access Level User AdministrationRecovering Passwords Local Database Creating a New User Choose Administration Users Local DatabaseTo create a new user Editing a User Choose the Administration Users Local DatabaseDeleting a User Establishing TACACS+ Authentication and Authorization Field Usage Notes For Windows NT and 2000 Systems Configuring a Cisco ACS TACACS+ ServerClick Network Configuration Click Add Entry Click Submit/Restart Configuring a Generic TACACS+ Server Adding a NAM User or User Group Current User Sessions Parameter Enter NAM Traffic Analyzer 5.0 Usage Scenarios Deploying NAMs for Voice/Video applications DeploymentDeploying NAMs in the Branch Deploying NAMs for WAN Optimization Creating Custom Applications Autodiscovery Capabilities of NAMIntegrating NAM with Third Party Reporting Tools See Dscp Groups, Integrating NAM with LMSUnderstanding Traffic Patterns at the Network Layer See Application Response Time, See Thresholds, Troubleshooting Using NAM for Problem Isolation Using NAM for SmartGrid Visibility Troubleshooting General NAM Issues Packet Drops Error MessagesDoes the session from the switch/router work? NAM Not Responding Waas Troubleshooting NAM Behavior OL-19530-02 Supported MIBs Module Object Identifier OID and Description Source Mib-21.rmon16.tokenRing10.ringStation RFC Mib-21.rmon16.tokenRing10.ringStationConfig RFCObjects10 Power, Temperature and Fan Status Mib-21.rmon16.tokenRing10.ringStation RFC OrderTable3 Cat6kXbarMIBObjects1 Cisco9.workgroup5.ciscoStackMIB1.ciscoStatckCiscoMgmt9.ciscoCat6kCrossbarMIB217.cisco Crossbar statistics OL-22617-01 Custom display filters Capture settings, configuringDownloading to a file Creating Configuring as datasource IN-2 Alarm thresholds Ipesp IPIP4 Creating Deleting Editing Spanning, directing traffic for IN-4 Authentication and authorization, establishing Server, configuring to support NAM Voice data Collecting Viewing Voice signaling thresholds See Virtual Switch Software Waas data sources