Steps for diagnosing the cause for missing IP security or defensive filter syslogd output

Determine the cause for missing IP security or defensive filter syslogd output.

Procedure

Perform the following steps:

  1. Ensure that Policy Agent is running on this system if IP security policy is defined.
  2. Ensure that TRMD is running for this stack on this system. Consider using TCPIP PROFILE Autolog for TRMD. See Diagnosing TRMD problems for more information.
  3. Ensure that syslogd is running on this system.
  4. Ensure that syslogd is configured for IP security and defensive filter output. TRMD always writes IP security and defensive filter log records to the syslog local4 facility.
    Table 1. IPSec messages logged by TRMD
    Message                                                 Priority
    EZD0827I Remote port translated                         Debug
    EZD0811I Decapsulation failed (reason codes 8 and 9)    Debug
    All other IPSec messages logged by TRMD                 Info
    Note:
    1. If IP security policy is configured to log permits and denies, TRMD sends those messages to syslogd using facility local4.
    2. If IKED is configured for logging, IKED messages are sent to syslogd using facility local4 and varied priorities.
    Table 2. Defensive filter messages logged by TRMD
    Message                                                 Priority
    Defensive filter messages logged by TRMD                Info
    Note:
    1. If a defensive filter indicates that a filter match should be logged, TRMD sends those messages to syslogd using facility local4.
    2. If the DMD is configured for logging, DMD messages are sent to syslogd using facility local4 and varied priorities.
    Tips:
    • If TRMD is logging Intrusion Detection Services (IDS) messages as well as IP Security (IPSec) messages and defensive filter messages, consider using the facility to separate the IDS messages from the IPSec and defensive filter messages: IDS messages are written to the daemon facility, while IPSec and defensive filter messages are written to the local4 facility.
    • If running multiple TRMDs, consider using the syslogd -u option when starting syslogd. The -u option causes the job name of the application writing the syslogd record to be included in the syslogd record.
    • If running multiple TRMDs, consider using the trmd jobname prefix to separate IPSec output by stack.
    Guidelines:
    • Ensure that syslogd is configured to write TRMD and IKED messages for IP security.
    • Ensure that syslogd is configured to write TRMD and DMD messages for defensive filters.
    • For example, the following lines could be added to the syslogd configuration file to organize TRMD, IKED, and DMD messages:
      *.*.local4.* /tmp/logs/filter.log
      *.IKED*.local4.* /tmp/logs/IKED.log
      *.DMD*.local4.* /tmp/logs/DMD.log
      *.trmd*.local4.* /tmp/logs/trmdfilt.log
      *.trmd*.daemon.* /tmp/logs/ids.log

      In the example, IKED, DMD, and TRMD IP security and defensive filter messages are all written to the log file /tmp/logs/filter.log. IKED messages are also written to the log file /tmp/logs/IKED.log. DMD messages are also written to the log file /tmp/logs/DMD.log. IP security and defensive filter TRMD messages are also written to the log file /tmp/logs/trmdfilt.log. If TRMD is logging IDS messages, those messages are written to /tmp/logs/ids.log.

    • Ensure that the log files exist or syslogd is configured to create them using the -c option.
    • Ensure that the log files are writable.
    • Ensure that there is adequate space on the file system for writing to the log files.

      Perform the following steps to reduce the amount of syslogd output for IP security and defensive filters.

      1. Ensure that the logging levels for the IKE daemon are set appropriately in the IKE daemon configuration file.
        • IkeSyslogLevel - During day-to-day operation, this value should be set no higher than the default of 1. A higher value should be used for temporary diagnostic purposes only. IkeSyslogLevel can also be set to 0 to disable IKE syslog messages entirely.
        • PagentSyslogLevel - During day-to-day operation, this value should be set to the default of 0. A higher value should be used for temporary diagnostic purposes only.
      2. Ensure that the logging levels for the DMD are set appropriately in the DMD configuration file.
        • SyslogLevel - During day-to-day operation, this value should be set no higher than 7. A higher value should be used for temporary diagnostic purposes only. SyslogLevel can also be set to 1 for minimum logging or 0 to disable DMD syslog messages entirely.
      3. Ensure that filter logging controls are set appropriately for IP security filters.
        • Filter logging generates a message each time an inbound or outbound packet matches the filter. Exhaustive logging of IP traffic can have a negative effect on performance. Filter logging can be controlled at the individual rule level, including the ability to specify whether to log permitted traffic, denied traffic, or both.
        • To disable filter logging for profile filter rules:
          • To disable logging for a configured filter rule, set NOLOG on the IPSECRULE or IPSEC6RULE statement.
          • To disable logging for the implicit filter rules that deny all traffic not permitted by a configured rule, set NOLOGIMPLICIT on the IPSEC statement.
          • To disable filter logging for all profile filter rules, set LOGDISABLE on the IPSEC statement.
        • To disable filter logging for policy filter rules configured using the Policy Agent:
          • To disable logging for a configured filter rule, set IpFilterLogging No on the IpGenericFilterAction statement.
          • To disable logging for the implicit filter rules that deny all traffic that does not match a configured rule, set IpFilterLogImplicit No on the IpFilterPolicy statement.
          • To disable filter logging for all policy filter rules, set FilterLogging Off on the IpFilterPolicy statement.
        • To disable filter logging for policy filter rules configured with the IBM® Configuration Assistant for z/OS® Communications Server:
          • To disable logging for a configured filter rule, set filter logging to No for the Connectivity Rule.
          • To disable logging for the implicit filter rules that deny all traffic that does not match a configured rule, select Do NOT log implicit deny events on the IPSec: Stack Level Settings panel.
          • To disable filter logging for all policy filter rules, select Disable all filter logging on the IPSec: Stack Level Settings panel.
        • The following messages are controlled by the configured filter logging settings described above:
          • EZD0814I Packet permitted
          • EZD0815I Packet denied by policy
          • EZD0821I Packet denied, no tunnel
          • EZD0822I Packet denied, tunnel inactive
          • EZD0832I Packet denied by NAT Traversal Processing
          • EZD0833I Packet denied, tunnel mismatch
      4. Ensure that filter logging controls are set appropriately for defensive filters.
        • Filter logging generates a message each time an inbound or outbound packet matches the defensive filter. Exhaustive logging of IP traffic can have a negative effect on performance. Filter logging can be controlled at the individual defensive filter rule level.
        • To disable filter logging for a defensive filter rule, use the ipsec -F update command with log no specified.
        • To limit filter logging for a defensive filter rule, use the ipsec -F update command with the loglimit keyword specified with a value of 1 - 9999. See the ipsec -F command in z/OS Communications Server: IP System Administrator's Commands for more information about the ipsec -F update command.
        • The following messages are controlled by the defensive filter's log and loglimit settings:
          • EZD1721I Packet denied by defensive filter
          • EZD1722I Packet would have been denied by defensive filter
      5. Ensure that IP security and defensive filter messages being logged by the TRMD daemon are being handled appropriately.
        • The TCP/IP stack invokes the TRMD daemon to log IP security and defensive filter messages to syslog. The filter logging messages described above are logged by the TRMD daemon. TRMD also logs messages that are not associated with a specific filter. For example, when a tunnel is successfully negotiated, TRMD logs message "EZD0818I Tunnel added". Also, when an IP security policy update is processed, TRMD logs message "EZD0816I IPSec Policy updated". When a defensive filter is added to the stack, TRMD logs message "EZD1723I Defensive filter added".
        • There is no explicit configuration option to turn off logging for TRMD messages that are not associated with a specific filter. However, the syslog configuration file can be updated to exclude some or all TRMD messages. See Table 1 for information about the syslog priority used to log TRMD messages. See Table 2 for information about the syslog priority used to log defensive filter TRMD messages.
        • Include the following line in your syslog configuration file to exclude IP security TRMD messages logged with a priority of debug. IP security and defensive filter TRMD messages with a priority of info or higher would be written to /tmp/trmdlog. Messages with a priority of debug would not be written to the file.
          *.TRMD*.local4.info  /tmp/trmdlog
        • Include the following line in your syslog configuration to exclude all IP security and defensive filter TRMD messages.
          *.TRMD*.*.*;*.TRMD*.local4.none  /tmp/trmdlog

          All messages with job name TRMD* would be selected. Then all TRMD messages using facility local4 would be excluded. In effect this excludes all IP security and defensive filter TRMD messages from being written to /tmp/trmdlog.
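To check how the selector lines in the guidelines above and in step 5 route TRMD, IKED, and DMD records before changing a live syslogd configuration, the following added example (not IBM's code and not part of this page) models z/OS syslogd selector matching in Python. It assumes that a priority selector matches that priority and anything more severe, that none removes a facility from a rule's selection, that selectors joined by a semicolon are applied left to right, and that user ID and job name wildcards match case-insensitively; the job names, user ID, and the renamed second step-5 destination are constructed for the example.

```python
from fnmatch import fnmatchcase

# syslog severities, most severe first; a selector priority is assumed to match
# records at that level or more severe (the page: 'info' keeps info, drops debug)
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The page's syslogd.conf lines. The last destination is renamed from the page's
# /tmp/trmdlog so the two step-5 variants can be compared side by side.
CONF = """
*.*.local4.* /tmp/logs/filter.log
*.IKED*.local4.* /tmp/logs/IKED.log
*.DMD*.local4.* /tmp/logs/DMD.log
*.trmd*.local4.* /tmp/logs/trmdfilt.log
*.trmd*.daemon.* /tmp/logs/ids.log
*.TRMD*.local4.info /tmp/trmdlog
*.TRMD*.*.*;*.TRMD*.local4.none /tmp/trmdlog_nolocal4
"""

def parse_rules(conf):
    """Split 'userid.jobname.facility.priority[;...] destination' lines into
    ([(userid, jobname, facility, priority), ...], destination) pairs."""
    rules = []
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            selectors, dest = line.split()
            rules.append(([tuple(s.split(".")) for s in selectors.split(";")], dest))
    return rules

def name_match(pattern, value):
    # user ID and job name wildcards; assumed case-insensitive (page uses trmd* and TRMD*)
    return fnmatchcase(value.upper(), pattern.upper())

def route(conf, jobname, facility, priority, userid="TCPIP"):
    """Return the destinations one log record is written to under conf.
    Selectors of a rule apply left to right; 'none' drops a facility again."""
    dests = []
    for selectors, dest in parse_rules(conf):
        chosen = False
        for sel_user, sel_job, sel_fac, sel_pri in selectors:
            if not (name_match(sel_user, userid) and name_match(sel_job, jobname)
                    and sel_fac in ("*", facility)):
                continue
            if sel_pri == "none":
                chosen = False
            elif sel_pri == "*" or PRIORITIES.index(priority) <= PRIORITIES.index(sel_pri):
                chosen = True
        if chosen:
            dests.append(dest)
    return dests
```

Calling route(CONF, "TRMD1", "local4", "debug") shows the debug record reaching filter.log and trmdfilt.log but not /tmp/trmdlog, while a TRMD record on the daemon facility still reaches /tmp/trmdlog_nolocal4 because only local4 was excluded.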