Friday, June 12, 2009

Setting Up Logging in the SAProuter

To get an overview of the function and capacity of the SAProuter, a log can be kept of all the connections established and actions performed via the SAProuter.

Procedure

You configure logging with option -G, which specifies the name of the log file and where it is to be created.

Structure of the Log File

The log file is structured line by line. Each line contains the following information:

  • Date and time: week day, month, day, time, year

  • Action: Possible actions are INIT LOGFILE (start of log file), READ ROUTTAB (read Route Permission Table), CONNECT FROM/TO (set up connection from/to), DISCONNECT (close connection), PERM DENIED (connection not permitted by route permission table).

The action is always followed by a handle pair of the form Xn/m: the letter X indicates whether the action was initiated by the client or the server, and the two numbers are the internal NI handle numbers.

Example

The handle pair 'C1/2' means that this log entry refers to the connection with handle 1 to the client (the first number) and handle 2 to the server (the second number). The C at the front means that the action was initiated by the client. A CONNECT FROM is therefore always written with C, and a CONNECT TO with S. With a DISCONNECT, the side that closed the connection is specified. The IP address and port always refer to the other end of the connection (the peer). A log entry with the handle pair C1/- means that no server-side connection exists for the pair yet.

End of the example.

The most important log entries are described below.

Example

Actions

Assuming that logging has been activated, the following actions are executed through the SAProuter. The SAProuter stands between the physical hosts ldp007 with the IP address 10.21.72.60 and binmain (IP address 10.21.82.77).

  1. Connection is opened between host ldp007 (10.21.72.60) and host binmain (10.21.82.77) with port sapmsBIN, which is closed by the client again.

  2. Administrator calls up local SAProuter to display the list of connections (saprouter -l).

  3. Connection is established between host ldp007 (10.21.72.60) and the same host ldp007 with port 3298, which is closed by the server again.

  4. Attempt to open connection from host ldp007 (10.21.72.60) to the same host with telnet port 23 is rejected by the SAProuter.

Route Permission Table

The route permission table in this example allows connections from any host to host 10.21.82.77 with port sapmsBIN, as well as to host 10.21.72.60 with port 3298:

P * 10.21.82.77 sapmsBIN

P * 10.21.72.60 3298

Log File

After these actions have been executed, the log file would look like the following (the line numbers are not displayed, but are added here to help with the description).

(1) Wed Dec 7 13:13:59 2005 INIT LOGFILE

(2) Wed Dec 7 13:13:59 2005 READ ROUTTAB ./saprouttab o.k.

(3) Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp)

(4) Wed Dec 7 13:14:05 2005 CONNECT TO S1/2 host 10.21.82.77/sapmsBIN (binmain)

(5) Wed Dec 7 13:14:05 2005 DISCONNECT C1/2 host 10.21.72.60/1245 (ldp007.wdf.sap.corp)

(6) Wed Dec 7 13:14:13 2005 CONNECT FROM C2/- host 127.0.0.1/44997 (local host)

(7) Wed Dec 7 13:14:13 2005 SEND INFO TO C2/-

(8) Wed Dec 7 13:14:13 2005 DISCONNECT C2/- host 127.0.0.1/44997 (localhost)

(9) Wed Dec 7 13:14:23 2005 CONNECT FROM C2/- host 10.21.72.60/1276 (ldp007.wdf.sap.corp)

(10) Wed Dec 7 13:14:23 2005 CONNECT TO S2/1 host 10.21.72.60/3298 (ldp007)

(11) Wed Dec 7 13:14:24 2005 DISCONNECT S2/1 host 10.21.72.60/3298 (ldp007)

(12) Wed Dec 7 13:14:31 2005 CONNECT FROM C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)

(13) Wed Dec 7 13:14:31 2005 PERM DENIED C2/- host 10.21.72.60 (ldp007.wdf.sap.corp) to ldp007/23

(14) Wed Dec 7 13:14:31 2005 DISCONNECT C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)

Meaning

The lines mean the following:

Line(s): Meaning

(1), (2): The first two lines are always at the start of the log file. The first line marks the start; the second means that the route permission table has been read in successfully.

(3), (4): The client (host 10.21.72.60, port 1245) connects to the SAProuter and, through it, to host 10.21.82.77, port sapmsBIN, since this connection is permitted according to the route permission table.

(5): The connection between host 10.21.72.60, port 1245 and host 10.21.82.77, port sapmsBIN is closed by the client.

(6): On the local host (IP address 127.0.0.1, port 44997) the connection list display is called up (saprouter -l). The connection is opened with the SAProuter.

(7): The SAProuter sends the client the requested connection information.

(8): The connection is closed again. As it is not a client/server connection via the SAProuter, the connection is closed by the SAProuter.

(9), (10): Client host 10.21.72.60, port 1276 wants to connect to server 10.21.72.60, port 3298 via the SAProuter, which is permitted according to the route permission table. The SAProuter opens the connection.

(11): The connection is closed again (by the server).

(12), (13): Client host 10.21.72.60, port 1352 wants to connect to server 10.21.72.60, port 23 (telnet) via the SAProuter, which is not permitted according to the route permission table. The SAProuter returns the message "permission denied".

(14): The connection is closed by the SAProuter. (With unpermitted connections and in error situations the SAProuter closes the connections.)
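The following Python sketch is an added example, not part of the original documentation or of SAP's tooling. It parses entries in the format shown above and groups them into sessions by client-side handle, so that a PERM DENIED entry (which carries no source port) can be tied back to the CONNECT FROM that preceded it. The names ENTRY, sessions and denied are hypothetical, and the "saprouter" closing label for entries without a server handle is an assumption taken from the explanations of lines (8) and (14).

```python
import re

# Constructed input: entries (3)-(5) and (9)-(14) of the log above, numbering removed.
SAMPLE_LOG = """\
Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:05 2005 CONNECT TO S1/2 host 10.21.82.77/sapmsBIN (binmain)
Wed Dec 7 13:14:05 2005 DISCONNECT C1/2 host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:23 2005 CONNECT FROM C2/- host 10.21.72.60/1276 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:23 2005 CONNECT TO S2/1 host 10.21.72.60/3298 (ldp007)
Wed Dec 7 13:14:24 2005 DISCONNECT S2/1 host 10.21.72.60/3298 (ldp007)
Wed Dec 7 13:14:31 2005 CONNECT FROM C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:31 2005 PERM DENIED C2/- host 10.21.72.60 (ldp007.wdf.sap.corp) to ldp007/23
Wed Dec 7 13:14:31 2005 DISCONNECT C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4}) "
    r"(?P<action>CONNECT FROM|CONNECT TO|DISCONNECT|PERM DENIED) "
    r"(?P<side>[CS])(?P<client>\d+)/(?P<server>\d+|-) "
    r"host (?P<peer>[^\s/]+)(?:/(?P<port>\S+))?"
    r"(?: \([^)]*\))?(?: to (?P<target>\S+))?")

def sessions(log_text):
    """Group entries into sessions keyed by the client-side NI handle."""
    open_by_handle, done = {}, []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:  # INIT LOGFILE, READ ROUTTAB, SEND INFO TO, blank lines
            continue
        e, h = m.groupdict(), m["client"]
        if e["action"] == "CONNECT FROM":  # handles are reused, so start fresh
            open_by_handle[h] = {"opened": e["ts"], "client": f'{e["peer"]}/{e["port"]}',
                                 "server": None, "denied_target": None, "closed_by": None}
        elif h in open_by_handle:
            s = open_by_handle[h]
            if e["action"] == "CONNECT TO":
                s["server"] = f'{e["peer"]}/{e["port"]}'
            elif e["action"] == "PERM DENIED":
                s["denied_target"] = e["target"]
            else:  # DISCONNECT: C/S names the closing side once both handles exist.
                # Assumption from lines (8) and (14): no server handle = SAProuter closed.
                s["closed_by"] = ("saprouter" if e["server"] == "-"
                                  else "client" if e["side"] == "C" else "server")
                done.append(open_by_handle.pop(h))
    return done

def denied(log_text):
    """Sessions that the route permission table rejected."""
    return [s for s in sessions(log_text) if s["denied_target"]]
```

Because handle numbers are reused (C2/- appears for three different connections in the sample log), each CONNECT FROM has to start a new session rather than update an existing one.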
