NetYCE Documentation
Design
Build
Operate
Admin
FAQ
User guides
Reference
Downloads
Release notes
Setup
NetYCE accounts
NetYCE Documentation
Design
Build
Operate
Admin
FAQ
User guides
Reference
Downloads
Release notes
Setup
NetYCE accounts
NeYCE supports some settings that can be modified by the customer to change specific behaviour. Usually these are procedure or policy related.
This article describes the Tweaks that are accessible in using the Admin - Lookup menu under the “Tweaks” class.
See the generic article on the Lookup form on how to use it.
Custom reports will decrypt passwords only for those user-levels present in String (eg: '456'). Default is '456'. The Num value has no function and is ignored.
The NetYCE database has many encrypted columns that are decrypted for front-end and back-end purposes on the fly. This tweak controls the same dynamic decryption behaviour for user custom reports. Given the confidentiality of some of the information, these reports could easily circumvent the security policies of the customer. By specifying the user-levels permitted to get access to this dynamic encryption, the policies can be enforced.
These user-levels correspond to the Global Permission Level defined in the User Group the operator is a member of. The levels range from 0 to 6, mapping respectively to: 'disabled', 'browser', 'operator', 'engineer', 'modeller', 'manager', and 'system'.
When number set <>0, editing of production template revision is allowed. Default is '0'. The String value has no function and is ignored.
The tweak removes the strict enforcing of the requirement that for any template change, a new revision must be created, providing a fully traceable change log of the templates. However for test- and development-environments this quickly results in overkill and a cumbersome process.
For Client_type in <String>, permit Service_type to add many topo links on a port when <Num> not 0.
The front-end and the Service-types do not allow a device port to have multiple topology connections since they are point-to-point by nature.
However, for migration purposes a feature to selectively allow multiple links per port is desirable. For this purpose the Lookup tweak 'Allow_topo_multipoint' is intended. It can allow or deny this behaviour per Client-type.
The default Tweak has no Client-type specified in the String value, indicating its setting applies to all Client-types. The Num value determines the setting itself: a zero for the normal not-permitted action (conform existing policies) and a non-zero for the permitted action.
A tweak record with this name (Allow_topo_multipoint) can be added for each Client-type, overruling this setting using the Num value. This permits the configuration where the default action is not-permitted, but where for one or two Client-types this operation is granted.
When Num value is not 0, a Hostname change is not restricted to its node-type function
The Node details form will normally not allow you to alter a Hostname because it was generated within the constraints of the Node-type definitions.
If this tweak is enabled, the Hostname can be changed into any free hostname.
Without this tweak, the permitted name changes will be limited to the Node-type definition restraints.
Maximum age in days before ending any NetYCE debug mode. Default = 1 day (24h), Forever = 0
NetYCE uses two flag-files to control the debugging level of nearly all of its components. The debug level is enabled by creating the file /opt/yce/etc/yce_debug
. When it exists, the various daemons will create additional log files in /var/opt/yce/logs/
which will have file names like yce_<daemon>_debug.log
.
The development level is enabled by creating the file /opt/yce/etc/yce_development
. When it exists, the file /var/opt/yce/yce_dev_debug.log
is created. It will mostly contain very detailed information on the interaction with the devices.
Due to the amount of information that will be created in these log files, they are automatically emptied out daily by the log_maint.pl
script at 22:15 (see Logging aging tweaks).
To prevent the generation of debug and development log files over longer periods of time, the tweak 'Debug_max_days' is by default set to 1 day. This implies that the yce_debug and yce_development flag files will be removed 24 hours after they were created.
Only when these logging levels are required for longer periods should this tweak be set to more days. If set to '0', the flag files will never be removed.
Num_value defines the initial site status (1=active, 2=planned, 0=obsolete, ..
When creating a new site it must have an initial status. This initial status is defined using this tweak. The default is '1' which is translated to 'active'. These translations are also defined in the Lookup form but under the class 'Translation'. The entries using de variable SiteStatus
define the available site statuses and their corresponding translations.
Enabling this tweak will delete the supernets from the database when no longer in use. The default behavior will not delete these supernets, so they are available for re-use without re-adding them. This also allows for reservations which are to be used at a later point in time.
With this setting you are able to define when an email is send, if it should go to the user defined email address, the group defined email address or both.
When the setting is set to 'user' and the email address is not defined it is send to the group email address.
This setting can disable the distributed schedulers “node-lock” behaviour. Jobs will be kept in a 'waiting' state while another job on that same node is still running. These global node-locks are released after 10 minutes.
The scheduler will not wait for jobs running on same node when Num_value > 0. The default is '0'. This setting applies to all NetYCE servers and requires the 'yce_sched' process on each server to be restarted to take effect.
NetYCE maintains many log files and logging data tables on its system(s) and database. All logs are size/age rotated or capped by a maximum age. The Tweaks in this category allow the system owner to modify the default aging parameters for the various logging types.
All (numeric) values are in days.
The logging aging is maintained by the daily logging cleanup script, bin/log_maint.pl
, that is executed daily using the cron
facility. It starts at 22:15 by default.
This logging cleanup script itself logs all its actions in /var/opt/yce/logs/yce_maint.log
. This logfile rotates at 500.000 bytes.
The default crontab entry (from the yce
user!) is listed below:
#--- YCE daily maintenance --------------------------------- # Log, Job and Output directory cleanup 15 22 * * * /opt/yce/bin/log_maint.pl > /dev/null 2>&1
Do not keep Action_log entries older than Num_value days. Default = 400. The String value has no function and is ignored.
The Action_log is a table in the database where user activity is logged. It also has the entries created by jobs using scenarios with the “log_action” command.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
Do not keep Config_log entries older than Num_value days. Default = 100. The String value has no function and is ignored.
The Config_log is a table in the database where Job configuration sessions are logged.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
Do not keep Nccm configuration entries older than Num_value days. Default = 800. The String value has no function and is ignored.
The Nccm log is a table in the database where polled node configuration changes are logged.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
Do not keep Node_log entries older than Num_value days. Default = 400. The String value has no function and is ignored.
The Node_log is a table in the database where the responses to node 'show'-type commands are logged.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
Do not keep Custom report results older than Num_value days. Default = 30. The String value has no function and is ignored.
Custom report results are removed from the database when they exceed this age. This applies to all individual report result entries. A one-off report is removed when it was created after this many days as is the dated report (with the <date> appended). The date listed in the YCE.Images.Image_filename is used as the creation date and applies only where YCE.Images.Image_name ends in “.rep”.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
Do not keep Job log files older than Num_value days. Default = 30. The String value has no function and is ignored.
The result files are primarily the local Job log files. Each job that is executed on a server has a unique environment (the Job_id) under /var/opt/yce/jobs/
where running files are maintained. This tweak affects the period that these files are preserved.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
Do not keep Task_log entries older than Num_value days. Default = 100. The String value has no function and is ignored.
The Task_log is a table in the database where the AMP API requests and responses are logged.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
Do not keep temp files older than Num_value days. Default = 15. The String value has no function and are ignored.
The temp files are primarily the local Job session files. Each job that is executed on a server has a unique environment (the Job_id) under /var/opt/yce/jobs/
where running files are maintained. This tweak affects the period that these files are preserved.
This tweak is used by the daily logging cleanup script, bin/log_maint.pl
.
The NetYCE database archive tools maintain the number of archives that may exist for the archive types, YCE and NCCM. Automatic daily archives of both YCE and NCCM are now standard and takes place at 23:00 or 23:20 by default (for primary or secondary server respectively).
The maximum number of archives for each type are controlled using Tweaks in the Lookup form. The 'Archive_count_yce' variable defines the number of historical YCE database archives that are maintained. The default is '15'.
All archives of each type count against these values, regardless if they were created manually, uploaded, or created automatically. The only archives NOT counted (and therefore not deleted) are uploaded archives where the filename was modified.
The deletion of excess archives takes place after each archive creation, regardless of type.
This tweak is used by the database archive tool /opt/yce/bin/dbarchive.pl
.
The NetYCE database archive tools maintain the number of archives that may exist for the archive types, YCE and NCCM. Automatic daily archives of both YCE and NCCM are now standard and takes place at 23:00 or 23:20 by default (for primary or secondary server respectively).
The maximum number of archives for each type are controlled using Tweaks in the Lookup form. The 'Archive_count_nccm' variable defines the number of historical NCCM database archives that are maintained. The default is '15'.
All archives of each type count against these values, regardless if they were created manually, uploaded, or created automatically. The only archives NOT counted (and therefore not deleted) are uploaded archives where the filename was modified.
The deletion of excess archives takes place after each archive creation, regardless of type.
This tweak is used by the database archive tool /opt/yce/bin/dbarchive.pl
.
NetYCE uses its database to maintain its main logging entries. Since these logs are not directly available for logging analysis tools like Splunk, a facility was created to export these logging tables to parsable logging files. The next three tweaks enable or disable this facility for each of the three logging tables.
The exporting facility is implemented in the NetYCE daemon process yce_skulker
. Amongst its many tasks is the exporting of the log files. It will examine the logging tables marked for export every five minutes and append the new items to the export files.
At date rollover, new files will be opened and the older renamed to provide a 10-day history (as all log files are rotated within NetYCE).
When number set <> 0, the Action_logs (users) will be exported to log files
The exported log file is /var/opt/yce/logs/yce_action.log
. Daily rollover will create ten files using the extensions '.0' thru '.9'.
When number set <> 0, the Config_logs (jobs) will be exported to log files
The exported log file is /var/opt/yce/logs/yce_config.log
. Daily rollover will create ten files using the extensions '.0' thru '.9'.
When number set <> 0, the Task_logs (api) will be exported to log files
The exported log file is /var/opt/yce/logs/yce_task.log
. Daily rollover will create ten files using the extensions '.0' thru '.9'.
The NCCM process retrieves periodically the life configuration of devices and stores them to report on observed differences over time.
The NCCM uses a number pollers to retrieve the configuration from the devices. Each poller is tasked to sequentially contact a series of nodes and interactively retrieve the config, find any differences and stores them if any.
The user defines the polling interval and the total of number of nodes the server has to poll using the NCCM front-end tools. The system then determines how many pollers is needs based on the number of nodes and the time a poll requires.
Each time a configuration is retrieved, the new configuration is compared against a base-configuration. Any differences between the the base and the current is then stored. After a while a new base config is established and the differences against that base are then stored. This method of configuration storage has the benefit of low storage volume and minimal retrieval processing (never more than 4 records and two re-builds).
To determine if a new base configuration should be created or only the differences stored, three criteria are used: number of diffs, age of the base, and size of the diff. These three criteria are set using three corresponding tweaks.
To control the number of pollers two tweaks are provided: to limit the maximum number of pollers and the average time to poll a node.
Maximum age in days of a base-configuration. Set the Num_value. Default = 7
When the current base configuration exceeds this age in days, a new base configuration is created.
Maximum number of stored config-diffs before a new base-config is created. Set Num_value. Default = 36
When there are more than this number of diffs stored for the current base configuration, a new base configuration is created.
Maximum size in bytes of a config-diff before a new base-config is created. Set Num_value. Default = 8192
When the diff exceeds this number of bytes, a new base configuration is created.
Maximum number of NCCM pollers per system. Set the Num_value. Default = 12
By default no more than 12 pollers are permitted to run on a server. If more pollers are required for the number of nodes, additional server(s) could be configured to poll the remaining nodes. Or the polling interval could be increased.
The limit of 12 is based on the common hardware specifications of the NetYCE servers, but could require tuning for the systems used or the load given for other tasks.
Average duration in seconds of a NCCM config-poll. To calculate required number of pollers. Default = 15
In practice, the average duration of a configuration retrieval is 15 seconds. For slower devices, larger configurations or restricted bandwidth, this number might be increased.
If set too low, the pollers will still poll all their nodes but will simply skip any idle periods that is will otherwise use to maintain the desired pace. The effect is that the polling interval will be (somewhat) longer than the configured number of hours.
The maximum number of cmpl children the nccmd daemon can spawn. The nccmd daemon spawns a number of compliance and nccm children to take care of its tasks concurrently, and they both have their own upper limit on how many children can be spawned. For compliance this is Cmpl_max_children.
Whenever you delete a polling group:
Controls the values for the next poll interval dropdown in the polling groups form. Options are separated by '|'-pipes, and separated by commas. The first item denotes the number of hours until the next poll, the second the label.
Note that if you enter the wrong syntax, it will mess up the form, so be sure to make a backup if you want to modify this value.
The maximum number of cmpl children the nccmd daemon can spawn. The nccmd daemon spawns a number of compliance and nccm children to take care of its tasks concurrently, and they both have their own upper limit on how many children can be spawned. For nccm this is Nccm_max_children.
Rules have their own severity, and their own colors to denote low priority compliance erros, medium, high and serious. You can customize this and their colours with these options.
When a new rule is created, this is the severity that it will have by default, corresponding to the numerical value of Cmpl_rule_severity. By default it is set to 1 (Medium)
When a new policy is created, these are its signal triggers that are set by default. There is a record set for every state change possible. The string values correspond to:
If the value is set to 1, a signal will be triggered on this state change. If not, a signal will not be triggered.
Sets the default signal type. A signal type is a bitwise value, where the first four bits matter. Their meanings are:
The default is set to 1, sending just a trap message.
NOTE: we do not recommend setting the third bit, Email. Compliance result signals are sent out per node, per policy. If you don't watch out you could set off a ddos attack with an overwhelming number of emails.
Denotes whether or not we should use censored configs (1) or uncensored configs (0) when checking compliance for a node.
The default value is 0.
Censored configs have all passwords and sensitive information filtered away as censored, preventing this information from returning into your reports. If this is not an issue you can set it to 0.
With these tweaks you are able to specify the default sub-menu to open when selecting either of the main menus. E.g. Opening the Service-types page by default when selecting the Design menu.
The values are case sensitive.
NOTE: After modifying a value it is required to run theyce_setup.pl -r
or from the GUI: Admin > System > System status >'Regenerate config'
Set Str_value to (internal) id name to make it the default.
Defines the initially activated menu for the Design menu. Valid entries are:
client_types site_types par_groups node_types service_types ipv4plans ipv6plans hardware ipserverplans relations relations_test template_trace
Default is empty, resulting in the NetYCE page with license information.
Set Str_value to (internal) id name to make it the default.
Defines the initially activated menu for the Build menu. Valid entries are:
build regions domain ipsecgre servers templates mpls osversions
Default is build
.
Set Str_value to (internal) id name to make it the default.
Defines the initially activated menu for the Operate menu. Valid entries are:
jobs job_logs logs node_groups tools node_config service_config reports cmdb NCCM compliancy scenarios
Default is empty, resulting in the NetYCE page with license information.
Set Str_value to (internal) id name to make it the default.
Defines the initially activated menu for the Admin menu. Valid entries are:
users logs task_logs custom_data lookup dnsipam administration system
Default is empty, resulting in the NetYCE page with license information.
Many of the items in the 'Operate' menu have a selection of operational tools presented in a sub-menu. One of these tools is selected when selecting the menu.
The tool initially selected can be customized per installation. To this end a series of Lookup entries have been added in the 'Tweaks' class, one for each sub-menu.
The tool name specified in the tweaks string-value will override the standard default tool selection. The various Lookup variable names all use the 'Default_tool_' prepended to the menu name. Thus, 'Default_tool_report' specifies the tool name initially selected in the 'Report' menu, and 'Default_tool_node_config' will do the same for the 'Node config' menu.
When changes are made to these settings, the yce_setup.pl -r
CLI tool will need to executed
to re-create the menu and configuration files needed. This action is automatically included
when installing a software update using the GUI.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Operate - Tools menu. Valid entries are:
view_conf resolve_ip ping_nodes ping6_nodes os_upgrades group_test
Default is view_conf
.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Operate - Node config menu. Valid entries are:
basic_cmd cmd_jobs port_cfg startup_cfg mig_node tpl_usage
Default is cmd_jobs
.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Operate - Service config menu. Valid entries are:
connect_dce connect_c3 connect_cen connect_hfc connect_cramer cmts_combine csv_api
Default is csv_api
.
Since most of these entries relate to customer specials, only those are actually selectable that have been installed.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Operate - RN3 core menu. Valid entries are:
rx_vlan evpn_scan sla_monitor rx_failover
Default is rx_vlan
.
All these these entries relate to customer specials, only those are actually selectable that have been installed.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Operate - Reports menu. Valid entries are:
client_report query_results query_add query_del
Default is client_report
.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Operate - NCCM menu. Valid entries are:
nccm_nodes nccm_report nccm_daemon_cfg diff_cfg
Default is nccm_nodes
.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Admin - DNS and IPAM menu. Valid entries are:
ipam_update dns_add dhcp_cancel
Default is ipam_update
.
All these these entries relate to customer specials, only those are actually selectable that have been installed.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Admin - Administration menu. Valid entries are:
files_support tftp_files user_perms
Default is tftp_files
.
Set Str_value to (internal) tool name to make it the default.
Defines the initially activated tool for the Admin - System menu. Valid entries are:
system_status db_archives nccm_archives edit_configs xch_test
Default is system_status
.
Password validation rules are defined using the Lookup class “Password”. These settings are described in Lookup Password