Syslog is a widely used mechanism for logging system events. NIOS appliances generate syslog messages that you can view through the Syslog viewer and download to a directory on your management station. In addition, you can configure a NIOS appliance to send the messages to one or more external syslog servers for later analysis. Syslog messages provide information about appliance operations and processes, including messages generated by the bloxTools service. You can choose logging categories so that only specific syslog messages are sent. The prefixes in the syslog messages are based on the logging categories you configure for the syslog server; messages are prefixed only when you select logging categories. For information about how to configure logging categories, see Specifying Syslog Servers. You can also include audit log messages and specific BIND messages among the messages the appliance sends to the syslog server.
In addition to saving system messages to a remote syslog server, a NIOS appliance also stores the system messages locally. When the syslog file reaches its maximum size, which is 300 MB for Infoblox appliances and VMware virtual appliances, and 20 MB for Riverbed virtual appliances, the appliance automatically rotates the file: it adds a .0 extension to the first file and increments the extensions of subsequent files by 1.
Files are compressed during the rotation process, adding a .gz extension after the numerical suffix (file.#.gz). The sequence runs from zero through nine. When the eleventh file is started, the tenth log file (file.9.gz) is deleted, and the remaining files are renumbered accordingly: the current log file moves to file.0.gz, the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of 10 rotated log files (0-9) are kept.
You can set syslog parameters at the Grid and member levels. At the member level, you can override Grid-level syslog settings and enable syslog proxy.
You can configure the appliance to back up rotated syslog files to external servers through FTP or SCP. When you do so, the appliance forwards the rotated syslog files to the external servers that you configure. You can configure up to 10 external syslog backup servers each at the Grid and member levels. You can also override the Grid-level server configuration at the member level. For information about configuring syslog backup servers, see Configuring Syslog Backup Servers.

This section includes the following topics:

...

    • Syslog size (MB): Specify the maximum size for a syslog file. Enter a value between 10 and 300. The default is 300.
      When the syslog file reaches the size you enter here, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1.
    • Log to External Syslog Servers: Select this to enable the appliance to send messages to a specified syslog server. Grid Manager displays the current syslog servers in the table. To define a new syslog server, click the Add icon and complete the following:
      • Address: Enter the IP address of the syslog server. Entries may be an IPv4 or IPv6 address.
      • Transport: From the drop-down list, select whether the appliance uses Secure TCP, TCP or UDP to connect to the external syslog server.
      • Server Certificate: Click Select to upload a self-signed or a CA-signed server certificate. In the Upload dialog, click Select and navigate to the certificate file, and then click Upload. Note that this is valid only for Secure TCP transport.
      • Interface: From the drop-down list, select the interface through which the appliance sends syslog messages to the syslog server.
        • Any: The appliance chooses any port that is available for sending syslog messages.
        • LAN: The appliance uses the LAN1 port to send syslog messages.
        • MGMT: The appliance uses the MGMT port if it has been configured. Otherwise, it uses the LAN1 port.
      • Source: From the drop-down list, select which syslog messages the appliance sends to the external syslog server:
        • Any: The appliance sends both internal and external syslog messages.
        • Internal: The appliance sends syslog messages that it generates.
        • External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers.
      • Node ID: Specify the host or node identification string that identifies the appliance from which syslog messages are originated. This string appears in the header message of the syslog packet. Select one of the following:
        • LAN: Use the LAN1 IP address of the appliance. For an HA pair, this is the LAN1 address of the active or passive node. This is the default.
        • Host Name: Use the host name of the appliance in FQDN format.
        • IP and Host Name: Use both the FQDN and the IP address of the appliance. The IP address is the LAN1 or MGMT IP address, depending on whether the MGMT port has been configured. Note that if the MGMT port is not configured, the LAN1 IP address is used. Specifying Syslog Servers provides more information about which IP address is used in the syslog configuration file when the MGMT port has been configured.
        • MGMT: Use the MGMT IP address, if the port has been configured. If the MGMT port is not configured, the LAN1 IP address is used. This can be an IPv4 or IPv6 address.
      • Port: Enter the destination port number. The default is 514 for TCP and UDP. For Secure TCP, the default port is 6514.
      • Severity: Choose a severity filter from the drop-down list. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. The severity levels range from the lowest, debug, to the highest, emerg. For example, if you choose debug, the appliance sends all syslog messages to the server. If you choose err, the appliance sends messages with severity levels err, crit, alert, and emerg.
        • emerg: Panic or emergency conditions. The system may be unusable.
        • alert: Alerts, such as NTP service failures, that require immediate actions.
        • crit: Critical conditions, such as hardware failures.
        • err: Error messages, such as client update failures and duplicate leases.
        • warning: Warning messages, such as missing keepalive options in a server configuration.
        • notice: Informational messages regarding routine system events, such as "starting BIND".
        • info: Informational messages, such as DHCPACK messages and discovery status.
        • debug: Messages that contain information for debugging purposes, such as changes in the latency timer settings and AD authentication failures for specific users.
      • Logging Category: Select one of the following logging categories:
        • Send all: Select this to log all syslog messages, irrespective of the category to which they belong. When you select this option, the appliance logs syslog messages for all events, including all DNS and Infoblox related events. However, the syslog messages are not prefixed when you select this option.
        • Send selected categories: Select this to configure logging categories from the list of available logging categories. Use the arrows to move logging categories from the Available table to the Selected table and vice versa. The appliance sends syslog messages for the categories that are in the Selected table. When you select this option, you must add at least one logging category. The syslog messages are prefixed with the name of the category to which they belong. Also, the RPZ events logged in the syslog messages use specific prefixes for the selected categories. Note that the syslog messages are prefixed when you set logging categories for at least one external syslog server, even if you set other external syslog servers to Send all. For information about syslog prefixes, see Syslog Message Prefixes.
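To make the Severity rule concrete, here is an added Python example (not Infoblox code) that reads the <PRI> header of syslog lines and keeps only those a given Severity setting would forward. The sample lines are constructed, and the PRI encoding (PRI = facility * 8 + severity, severity 0 = emerg through 7 = debug, per RFC 3164/5424) is an assumption not stated on this page.

```python
# Added example (not Infoblox code): model the NIOS "Severity" filter for an
# external syslog server. A syslog line starts with <PRI>, where
# PRI = facility * 8 + severity (RFC 3164 / RFC 5424); severity 0 = emerg,
# 7 = debug. The appliance sends messages at the chosen level and all
# more-severe levels, so choosing "err" forwards err, crit, alert and emerg.
import re

# Ordered from most to least severe; the numeric severity code is the index.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity_name) from a line's <PRI> header, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return pri // 8, SEVERITY_NAMES[pri % 8]


def passes_filter(line, chosen):
    """True if this line would be forwarded with the Severity field set to `chosen`."""
    parsed = parse_pri(line)
    if parsed is None:
        return False  # lines without a valid PRI header are not classified
    _, sev = parsed
    return SEVERITY_NAMES.index(sev) <= SEVERITY_NAMES.index(chosen)


def forwarded(lines, chosen):
    """Subset of `lines` an external server would receive at Severity `chosen`."""
    return [line for line in lines if passes_filter(line, chosen)]


# Constructed sample lines (not real appliance output); only the PRI matters.
SAMPLE = [
    "<27>Jan  1 10:00:00 nios1 dhcpd: duplicate lease",            # daemon.err
    "<30>Jan  1 10:00:01 nios1 dhcpd: DHCPACK on 10.0.0.5",         # daemon.info
    "<25>Jan  1 10:00:02 nios1 ntpd: NTP service failed",           # daemon.alert
    "<31>Jan  1 10:00:03 nios1 named: latency timer changed",       # daemon.debug
    "not a syslog line",
]

if __name__ == "__main__":
    for line in forwarded(SAMPLE, "err"):
        print(line)
```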

...

Note: The syslog categories you specify here are different from the logging categories specified in the Logging tab of the Grid DNS Properties or Member DNS Properties editor. The external server preserves the contents of the selected categories even when the selection is changed from Send all to Send selected categories and vice versa.

...

You can configure the syslog external backup servers to send (archive) syslog files to different destinations by their logging categories. This allows you to split syslog files by service and troubleshoot more efficiently. For example, you can archive all DNS related logs on Server 1 and all DHCP related logs on Server 2. For information about how to configure an external syslog backup server, see Configuring Syslog Backup Server.
When you select the Send selected categories option, the syslog messages are prefixed with the name of the category to which they belong.

For syslog message prefixes to be enabled, you must select the Log to External Syslog Servers check box in Grid Properties > Monitoring. Also, the external syslog server (which can be a virtual or a physical server) must have at least one syslog category selected in the Logging Category field, rather than the Send all option.

...

Note: When you set Send all in the Logging Category, the appliance logs syslog messages for all the events and they are not prefixed. The syslog messages are prefixed even if one external syslog server is set with the Send selected categories option.

...

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> member check box, and then click the Edit icon.
  2. In the Grid Member Properties editor, select the Monitoring tab -> Basic tab, click Override in the Syslog section, and then complete the fields as described in Configuring Syslog Servers.
    In addition to storing the system log on a Grid member, you can configure a member to send the log to a syslog server.
  3. Select the Advanced tab and complete the following:
    • Enable syslog proxy: Select this to enable the appliance to receive syslog messages from other devices, such as syslog servers and routers, and then forward these messages to an external syslog server.
      • Enable listening on TCP: Select this if the appliance uses TCP to receive messages from other devices. Enter the number of the port through which the appliance receives syslog messages from other devices.
      • Enable listening on UDP: Select this if the appliance uses UDP to receive messages from other devices. Enter the number of the port through which the appliance receives syslog messages from other devices.

...

You can specify the logging categories you want the syslog to capture. Furthermore, you can filter these messages by severity at the Grid and member levels. For information about severity types, see Configuring Syslog Servers.
To specify logging categories:

...

    • Action icon: This column is displayed only when you have installed the RPZ license. Click the icon to view threat details in the RPZ Threat Details dialog box. For information, see Viewing the RPZ Threat Details.
    • Timestamp: The date, time, and time zone of the log message. The time zone is the time zone configured on the member.
    • Facility: The location on the syslog server that determines the processes and daemons from which the log messages are generated.
    • Level: The severity of the message. This can be ALERT, CRITICAL, DEBUG, EMERGENCY, ERROR, INFO, NOTICE, or WARNING.
    • Server: The name of the server that logs this message, plus the process ID.
    • Message: Detailed information about the task performed. For Cloud Network Automation, this contains comma separated values of the admin, source, action, object, object type and message values. Note that source is defined only if the cloud API request was proxied by the Cloud Platform Appliance. The format for this field is proxied from:host,IP where host and IP are the host name and IP address of the proxy.

...