Using a Syslog Server
Syslog is a widely used mechanism for logging system events. The appliances generate syslog messages that you can view through the Syslog viewer and download to a directory on your management station. In addition, you can configure an appliance to send the messages to one or more external syslog servers for later analysis. Syslog messages provide information about appliance operations and processes. The appliances include syslog messages generated by the bloxTools service. You can also include audit log messages and specific BIND messages among the messages the appliance sends to the syslog server.
In addition to saving system messages to a remote syslog server, the appliance also stores the system messages locally. When the syslog file reaches its maximum size, which is 300 MB for Infoblox appliances and VMware virtual appliances, and 20 MB for Riverbed virtual appliances, the appliance automatically rotates it: it adds a .0 extension to the first file and increments subsequent file extensions by 1.
Files are compressed during the rotation process, adding a .gz extension following the numerical increment (file.#.gz). The sequential incrementation goes from zero through nine. When the eleventh file is started, the tenth log file (file.9.gz) is deleted, and subsequent files are renumbered accordingly. For example, the current log file moves to file.0.gz, the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of 10 log files (0-9) are kept.
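The numbering above means a higher extension is an older file, which matters when rebuilding a timeline from rotated logs. The following is an added example, not Infoblox code: it orders a set of rotated files oldest first and reports missing rotation numbers. The base name "syslog" and the sample contents are assumptions made for illustration.

```python
import gzip
import os
import re

def archives(directory, base):
    """Map rotation number -> path for files named base.N.gz (N is 0 through 9)."""
    pattern = re.compile(r"^%s\.([0-9])\.gz$" % re.escape(base))
    found = {}
    for name in os.listdir(directory):
        m = pattern.match(name)
        if m:
            found[int(m.group(1))] = os.path.join(directory, name)
    return found

def rotation_order(directory, base):
    """Paths oldest first: highest-numbered archive down to .0.gz, then the live file."""
    found = archives(directory, base)
    paths = [found[n] for n in sorted(found, reverse=True)]
    live = os.path.join(directory, base)
    if os.path.exists(live):
        paths.append(live)
    return paths

def missing_archives(directory, base):
    """Rotation numbers absent below the highest one present (a gap in the record)."""
    found = archives(directory, base)
    return [n for n in range(max(found, default=-1)) if n not in found]

def read_chronological(directory, base):
    """All lines from every file, oldest message first."""
    lines = []
    for path in rotation_order(directory, base):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            lines.extend(line.rstrip("\n") for line in fh)
    return lines

def build_sample(directory, base="syslog"):
    """Write constructed files; syslog.1.gz is left out on purpose to show a gap."""
    for n, text in ((2, "oldest event"), (0, "middle event")):
        with gzip.open(os.path.join(directory, "%s.%d.gz" % (base, n)), "wt", encoding="utf-8") as fh:
            fh.write(text + "\n")
    with open(os.path.join(directory, base), "w", encoding="utf-8") as fh:
        fh.write("newest event\n")
```

Because only ten archives are kept locally, anything older than file.9.gz exists only on the external syslog server, if one is configured.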
Specifying Syslog Servers
To configure the appliance to send messages to a syslog server:
From the Master Grid tab, select the Members tab, and then click Master Grid Properties -> Edit from the Toolbar.
In the Master Grid Properties editor, select the Monitoring tab, and then complete the following:
Syslog
In addition to storing the syslog on a Master Grid member, you can configure the Master Grid to send the log to an external syslog server.
Syslog size (MB): Specify the maximum size for a syslog file. Enter a value between 10 and 300. The default is 300.
When the syslog file reaches the size you enter here, the appliance automatically rotates it: it adds a .0 extension to the first file and increments subsequent file extensions by 1.
Log to External Syslog Servers: Select this to enable the appliance to send messages to a specified syslog server.
Multi-Grid Manager displays the current syslog servers in the table. To define a new syslog server, click the Add icon. Multi-Grid Manager adds a row to the table. Enter the following by clicking each field in the row:
Address: Enter the IP address of a syslog server.
Transport: From the drop-down list, select whether the appliance uses TCP or UDP to connect to the external syslog server.
Interface: From the drop-down list, select the interface through which the appliance sends syslog messages to the syslog server.
Source: From the drop-down list, select which syslog messages the appliance sends to the external syslog server:
Internal: The appliance sends syslog messages that it generates.
External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers.
Any: The appliance sends both internal and external syslog messages.
Port: Enter the destination port number. The default is 514.
Severity: Choose a severity filter from the drop-down list. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. The severity levels range from the lowest, debug, to the highest, emerg. For example, if you choose debug, the appliance sends all syslog messages to the server. If you choose err, the appliance sends messages with severity levels err, crit, alert, and emerg.
emerg: Panic or emergency conditions. The system may be unusable.
alert: Alerts, such as NTP service failures, that require immediate actions.
crit: Critical conditions, such as hardware failures.
err: Error messages, such as client update failures and duplicate leases.
warning: Warning messages, such as missing keepalive options in a server configuration.
notice: Informational messages regarding routine system events, such as "starting BIND".
info: Informational messages, such as DHCPACK messages and discovery status.
debug: Messages that contain information for debugging purposes, such as changes in the latency timer settings and AD authentication failures for specific users.
Copy Audit Log Messages to Syslog: Select this for the appliance to include audit log messages among the messages it sends to the syslog server. This function can be helpful for monitoring administrative activities on multiple appliances from a central location.
Syslog Facility: This is enabled when you select Copy Audit Log Messages to Syslog. Select the facility that determines the processes and daemons from which the log messages are generated.
Save the configuration.
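To see what a given Severity setting lets through to the external server, the following added example (not Infoblox code) decodes the PRI header of syslog messages and applies the "selected level and the levels above it" rule. The PRI encoding (facility * 8 + severity) comes from the syslog protocol rather than from this page, and the sample messages, host name and process names are constructed.

```python
import re

# Severity keywords from the list above, highest (emerg) to lowest (debug).
# The list index is the numeric severity carried in the syslog PRI header.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample messages (hostname, PIDs and addresses are made up).
SAMPLE = [
    "<30>Jan 12 10:00:01 member1 dhcpd[2101]: DHCPACK on 10.0.0.15",
    "<27>Jan 12 10:00:02 member1 dhcpd[2101]: duplicate lease for 10.0.0.15",
    "<29>Jan 12 10:00:03 member1 named[1450]: starting BIND",
    "<26>Jan 12 10:00:04 member1 monitor[900]: hardware failure on fan 2",
    "<31>Jan 12 10:00:05 member1 httpd[800]: AD authentication failure for user jdoe",
    "<25>Jan 12 10:00:06 member1 monitor[900]: NTP service failure",
]

def decode_pri(line):
    """Split '<PRI>text' into (facility_number, severity_name, text)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or invalid PRI header: %r" % line[:40])
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    return facility, SEVERITIES[severity], m.group(2)

def forwarded(lines, threshold):
    """Messages the filter passes: the selected level and every level above it."""
    limit = SEVERITIES.index(threshold)
    passed = []
    for line in lines:
        facility, sev, text = decode_pri(line)
        if SEVERITIES.index(sev) <= limit:
            passed.append((facility, sev, text))
    return passed

if __name__ == "__main__":
    for facility, sev, text in forwarded(SAMPLE, "err"):
        print(facility, sev, text)
```

With the filter set to err, the DHCPACK (info), "starting BIND" (notice) and AD authentication failure (debug) messages never reach the external server, so choose the level with the intended monitoring use in mind.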
Configuring Syslog for Master Grid Members
You can override the Master Grid syslog settings and enable syslog proxy for individual members. When you enable syslog proxy, the member receives syslog messages from specified devices, such as syslog servers and routers, and then forwards these messages to an external syslog server. You can also enable appliances to use TCP for sending syslog messages. Using TCP is more reliable than using UDP; this reliability is important for security, accounting, and auditing messages sent through the syslog.
To configure syslog parameters for a Master Grid member:
From the Master Grid tab, select the Members tab -> master_grid_member checkbox, and then click the Edit icon.
In the Master Grid Member Properties editor, select the Monitoring tab -> Basic tab, click Override in the Syslog section, and then complete the fields as described in Specifying Syslog Servers.
In addition to storing the system log on a Master Grid member, you can configure a member to send the log to a syslog server.
Select the Advanced tab and complete the following:
Enable syslog proxy: Select this to enable the appliance to receive syslog messages from other devices, such as syslog servers and routers, and then forward these messages to an external syslog server.
Enable listening on TCP: Select this if the appliance uses TCP to receive messages from other devices.
Enter the number of the port through which the appliance receives syslog messages from other devices.
Enable listening on UDP: Select this if the appliance uses UDP to receive messages from other devices.
Enter the number of the port through which the appliance receives syslog messages from other devices.
Proxy Access Control: Click the Add icon. Multi-Grid Manager adds a row to the table. Complete the following:
Allow Access From: Enter the IP address and subnet mask of the appliance or network.
Save the configuration.
Viewing the Syslog
From the Administration tab, select the Logs tab -> Syslog tab.
From the drop-down list at the upper right corner, select the Master Grid member on which you want to view the syslog.
Optionally, use the filters to narrow down the system messages you want to view. Click Show Filters to enable the filters. Configure the filter criteria, and then click Apply.
Based on your filter criteria (if any), Multi-Grid Manager displays the following in the Syslog viewer:
Timestamp: The date, time, and time zone of the log message. The time zone is the time zone configured on the member.
Facility: The location on the syslog server that determines the processes and daemons from which the log messages are generated.
Level: The severity of the message. This can be ALERT, CRITICAL, DEBUG, EMERGENCY, ERROR, INFO, NOTICE, or WARNING.
Server: The name of the server that logs this message, plus the process ID.
Message: Detailed information about the task performed.
Note: If the selected member is an HA pair, Multi-Grid Manager displays the syslog in two tabs: Active and Passive. Click the corresponding tab to view the syslog for each node.
You can also do the following in the Syslog viewer:
Toggle between the single line view and the multi-line view for display.
Navigate to the next or last page of the file using the paging buttons.
Refresh the syslog output with newly logged messages.
Click the Follow icon to have the appliance automatically refresh the log every five seconds.
Clear the contents of the syslog.
Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
Create a quick filter to save frequently used filter criteria. For information, see Using Quick Filters.
Print the report or export it in CSV format.
Bookmark the syslog page.
Searching in the Syslog
Instead of paging through the syslog to locate messages, you can have the appliance search for syslog messages with certain text strings. To search for specific messages:
Enter a search value in the search field below the filters, and then click the Search icon.
The appliance searches through the syslog and highlights the search value in the viewer. You can use the arrow keys next to the Search icon to locate the previous or next message that contains the search value.
Downloading the Syslog File
You can download the syslog file to a specified directory, if you want to analyze it later.
From the Administration tab, select the Logs tab -> Syslog tab, and then click the Download icon.
Navigate to a directory where you want to save the file, optionally change the file name (the default names are node_1_sysLog.tar.gz and node_2_sysLog.tar.gz), and then click OK. If you want to download multiple syslog files to the same location, rename each downloaded file before downloading the next.
Note: If your browser has a pop-up blocker enabled, you must turn off the pop-up blocker or configure your browser to allow pop-ups for downloading files.