- Syslog size (MB): Specify the maximum size for a syslog file. Enter a value between 10 and 300. The default is 300.
When the syslog file reaches the size you enter here, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1.
- Log to External Syslog Servers: Select this to enable the appliance to send messages to a specified syslog server. Grid Manager displays the current syslog servers in the table. To define a new syslog server, click the Add icon and complete the following:
- Address: Enter the IP address of the syslog server. Entries may be an IPv4 or IPv6 address.
- Transport: From the drop-down list, select whether the appliance uses Secure TCP, TCP or UDP to connect to the external syslog server.
- Server Certificate: Click Select to upload a self-signed or a CA-signed server certificate. In the Upload dialog, click Select and navigate to the certificate file, and then click Upload. Note that this is valid only for Secure TCP transport.
- Interface: From the drop-down list, select the interface through which the appliance sends syslog messages to the syslog server.
- Any: The appliance chooses any port that is available for sending syslog messages.
- LAN: The appliance uses the LAN1 port to send syslog messages.
- MGMT: The appliance uses the MGMT port if it has been configured. Otherwise, it uses the LAN1 port.
- Source: From the drop-down list, select which syslog messages the appliance sends to the external syslog server:
- Any: The appliance sends both internal and external syslog messages.
- Internal: The appliance sends syslog messages that it generates.
- External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers.
- Node ID: Specify the host or node identification string that identifies the appliance from which the syslog messages originate. This string appears in the header of the syslog packet. Select one of the following:
- LAN: Use the LAN1 IP address of the appliance. For an HA pair, this is the LAN1 address of the active or passive node. This is the default.
- Host Name: Use the host name of the appliance in FQDN format.
- IP and Host Name: Use both the FQDN and the IP address of the appliance. The IP address can be the LAN1 or MGMT IP address depending on whether the MGMT port has been configured. Note that if the MGMT port is not configured, the LAN1 IP address is used.
- MGMT: Use the MGMT IP address, if the port has been configured. If the MGMT port is not configured, the LAN1 IP address is used. This can be an IPv4 or IPv6 address.
- Port: Enter the destination port number. The default is 514 for TCP and UDP. For Secure TCP, the default port is 6514.
- Severity: Choose a severity filter from the drop-down list. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. The severity levels range from the lowest, debug, to the highest, emerg. For example, if you choose debug, the appliance sends all syslog messages to the server. If you choose err, the appliance sends messages with severity levels err, crit, alert, and emerg.
- emerg: Panic or emergency conditions. The system may be unusable.
- alert: Alerts, such as NTP service failures, that require immediate actions.
- crit: Critical conditions, such as hardware failures.
- err: Error messages, such as client update failures and duplicate leases.
- warning: Warning messages, such as missing keepalive options in a server configuration.
- notice: Informational messages regarding routine system events, such as "starting BIND".
- info: Informational messages, such as DHCPACK messages and discovery status.
- debug: Messages that contain information for debugging purposes, such as changes in the latency timer settings and AD authentication failures for specific users.
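The severity filter described above forwards the selected level and every level above it. The following is an added example (not Infoblox code) that models that rule with the standard syslog numeric severities (emerg=0 through debug=7, per RFC 5424), decodes the `<PRI>` header of a received line into facility and severity, and flags lines a collector should never have received for a given filter setting, which is a quick way to confirm the appliance-side filter matches what is documented. The sample lines are constructed; facility 3 (daemon) and the host name are assumed.

```python
"""Severity-filter semantics of the external syslog server setting (added example)."""
from __future__ import annotations
import re

# Severity names in the order the page lists them, highest first; the index is
# the standard syslog numeric code (emerg=0 ... debug=7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITIES)}

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def forwarded_levels(selected: str) -> list[str]:
    """Severity names the appliance forwards when `selected` is the chosen filter.

    Choosing a level forwards that level and every more severe one, i.e. every
    severity whose numeric code is less than or equal to the selected code.
    """
    threshold = SEVERITY_CODE[selected]
    return [name for name, code in SEVERITY_CODE.items() if code <= threshold]


def decode_pri(line: str) -> tuple[int, str]:
    """Decode the leading <PRI> of a syslog line into (facility, severity name)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return facility, SEVERITIES[severity]


def unexpected_lines(lines: list[str], selected: str) -> list[str]:
    """Collector-side check: return lines whose severity should not have passed
    the filter `selected`. A non-empty result means the appliance is sending
    more than its documented filter setting allows."""
    allowed = set(forwarded_levels(selected))
    return [line for line in lines if decode_pri(line)[1] not in allowed]


# Constructed sample lines; PRI = facility * 8 + severity, facility 3 = daemon.
SAMPLE = [
    "<27>Jan  1 12:00:00 ib-member dhcpd: DHCPACK on 10.0.0.5",        # 27 -> err
    "<30>Jan  1 12:00:01 ib-member named: zone example.com loaded",    # 30 -> info
    "<25>Jan  1 12:00:02 ib-member ntpd: time server unreachable",     # 25 -> alert
]

if __name__ == "__main__":
    print("err forwards:", forwarded_levels("err"))
    print("unexpected under 'err':", unexpected_lines(SAMPLE, "err"))
```

Run it against a capture from the collector with the `selected` value you configured; any line it returns was sent despite the filter and is worth investigating before trusting the setting.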
- Logging Category: Select one of the following logging categories:
- Send all: Select this to log all syslog messages, irrespective of the category to which they belong. When you select this option, the appliance logs syslog messages for all events, including all DNS and Infoblox related events. However, the syslog messages are not prefixed when you select this option.
- Send selected categories: Select this to configure logging categories from the list of available logging categories. Use the arrows to move logging categories from the Available table to the Selected table and vice versa. The appliance sends syslog messages for the categories that are in the Selected table. When you select this option, you must add at least one logging category. The syslog messages are prefixed with the name of the category to which they belong. Also, the RPZ events logged in the syslog messages use specific prefixes for the selected categories. Note that the syslog messages are prefixed when you set logging categories for at least one external syslog server, even if you set other external syslog servers to Send all. For information about syslog prefixes, see Syslog Message Prefixes.
The syslog categories you specify here are different from the logging categories specified in editor. The external server preserves the contents of the selected categories even when the selection is changed to Send selected categories.
- Click Add to add the external syslog server information.
- Copy Audit Log Messages to Syslog: Select this to have the appliance include audit log messages in the messages it sends to the syslog server. This function can be helpful for monitoring administrative activities on multiple appliances from a central location.
- Syslog Facility: This is enabled when you select Copy audit log messages to syslog. Select the facility that determines the processes and daemons from which the log messages are generated.
For syslog message prefixes to be enabled, you must select the Log to External Syslog Servers check box in Grid Properties > Monitoring. Also, the external syslog server (which can be a virtual or a physical server) must have at least one of the syslog categories selected instead of the Send all option in the Logging Category field. If Send all is selected in the Logging Category field, the appliance logs syslog messages for all events and they are not prefixed. The syslog messages are prefixed even if only one external syslog server is set to Send selected categories.
Following are the prefixes used for different logging categories:
- ADP: All Infoblox related messages use prefix
There is no prefix for RPZ syslog messages that do not belong to the DNS or ADP category.
- DHCP: All DHCP related messages use the following prefixes: dhcpd, omshell, dhcrelay, and
- Action icon: The Action icon column is displayed only when you have installed the RPZ license. Click this to view threat details in the RPZ Threat Details dialog box. For information, see Viewing the RPZ Threat Details.
- Timestamp: The date, time, and time zone of the log message. The time zone is the time zone configured on the member.
- Facility: The location on the syslog server that determines the processes and daemons from which the log messages are generated.
- Level: The severity of the message. This can be ALERT, CRITICAL, DEBUG, EMERGENCY, ERROR, INFO, NOTICE, or WARNING.
- Server: The name of the server that logs this message, plus the process ID.
- Message: Detailed information about the task performed. For Cloud Network Automation, this contains comma separated values of the admin, source, action, object, object type and message values. Note that source is defined only if the cloud API request was proxied by the Cloud Platform Appliance. The format for this field is proxied from:host,IP where host and IP are the host name and IP address of the proxy.
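The Cloud Network Automation message field above is comma separated, yet its source value `proxied from:host,IP` itself contains a comma, so a naive split miscounts the fields. The following is an added example (not Infoblox code) of a collector-side parser that handles that edge case, validates the proxy address as IPv4 or IPv6, and tolerates commas in the trailing free-text message. It assumes the six values appear in the order the page lists them with no quoting, and that an unproxied request leaves the source value empty; the sample messages are constructed.

```python
"""Parse the Cloud Network Automation message field of an appliance syslog line (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROXIED_PREFIX = "proxied from:"
# Field order as listed on the page: admin, source, action, object, object type, message.
FIELD_COUNT = 6


@dataclass
class CnaMessage:
    admin: str
    source: str            # "" when the request was not proxied (assumed)
    action: str
    obj: str
    obj_type: str
    message: str
    proxy_host: Optional[str] = None
    proxy_ip: Optional[str] = None


def parse_cna_message(field: str) -> CnaMessage:
    """Split the message field into its six values.

    Edge case handled: the source value "proxied from:host,IP" carries a comma,
    so after splitting it spans two tokens; they are glued back together before
    the field count is checked. Anything after the fifth value is treated as the
    free-text message, so commas inside it are preserved.
    """
    parts = field.split(",")
    if len(parts) >= 3 and parts[1].startswith(PROXIED_PREFIX):
        parts[1:3] = [parts[1] + "," + parts[2]]
    if len(parts) < FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}: {field!r}")

    admin, source, action, obj, obj_type = parts[:5]
    message = ",".join(parts[5:])
    rec = CnaMessage(admin, source, action, obj, obj_type, message)

    if source.startswith(PROXIED_PREFIX):
        host, _, ip_text = source[len(PROXIED_PREFIX):].partition(",")
        if not host:
            raise ValueError(f"proxied source without host: {source!r}")
        # ip_address() accepts IPv4 or IPv6 and raises ValueError on anything else,
        # which rejects a malformed or truncated proxy field instead of storing it.
        rec.proxy_host = host
        rec.proxy_ip = str(ipaddress.ip_address(ip_text))
    return rec


# Constructed samples: one proxied IPv4 request, one proxied IPv6 request,
# and one direct request whose free-text message contains a comma.
SAMPLES = [
    "admin,proxied from:cp1.example.com,10.1.2.3,Create,net1,Network,Network 10.1.0.0/16 created",
    "admin,proxied from:cp2.example.com,2001:db8::1,Update,host1,Host,Host record updated",
    "admin,,Delete,net1,Network,Network deleted, cleanup done",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_cna_message(s))
```

Because the parser raises on a malformed proxy address rather than storing it, feed it the raw field and let the exception route the line to a quarantine or error count; silently accepting a bad proxy value would hide exactly the records that matter when reviewing who submitted a cloud API request.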
If the selected member is an HA pair, Grid Manager displays the syslog in two tabs: Active and Passive. Click the corresponding tab to view the syslog for each node.
Viewing the RPZ Threat Details
1. From the Administration tab, select the Logs tab -> Syslog tab.
2. Click the Action icon and select View Threat Context to open the RPZ Threat Details dialog. The View Threat Context option is disabled if there is no RPZ rule.
- RPZ Rule: Displays the name of the RPZ rule.
- First Identified: The date and time at which the threat was first detected.
- Short Description: The brief description of the threat.
- Description: The description of the RPZ rule.
The RPZ Threat Details dialog box may display Unknown if threat is unknown
if threat is known and threat details are not available.
3. Click the Close icon to close the RPZ Threat Details dialog.
- From the Administration tab, select the Logs tab -> Syslog tab, and then click the Download icon.
- Navigate to a directory where you want to save the file, optionally change the file name (the default names are node_1_sysLog.tar.gz and node_2_sysLog.tar.gz), and then click OK. If you want to download multiple syslog files to the same location, rename each downloaded file before downloading the next.
If your browser has a pop-up blocker enabled, you must turn off the pop-up blocker or configure your browser to allow pop-ups for downloading files.