Syslog is a widely used mechanism for logging system events. NIOS appliances generate syslog messages that you can view through the Syslog viewer and download to a directory on your management station. In addition, you can configure a NIOS appliance to send the messages to one or more external syslog servers for later analysis. Syslog messages provide information about appliance operations and processes. NIOS appliances include syslog messages generated by the BloxTools service. You can choose logging categories to send specific syslog messages. The prefixes in the syslog messages are based on the logging categories you configure in the syslog. Note that syslog messages are prefixed only when you select logging categories. For information about how to configure logging categories, see Specifying Syslog Servers. You can also include audit log messages and specific BIND messages among the messages the appliance sends to the syslog server.

In addition to saving system messages to a remote syslog server, a NIOS appliance also stores the system messages locally. When the syslog file reaches its maximum size, which is 300 MB for Infoblox appliances and VMware virtual appliances, and 20 MB for Riverbed virtual appliances, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1.

Files are compressed during the rotation process, adding a .gz extension after the numerical increment (file.#.gz). The sequential numbering runs from zero through nine. When the eleventh file is started, the tenth log file (file.9.gz) is deleted, and the remaining files are renumbered accordingly. For example, the current log file moves to file.0.gz, the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of 10 log files (0-9) is kept.
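A small model of the rotation scheme just described, added here as an illustration and not NIOS code: it compresses the live file to file.0.gz, shifts the older archives up by one, and deletes the archive numbered 9 so that at most ten are kept. The log name, the size limit and the sample log lines are constructed values.

```python
import gzip
import shutil
import tempfile
from pathlib import Path

MAX_ARCHIVES = 10  # archives are numbered 0 through 9, as on the appliance


def rotate(log_path: Path, size_limit: int) -> bool:
    """Rotate log_path once it has reached size_limit bytes; return True if rotated."""
    if not log_path.exists() or log_path.stat().st_size < size_limit:
        return False
    name = log_path.name
    # The tenth archive (file.9.gz) is deleted before the others shift up.
    oldest = log_path.with_name(f"{name}.{MAX_ARCHIVES - 1}.gz")
    if oldest.exists():
        oldest.unlink()
    # Shift highest first so file.8.gz -> file.9.gz, ..., file.0.gz -> file.1.gz.
    for i in range(MAX_ARCHIVES - 2, -1, -1):
        src = log_path.with_name(f"{name}.{i}.gz")
        if src.exists():
            src.rename(log_path.with_name(f"{name}.{i + 1}.gz"))
    # The live file becomes file.0.gz and a fresh, empty live file is started.
    with open(log_path, "rb") as fin, gzip.open(log_path.with_name(f"{name}.0.gz"), "wb") as fout:
        shutil.copyfileobj(fin, fout)
    log_path.write_bytes(b"")
    return True


def archive_numbers(log_path: Path) -> list[int]:
    """Sorted indexes of the file.N.gz archives that exist beside log_path."""
    prefix = log_path.name + "."
    nums = []
    for p in log_path.parent.glob(prefix + "*.gz"):
        middle = p.name[len(prefix):-len(".gz")]
        if middle.isdigit():
            nums.append(int(middle))
    return sorted(nums)


def demo(rounds: int = 12, size_limit: int = 64) -> list[int]:
    """Fill a constructed log past size_limit `rounds` times, rotating each time."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "syslog"
        for n in range(rounds):
            log.write_bytes(f"constructed log line {n}\n".encode() * 8)  # ~190 bytes
            rotate(log, size_limit)
        return archive_numbers(log)
```

After twelve fills only archives 0 through 9 remain, so the two oldest have been dropped.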

You can set syslog parameters for RPZ at the Grid, member, and zone levels. At the member level, you can override Grid-level syslog settings and enable syslog proxy; at the zone level, you can override the Grid-level settings as well. For more information, see Modifying RPZs.

You can configure the appliance to back up rotated syslog files to external servers through FTP or SCP. When you do so, the appliance forwards the rotated syslog files to the external servers that you configure. You can configure up to 10 external syslog backup servers each at the Grid, member, and zone levels. You can also override the Grid-level server configuration at the member level. For information about configuring syslog backup servers, see Configuring Syslog Backup Servers.

This section includes the following topics:

...

  1. From the Grid tab, select the Grid Manager tab -> Members tab, and then click Grid Properties -> Edit from the Toolbar.
  2. In the Grid Properties editor, select the Monitoring tab, and then complete the following: 
    • Syslog: In addition to storing the syslog on a Grid member, you can configure the Grid to send the log to an external syslog server.
    • Syslog size (MB): Specify the maximum size for a syslog file. Enter a value between 10 and 300. The default is 300.
      When the syslog file reaches the size you enter here, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1.
    • Log to External Syslog Servers: Select this to enable the appliance to send messages to a specified syslog server. Grid Manager displays the current syslog servers in the table. To define a new syslog server, click the Add icon and complete the following:
      • Address: Enter the IP address of the syslog server. Entries may be an IPv4 or IPv6 address.
      • Transport: From the drop-down list, select whether the appliance uses Secure TCP, TCP, or UDP to connect to the external syslog server.
      • Server Certificate: Click Select to upload a self-signed or a CA-signed server certificate. In the Upload dialog, click Select and navigate to the certificate file, and then click Upload. Note that this is valid only for Secure TCP transport.
      • Interface: From the drop-down list, select the interface through which the appliance sends syslog messages to the syslog server.
        • Any: The appliance chooses any port that is available for sending syslog messages.
        • LAN: The appliance uses the LAN1 port to send syslog messages.
        • MGMT: The appliance uses the MGMT port if it has been configured. Otherwise, it uses the LAN1 port.
      • Source: From the drop-down list, select which syslog messages the appliance sends to the external syslog server:
        • Any: The appliance sends both internal and external syslog messages.
        • Internal: The appliance sends syslog messages that it generates.
        • External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers.
      • Node ID: Specify the host or node identification string that identifies the appliance from which syslog messages are originated. This string appears in the header message of the syslog packet. Select one of the following:
        • LAN: Use the LAN1 IP address of the appliance. For an HA pair, this is the LAN1 address of the active or passive node. This is the default.
        • Host Name: Use the host name of the appliance in FQDN format.
        • IP and Host Name: Use both the FQDN and the IP address of the appliance. The IP address can be the LAN1 or MGMT IP address depending on whether the MGMT port has been configured. Note that if the MGMT port is not configured, the LAN1 IP address is used. 
        • MGMT: Use the MGMT IP address, if the port has been configured. If the MGMT port is not configured, the LAN1 IP address is used. This can be an IPv4 or IPv6 address.
      • Port: Enter the destination port number. The default is 514 for TCP and UDP. For Secure TCP, the default port is 6514.
      • Severity: Choose a severity filter from the drop-down list. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. The severity levels range from the lowest, debug, to the highest, emerg. For example, if you choose debug, the appliance sends all syslog messages to the server. If you choose err, the appliance sends messages with severity levels err, crit, alert, and emerg.
        • emerg: Panic or emergency conditions. The system may be unusable.
        • alert: Alerts, such as NTP service failures, that require immediate actions.
        • crit: Critical conditions, such as hardware failures.
        • err: Error messages, such as client update failures and duplicate leases.
        • warning: Warning messages, such as missing keepalive options in a server configuration.
        • notice: Informational messages regarding routine system events, such as "starting BIND".
        • info: Informational messages, such as DHCPACK messages and discovery status.
        • debug: Messages that contain information for debugging purposes, such as changes in the latency timer settings and AD authentication failures for specific users.
      • Logging Category: Select one of the following logging categories:
        • Send all: Select this to log all syslog messages, irrespective of the category to which they belong. When you select this option, the appliance logs syslog messages for all events, including all DNS and Infoblox related events. However, the syslog messages are not prefixed when you select this option.
        • Send selected categories: Select this to configure logging categories from the list of available logging categories. Use the arrows to move logging categories from the Available table to the Selected table and vice versa. The appliance sends syslog messages for the categories that are in the Selected table. When you select this option, you must add at least one logging category. The syslog messages are prefixed with the name of the category to which they belong. Also, RPZ events logged in the syslog messages use specific prefixes for the selected categories. Note that the syslog messages are prefixed when you set logging categories for at least one external syslog server, even if you set other external syslog servers to Send all. For more information about syslog prefixes, see Syslog Message Prefixes.
Note

The syslog categories you specify here are different from the logging categories specified in the Logging tab in the Grid DNS Properties or Member DNS Properties editor. The external server preserves contents of the selected categories even when selection is changed from Send all to Send selected categories and vice versa.
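The severity filter described in the Severity field above, as an added example that is not NIOS code: it parses the <PRI> header of syslog lines into facility and severity (PRI = facility * 8 + severity, emerg being 0 and debug 7) and keeps only the messages at the chosen level or more severe. The sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Syslog severity keywords in code order: 0 (emerg) is most severe, 7 (debug) least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int   # 0-23, encoded as PRI // 8
    severity: str   # keyword from SEVERITIES, encoded as PRI % 8
    body: str


def parse(line: str) -> SyslogMessage:
    """Split the <PRI> header off a syslog line; PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"missing <PRI> header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return SyslogMessage(facility, SEVERITIES[severity], m.group(2))

def levels_sent(threshold: str) -> list[str]:
    """Severity keywords forwarded when `threshold` is chosen in the Severity list."""
    return SEVERITIES[: SEVERITIES.index(threshold) + 1]

def passes(msg: SyslogMessage, threshold: str) -> bool:
    """True when msg is at the threshold level or more severe (lower code)."""
    return SEVERITIES.index(msg.severity) <= SEVERITIES.index(threshold)

# Constructed sample lines; the facility.severity pair is spelled out in each body.
SAMPLE_LINES = [
    "<0>Jan  1 00:00:01 nios1 kernel: kern.emerg sample",
    "<9>Jan  1 00:00:02 nios1 ntpd[201]: user.alert NTP service failure sample",
    "<26>Jan  1 00:00:03 nios1 infoblox: daemon.crit hardware failure sample",
    "<27>Jan  1 00:00:04 nios1 dhcpd[300]: daemon.err duplicate lease sample",
    "<28>Jan  1 00:00:05 nios1 dhcpd[300]: daemon.warning missing keepalive sample",
    "<29>Jan  1 00:00:06 nios1 named[400]: daemon.notice starting BIND sample",
    "<30>Jan  1 00:00:07 nios1 dhcpd[300]: daemon.info DHCPACK sample",
    "<31>Jan  1 00:00:08 nios1 infoblox: daemon.debug latency timer sample",
]

def forwarded(lines: list[str], threshold: str) -> list[str]:
    """Severity keywords of the lines the appliance would forward at `threshold`."""
    return [m.severity for m in map(parse, lines) if passes(m, threshold)]
```

Choosing err forwards the err, crit, alert and emerg lines; choosing debug forwards all eight.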

...

You can configure the syslog external backup servers to send (archive) syslog files to different destinations by their logging categories. This allows you to split syslog files based on the service and efficiently perform troubleshooting. For example, you can archive all DNS related logs on Server 1, and all DHCP related logs on Server 2. For information about how to configure an external syslog backup server, see Specifying Syslog Servers.

When you select the Send selected categories option, the syslog messages are prefixed with the name of the category to which they belong.

...

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> member check box, and then click the Edit icon.
  2. In the Grid Member Properties editor, select the Monitoring tab -> Basic tab, click Override in the Syslog section, and then complete the fields as described in Specifying Syslog Servers.
    In addition to storing the system log on a Grid member, you can configure a member to send the log to a syslog server.
  3. Select the Advanced tab and complete the following:
    • Enable syslog proxy: Select this to enable the appliance to receive syslog messages from other devices, such as syslog servers and routers, and then forward these messages to an external syslog server.
      • Enable listening on TCP: Select this if the appliance uses TCP to receive messages from other devices. Enter the number of the port through which the appliance receives syslog messages from other devices. 
      • Enable listening on UDP: Select this if the appliance uses UDP to receive messages from other devices. Enter the number of the port through which the appliance receives syslog messages from other devices.

...

You can specify logging categories you want the syslog to capture. Furthermore, you can filter these messages by severity at the Grid and member levels. For information about severity types, see Specifying Syslog Servers.

To specify logging categories, complete the following:

...

    • Action: The Action icon column is displayed only when you have installed the RPZ license. Click the icon to view threat details in the RPZ Threat Details dialog box. For more information, see Viewing the RPZ Threat Details.
    • Timestamp: The date, time, and time zone of the log message. The time zone is the time zone configured on the member.
    • Facility: The location on the syslog server that determines the processes and daemons from which the log messages are generated.
    • Level: The severity of the message. This can be ALERT, CRITICAL, DEBUG, EMERGENCY, ERROR, INFO, NOTICE, or WARNING.
    • Server: The name of the server that logs this message, plus the process ID.
    • Message: Detailed information about the task performed. For Cloud Network Automation, this contains comma-separated values of the admin, source, action, object, object type, and message values. Note that source is defined only if the cloud API request was proxied by the Cloud Platform Appliance. The format for this field is proxied from:host,IP, where host and IP are the host name and IP address of the proxy.

...