Overview
Use the Event Log object to create, configure, disable and enable system and subsystem level log files to capture system, security, debug, packet, trace and accounting events.

Table: Event Types

| Event | Facility code | Facility name |
|---|---|---|
| System | 16 | local0 |
| Debug | 17 | local1 |
| Trace | 18 | local2 |
| Security | 19 | local3 |
| Audit | 20 | local4 |
| Accounting | 22 | local6 |

Note: Facility 21 and local5 are used by /var/log/fips.log.

| Event | Facility code | Facility name |
|---|---|---|
| Platform Audit Logs | 23 | local7 |
| Console log | | lpr |
| SFTP log | | ftp |
| Kern Log | | kern |
| User Log | | user |
| Daemon Log | | daemon |
| Auth Log | | auth, authpriv |
| Syslog Log | | news |
| NTP Log | | uucp |
| Cron Log | | cron |
| FIPS Log | | local5 |

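A receiver-side check built on the facility mapping above, as an added example (not Ribbon's code): it decodes the syslog `<PRI>` header (facility * 8 + severity), names the SBC log for each message using this table, and reports expected logs that never arrived. It assumes the collector keeps the raw `<PRI>` header; the sample lines, the `sbc01` host name and the expected-log set are constructed.

```python
"""Map received syslog messages to SBC logs by facility and report gaps."""
import re
from collections import Counter

# Facility code -> SBC log, taken from the Event Types table on this page.
SBC_LOG_BY_FACILITY = {
    16: "System", 17: "Debug", 18: "Trace", 19: "Security", 20: "Audit",
    21: "FIPS Log", 22: "Accounting", 23: "Platform Audit Logs",
    # Platform logs: the table gives facility names only; the codes below are
    # the standard syslog numbers for lpr, ftp, kern, user, daemon, auth,
    # authpriv, news, uucp and cron.
    6: "Console log", 11: "SFTP log", 0: "Kern Log", 1: "User Log",
    3: "Daemon Log", 4: "Auth Log", 10: "Auth Log", 7: "Syslog Log",
    8: "NTP Log", 9: "Cron Log",
}
SEVERITY = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample input (not captured from an SBC).
SAMPLE = [
    "<155>Jan 10 09:15:02 sbc01 constructed security event",   # 19*8 + 3
    "<166>Jan 10 09:15:03 sbc01 constructed audit event",      # 20*8 + 6
    "<190>Jan 10 09:15:04 sbc01 constructed platform audit",   # 23*8 + 6
    "<86>Jan 10 09:15:05 sbc01 constructed authpriv message",  # 10*8 + 6
    "<22>Jan 10 09:15:06 sbc01 constructed mail message",      # 2*8 + 6, not in the table
    "line without a PRI header",
]


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return pri >> 3, pri & 7


def classify(line):
    """Return (sbc_log, severity_name); sbc_log is None for unmapped facilities."""
    decoded = decode_pri(line)
    if decoded is None:
        return None
    facility, severity = decoded
    return SBC_LOG_BY_FACILITY.get(facility), SEVERITY[severity]


def coverage(lines, expected):
    """Count messages per SBC log and list expected logs that never arrived."""
    seen, unmapped = Counter(), []
    for line in lines:
        result = classify(line)
        if result is None or result[0] is None:
            unmapped.append(line)  # malformed, or a facility the table does not list
        else:
            seen[result[0]] += 1
    return {
        "seen": dict(seen),
        "missing": sorted(set(expected) - set(seen)),
        "unmapped": unmapped,
    }


if __name__ == "__main__":
    report = coverage(SAMPLE, {"System", "Security", "Audit", "Platform Audit Logs"})
    print("seen:    ", report["seen"])
    print("missing: ", report["missing"])
    print("unmapped:", len(report["unmapped"]), "line(s)")
```

An expected log that stays in `missing` over a full collection window is worth checking against the syslogState and filter settings described below.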
For each event type, an event class (subsystem) and severity threshold can be configured. Event classes include:
- Audit
- Call processing
- Directory services
- Network management
- Policy
- Resource management
- Network routing
- Platform Rsyslog
- Security
- Signaling
- System management
- Call trace
The ROLLFILE facility provides a means of closing the active log file and opening a new one with an incremented (name) suffix. This facilitates real-time analysis of system events by performing the analysis on closed, rather than opened and growing, files.
For more information on SBC's support for remote syslog servers and the supported log types, refer to Supported Log Types.
The Event Log object allows you to create event log filters to capture debug, security, system, trace, and accounting events using the following parameters:
- Filter Admin – Filter configuration for each event log type and event class
- Filter Status – View filter status per each event log type and event class (using the request command)
- INFO Level Logging Enable – Re-enable INFO level logging if it becomes disabled due to system congestion
- Memory Usage – Measure memory usage of each process
- Platform Audit Logs – View platform audit logs of administrative, privileged, and security actions
- Platform Rsyslog – Method of sending event messages to a syslog server.
- Subsystem Admin – Filter configuration for each subsystem
- Type Admin – Event log for configuration items related to each event log type
Filter Admin
Command Syntax
% set oam eventLog filterAdmin <node name>
    <event_type: audit | debug | memusage | security | system | trace>
    <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace>
    level <info | major | minor | noevents>
    state <off | on>
Command Parameters
Table: Filter Admin Event Log Parameters

| Parameter | Description |
|---|---|
| filterAdmin | Event Log Class Filter configuration table. |
| <node name> | SBC node name. |
| <event type> | The type of event log to configure:<br>audit – System audit data. These files contain a record of all management interactions that modify the state of the system, and include all the changes made via the CLI and the Netconf interface. These files use .AUD extensions.<br>debug – System debugging data. These files have .DBG extensions.<br>memusage – Process heap memory usage data. These files have .MEM extensions.<br>security – Security level events. These files have .SEC extensions.<br>system – System level events. These files have .SYS extensions.<br>trace – System trace data. These files have .TRC extensions. |
| <event class> | For each event type, configure one of the following event classes:<br>audit – Audit subsystem.<br>callproc – Call Processing subsystem.<br>directory – Directory Services subsystem.<br>netmgmt – Network Management subsystem.<br>policy – Policy subsystem.<br>resmgmt – Resource Management subsystem.<br>routing – Network Routing subsystem.<br>security – Security subsystem.<br>signaling – Signaling subsystem.<br>sysmgmt – System Management subsystem.<br>trace – Call Trace subsystem. |
| level | Minimum severity level threshold for event logging:<br>critical – log only critical events.<br>info – log all events.<br>major – log major and critical events.<br>minor – log all events other than info.<br>noevents – do not log any events.<br>Note: Info level logs which are traps or faults are always reported in the system logs. |
| state | Administrative state of event logging for this event type. Set to “on” if filter entry should take precedence over per-node settings.<br>off (default) – Logging is not activated.<br>on – Logging is activated. |

Filter Status
Command Syntax
% request oam eventLog filterStatus <node name>
    <event_type: audit | debug | memusage | security | system | trace>
    <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace>
    resetStats
Command Parameters
Table: Filter Status Event Log Parameters

| Parameter | Description |
|---|---|
| filterStatus | Event log class filter status table. |
| <system name> | SBC system name. |
| <event type> | The type of event log:<br>audit – System audit data. These files contain a record of all management interactions that modify the state of the system, and include all the changes made via the CLI and the Netconf interface. These files use .AUD extensions.<br>debug – System debugging data. These files have .DBG extensions.<br>memusage – Process heap memory usage data. These files have .MEM extensions.<br>security – Security level events. These files have .SEC extensions.<br>system – System level events. These files have .SYS extensions.<br>trace – System trace data. These files have .TRC extensions. |
| <event class> | Event class for each event type:<br>audit – Audit subsystem.<br>callproc – Call Processing subsystem.<br>directory – Directory Services subsystem.<br>netmgmt – Network Management subsystem.<br>policy – Policy subsystem.<br>resmgmt – Resource Management subsystem.<br>routing – Network Routing subsystem.<br>security – Security subsystem.<br>signaling – Signaling subsystem.<br>sysmgmt – System Management subsystem.<br>trace – Call Trace subsystem. |
| resetStats | Use this control to reset the value of the Events Filtered column of the filterStatus display. |

INFO Level Logging Enable
The active and standby SBC are designed to turn off INFO level logging if the system becomes congested. The "request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled" command is used to re-enable INFO level logging once it is disabled. See sonusCpEventLogInfoLevelLoggingDisabledNotfication - MAJOR for associated trap details.
To view the INFO LEVEL LOGGING DISABLED state, run the following command.
'show table oam eventLog typeStatus' Example
> show table oam eventLog typeStatus
Filter Admin
Command Syntax
Mandatory parameters required to configure an administrative Event log filter:
% set oam eventLog filterAdmin <node name>
    <event_type: audit | debug | security | system | trace>
    <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace>
Non-mandatory parameters for Event log filter:
% set oam eventLog filterAdmin <node name> <event_type> <event_class>
    level <critical | info | major | minor | noevents>
    state <off | on>
Command Parameters
Table: Filter Admin Event Log Parameters

| Parameter | Description |
|---|---|
| Mandatory parameters: | |
| filterAdmin | Event Log Class Filter configuration table. |
| <node name> | SBC node name. |
| <event type> | The type of event log to configure:<br>audit – System audit data. These files contain a record of all management interactions that modify the state of the system, and include all the changes made via the CLI and the Netconf interface. These files use .AUD extensions.<br>debug – System debugging data. These files have .DBG extensions.<br>security – Security level events. These files have .SEC extensions.<br>system – System level events. These files have .SYS extensions.<br>trace – System trace data. These files have .TRC extensions. |
| <event class> | For each event type, configure one of the following event classes:<br>audit – Audit subsystem.<br>callproc – Call Processing subsystem.<br>directory – Directory Services subsystem.<br>netmgmt – Network Management subsystem.<br>policy – Policy subsystem.<br>resmgmt – Resource Management subsystem.<br>routing – Network Routing subsystem.<br>security – Security subsystem.<br>signaling – Signaling subsystem.<br>sysmgmt – System Management subsystem.<br>trace – Call Trace subsystem. |
| level | Minimum severity level threshold for event logging:<br>critical – log only critical events.<br>info – log all events.<br>major – log major and critical events.<br>minor – log all events other than info.<br>noevents – do not log any events.<br>Note: Info level logs which are traps or faults are always reported in the system logs. |
| state | Administrative state of event logging for this event type. Set to “on” if filter entry should take precedence over per-node settings.<br>off (default) – Logging is not activated.<br>on – Logging is activated. |

Filter Status
Command Syntax
% request oam eventLog filterStatus <node name>
    <event_type: audit | debug | security | system | trace>
    <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace>
    resetStats
Command Parameters
Table: Filter Status Event Log Parameters

| Parameter | Description |
|---|---|
| filterStatus | Event log class filter status table. |
| <system name> | SBC system name. |
| <event type> | The type of event log:<br>audit – System audit data. These files contain a record of all management interactions that modify the state of the system, and include all the changes made via the CLI and the Netconf interface. These files use .AUD extensions.<br>debug – System debugging data. These files have .DBG extensions.<br>security – Security level events. These files have .SEC extensions.<br>system – System level events. These files have .SYS extensions.<br>trace – System trace data. These files have .TRC extensions. |
| <event class> | Event class for each event type:<br>audit – Audit subsystem.<br>callproc – Call Processing subsystem.<br>directory – Directory Services subsystem.<br>netmgmt – Network Management subsystem.<br>policy – Policy subsystem.<br>resmgmt – Resource Management subsystem.<br>routing – Network Routing subsystem.<br>security – Security subsystem.<br>signaling – Signaling subsystem.<br>sysmgmt – System Management subsystem.<br>trace – Call Trace subsystem. |
| resetStats | Use this control to reset the value of the Events Filtered column of the filterStatus display. |

INFO Level Logging Enable
The active and standby SBC are designed to turn off INFO level logging if the system becomes congested. The "request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled" command is used to re-enable INFO level logging once it is disabled. See sonusCpEventLogInfoLevelLoggingDisabledNotfication - MAJOR for associated trap details.
To view the INFO LEVEL LOGGING DISABLED state, run the following command.
'show table oam eventLog typeStatus' Example
> show table oam eventLog typeStatus
                                                                                                                    INFO
                                               TOTAL                                                                LEVEL
          CURRENT      FILE     FILE    TOTAL  FILE      FILES    NEXT      LOG                                     LOGGING
TYPE      FILE         RECORDS  BYTES   FILES  BYTES     DROPPED  ROLLOVER  DESTINATION  LAST FILE DROP             DISABLED
----------------------------------------------------------------------------------------------------------------------------
system    1000005.SYS  216      31756   32     1032744   0        0         localDisk    0000-00-00T00:00:00+00:00  false
debug     1000014.DBG  1601     188964  32     27489838  0        0         localDisk    0000-00-00T00:00:00+00:00  false
trace     1000005.TRC  0        128     32     5224      0        0         localDisk    0000-00-00T00:00:00+00:00  false
acct      1000085.ACT  1        202     32     7592      0        0         localDisk    0000-00-00T00:00:00+00:00  false
security  1000005.SEC  7        1047    32     23610     0        0         localDisk    0000-00-00T00:00:00+00:00  false
audit     1000005.AUD  1002     186238  32     4267027   0        0         localDisk    0000-00-00T00:00:00+00:00  false
packet    1000005.PKT  0        128     32     872       0        0         localDisk    0000-00-00T00:00:00+00:00  false
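A monitoring check over this output, as an added example (not part of the SBC software): it parses the typeStatus rows and flags any log type whose INFO LEVEL LOGGING DISABLED column is true or whose FILES DROPPED count is non-zero, ranking the security and audit logs first. The column order is taken from the header shown above; the sample rows are constructed from that output with two values altered.

```python
"""Flag lost log data in 'show table oam eventLog typeStatus' output."""
from dataclasses import dataclass

# Ranked first: the logs needed to triage security issues.
PRIORITY_TYPES = {"security", "audit"}

# Constructed sample: rows copied from the page's output, with the debug
# row's last column set to true and the audit row given three dropped files.
SAMPLE = """\
> show table oam eventLog typeStatus
TYPE FILE RECORDS BYTES FILES BYTES DROPPED ROLLOVER DESTINATION LAST FILE DROP DISABLED
------------------------------------------------------------
system 1000005.SYS 216 31756 32 1032744 0 0 localDisk 0000-00-00T00:00:00+00:00 false
debug 1000014.DBG 1601 188964 32 27489838 0 0 localDisk 0000-00-00T00:00:00+00:00 true
security 1000005.SEC 7 1047 32 23610 0 0 localDisk 0000-00-00T00:00:00+00:00 false
audit 1000005.AUD 1002 186238 32 4267027 3 0 localDisk 2024-01-10T09:15:00+00:00 false
"""


@dataclass
class TypeStatus:
    log_type: str
    current_file: str
    file_records: int
    file_bytes: int
    total_files: int
    total_file_bytes: int
    files_dropped: int
    next_rollover: int
    log_destination: str
    last_file_drop: str
    info_logging_disabled: bool


def parse_type_status(text):
    """Return one TypeStatus per data row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # A data row has exactly 11 fields, six numeric counters and a boolean.
        if len(tok) != 11 or tok[10] not in ("true", "false"):
            continue
        if not all(t.isdigit() for t in tok[2:8]):
            continue
        counters = [int(t) for t in tok[2:8]]
        rows.append(TypeStatus(tok[0], tok[1], *counters, tok[8], tok[9], tok[10] == "true"))
    return rows


def findings(rows):
    """Return (priority, log_type, issue) tuples, high priority first."""
    out = []
    for row in rows:
        priority = "high" if row.log_type in PRIORITY_TYPES else "medium"
        if row.info_logging_disabled:
            out.append((priority, row.log_type, "INFO level logging disabled"))
        if row.files_dropped > 0:
            out.append((priority, row.log_type,
                        f"{row.files_dropped} files dropped, last {row.last_file_drop}"))
    return sorted(out, key=lambda f: f[0] != "high")  # stable: keeps row order


if __name__ == "__main__":
    for priority, log_type, issue in findings(parse_type_status(SAMPLE)):
        print(f"[{priority}] {log_type}: {issue}")
```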
Command Syntax
% request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled
Command Parameter
Table: Info Level Logging Enable Event Log Parameter

| Parameter | Description |
|---|---|
| clearInfoLevelLoggingDisabled | Use this command to re-enable info level logging after it becomes disabled due to system congestion. If this command is executed while the system is still congested, this may cause the system to become further congested. |

Note: Only issue this command once system congestion dissipates. The system may become further congested if this command is executed while the system is still congested.
Memory Usage
Command Syntax
% set oam eventLog platformAuditLogs state <disabled | enabled> process memusage
    state <enable | disable>
    level <summary | detailed>
    interval <0...140>
Command Parameters
Table: Memory Usage Parameters

| Parameter | Length/Range | Description |
|---|---|---|
| memusage | N/A | The peer process memory usage configuration details. |
| state | N/A | Enable this flag to measure the memory usage of each active process. |
| level | N/A | Specifies the level of details to be displayed.<br>summary (default)<br>detailed |
| Interval | 0-1440 minutes | The time interval, in minutes, to elapse between the recording of each memory usage file to the hard drive. (Default = 5)<br>Note: An interval of 1440 minutes (24 hours) equates to one log entry per day for a process. |

Platform Audit Logs
Command Syntax
% set oam eventLog platformAuditLogs
    state <disabled | enabled>
Command Parameters
Table: Platform Audit Logs Parameters

| Parameter | Length/Range | Description |
|---|---|---|
| platformAuditLogs | | Use this command to enable/disable platform audit logging of administrative, privileged, and security actions.<br>state:<br>disabled (default)<br>enabled |
| platformAuditLogs | N/A | Use this object to configure a remote server IP address, port, and protocol type to push the platform audit logs to a remote server. |
| state | N/A | Enable this flag to allow platform audit logging of administrative, privileged, and security actions.<br>disabled (default)<br>enabled |

Subsystem Admin
Command Syntax
Mandatory parameters required to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID>
Non-mandatory parameters to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID>
    infoLogState <disabled | enabled>
    maxEventID <0-4.294967295E9>
    minEventID <0-4.294967295E9>
Command Parameters
Table: Subsystem Admin Event Log Parameters

| Parameter | Description |
|---|---|
| subsystemAdmin | Subsystem event logging configuration. |
| Mandatory parameters: | |
| <system_name> | Name of system. |
| <subsys_ID> | The subsystem/task ID. See table below for a list of subsystem IDs. |
| Non-mandatory parameters: | |
| infoLogState | Use this flag to enable/disable event logging of INFO level messages to DBG and SYS logs for the specified subsystem. By default, infoLogState is enabled for all subsystems.<br>disabled<br>enabled (default)<br>Note:<br>- If infoLogState is disabled for CHM, nothing is written to AUD logs.<br>- If infoLogState is disabled for CPX, request commands are not recorded to AUD logs. |

acm | arma | asg | atmrm | brm | cam | cassg | cc | chm | cli | cmtsg | cnh | cpx | dbug | diamc | dnsc | drm | ds | ema | enm | fm | frm | grm | gwfe | gwsg | h323sg | icmsvc | ike | im | ipacl | ipm | lvm | mgsg | mtp2 | mtrm | ncm | ncomm | nim | nrm | nrma | nrs | ntp | pathchk | pes | pfa | pipe | pipehook | prm | reserved | rtcp | rtm | scpa | sec | sfm | sg | sgisdn | sgisup | sipfe | sipsg | sm | sma | ssa | trm | xrm

Type Admin
Platform Rsyslog
Use Rsyslog to configure a remote server IP address, port, and protocol type to push platform logs of administrative, privileged, and security actions to a remote server.
When platformRsyslog is enabled, the /etc/rsyslog.conf file is configured to send the configured platform logs to the remote syslog server. The remote server's /etc/rsyslog.conf file must match the configuration of the SBC to receive platform logs. The SBC automatically adds an Access Control List (ACL) rule to send the audit logs through the application layer to the remote server.
Info: The following logs will not be supported: Monit, Mail, Printer, dpkg and the /var/log/messages file.
Info: The ACL rule is removed automatically from the default ACL rules when platformRsyslog is disabled.
Info: For a High Availability (HA) pair, the /etc/rsyslog.conf file is updated both on the Active and the Standby SBCs to push the audit logs to the remote server.
Command Syntax
To create a new Server configuration table:
set oam eventLog platformRsyslog servers server<no> remoteHost <host_ip> protocolType <protocol> port <port>
Command Parameters
Info: Ensure the Platform Rsyslog state is set to "disabled" before configuring/re-configuring the IP address, port, and/or protocol type of the remote server.

Table: Parameters for Configuring New Remote Syslog Servers

| Parameter | Length/Range | Default | Description | M/O |
|---|---|---|---|---|
| no | 1-3 | 1 | Number of server. | M |
| host_ip | N/A | N/A | Host IP of server. | M |
| protocol | N/A | TCP | The protocol used to send messages to the Remote Server. | M |
| port | N/A | 514 | Specifies the port used to send messages to the remote Server. | M |

Command Syntax
To enable/disable the Rsyslog service for all the Linux Logs:
set oam eventLog platformRsyslog syslogState <disabled | enabled>
Command Parameters
Table: Parameters for Configuring New Remote Syslog Servers

| Parameter | Description |
|---|---|
| syslogState | Use this flag to enable/disable the Rsyslog service:<br>disabled (default)<br>enabled |

Command Syntax
The following syntax applies to the "set oam eventLog typeAdmin" command:
% set oam eventLog typeAdmin <acct | audit | debug | packet | security | system | trace>
    fileCount <1-1024>
    fileSize <256-65535>
    fileWriteMode <default | optimize>
    filterLevel <critical | info | major | minor | noevents>
    messageQueueSize <2-32>
    renameOpenFiles <disabled | enabled>
    rolloverAction <start | stop>
    rolloverInterval <0-31536000>
    rolloverStartTime <time>
    rolloverType <repetitive | nonrepetitive>
    saveTo <none | disk>
    state <disabled | enabled | rollfile>
    syslogRemoteHost <up to 255 characters>
    syslogRemotePort <1-65535>
    syslogRemoteProtocol <relp | tcp | udp>
    syslogState <disabled | enabled>
Note: Only the Administrator can execute the above command using the "audit" and "security" attributes:
% set oam eventLog typeAdmin audit...
% set oam eventLog typeAdmin security...
The following syntax applies to the "request oam eventLog typeAdmin" command:
% request oam eventLog typeAdmin <acct | audit | debug | packet | security | system | trace> rolloverLogNow
% request oam eventLog filterStatus <card name> <audit | debug | security | system | trace>
    <audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace>
Note: Only the Administrator can execute the following commands using the "audit" and "security" attributes:
% request oam eventLog typeAdmin audit rolloverLogNow
% request oam eventLog typeAdmin security rolloverLogNow
% request oam eventLog filterStatus <card name> security security resetStats
Subsystem Admin
Command Syntax
Mandatory parameters required to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID>
Non-mandatory parameters to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID>
    infoLogState <disabled | enabled>
    maxEventID <0-4.294967295E9>
    minEventID <0-4.294967295E9>
Command Parameters
Table: Subsystem Admin Event Log Parameters

| Parameter | Description |
|---|---|
| subsystemAdmin | Subsystem event logging configuration. |
| <system_name> | Name of system. |
| <subsys_ID> | The subsystem/task ID. See Subsystem IDs table below for a list of subsystem IDs. |
| infoLogState | Use this flag to enable/disable event logging of INFO level messages to DBG and SYS logs for the specified subsystem. By default, infoLogState is enabled for all subsystems.<br>disabled<br>enabled (default)<br>Note:<br>- If infoLogState is disabled for CHM, nothing is written to AUD logs.<br>- If infoLogState is disabled for CPX, request commands are not recorded to AUD logs. |

Table: Subsystem IDs

aka | arm | asg | brm | cam | cc | chm | cpx | dbl | dcm | debug | dfe | dht | diamc | dnsc | drm | ds | dsa | dtls/srtp | ema | enm | enm_am | enm_test | fm | gcl mbs | gclcomm | gwcm | gwfe | gwsg | h248fe | h323fe | h323sg | ice | iceapp1 | iceapp2 | iceapp3 | iceapp4 | iceapp5 | iceapp6 | iceapp7 | iceapp8 | icms_test1 | icms_test2 | ike | im | ipacl | ipm | kfqdn | les | license_sm | lvm | lwresd | mgsg | mim | mrm | mtrm | nim | nrm | nrma | nrs | pathchk | perfs | perfs | pes | pipe | prsnp | rgm | rtm | rtma | sbcintf | scpa | sec | sg | sipcm | sipfe | sipsg | sm | sma | ssa | ssreq | surrreg | trcrt | trm | xrm

Type Admin
Info: The syslog ACL rules are added and removed by enabling/disabling syslogState and configuring the syslog log fields.
Info: To guard against overlogging, the SBC logs up to 4,294,976,295 messages per second in the event logs (configurable with set oam eventLog typeAdmin system diskThrottleLimit), but additional event messages above that threshold are discarded. If log events must be discarded, the SBC writes an error message about the skipped messages in the system (.SYS) log.
Command Syntax
The following syntax applies to the set oam eventLog typeAdmin command:
% set oam eventLog typeAdmin <acct | audit | debug | memusage | packet | security | system | trace>
    diskThrottleLimit <0-4294976295>
    eventLogValidation
    fileCount <1-2048>
    fileSize <256-65535>
    fileWriteMode <default | optimize>
    filterLevel <info>
    messageQueueSize <2-100>
    renameOpenFiles <disabled | enabled>
    rolloverAction <start | stop>
    rolloverInterval <0-31536000>
    rolloverStartTime <time>
    rolloverType <repetitive | nonrepetitive>
    saveTo <none | disk>
    servers <syslogRemoteHost | syslogRemotePort | syslogRemoteProtocol>
    syslogState <disabled | enabled>
Note: Only the Administrator can execute the above command using the "audit" and "security" attributes:
% set oam eventLog typeAdmin audit...
% set oam eventLog typeAdmin security...
The following syntax applies to the "request oam eventLog typeAdmin" command:
% request oam eventLog typeAdmin <acct | audit | debug | memusage | packet | security | system | trace> rolloverLogNow
% request oam eventLog filterStatus <card name> <audit | debug | memusage | security | system | trace>
    <audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace>
Note: Only the Administrator can execute the following commands using the "audit" and "security" attributes:
% request oam eventLog typeAdmin audit rolloverLogNow
% request oam eventLog typeAdmin security rolloverLogNow
% request oam eventLog filterStatus <card name> security security resetStats
Command Parameters
Table: Type Admin Event Log Parameters (set command)

| Parameter | Length/Range | Description |
|---|---|---|
| typeAdmin | N/A | Event Log configuration table for configuration items related to each Event Log type. |
| <event_type> | N/A | Specifies the type of event log being configured:<br>acct – System account data. These files have .ACT extensions.<br>audit – System audit data. These files contain a record of all management interactions that modify the state of the system. These files have .AUD extensions. It includes all the changes made via the CLI and the Netconf interface. (This attribute is only available to an Administrator)<br>debug – System debugging data. These files have .DBG extensions.<br>packet – Packet information details. These files have .PKT extensions. If enabled, stores the packet details to .PKT files.<br>security – Security level events. These files have .SEC extensions. (This attribute is only available to an Administrator)<br>system – System level events. These files have .SYS extensions.<br>trace – System trace data. These files have .TRC extensions.<br>Note: Syslog is not supported for acct and packet event types. |
| fileCount | 1-1024 | Specifies the number of event log files that will be maintained for this event type. (default = 32). |
| fileSize | 256-65535 | Maximum size (in KB) that a single event log file will ever grow to. (default = 2048). |
| fileWriteMode | N/A | Event log NFS write mode. Options are:<br>default – Log data is written as a 1344-byte packet.<br>optimize – Log data is written as an 8000-byte packet. Optimize write mode results in IP fragmentation but yields better throughput. |
| filterLevel | N/A | Events that are at least as severe as the designated level will be logged. Options are:<br>critical – log only events of this threshold.<br>info – log every possible event.<br>major – log major and critical events only.<br>minor – log all events other than information.<br>noevents – do not log any events.<br>Note: The command to set the filterLevel for the acct event type is no longer applicable. |
| messageQueueSize | 2-32 | The number of event log message entries to buffer before writing to disk. (default = 10). |
| renameOpenFiles | N/A | Enable this flag to append an ".OPEN" extension to accounting and files which are open for writing.<br>disabled (default)<br>enabled<br>Note: You must enable the global callTrace signalingPacketCapture parameter (set state to "enable") to capture SIP and H.323 packets (see Call Trace - CLI for configuration details). Once signalingPacketCapture is enabled, any subsequent changes to SBC device configurations or filter information will not be available to signaling packet captures until signalingPacketCapture is reset (state is disabled, and then re-enabled). |
| rolloverAction | N/A | Event log rollover actions. Options are:<br>start – Start rollover action<br>stop – Stop rollover action |
| rolloverInterval | 0-31536000 | Event log rollover interval, in seconds. |
| rolloverStartTime | N/A | Specifies the start time for event log rollover. The format is CCYY-MM-DDTHH:MM:SS. For example: 2010-01-01T01:01:01 |
| rolloverType | N/A | Event log rollover type. Options are:<br>nonrepetitive (default) – The rollover will occur once at the specified single instance.<br>repetitive – The rollover will occur repeatedly at the specified intervals. |
| saveTo | N/A | Use flag to specify that the events are saved to disk or not saved. |
| state | N/A | Specifies the requested state of the given Event Log type.<br>disabled – Logging is not activated.<br>enabled – (default) Logging is activated.<br>rollfile<br>Accounting logs cannot be disabled. |
| syslogRemoteHost | 0-255 | The remote host where the messages are written to the syslog. |
| syslogRemotePort | 1-65535 | Specifies the port to use to send messages to the remote syslog. Default value is 514. |
| syslogRemoteProtocol | N/A | The protocol to use to send messages to the remote syslog. Options are: |
| syslogState | N/A | Enable flag to log events of specified type to syslog.<br>disabled (default)<br>enabled |

Table: Type Admin Event Log Parameters (request command)

| Parameter | Length/Range | Description |
|---|---|---|
| typeAdmin | N/A | Event Log configuration table for configuration items related to each Event Log type. |
| <event_type> | N/A | Specifies the type of event log to roll over:<br>acct – System account data. These files have .ACT extensions.<br>audit – System audit data. These files contain a record of all management interactions that modify the state of the system. These files have .AUD extensions. It includes all the changes made via the CLI and the Netconf interface. (This attribute is only available to an Administrator)<br>debug – System debugging data. These files have .DBG extensions.<br>memusage – Process heap memory usage data. These files have .MEM extensions.<br>packet – Packet information details. These files have .PKT extensions. If enabled, stores the packet details to .PKT files.<br>security – Security level events. These files have .SEC extensions. (This attribute is only available to an Administrator)<br>system – System level events. These files have .SYS extensions.<br>trace – System trace data. These files have .TRC extensions. |
| rolloverLogNow | | This control is used with request command to perform a roll-over of the specified log immediately. |

Command Examples
To view typeAdmin status from the system-level prompt:
Code Block |
> show table oam eventLog typeAdmin
MAX
MESSAGE EVENT ROLLOVER FILE SYSLOG SYSLOG SYSLOG RENAME DISK
FILE FILE QUEUE SAVE MEMORY FILTER START ROLLOVER ROLLOVER WRITE SYSLOG REMOTE REMOTE REMOTE OPEN THROTTLE
TYPE STATE COUNT SIZE SIZE TO SIZE LEVEL TIME INTERVAL ROLLOVER TYPE ACTION MODE STATE HOST PROTOCOL PORT FILES LIMIT
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Syslog is not supported for acct and packet event types.
| diskThrottleLimit | 0-4294976295 | Specifies the limit on INFO level messages logged to the disk in one second. A value of 0 disables the limit. The default value is 5000. Note: For the trace log, if tracing is being performed to capture all of the SIP PDUs for all of the calls on the system for use in conjunction with Protect, then this value needs to be tuned to accommodate the maximum call load anticipated for the SBC instance. For example, for a call rate of 1350 cps and assuming 14 messages in a basic SIP call (ingress and egress legs), it would require a total of 18,900 messages. Adding this to the default 5000, the recommendation in this case would be to set the limit at 25,000. |
| eventLogValidation | N/A | Specifies whether the logs at rest for this log type should be cryptographically hashed. Hashing is only recommended for the security and audit logs. These are the main logs required to triage security issues and do not roll very frequently. Hashing must be disabled for logs that are rolling over frequently, as would occur for the trace log if the call rate is 1350 cps and it is being used to capture all SIP PDUs for use with Protect. If logs are being exported using Rsyslog then there is no need to enable Event Log Validation, as the logs are copied off the SBC before they could be modified. Refer to OAM - Event Log - Platform Rsyslog. Options: disabled (default), enabled. IMPORTANT: You must disable this control for any logs which are rolling at a very high rate (e.g. capturing trace logs of all SIP PDUs for use with Protect). Hash Notes: Hashes are stored in /.../evlog/eventLogValidation/. The hash file name format is <evLogfilename>.hash.<keyName>. Hashes must be retrieved using SFTP. |
| fileCount | 1-2048 | Specifies the number of event log files that will be maintained for this event type. (default = 32). |
| fileSize | 256-65535 | Maximum size (in KB) that a single event log file will ever grow to. (default = 2048). Note: Set the file size to 65535 for trace and account logs when attempting to trace all calls on the system for use with Protect. |
| fileWriteMode | N/A | Event log NFS write mode. default – Log data is written as a 1344-byte packet. optimize – Log data is written as an 8000-byte packet. Optimize write mode results in IP fragmentation but yields better throughput. |
| filterLevel | N/A | Logs every possible event. |
| messageQueueSize | 2-100 | The number of event log message entries to buffer before writing to disk. (default = 10). If capturing all of the SIP PDU messages in the trace log for use with Protect, set this value to 100 for the trace log. |
| renameOpenFiles | N/A | Enable this flag to append an ".OPEN" extension to accounting and files which are open for writing. disabled (default), enabled. Note: You must enable the global callTrace signalingPacketCapture parameter (set state to "enable") to capture SIP and H.323 packets (Refer to Call Trace - CLI for configuration details). Once signalingPacketCapture is enabled, any subsequent changes to SBC device configurations or filter information will not be available to signaling packet captures until signalingPacketCapture is reset (state is disabled, and then re-enabled). |
| rolloverAction | N/A | Event log rollover actions. start – Start rollover action. stop – Stop rollover action. |
| rolloverInterval | 0-31536000 | Event log rollover interval, in seconds. |
| rolloverStartTime | N/A | Specifies the start time for event log rollover. The format is CCYY-MM-DDTHH:MM:SS. For example: 2010-01-01T01:01:01 |
| rolloverType | N/A | Event log rollover type. nonrepetitive (default) – The rollover will occur once at the specified single instance. repetitive – The rollover will occur repeatedly at the specified intervals. |
| saveTo | N/A | Use flag to specify that the events are saved to disk or not saved. |
| state | N/A | Specifies the requested state of the given Event Log type. disabled – Logging is not activated. enabled – (default) Logging is activated. rollfile. Accounting logs cannot be disabled. |
| servers | N/A | Configure a remote Rsyslog Server for a single log type: syslogRemoteHost – (0-255) The remote host where the messages are written to the syslog. syslogRemotePort – (1-65,535) Specifies the port to use to send messages to the remote syslog. Default value is 514. syslogRemoteProtocol – The protocol to use to send messages to the remote syslog. |
| syslogState | N/A | Enable flag to log events of specified type to syslog. disabled (default), enabled. |
Table: Type Admin Event Log Parameters (request command)
| Parameter | Description |
---|
| typeAdmin | Event Log configuration table for configuration items related to each Event Log type. |
| <event_type> | Specifies the type of event log to roll over: acct – System account data. These files have .ACT extensions. audit – System audit data. These files contain a record of all management interactions that modify the state of the system. These files have .AUD extensions. It includes all the changes made via the CLI and the Netconf interface. (This attribute is only available to an Administrator.) debug – System debugging data. These files have .DBG extensions. memusage – Process heap memory usage data. These files have .MEM extensions. packet – Packet information details. These files have .PKT extensions. If enabled, stores the packet details to .PKT files. security – Security level events. These files have .SEC extensions. (This attribute is only available to an Administrator.) system – System level events. These files have .SYS extensions. trace – System trace data. These files have .TRC extensions. |
| rolloverLogNow | This control is used with request command to perform a roll-over of the specified log immediately. |
Command Examples
To view typeAdmin status from the system-level prompt:
Code Block |
---|
> show table oam eventLog typeAdmin
MAX
MESSAGE EVENT ROLLOVER FILE SYSLOG SYSLOG SYSLOG RENAME DISK
FILE FILE QUEUE SAVE MEMORY FILTER START ROLLOVER ROLLOVER WRITE SYSLOG REMOTE REMOTE REMOTE OPEN THROTTLE
TYPE STATE COUNT SIZE SIZE TO SIZE LEVEL TIME INTERVAL ROLLOVER TYPE ACTION MODE STATE HOST PROTOCOL PORT FILES LIMIT
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
system enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled 5000
debug enabled 32 10240 10 disk 16 info - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled -
trace enabled 32 2048 10 disk 16 info - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled -
acct enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled -
security enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled -
audit enabled 32 2048 10 disk 16 minor - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled -
packet enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled -
To configure event log type “packet” by setting file count to “1”, maximum file size to 256 KB, roll-over interval to 2 seconds, and then enabling the event log but disabling the logging of events to syslog:
Code Block |
---|
% set oam eventLog typeAdmin system fileCount 1 fileSize 256 rolloverInterval 2 state enabled syslogState disabled
% show oam eventLog typeAdmin system
state enabled;
fileCount 1;
fileSize 256;
rolloverInterval 2;
syslogState disabled;
To send the command to request an immediate roll-over:
Code Block |
---|
% request oam eventLog typeAdmin system rolloverLogNow
To display typeAdmin event log details (the output has been shortened for brevity):
Code Block |
---|
% show details oam eventLog typeAdmin
typeAdmin system {
    state enabled;
    fileCount 32;
    fileSize 2048;
    messageQueueSize 10;
    saveTo disk;
    filterLevel major;
    rolloverInterval 0;
    rolloverType nonrepetitive;
    rolloverAction stop;
    fileWriteMode default;
    syslogState disabled;
    syslogRemoteHost 0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort 514;
    renameOpenFiles disabled;
}
debug {
    state enabled;
    fileCount 32;
    fileSize 2048;
    messageQueueSize 10;
    saveTo disk;
    filterLevel info;
    rolloverInterval 0;
    rolloverType nonrepetitive;
    rolloverAction stop;
    fileWriteMode default;
    syslogState disabled;
    syslogRemoteHost 0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort 514;
    renameOpenFiles disabled;
}
trace {
    state enabled;
    fileCount 32;
    fileSize 2048;
    messageQueueSize 10;
    saveTo disk;
    filterLevel info;
    rolloverInterval 0;
    rolloverType nonrepetitive;
    rolloverAction stop;
    fileWriteMode default;
    syslogState disabled;
    syslogRemoteHost 0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort 514;
    renameOpenFiles disabled;
}
memusage {
    state enabled;
    fileCount 32;
    fileSize 2048;
    messageQueueSize 10;
    saveTo disk;
    filterLevel info;
    rolloverInterval 0;
    rolloverType nonrepetitive;
    rolloverAction stop;
    fileWriteMode default;
    syslogState disabled;
    syslogRemoteHost 0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort 514;
    renameOpenFiles disabled;
}
...
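The eventLogValidation guidance (hash the security and audit logs at rest unless they are exported with Rsyslog, and keep hashing off fast-rolling logs such as trace) can be checked against captured `show details` output. The following is an added example, not part of the product documentation; the sample text is constructed, and it assumes that eventLogValidation is printed under its parameter name and that a syslogRemoteHost of 0.0.0.0 means no remote host is set.

```python
import re

# Constructed sample in the brace format of the "show details" output.
# Assumption: eventLogValidation appears under its parameter name.
SAMPLE = """\
typeAdmin security {
    state enabled;
    syslogState disabled;
    syslogRemoteHost 0.0.0.0;
    eventLogValidation disabled;
}
audit {
    state enabled;
    syslogState enabled;
    syslogRemoteHost 0.0.0.0;
}
trace {
    state enabled;
    eventLogValidation enabled;
}
"""

BLOCK = re.compile(r"^(?:typeAdmin\s+)?(\w+)\s*\{(.*?)^\}", re.M | re.S)
FIELD = re.compile(r"^\s*(\w+)\s+(\S+);\s*$", re.M)

def parse_type_admin(text):
    """Return {log_type: {parameter: value}} from brace-delimited output."""
    return {name: dict(FIELD.findall(body)) for name, body in BLOCK.findall(text)}

def audit_log_protection(cfg):
    """Return (log_type, finding) pairs for settings the page warns about."""
    findings = []
    for name, p in cfg.items():
        remote = p.get("syslogState") == "enabled"
        hashed = p.get("eventLogValidation") == "enabled"
        if remote and p.get("syslogRemoteHost", "0.0.0.0") == "0.0.0.0":
            findings.append((name, "syslog enabled but no remote host set"))
            remote = False  # assumption: 0.0.0.0 exports nothing
        if name in ("security", "audit"):
            if not (remote or hashed):
                findings.append((name, "neither exported nor hashed at rest"))
        elif hashed and name == "trace":
            findings.append((name, "hashing enabled; disable if this log rolls at a high rate"))
    return findings

if __name__ == "__main__":
    for log_type, finding in audit_log_protection(parse_type_admin(SAMPLE)):
        print(f"{log_type}: {finding}")
```
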
Table: Parameters for Configuring New Remote Rsyslog Servers
| Parameter | Length/Range | Default | Description | M/O |
---|
| no | 1-3 | 1 | Number of server. | |
| host_ip | N/A | N/A | Host IP of server. | |
| protocol | N/A | tcp | The protocol used to send messages to the Remote Server. | |
| port | N/A | 514 | Specifies the port used to send messages to the remote Server. | |