Overview
Use the Event Log object to create, configure, disable and enable system and subsystem level log files to capture system, security, debug, packet, trace and accounting events.
Event Types
Event | Facility | |
---|---|---|
System | 16 | local0 |
Debug | 17 | local1 |
Trace | 18 | local2 |
Security | 19 | local3 |
Audit | 20 | local4 |
Accounting | 22 | local6 |
Platform Audit Logs | 23 | local7 |
Console log | lpr | |
SFTP log | ftp | |
Kern Log | kern | |
User Log | user | |
Daemon Log | daemon | |
Auth Log | auth, authpriv | |
Syslog Log | news | |
NTP Log | uucp | |
Cron Log | cron | |
FIPS Log | local5 | |
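A receiving syslog server sees the facility from the table above only as part of each message's PRI value. The following Python sketch is an added example, not code from the product documentation: it decodes PRI and maps the facility back to the SBC log named in the Event Types table. The numeric codes are the standard syslog facility numbers, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Standard syslog facility keywords for codes 0-11; codes 16-23 are local0-local7.
_KEYWORDS = ("kern", "user", "mail", "daemon", "auth", "syslog",
             "lpr", "news", "uucp", "cron", "authpriv", "ftp")

# Facility keyword -> SBC log name, copied from the Event Types table.
SBC_LOG_BY_FACILITY = {
    "local0": "System", "local1": "Debug", "local2": "Trace",
    "local3": "Security", "local4": "Audit", "local5": "FIPS Log",
    "local6": "Accounting", "local7": "Platform Audit Logs",
    "lpr": "Console log", "ftp": "SFTP log", "kern": "Kern Log",
    "user": "User Log", "daemon": "Daemon Log", "auth": "Auth Log",
    "authpriv": "Auth Log", "news": "Syslog Log", "uucp": "NTP Log",
    "cron": "Cron Log",
}

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
PRI_RE = re.compile(r"^<(\d{1,3})>")


def facility_keyword(code):
    """Translate a numeric facility code into its syslog keyword."""
    if code < len(_KEYWORDS):
        return _KEYWORDS[code]
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return f"facility{code}"  # codes 12-15: keyword varies by implementation


def classify(line):
    """Return (sbc_log, facility, severity), or None when the line has no valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        return None
    pri = int(m.group(1))
    facility = facility_keyword(pri >> 3)  # PRI = facility * 8 + severity
    return SBC_LOG_BY_FACILITY.get(facility), facility, SEVERITIES[pri & 7]


def tally(lines):
    """Count lines per SBC log; unmapped facilities and bad lines get their own buckets."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            counts["<no PRI>"] += 1
        else:
            counts[result[0] or f"<unmapped:{result[1]}>"] += 1
    return counts


# Constructed sample lines (message text is illustrative, not real SBC output).
SAMPLE = [
    "<155>Jan  1 00:00:00 sbc01 constructed security event",  # 19*8+3
    "<70>Jan  1 00:00:01 sbc01 constructed ntp message",       # 8*8+6
    "<174>Jan  1 00:00:02 sbc01 constructed fips message",     # 21*8+6
    "<20>Jan  1 00:00:03 sbc01 constructed mail message",      # 2*8+4
    "line without a PRI header",
]

if __name__ == "__main__":
    for name, n in sorted(tally(SAMPLE).items()):
        print(f"{name}: {n}")
```

Because the table assigns the news facility to the Syslog log and uucp to the NTP log, a collector that labels messages by facility keyword alone will misname them; mapping by the table, as above, avoids that.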
For each event type, an event class (subsystem) and severity threshold can be configured. Event classes include:
- Audit
- Call processing
- Directory services
- Network management
- Policy
- Resource management
- Network routing
- Platform Rsyslog
- Security
- Signaling
- System management
- Call trace
The ROLLFILE facility provides a means of closing the active log file and opening a new one with an incremented (name) suffix. This facilitates real-time analysis of system events by performing the analysis on closed, rather than opened and growing, files.
The Event Log object allows you to create event log filters to capture debug, security, system, trace, and accounting events using the following parameters:
- Filter Admin – Filter configuration for each event log type and event class
- Filter Status – View filter status per each event log type and event class (using the request command)
- INFO Level Logging Enable – Re-enable INFO level logging if it becomes disabled due to system congestion
- Memory Usage – Measure memory usage of each process
- Platform Audit Logs – View platform audit logs of administrative, privileged, and security actions
- Platform Rsyslog – Method of sending event messages to a syslog server.
- Subsystem Admin – Filter configuration for each subsystem
- Type Admin – Event log for configuration items related to each event log type
Command Syntax
% set oam eventLog filterAdmin <node name> <event_type: audit | debug | memusage | security | system | trace> <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace> level <info | major | minor | noevents> state <off | on>
Command Parameters
Filter Admin Event Log Parameters
Parameter | Description |
---|---|
| Event Log Class Filter configuration table. |
| SBC node name. |
| The type of event log to configure:
|
| For each event type, configure one of the following event:
|
| Minimum severity level threshold for event logging:
Note: Info level logs which are traps or faults are always reported in the system logs. |
| Administrative state of event logging for this event type. Set to “on” if filter entry should take precedence over per-node settings.
|
Command Syntax
% request oam eventLog filterStatus <node name> <event_type: audit | debug | memusage | security | system | trace> <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace> resetStats
Command Parameters
Parameter | Description |
---|---|
| Event log class filter status table. |
| SBC system name. |
| The type of event log:
|
| Event class for each event type:
|
| Use this control to reset the value of Events Filtered column of the |
The active and standby SBC are designed to turn off INFO level logging if the system becomes congested. The "request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled" command is used to re-enable INFO level logging once it is disabled. See sonusCpEventLogInfoLevelLoggingDisabledNotfication - MAJOR for associated trap details.
To view INFO LEVEL LOGGING DISABLED state, run the following command.
> show table oam eventLog typeStatus
                                                                                                                    INFO
                                               TOTAL                                                                LEVEL
          CURRENT      FILE     FILE    TOTAL  FILE      FILES    NEXT      LOG                                     LOGGING
TYPE      FILE         RECORDS  BYTES   FILES  BYTES     DROPPED  ROLLOVER  DESTINATION  LAST FILE DROP             DISABLED
----------------------------------------------------------------------------------------------------------------------------
system    1000005.SYS  216      31756   32     1032744   0        0         localDisk    0000-00-00T00:00:00+00:00  false
debug     1000014.DBG  1601     188964  32     27489838  0        0         localDisk    0000-00-00T00:00:00+00:00  false
trace     1000005.TRC  0        128     32     5224      0        0         localDisk    0000-00-00T00:00:00+00:00  false
acct      1000085.ACT  1        202     32     7592      0        0         localDisk    0000-00-00T00:00:00+00:00  false
security  1000005.SEC  7        1047    32     23610     0        0         localDisk    0000-00-00T00:00:00+00:00  false
audit     1000005.AUD  1002     186238  32     4267027   0        0         localDisk    0000-00-00T00:00:00+00:00  false
packet    1000005.PKT  0        128     32     872       0        0         localDisk    0000-00-00T00:00:00+00:00  false
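Since congestion can silently turn off INFO level logging, the typeStatus output is worth checking automatically. The following Python sketch is an added example, not part of the product documentation: it parses captured output of the command above and reports log types with INFO level logging disabled or a non-zero FILES DROPPED count. The function names are hypothetical, the sample is constructed from the output shown above with two rows altered, and reading FILES DROPPED as a count of lost log files is an assumption based on the column name.

```python
COLUMNS = (
    "type", "current_file", "file_records", "file_bytes", "total_files",
    "total_file_bytes", "files_dropped", "next_rollover", "log_destination",
    "last_file_drop", "info_level_logging_disabled",
)
COUNTERS = ("file_records", "file_bytes", "total_files",
            "total_file_bytes", "files_dropped")


def parse_type_status(text):
    """Parse the data rows of 'show table oam eventLog typeStatus' output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly 11 fields and ends in true/false; the prompt,
        # the multi-line header and the dashed separator fail this test.
        if len(fields) != len(COLUMNS) or fields[-1] not in ("true", "false"):
            continue
        row = dict(zip(COLUMNS, fields))
        if not all(row[c].isdigit() for c in COUNTERS):
            continue
        for c in COUNTERS:
            row[c] = int(row[c])
        row["info_level_logging_disabled"] = fields[-1] == "true"
        rows.append(row)
    return rows


def logging_gaps(rows):
    """Return (log type, reason) pairs for rows that indicate lost log data."""
    findings = []
    for row in rows:
        if row["info_level_logging_disabled"]:
            findings.append((row["type"], "INFO level logging disabled"))
        if row["files_dropped"] > 0:
            findings.append(
                (row["type"], f"{row['files_dropped']} log file(s) dropped"))
    return findings


# Constructed sample: rows taken from the output above, with the debug row
# set to "true" and the security row given two dropped files.
SAMPLE = """\
> show table oam eventLog typeStatus
TYPE      FILE         RECORDS  BYTES   FILES  BYTES     DROPPED  ROLLOVER  DESTINATION  LAST FILE DROP             DISABLED
----------------------------------------------------------------------------
system    1000005.SYS  216      31756   32     1032744   0        0         localDisk    0000-00-00T00:00:00+00:00  false
debug     1000014.DBG  1601     188964  32     27489838  0        0         localDisk    0000-00-00T00:00:00+00:00  true
security  1000005.SEC  7        1047    32     23610     2        0         localDisk    2024-01-01T00:00:00+00:00  false
audit     1000005.AUD  1002     186238  32     4267027   0        0         localDisk    0000-00-00T00:00:00+00:00  false
"""

if __name__ == "__main__":
    for log_type, reason in logging_gaps(parse_type_status(SAMPLE)):
        print(f"{log_type}: {reason}")
```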
Command Syntax
% request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled
Command Parameter
Info Level Logging Enable Event Log Parameter
Command Syntax
% set oam eventLog process memusage state <enable | disable> level <summary | detailed> interval <0-1440>
Command Parameters
Memory Usage Parameters
Parameter | Length/Range | Description |
---|---|---|
memusage | N/A | The peer process memory usage configuration details. |
| N/A | Enable this flag to measure the memory usage of each active process.
|
level | N/A | Specifies the level of details to be displayed.
|
Interval | 0-1440 minutes | The time interval, in minutes, to elapse between the recording of each memory usage file to the hard drive. (Default = 5) Note: An interval of 1440 minutes (24 hours) equates to one log entry per day for a process. |
Command Syntax
% set oam eventLog platformAuditLogs state <disabled | enabled>
Command Parameters
Platform Audit Logs Parameters
Use Rsyslog to configure a remote server IP address, port, and protocol type to push platform logs of administrative, privileged, and security actions to a remote server.
When platformRsyslog is enabled, the /etc/rsyslog.conf file is configured to send the configured platform logs to the remote syslog server. The remote server's /etc/rsyslog.conf file must match the configuration of the SBC to receive platform logs. The SBC automatically adds an Access Control List (ACL) rule to send the audit logs through the application layer to the remote server.
Info |
---|
The following logs are not supported: Monit, Mail, Printer, dpkg and the /var/log/messages file. |
Info | ||
---|---|---|
| ||
The ACL rule is removed automatically from the default ACL rules when platformRsyslog is disabled. |
Info | ||
---|---|---|
| ||
For a High Availability (HA) pair, the |
Command Syntax
To create a new Server configuration table:
% set oam eventLog platformRsyslog servers server<no> remoteHost <host_ip> protocolType <protocol> port <port>
Command Parameters
Info | ||
---|---|---|
| ||
Ensure the Platform Rsyslog |
Parameters for Configuring New Remote Syslog Servers
no
The protocol used to send messages to the Remote Server.
- tcp
- relp
- udp
- tls-tcp
Command Syntax
To enable/disable the Rsyslog service for all the Linux Logs:
% set oam eventLog platformRsyslog syslogState <disabled | enabled>
Command Parameters
Parameters for Configuring New Remote Syslog Servers
linuxLogs
    authLog <disabled | enabled>
    consoleLog <disabled | enabled>
    cronLog <disabled | enabled>
    daemonLog <disabled | enabled>
    fipsLog <disabled | enabled>
    kernLog <disabled | enabled>
    ntpLog <disabled | enabled>
    platformAuditLog <disabled | enabled>
    sftpLog <disabled | enabled>
    syslogLog <disabled | enabled>
    userLog <disabled | enabled>
servers server <server1 | server2 | server3>
    port <port #>
    protocolType <relp | tcp | tls-tcp | udp>
    remoteHost <host_ip>
syslogState <disabled | enabled>
New Server Configuration Command Parameters
Info | ||
---|---|---|
| ||
Ensure the Platform Rsyslog |
Parameter | Length/Range | Default | Description | M/O |
---|---|---|---|---|
| 1-3 | 1 | Number of server. | M |
host_ip | N/A | N/A | Host IP of server. | M |
protocolType | N/A | TCP | The protocol used to send messages to the Remote Server. | M |
port | N/A | 514 | Specifies the port used to send messages to the remote Server. | M |
Sys log state Command Parameters
Parameter | Description |
---|---|
| Use this flag to enable/disable the Rsyslog service:
|
Linux logs Command Parameters
To determine which types of logs the Rsyslog service sends to a remote syslog server when the service is enabled, use linuxLogs.
Parameter | Description | ||||||
---|---|---|---|---|---|---|---|
| Platform Linux audit log messages ( | ||||||
| Console activity messages ( | ||||||
| Internal-sftp messages ( | ||||||
| Kernel messages ( | ||||||
| User-level messages ( | ||||||
| System daemon messages ( | ||||||
| Auth and authpriv security/authorization messages ( | ||||||
| Internally generated syslogd messages ( | ||||||
| NTP subsystem messages ( | ||||||
| Clock daemon messages ( | ||||||
| Fips messages (
|
Parameter | Description |
---|---|
syslogState | Use this flag to enable/disable the Rsyslog service:
|
Command Syntax
Mandatory parameters required to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID>
Non-mandatory parameters to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID> infoLogState <disabled | enabled> maxEventID <0-4.294967295E9> minEventID <0-4.294967295E9>
Command Parameters
Parameter | Description |
---|---|
| Subsystem event logging configuration. |
| Name of system. |
| The subsystem/task ID. See Subsystem IDs table below for a list of subsystem IDs. |
| Use this flag to enable/disable event logging of INFO level messages to DBG and SYS logs for the specified subsystem. By default, infoLogState is enabled for all subsystems.
Note:
|
Subsystem IDs
aka | arm | asg | brm | cam | cc |
chm | cpx | dbl | dcm | debug | dfe |
dht | diamc | dnsc | drm | ds | dsa |
dtls/srtp | ema | enm | enm_am | enm_test | fm |
gcl mbs | gclcomm | gwcm | gwfe | gwsg | h248fe |
h323fe | h323sg | ice | iceapp1 | iceapp2 | iceapp3 |
iceapp4 | iceapp5 | iceapp6 | iceapp7 | iceapp8 | icms_test1 |
icms_test2 | ike | im | ipacl | ipm | kfqdn |
les | license_sm | lvm | lwresd | mgsg | mim |
mrm | mtrm | nim | nrm | nrma | nrs |
pathchk | perfs | perfs | pes | pipe | prsnp |
rgm | rtm | rtma | sbcintf | scpa | sec |
sg | sipcm | sipfe | sipsg | sm | sma |
ssa | ssreq | surrreg | trcrt | trm | xrm |
Info | ||
---|---|---|
| ||
The |
Info | ||
---|---|---|
| ||
To guard against overlogging, the SBC logs up to 4,294,976,295 messages per second in the event logs (configurable with |
Command Syntax
The following syntax applies to the set oam eventLog typeAdmin command:
% set oam eventLog typeAdmin <acct | audit | debug | memusage | packet | security | system | trace> cdrFileTransferType <compressed | uncompressed> compressionSupport <both | none | only> compressionDaysToKeep <1-14> compressionCleanupDirectory <alternate directory name> diskThrottleLimit <0-4294976295> encryptFile <disabled | enabled> encryptionPublicKey <encryptionPublicKey_name> eventLogValidation fileCount <1-2048> fileSize <256-65535> fileWriteMode <default | optimize> filterLevel <info> messageQueueSize <2-100> renameOpenFiles <disabled | enabled> rolloverAction <start | stop> rolloverInterval <0-31536000> rolloverStartTime <time> rolloverType <repetitive | nonrepetitive> saveTo <none | disk> servers <syslogRemoteHost | syslogRemotePort | syslogRemoteProtocol> syslogState <disabled | enabled>
Note |
---|
Only the Administrator can execute the above command using the "audit" and "security" attributes: % set oam eventLog typeAdmin audit... % set oam eventLog typeAdmin security... |
Info | ||
---|---|---|
| ||
The SBC logs configuration changes made to the |
The following syntax applies to the request oam eventLog typeAdmin command:
% request oam eventLog typeAdmin <acct | audit | debug | memusage | packet | security | system | trace> rolloverLogNow
% request oam eventLog filterStatus <card name> <audit | debug | memusage | security | system | trace> <audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace> resetStats
Note |
---|
Only the Administrator can execute the following commands using the "audit" and "security" attributes: % request oam eventLog typeAdmin audit rolloverLogNow % request oam eventLog typeAdmin security rolloverLogNow % request oam eventLog filterStatus <card name> security security resetStats |
Command Parameters
Parameter | Length/Range | Description |
---|---|---|
| N/A | Event Log configuration table for configuration items related to each Event Log type. |
| N/A | Specifies the type of event log being configured:
- debug – System debugging data
- memusage – Process heap memory usage
- packet – Packet information details. These files have .PKT extensions. If enabled, stores the packet details to .PKT files.
- security – Security level events. These files have .SEC extensions. (This attribute is only available to an Administrator)
- system – System level events. These files have .SYS extensions.
- trace – System trace data. These files have .TRC extensions.
NOTE: packet (.PKT) and memusage (.MEM) logs are not supported for syslog service. Refer to Supported Log Types for more information on supported log types. |
cdrFileTransferType | N/A | Write CDRs as compressed, or uncompressed.
- compressed
- uncompressed (default) |
compressionSupport | N/A | Type of compression.
- both – The SBC generates both compressed and uncompressed CDR files
- none (default) – For backward compatibility, uncompressed CDR files
- only – The SBC generates compressed CDR files |
compressionDaysToKeep | 1-14 | The number of days to keep compressed files before deleting. Default = 5. |
compressionCleanupDirectory | N/A | The alternate directory name (containing no slashes) under the evlog file directory from which compressed files are removed after compressionDaysToKeep days |
diskThrottleLimit | 0-4294976295 | Specifies the limit on INFO level messages logged to the disk in one second. A value of 0 disables the limit. The default value is 10000. Note: For the trace log, if tracing is being performed to capture all of the SIP PDU for all of the calls on the system for use in conjunction with Ribbon Analytics, then this value needs to be tuned to accommodate the maximum call load anticipated for the SBC instance. For example, for a call rate of 1350 cps and assuming 14 messages in a basic SIP call (ingress and egress legs), it would require a total of 18,900 messages. Adding this to the default 10000, the recommendation in this case would be to set the limit at 30,000. |
encryptFile | N/A | Specifies whether the packet files are encrypted.
Note: You can configure this parameter only when For more detailed information, refer to Encrypting Auto-traced Media. |
encryptionPublicKey | 128-1024 bytes | This is the RSA public key without ssh-rsa at the beginning of the key contents and without the user email at the end of the key contents. This key uses a minimum of 2048 bits and accommodates public keys of up to 4096 bits in length. Note: This parameter is mandatory when Note: You can configure this parameter only when For more detailed information, refer to Encrypting Auto-traced Media. |
eventLogValidation | N/A | Specifies whether the logs at rest for this log type should be cryptographically hashed. Hashing is only recommended for the security and audit logs. These are the main logs required to triage security issues and do not roll very frequently. Hashing must be disabled for logs that are rolling over frequently as would occur for the trace log if the call rate is 1350 cps and it is being used to capture all SIP PDU's for use with Ribbon Analytics. If logs are being exported using Rsyslog then there is no need to enable Event Log Validation as the logs are copied off the SBC before they could be modified. Refer to OAM - Event Log - Platform Rsyslog.
IMPORTANT: You must disable this control for any logs which are rolling at a very high rate (e.g. capturing trace logs of all SIP PDUs for use with Ribbon Analytics). Hash Notes: |
| 1-2048 | Specifies the number of event log files that will be maintained for this event type. (default = 32). |
| 256-65535 | Maximum size (in KB) that a single event log file will ever grow to. (default = 2048). Note: Set the file size to 65535 for trace and account logs when attempting to trace all calls on the system for use with Ribbon Analytics. |
| N/A | Event log NFS write mode.
|
| N/A | Logs every possible event. |
| 2-100 | The number of event log message entries to buffer before writing to disk. (default = 10). If capturing all of the SIP PDU messages in the trace log for use with Ribbon Analytics, set this value to 100 for the trace log. |
| N/A | Enable this flag to append an ".OPEN" extension to accounting and files which are open for writing.
Note: You must enable the global callTrace Once |
| N/A | Event log rollover actions.
|
| 0-31536000 | Event log rollover interval, in seconds. Note: When using this service, you must set a value of 15 seconds or more. |
| N/A | Specifies the start time for event log rollover. The format is |
| N/A | Event log rollover type.
|
| N/A | Use flag to specify that the events are saved to disk or not saved.
|
| N/A | Specifies the requested state of the given Event Log type.
Do not disable accounting and audit logs. |
servers | N/A | Configure a remote Rsyslog Server for a single log type:
|
Note: packet ( Note: The memusage value printed at the end of the line is in bytes. | ||
syslogState | N/A | Enable flag to log events of specified type to syslog.
|
Info | ||
---|---|---|
| ||
For Hardware and SWe-Based Systems
...where
For N:1 Cloud-Based Systems
You cannot use the system name because, in an N:1 system, multiple instances running in active mode would have the same system name. The SBC uses the
For 1:1 Cloud-Based Systems
...where System Name is the
|
Type Admin Event Log Parameters (request command)
Command Examples
To view typeAdmin status from the system-level prompt:
To configure event log type “packet” by setting file count to “1”, maximum file size to 256 KB, roll-over interval to 2 seconds, and then enabling the event log but disabling the logging of events to syslog:
To send the command to request an immediate roll-over:
To display typeAdmin event log details (shortened for brevity).
Parameters for Configuring New Remote Rsyslog Servers
|