In this section:
Use the Event Log object to create, configure, disable and enable system and subsystem level log files to capture system, security, debug, packet, trace and accounting events. Facility 21 and local5 are used by /var/log/fips.log. To guard against overlogging, the SBC logs up to 5000 messages per second in the event logs, but additional event messages above that threshold are discarded. If log events must be discarded, the SBC writes an error message about the skipped messages in the system (.SYS) log. For each event type, an event class (subsystem) and severity threshold can be configured. Event classes include: The ROLLFILE facility provides a means of closing the active log file and opening a new one with an incremented (name) suffix. This facilitates real-time analysis of system events by performing the analysis on closed, rather than opened and growing, files.
The Event Log object allows you to create event log filters to capture debug, security, system, trace, and accounting events using following parameters:
For security protection, the Netconf interface does not support "/aaa" records.
The page ALLDOC:SBC Core Default Groups and Passwords was not found -- Please check/update the page name used in the MultiExcerpt-Include macro
If using INFO filter level is needed for troubleshooting, the SBC triggers the alarm sonusCpEventLogFileDebugLevelInfoNotification any time the Debug Event Log filter level is set to INFO as a reminder of potential memory congestion due to the accumulation of a large number of Debug Event logs in memory. The alarm includes a warning message to set the filter level to MAJOR. The alarm is enabled or disabled using both CLI and EMA When the filter level is set to Once the troubleshooting is completed, set the filter level to When the filter level is changed, the clear alarm
SBC records the maximum number of Debug Event logs, which can potentially cause memory to become congested resulting in unexpected or undesirable SBC performance.INFO
, the following events occur: sonusCpEventLogFileDebugLevelInfoNotification
every five minutes.Debug Event Log filter level is set to INFO. Set to MAJOR if finished troubleshooting
on the last modified Debug Event Log file.MAJOR
. The alarms are cleared when the filter level is set to MAJOR
.sonusCpEventLogFileDebugLevelInfoClearNotification
is triggered and a message Debug Event Log filter level is no longer set to INFO
is displayed in the log file.
% set oam eventLog filterAdmin <node name> <event_type: audit | debug | memusage | security | system | trace> <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace> level <critical | info | major | minor | noevents> state <off | on>
% request oam eventLog filterStatus <node name> <event_type: audit | debug | memusage | security | system | trace> <event_class: audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace> resetStats
The active and standby SBC are designed to turn off INFO level logging if the system becomes congested. The "request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled
" command is used to re-enable INFO level logging once it is disabled. See sonusCpEventLogInfoLevelLoggingDisabledNotfication - MAJOR for associated trap details.
To view INFO LEVEL LOGGING DISABLED state, run the following command.
> show table oam eventLog typeStatus INFO TOTAL LEVEL CURRENT FILE FILE TOTAL FILE FILES NEXT LOG LOGGING TYPE FILE RECORDS BYTES FILES BYTES DROPPED ROLLOVER DESTINATION LAST FILE DROP DISABLED ------------------------------------------------------------------------------------------------------------------------------ system 1000005.SYS 216 31756 32 1032744 0 0 localDisk 0000-00-00T00:00:00+00:00 false debug 1000014.DBG 1601 188964 32 27489838 0 0 localDisk 0000-00-00T00:00:00+00:00 false trace 1000005.TRC 0 128 32 5224 0 0 localDisk 0000-00-00T00:00:00+00:00 false acct 1000085.ACT 1 202 32 7592 0 0 localDisk 0000-00-00T00:00:00+00:00 false security 1000005.SEC 7 1047 32 23610 0 0 localDisk 0000-00-00T00:00:00+00:00 false audit 1000005.AUD 1002 186238 32 4267027 0 0 localDisk 0000-00-00T00:00:00+00:00 false packet 1000005.PKT 0 128 32 872 0 0 localDisk 0000-00-00T00:00:00+00:00 false
% request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled
The SBC Core uses the OAM Event Log memusage command to log the memory usage of each process over a configurable interval. The SBC generates a memory log which is uses to capture and log process heap memory usage over time. The following limitations apply in this release: The number of bytes used by an active process are captured in the memory usage log file: Processes are identified by the log entries encoded by the system. For example, the format of a log entry: The memory usage details are logged to the hard drive in the directory: Use the log number to locate the correct log file. For example: where the 113 03282017 073341.007995:1.01.00.00006.MAJOR .PRS: memusage: 1516445696
/var/log/sonus/sbx/evlog
/var/log/sonus/sbx/evlog/<log number>.mem
<log number>.mem
is the memory usage log file.
% set oam eventLog process memusage state <enable | disable> level <summary | detailed> interval <0...140>
Use platformAuditLogs
to configure a remote server IP address, port, and protocol type to push platform audit logs of administrative, privileged, and security actions to a remote server. .
When platformAuditLogs
is enabled, the /etc/
rsyslog.conf
file sends the /var/log/audit/audit.log
to the remote server's /var/log/messages
file. The remote server's /etc/rsyslog.conf
file must match the configuration of the SBC to receive the audit logs. The SBC automatically adds an Access Control List (ACL) rule to send the audit logs through the application layer to the remote server.
platformAuditLogs
is disabled.For a High Availability (HA) pair, the
file is updated both on the Active and the Standby SBCs to push the audit logs to the remote server./etc/
rsyslog.conf
% set oam eventLog platformAuditLogs auditLogPort <1 to 65535> auditLogProtocolType <relp | tcp | udp> auditLogRemoteHost <IPv4/IPv6 address> state <disabled | enabled>
Ensure the Platform Audit Logs state
is set to "disabled" before configuring/re-configuring the IP address, port, and/or protocol type of the remote server.
Mandatory parameters required to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID>
Non-mandatory parameters to configure an Event log subsystem event type:
% set oam eventLog subsystemAdmin <system_name> <subsys_ID> infoLogState <disabled | enabled> maxEventID <0-4.294967295E9> minEventID <0-4.294967295E9>
The syslog
ACL rules are added and removed by enabling/disabling syslogState
and configuring the syslog
log fields.
The following syntax applies to the "set oam eventLog typeAdmin" command:
% set oam eventLog typeAdmin <acct | audit | debug | memusage | packet | security | system | trace> fileCount <1-2048> fileSize <256-65535> fileWriteMode <default | optimize> filterLevel <critical | info | major | minor | noevents> messageQueueSize <2-32> renameOpenFiles <disabled | enabled> rolloverAction <start | stop> rolloverInterval <0-31536000> rolloverStartTime <time> rolloverType <repetitive | nonrepetitive> saveTo <none | disk> state <disabled | enabled | rollfile> syslogRemoteHost <up to 255 characters> syslogRemotePort <1-65535> syslogRemoteProtocol <relp | tcp | udp> syslogState <disabled | enabled>
Only the Administrator can execute the above command using the "audit" and "security" attributes:
% set oam eventLog typeAdmin audit...
% set oam eventLog typeAdmin security...
The following syntax applies to the "request oam eventLog typeAdmin" command:
% request oam eventLog typeAdmin <acct | audit | debug | memusage | packet | security | system | trace> rolloverLogNow % request oam filterStatus <card name> <audit | debug | memusage | security | system | trace> <audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace
Only the Administrator can execute the following commands using the "audit" and "security" attributes:
% request oam eventLog typeAdmin audit rolloverLogNow % request oam eventLog typeAdmin security rolloverLogNow % request oam eventLog filterStatus <card name> security security resetStats
The System log displays Info level logs which are traps or faults when the System log filterLevel is configured to log Major and/or Critical events.
To view typeAdmin status from the system-level prompt:
Refer to Show Table OAM for additional details.
> show table oam eventLog typeAdmin MAX MESSAGE EVENT ROLLOVER FILE SYSLOG SYSLOG SYSLOG RENAME DISK FILE FILE QUEUE SAVE MEMORY FILTER START ROLLOVER ROLLOVER WRITE SYSLOG REMOTE REMOTE REMOTE OPEN THROTTLE TYPE STATE COUNT SIZE SIZE TO SIZE LEVEL TIME INTERVAL ROLLOVER TYPE ACTION MODE STATE HOST PROTOCOL PORT FILES LIMIT ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- system enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled 5000 debug enabled 32 10240 10 disk 16 info - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled - trace enabled 32 2048 10 disk 16 info - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled - acct enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled - security enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled - audit enabled 32 2048 10 disk 16 minor - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled - packet enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled - memusage enabled 32 2048 10 disk 16 major - 0 nonrepetitive stop default disabled 0.0.0.0 tcp 514 disabled -
To configure event log type “packet” by setting file count to “1”, maximum file size to 256 KB, roll-over interval to 2 seconds, and then enabling the event log but disabling the logging of events to syslog:
% set oam eventLog typeAdmin system fileCount 1 fileSize 256 rolloverInterval 2 state enabled syslogState disabled % show oam eventLog typeAdmin system state enabled; fileCount 1; fileSize 256; rolloverInterval 2; syslogState disabled;
To send the command to request an immediate roll-over:
% request oam eventLog typeAdmin system rolloverLogNow
To display typeAdmin event log details. It has been shortened for brevity.
% show details oam eventLog typeAdmin typeAdmin system { state enabled; fileCount 32; fileSize 2048; messageQueueSize 10; saveTo disk; filterLevel major; rolloverInterval 0; rolloverType nonrepetitive; rolloverAction stop; fileWriteMode default; syslogState disabled; syslogRemoteHost 0.0.0.0; syslogRemoteProtocol tcp; syslogRemotePort 514; renameOpenFiles disabled; }
typeAdmin debug { state enabled; fileCount 32; fileSize 2048; messageQueueSize 10; saveTo disk; filterLevel info; rolloverInterval 0; rolloverType nonrepetitive; rolloverAction stop; fileWriteMode default; syslogState disabled; syslogRemoteHost 0.0.0.0; syslogRemoteProtocol tcp; syslogRemotePort 514; renameOpenFiles disabled; }
typeAdmin trace { state enabled; fileCount 32; fileSize 2048; messageQueueSize 10; saveTo disk; filterLevel info; rolloverInterval 0; rolloverType nonrepetitive; rolloverAction stop; fileWriteMode default; syslogState disabled; syslogRemoteHost 0.0.0.0; syslogRemoteProtocol tcp; syslogRemotePort 514; renameOpenFiles disabled; }
typeAdmin memusage { state enabled; fileCount 32; fileSize 2048; messageQueueSize 10; saveTo disk; filterLevel major; rolloverInterval 0; rolloverType nonrepetitive; rolloverAction stop; fileWriteMode default; syslogState disabled; syslogRemoteHost 0.0.0.0; syslogRemoteProtocol tcp; syslogRemotePort 514; renameOpenFiles disabled; } ...