Event Log - CLI

In this section:

Overview

Use the Event Log object to create, configure, disable and enable system and subsystem level log files to capture system, security, debug, packet, trace and accounting events.

Event Types

Event	Facility
System	16	local0
Debug	17	local1
Trace	18	local2
Security	19	local3
Audit	20	local4
Acct	22	local6
Memusage	23	local7

Note

Facility 21 and local5 are used by /var/log/fips.log.

For each event type, an event class (subsystem) and severity threshold can be configured. Event classes include:

Audit
Call processing
Directory services
Network management
Policy
Resource management
Network routing
Security
Signaling
System management
Call trace

The ROLLFILE facility provides a means of closing the active log file and opening a new one with an incremented (name) suffix. This facilitates real-time analysis of system events by performing the analysis on closed, rather than opened and growing, files.

The Event Log object allows you to create event log filters to capture debug, security, system, trace, and accounting events using following parameters:

Filter Admin – Filter configuration for each event log type and event class
Filter Status – View filter status per each event log type and event class (using the request command)
INFO Level Logging Enable – Re-enable INFO level logging if it becomes disabled due to system congestion
Memory Usage – Measure memory usage of each process
Platform Audit Logs – View platform audit logs of administrative, privileged, and security actions
Subsystem Admin – Filter configuration for each subsystem
Type Admin – Event log for configuration items related to each event log type

Note

For security protection, the Netconf interface does not support "/aaa" records.

The page ALLDOC:SBC Core Default Groups and Passwords was not found -- Please check/update the page name used in the MultiExcerpt-Include macro

Filter Admin

Command Syntax

% set oam eventLog filterAdmin <node name>
	<event_type: audit | debug | memusage | security | system | trace>
	<event_class: audit | callproc | directory | netmgmt | policy |  resmgmt | routing | security | signaling | sysmgmt | trace>
	level <critical | info | major | minor | noevents>
	state <off | on>

Command Parameters

Filter Admin Event Log Parameters

Parameter	Description
`filterAdmin`	Event Log Class Filter configuration table.
`<node name>`	SBC node name.
`<event type>`	The type of event log to configure: `audit` – System audit data. These files contain a record of all management interactions that modify the state of the system, and includes all the changes made via the CLI and the Netconf interface. These files use .AUD extensions. `debug` – System debugging data. These files have .DBG extensions. `memusage` – Process heap memory usage data. These files have .MEM extensions. `security` – Security level events. These files have .SEC extensions. `system` – System level events. These files have .SYS extensions. `trace` – System trace data. These files have .TRC extensions.
`<event class>`	For each event type, configure one of the following event: `audit` – Audit subsystem. `callproc` – Call Processing subsystem. `directory` – Directory Services subsystem. `netmgmt` – Network Management subsystem. `policy` – Policy subsystem. `resmgmt` – Resource Management subsystem. `routing` – Network Routing subsystem. `security` – Security subsystem. `signaling` – Signaling subsystem. `sysmgmt` – System Management subsystem. `trace` – Call Trace subsystem.
`level`	Minimum severity level threshold for event logging: `critical` – log only critical events. `info` – log all events. `major` – log major and critical events. `minor` – log all events other than info. `noevents` – do not log any events. NOTE: Info level logs which are traps or faults are always reported in the system logs.
`state`	Administrative state of event logging for this event type. Set to “on” if filter entry should take precedence over per-node settings. `off` (default) – Logging is not activated. `on` – Logging is activated.

Filter Status

Command Syntax

% request oam eventLog filterStatus <node name>
   <event_type: audit | debug | memusage | security | system | trace>
   <event_class: audit | callproc | directory | netmgmt | policy |  resmgmt | routing | security | signaling | sysmgmt | trace>
   resetStats

Command Parameters

Filter Status Event Log Parameters

Parameter	Description
`filterStatus`	Event log class filter status table.
`<system name>`	SBC system name.
`<event type>`	The type of event log: `audit` – System audit data. These files contain a record of all management interactions that modify the state of the system, and includes all the changes made via the CLI and the Netconf interface. These files use .AUD extensions. `debug` – System debugging data. These files have .DBG extensions. `memusage` – Process heap memory usage data. These files have .MEM extensions. `security` – Security level events. These files have .SEC extensions. `system` – System level events. These files have .SYS extensions. `trace` – System trace data. These files have .TRC extensions.
`<event class>`	Event class for each event type: `audit` – Audit subsystem. `callproc` – Call Processing subsystem. `directory` – Directory Services subsystem. `netmgmt` – Network Management subsystem. `policy` – Policy subsystem. `resmgmt` – Resource Management subsystem. `routing` – Network Routing subsystem. `security` – Security subsystem. `signaling` – Signaling subsystem. `sysmgmt` – System Management subsystem. `trace` – Call Trace subsystem.
`resetStats`	Use this control to reset the value of Events Filtered column of the `filterStatus` display.

INFO Level Logging Enable

The active and standby SBC are designed to turn off INFO level logging if the system becomes congested. The "request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled" command is used to re-enable INFO level logging once it is disabled. See sonusCpEventLogInfoLevelLoggingDisabledNotfication - MAJOR for associated trap details.

To view INFO LEVEL LOGGING DISABLED state, run the following command.

'show table oam eventLog typeStatus' Example

> show table oam eventLog typeStatus
                                                                                                                    INFO
                                               TOTAL                                                                LEVEL
          CURRENT      FILE     FILE    TOTAL  FILE      FILES    NEXT      LOG                                     LOGGING
TYPE      FILE         RECORDS  BYTES   FILES  BYTES     DROPPED  ROLLOVER  DESTINATION  LAST FILE DROP             DISABLED
------------------------------------------------------------------------------------------------------------------------------
system    1000005.SYS  216      31756   32     1032744   0        0         localDisk    0000-00-00T00:00:00+00:00  false
debug     1000014.DBG  1601     188964  32     27489838  0        0         localDisk    0000-00-00T00:00:00+00:00  false
trace     1000005.TRC  0        128     32     5224      0        0         localDisk    0000-00-00T00:00:00+00:00  false
acct      1000085.ACT  1        202     32     7592      0        0         localDisk    0000-00-00T00:00:00+00:00  false
security  1000005.SEC  7        1047    32     23610     0        0         localDisk    0000-00-00T00:00:00+00:00  false
audit     1000005.AUD  1002     186238  32     4267027   0        0         localDisk    0000-00-00T00:00:00+00:00  false
packet    1000005.PKT  0        128     32     872       0        0         localDisk    0000-00-00T00:00:00+00:00  false

Command Syntax

% request oam eventLog infoLevelLoggingEnable clearInfoLevelLoggingDisabled

Command Parameter

Info Level Logging Enable Event Log Parameter

Parameter

Description

clearInfoLevelLoggingDisabled

Use this command to re-enable info level logging after it becomes disabled due to system congestion. If this command is executed while the system is still congested, this may cause the system to become further congested.

NOTE: Only issue this command once system congestion dissipates. The system may become further congested if this command is executed while the system is still congested

Memory Usage

The SBC Core uses the OAM Event Log memusage command to log the memory usage of each process over a configurable interval. The SBC generates a memory log which is uses to capture and log process heap memory usage over time.

The following limitations apply in this release:

Memory consumption through interval statistics are not reported.
Memory usage is reported at the process level, not for individual threads/tasks.

The number of bytes used by an active process are captured in the memory usage log file:

Processes are identified by the log entries encoded by the system. For example, the format of a log entry:
113 03282017 073341.007995:1.01.00.00006.MAJOR .PRS: memusage: 1516445696

The memory usage details are logged to the hard drive in the directory: /var/log/sonus/sbx/evlog

Note

Use the log number to locate the correct log file. For example:

/var/log/sonus/sbx/evlog/<log number>.mem

where the <log number>.mem is the memory usage log file.

Command Syntax

% set oam eventLog process memusage
        state <enable | disable>
        level <summary | detailed>
        interval <0...140>

Command Parameters

Memory Usage Parameters

Parameter	Length/Range	Description
`memusage`	N/A	The peer process memory usage configuration details.
`state`	N/A	Enable this flag to measure the memory usage of each active process. `disable` (default) `enable`
`level`	N/A	Specifies the level of details to be displayed. `summary` (default) `detailed`
`Interval`	0-1440 minutes	The time interval, in minutes, to elapse between the recording of each memory usage file to the hard drive. (Default = 5) NOTE: An interval of 1440 minutes (24 hours) equates to one log entry per day for a process.

Platform Audit Logs

Use platformAuditLogs to configure a remote server IP address, port, and protocol type to push platform audit logs of administrative, privileged, and security actions to a remote server. .

When platformAuditLogs is enabled, the /etc/rsyslog.conf file sends the /var/log/audit/audit.log to the remote server's /var/log/messages file. The remote server's /etc/rsyslog.conf file must match the configuration of the SBC to receive the audit logs. The SBC automatically adds an Access Control List (ACL) rule to send the audit logs through the application layer to the remote server.

Note

The ACL rule is removed automatically from the default ACL rules when platformAuditLogs is disabled.

Note

For a High Availability (HA) pair, the /etc/rsyslog.conf file is updated both on the Active and the Standby SBCs to push the audit logs to the remote server.

Command Syntax

% set oam eventLog platformAuditLogs
    auditLogPort <1 to 65535>
    auditLogProtocolType <relp | tcp | udp>
    auditLogRemoteHost <IPv4/IPv6 address>
    state <disabled | enabled>

Command Parameters

Note

Ensure the Platform Audit Logs state is set to "disabled" before configuring/re-configuring the IP address, port, and/or protocol type of the remote server.

Platform Audit Logs Parameters

Parameter	Length/Range	Description
`platformAuditLogs`	N/A	Use this object to configure a remote server IP address, port, and protocol type to push the platform audit logs to a remote server.
`auditLogRemoteHost`	Up to 256 characters	`<IP address>` – The IPv4 or IPv6 address of the remote server. (IPv4 default – 0.0.0.0 / IPv6 default – ::) NOTE: When the IPv4 or IPv6 address is configured to the default“0.0.0.0” or “::", respectively, the SBC does not send the audit logs to the remote server.
`auditLogPort`	1 to 65535	`<port number>` – The port number used to send the audit logs to the remote server. (Default = 514)
`auditLogProtocolType`	N/A	The protocol type used to send the audit logs to the remote server. `relp` `tcp` (default) `udp`
`state`	N/A	Enable this flag to allow platform audit logging of administrative, privileged, and security actions. `disabled` (default) `enabled`

Subsystem Admin

Command Syntax

Mandatory parameters required to configure an Event log subsystem event type:

% set oam eventLog subsystemAdmin <system_name> <subsys_ID>

Non-mandatory parameters to configure an Event log subsystem event type:

% set oam eventLog subsystemAdmin <system_name> <subsys_ID>
	infoLogState <disabled | enabled>
	maxEventID <0-4.294967295E9>
	minEventID <0-4.294967295E9>

Command Parameters

Subsystem Admin Event Log Parameters

Parameter	Description
`subsystemAdmin`	Subsystem event logging configuration.
`<system_name>`	Name of system.
`<subsys_ID>`	The subsystem/task ID. See Subsystem IDs table below for a list of subsystem IDs.
`infoLogState`	Use this flag to enable/disable event logging of INFO level messages to DBG and SYS logs for the specified subsystem. By default, infoLogSate is enabled for all subsystems. `disabled` `enabled` (default) NOTE: If `infoLogState` is disabled for CHM, nothing is written to AUD logs. If `infoLogState` is disabled for CPX, request commands are not recorded to AUD logs.

Subsystem IDs

acm	arma	asg	atmrm	brm	cam
cassg	cc	chm	cli	cmtsg	cnh
cpx	dbug	diamc	dnsc	drm	ds
ema	enm	fm	frm	grm	gwfe
gwsg	h323sg	icmsvc	ike	im	ipacl
ipm	lvm	mgsg	mtp2	mtrm	ncm
ncomm	nim	nrm	nrma	nrs	ntp
pathchk	pes	pfa	pipe	pipehook	prm
reserved	rtcp	rtm	scpa	sec	sfm
sg	sgisdn	sgisup	sipfe	sipsg	sm
sma	ssa	trm	xrm

Type Admin

Command Syntax

The following syntax applies to the "set oam eventLog typeAdmin" command:

% set oam eventLog typeAdmin <acct | audit | debug | memusage | packet |  security | system | trace>
   fileCount <1-2048>
   fileSize <256-65535>
   fileWriteMode <default | optimize>
   filterLevel <critical | info | major | minor | noevents>
   messageQueueSize <2-32>
   renameOpenFiles <disabled | enabled>
   rolloverAction <start | stop>
   rolloverInterval <0-31536000>
   rolloverStartTime <time>
   rolloverType <repetitive | nonrepetitive>
   saveTo <none | disk>
   state <disabled | enabled | rollfile>
   syslogRemoteHost <up to 255 characters>
   syslogRemotePort <1-65535>
   syslogRemoteProtocol <relp | tcp | udp>
   syslogState <disabled | enabled>

Only the Administrator can execute the above command using the "audit" and "security" attributes:

% set oam eventLog typeAdmin audit...

% set oam eventLog typeAdmin security...

The following syntax applies to the "request oam eventLog typeAdmin" command:

% request oam eventLog typeAdmin <acct | audit | debug | memusage | packet |  security | system | trace> rolloverLogNow

% request oam filterStatus <card name> <audit | debug | memusage | security | system | trace> 
	<audit | callproc | directory | netmgmt | policy | resmgmt | routing | security | signaling | sysmgmt | trace

Only the Administrator can execute the following commands using the "audit" and "security" attributes:

% request oam eventLog typeAdmin audit rolloverLogNow
% request oam eventLog typeAdmin security rolloverLogNow
% request oam eventLog filterStatus <card name> security security resetStats

Note

The System log displays Info level logs which are traps or faults when the System log filterLevel is configured to log Major and/or Critical events.

Command Parameters

Type Admin Event Log Parameters (set command)

Parameter	Length/Range	Description
`typeAdmin`	N/A	Event Log configuration table for configuration items related to each Event Log type.
`<event_type>`	N/A	Specifies the type of event log being configured: `acct` – System account data. These files have .ACT extensions. `audit` – System audit data. These files contain a record of all management interactions that modify the state of the system. These files have .AUD extensions. It includes all the changes made via the CLI and the Netconf interface. (This attribute is only available to an Administrator) `debug` – System debugging data. These files have .DBG extensions. `memusage` – Process heap memory usage data. These files have .MEM extensions. `packet` – Packet information details. These files have .PKT extensions. If enabled, stores the packet details to .PKT files. `security` – Security level events. These files have .SEC extensions. (This attribute is only available to an Administrator) `system` – System level events. These files have .SYS extensions. `trace` – System trace data. These files have .TRC extensions. NOTE: Syslog is not supported for `acct` and `packet` event types.
`fileCount`	1-2048	Specifies the number of event log files that will be maintained for this event type. (default = 32).
`fileSize`	256-65535	Maximum size (in KB) that a single event log file will ever grow to. (default = 2048).
`fileWriteMode`	N/A	Event log NFS write mode. `default` – Log data is written as a 1344-byte packet. `optimize` – Log data is written as a 8000-byte packet. Optimize write mode results in IP fragmentation but yields better throughput.
`filterLevel`	N/A	Events that are at least as severe as the designated level will be logged. `critical` – log only events of this threshold. `info` – log every possible event. `major` – log major and critical events only. `minor` – log all events other than information. `noevents` – do not log any events. NOTE: The command to set the `filterLevel` for the `acct` event type is no longer applicable.
`messageQueueSize`	2-32	The number of event log message entries to buffer before writing to disk. (default = 10).
`renameOpenFiles`	N/A	Enable this flag to append an ".OPEN" extension to accounting and files which are open for writing. `disabled` (default) `enabled` NOTE:You must enable the global callTrace `signalingPacketCapture` parameter (set `state` to "enable") to capture SIP and H.323 packets (Refer to Call Trace - CLI for configuration details). Once `signalingPacketCapture` is enabled, any subsequent changes to SBC device configurations or filter information will not be available to signaling packet captures until `signalingPacketCapture` is reset (state is disabled, and then re-enabled).
`rolloverAction`	N/A	Event log rollover actions. `start` – Start rollover action `stop` – Stop rollover action
`rolloverInterval`	0-31536000	Event log rollover interval, in seconds.
`rolloverStartTime`	N/A	Specifies the start time for event log rollover. The format is `CCYY-MM-DDTHH:MM:SS`. For example: `2010-01-01T01:01:01`
`rolloverType`	N/A	Event log rollover type. `nonrepetitive` (default) – The rollover will occur once at the specified single instance. `repetitive` – The rollover will occur repeatedly at the specified intervals.
`saveTo`	N/A	Use flag to specify that the events are saved to disk or not saved. `disk` (default) `none`
`state`	N/A	Specifies the requested state of the given Event Log type. `disabled` – Logging is not activated. `enabled` – (default) Logging is activated. `rollfile` Accounting logs cannot be disabled.
`syslogRemoteHost`	0-255	The remote host where the messages are written to the syslog.
`syslogRemotePort`	1-65535	Specifies the port to use to send messages to the remote syslog. Default value is 514.
`syslogRemoteProtocol`	N/A	The protocol to use to send messages to the remote syslog. `relp` `tcp` (default) `udp`
`syslogState`	N/A	Enable flag to log events of specified type to syslog. `disabled` (default) `enabled`

Type Admin Event Log Parameters (request command)

Parameter

Description

typeAdmin

Event Log configuration table for configuration items related to each Event Log type.

<event_type>

Specifies the type of event log to roll over:

acct – System account data. These files have .ACT extensions.
audit – System audit data. These files contain a record of all management interactions that modify the state of the system. These files have .AUD extensions. It includes all the changes made via the CLI and the Netconf interface. (This attribute is only available to an Administrator)
debug – System debugging data. These files have .DBG extensions.
memusage – Process heap memory usage data. These files have .MEM extensions.
packet – Packet information details. These files have .PKT extensions. If enabled, stores the packet details to .PKT files.
security – Security level events. These files have .SEC extensions. (This attribute is only available to an Administrator)
system – System level events. These files have .SYS extensions.
trace – System trace data. These files have .TRC extensions.

rolloverLogNow

This control is used with request command to perform a roll-over of the specified log immediately.

Command Examples

To view typeAdmin status from the system-level prompt:

Refer to Show Table OAM for additional details.

> show table oam eventLog typeAdmin
                                                MAX
                                 MESSAGE        EVENT           ROLLOVER                                     FILE               SYSLOG   SYSLOG    SYSLOG  RENAME    DISK
                   FILE   FILE   QUEUE    SAVE  MEMORY  FILTER  START     ROLLOVER                 ROLLOVER  WRITE    SYSLOG    REMOTE   REMOTE    REMOTE  OPEN      THROTTLE
TYPE      STATE    COUNT  SIZE   SIZE     TO    SIZE    LEVEL   TIME      INTERVAL  ROLLOVER TYPE  ACTION    MODE     STATE     HOST     PROTOCOL  PORT    FILES     LIMIT
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
system    enabled  32     2048   10       disk  16      major   -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  5000
debug     enabled  32     10240  10       disk  16      info    -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  -
trace     enabled  32     2048   10       disk  16      info    -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  -
acct      enabled  32     2048   10       disk  16      major   -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  -
security  enabled  32     2048   10       disk  16      major   -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  -
audit     enabled  32     2048   10       disk  16      minor   -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  -
packet    enabled  32     2048   10       disk  16      major   -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  -
memusage  enabled  32     2048   10       disk  16      major   -         0         nonrepetitive  stop      default  disabled  0.0.0.0  tcp       514     disabled  -

To configure event log type “packet” by setting file count to “1”, maximum file size to 256 KB, roll-over interval to 2 seconds, and then enabling the event log but disabling the logging of events to syslog:

% set oam eventLog typeAdmin system fileCount 1 fileSize 256 rolloverInterval 2 state enabled syslogState disabled
% show oam eventLog typeAdmin system
   state enabled;
   fileCount 1;
   fileSize 256;
   rolloverInterval 2;
   syslogState disabled;

To send the command to request an immediate roll-over:

% request oam eventLog typeAdmin system rolloverLogNow

To display typeAdmin event log details. It has been shortened for brevity.

% show details oam eventLog typeAdmin

typeAdmin system {
    state                enabled;
    fileCount            32;
    fileSize             2048;
    messageQueueSize     10;
    saveTo               disk;
    filterLevel          major;
    rolloverInterval     0;
    rolloverType         nonrepetitive;
    rolloverAction       stop;
    fileWriteMode        default;
    syslogState          disabled;
    syslogRemoteHost     0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort     514;
    renameOpenFiles      disabled;
}
typeAdmin debug {
    state                enabled;
    fileCount            32;
    fileSize             2048;
    messageQueueSize     10;
    saveTo               disk;
    filterLevel          info;
    rolloverInterval     0;
    rolloverType         nonrepetitive;
    rolloverAction       stop;
    fileWriteMode        default;
    syslogState          disabled;
    syslogRemoteHost     0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort     514;
    renameOpenFiles      disabled;
}
typeAdmin trace {
    state                enabled;
    fileCount            32;
    fileSize             2048;
    messageQueueSize     10;
    saveTo               disk;
    filterLevel          info;
    rolloverInterval     0;
    rolloverType         nonrepetitive;
    rolloverAction       stop;
    fileWriteMode        default;
    syslogState          disabled;
    syslogRemoteHost     0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort     514;
    renameOpenFiles      disabled;
}
typeAdmin memusage {
    state                enabled;
    fileCount            32;
    fileSize             2048;
    messageQueueSize     10;
    saveTo               disk;
    filterLevel          major;
    rolloverInterval     0;
    rolloverType         nonrepetitive;
    rolloverAction       stop;
    fileWriteMode        default;
    syslogState          disabled;
    syslogRemoteHost     0.0.0.0;
    syslogRemoteProtocol tcp;
    syslogRemotePort     514;
    renameOpenFiles      disabled;
}
...

Space shortcuts

Page tree

Overview

Filter Admin

Command Syntax

Command Parameters

Filter Status

Command Syntax

Command Parameters

INFO Level Logging Enable

Command Syntax

Command Parameter

Memory Usage

Command Syntax

Command Parameters

Platform Audit Logs

Command Syntax

Command Parameters

Subsystem Admin

Command Syntax

Command Parameters

Type Admin

Command Syntax

Command Parameters

Command Examples