Message Logging Destinations
There can be confusion regarding the various forms of message logging - including the Syslog and Fault Log - available on the N-Series platform.
This document is intended to provide clarification.
Note that syslog data includes the tracking of CLI commands and the user who issued them, collectively referred to as the "audit trail" for Federal certification purposes.
The logging severity level settings of the syslogging applications affect the type and severity of messages which appear in (1) the logging buffer, (2) the current.log files, (3) the old.log files, (4) the system console display, and (5) the syslog server(s). To a lesser degree, they affect what appears in (6) the Fault Log, since only a small percentage of its messages are syslog-sourced.

    DFE(rw)->show logging application
         Application   Current Severity Level   Server List
     88  RtrAcl        6                        1-8
     89  CLI           6                        1-8
     90  SNMP          6                        1-8
     91  Webview       6                        1-8
     93  System        6                        1-8
     95  RtrFe         6                        1-8
     96  Trace         6                        1-8
    105  RtrLSNat      6                        1-8
    111  FlowLimt      6                        1-8
    112  UPN           6                        1-8
    117  AAA           6                        1-8
    118  Router        6                        1-8
    140  AddrNtfy      6                        1-8
    141  OSPF          6                        1-8
    142  VRRP          6                        1-8
    1(emergencies) 2(alerts) 3(critical)
    4(errors) 5(warnings) 6(notifications)
To change all syslog applications to log to the various destinations at level 8 (write messages of levels 1-8) for testing purposes, rather than at their default of level 6 (write messages of levels 1-6 only):

    DFE(rw)->set logging application all level 8

Here are the syslog logging destinations, in more detail:
- Each logging buffer, maintained in (volatile) DRAM of its host blade, contains up to 256 syslog items generated by its host blade since its last boot-up, as filtered by the application logging levels.
  To display the aggregated contents of the individual logging buffers onto the system console:
      DFE(rw)->show logging buffer
  As with the Fault Log, these displayed items are in order by slot number, then by date/time of occurrence (10188).
- Each current.log file contains all syslog items generated by its host blade, as filtered by the application logging levels, while the 'file enable' command was active to maintain current.log on each blade of the system. Each blade maintains only its own messages. Activating these local logs is highly advisable, because by default the information is volatile (in the logging buffer), being lost for any given slot when that module is powered down or rebooted. Syslog messages can also be generated by router, SNMP, and other processes resident on other blades.
  To start the file-based archiving of the logging buffer items specific to each blade:
      DFE(rw)->set logging local console enable file enable
  If you don't want syslog data to be seen on the system console (CLI), then instead use this command:
      DFE(rw)->set logging local console disable file enable
- Each old.log file contains the first 256K (about 262,000 bytes) of messaging data from the current.log in the same directory when that file had reached the stated limit. Upon establishing old.log on a blade, the blade's current.log is reinitialized. After another 256K of data accumulation, current.log again rolls to old.log (previous old.log contents are lost), and current.log is again initialized. In other words, the maximum data retained in this manner is within the range of 256K to 512K at any given time, per slot.
  To determine the slots which maintain a log directory:
      DFE(rw)->dir
  To determine if the slot-based log directory has a current.log file and possibly an old.log file:
      DFE(rw)->dir slot /logs
  To display the contents of the referenced slot-based log file:
      DFE(rw)->show file slot /logs/current.log
- The system console displays syslog messages as filtered by both the application logging levels and the local logging level (5569):
      DFE(rw)->set logging local 8    [this is the default]
- The syslog server(s) receive, as configured, syslog messages as filtered by both the application logging levels and the relevant server logging severity level:
      DFE(rw)->set logging server 1 ip-addr severity 8 state enable
  Note: There is a backoff algorithm for syslog servers that do not respond. If the server has been unreachable for a while, the system will no longer attempt to reach it with syslog messages. To restore an active server status (for server 1, in this example):
      DFE(rw)->set logging server 1 state disable
      DFE(rw)->set logging server 1 state enable
- The Fault Log (5101) contains hardware-level messages, largely separate from what feeds the syslog system. However, some Fault Log entries are sent to the syslog system as well.
For more about the command sets mentioned above, see the Configuration Guide specific to your firmware.
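
The current.log/old.log rollover described above bounds how much of the audit trail survives on a blade. The following Python model is an added example, not vendor code; the line format, the per-line rollover check, and the names SlotLogs and simulate are assumptions made for illustration.

```python
LIMIT = 256 * 1024  # current.log rolls over to old.log at 256K (from the article)

class SlotLogs:
    """Added model of one blade's /logs directory: current.log plus old.log."""

    def __init__(self, app_levels):
        self.app_levels = app_levels       # application name -> severity level
        self.current, self.old = [], []    # (sequence number, line) entries
        self.current_bytes = self.old_bytes = 0
        self.rollovers = 0

    def log(self, seq, app, severity, text):
        # An application at level N logs severities 1..N; the default level is 6.
        if severity > self.app_levels.get(app, 6):
            return False
        line = f"{app}[{severity}] {text}\n"   # constructed line format
        self.current.append((seq, line))
        self.current_bytes += len(line)
        if self.current_bytes >= LIMIT:
            # Roll: the previous old.log is lost and current.log starts empty.
            self.old, self.old_bytes = self.current, self.current_bytes
            self.current, self.current_bytes = [], 0
            self.rollovers += 1
        return True

    def retained_bytes(self):
        return self.old_bytes + self.current_bytes

    def oldest_seq(self):
        entries = self.old + self.current
        return entries[0][0] if entries else None


def simulate(n_commands):
    """Feed n constructed CLI audit lines; return the slot and retention bounds."""
    slot = SlotLogs({"CLI": 6})
    sizes = []
    for seq in range(n_commands):
        slot.log(seq, "CLI", 6, f"User:admin issued command #{seq:06d}")
        if slot.rollovers:                 # measure only after the first roll
            sizes.append(slot.retained_bytes())
    return slot, min(sizes, default=None), max(sizes, default=None)


if __name__ == "__main__":
    slot, low, high = simulate(20000)
    print(f"rollovers={slot.rollovers} retained={low}..{high} bytes")
    print(f"oldest audit entry still on the blade: #{slot.oldest_seq()}")
```

Every entry older than the one reported by oldest_seq() exists only on a configured syslog server, if at all.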