topic Re: XIQ-SE syslog and traps data retention in ExtremeCloud IQ- Site Engine Management Center

XIQ-SE syslog and traps data retention

EF — Tue, 15 Feb 2022 17:03:26 GMT

Hi team,

I see in Alarms&Events --> Events tab that you can go up to 4 weeks ago for search events, but I can´t find if this parameter is configurable.

In the other hand I dont know how this data base is handle, if there is a limit size or other considerations.

Its usefully for us undesrtanding it.

King regards

EF

Re: XIQ-SE syslog and traps data retention

AdrianO — Tue, 22 Feb 2022 14:27:05 GMT

I think that what you can configure is the row limit on the table for each type, in your case shows 4 weeks ago in my case much less. So, you can customize the size but not the time.

Administration > Alarm/Event Logs and Tables > Event Tables Row Limit (per type)

Re: XIQ-SE syslog and traps data retention

bar — Mon, 28 Feb 2022 12:22:11 GMT

Thanks Adrian Orellana, for the info on where to configure the table size.

I'd be interested to know the implications of changing this value. Currently the default size gives us less than an hour of data so we would be looking at increasing the size dramatically. Other than disk space are there any other performance considerations?

regards,

Re: XIQ-SE syslog and traps data retention

AdrianO — Mon, 28 Feb 2022 12:30:53 GMT

I don´t think that there will be an impact on performance since XIQ will be receiving the same data at the same rate and writing the same amount to disk, the only difference is that the files would be bigger.

I´m planning on research the logs that are interesting to have on XIQ since the devices send all by default and this is not optimal for visibility and performance. I know that not everyone has the same needs, but it would be fantastic if @extreme can offer a baseline filter to be customized. Or if someone has one such filter and want to share, I think that it would be a resource for this community.

Re: XIQ-SE syslog and traps data retention

bar — Mon, 28 Feb 2022 13:28:45 GMT

@Adrian Orellana,
I am also looking at the logs.

As you said "not everyone has the same needs, " but this may be of interest / useful:

currently we have some messages that are filtered out within the /etc/rsyslog.conf file:

#drop unimportant messages

#wireless and authentication

:msg, contains, "completed WPA2-AES handshake" ~

:msg, contains, "failed WPA2-AES handshake" ~

:msg, contains, "failed group key handshake" ~

:msg, contains, "timeout attempting 802.1x/EAP authentication" ~

:msg, contains, "failed 802.1x/EAP authentication" ~

:msg, contains, "Key Cache used for client" ~

:msg, contains, "Opportunistic Key Cache used for client" ~

:msg, contains, "Key Cache used for client" ~

:msg, contains, "802.1x/EAP (type:peap) authentication success" ~

#xmc login messages !! Change 10.11.12.13 to the IP of your XMC / XiQ and change the user name if required

:msg, contains, "succeeded for user rwa on host 10.11.12.13" ~

:msg, contains, "CLI session start: user rwa on host 10.11.12.13" ~

:msg, contains, "SSH:10.11.12.13 rwa terminal more disable" ~

:msg, contains, "SSH:10.11.12.13 rwa enable" ~

:msg, contains, "SSH:10.11.12.13 rwa show app-telemetry" ~

:msg, contains, "SSH:10.11.12.13 rwa show interfaces" ~

:msg, contains, "CLI session end: user rwa on host 10.11.12.13" ~

:msg, contains, "SSH session closed by user rwa on host 10.11.12.13" ~

At the switches, we also try to reduce what is sent (these are ERS (BoSS) switches):

no snmp-server notification-control lldpRemTablesChange

no snmp-server notification-control pethPsePortOnOffNotification 1-48

snmp-server notification-control linkDown all

no snmp-server notification-control linkDown 1-48,51-52

# ports 49 and 50 are uplink ports - where traps are useful

snmp-server notification-control linkUp all

no snmp-server notification-control linkUp 1-48,51-52

# ports 49 and 50 are uplink ports - where traps are useful

no snmp-server notification-control lldpXMedTopologyChangeDetected ALL

no snmp-server notification-control nnMstGeneralEvent

no snmp-server notification-control nnMstTopologyChange

no snmp-server notification-control bsnConfigurationSavedToNvram

We also have vsp (VOSS) switches but have yet to create the equivalent commands (more difficult on these as we have to find the related snmp OID and create an snmp filter table - if anyone already has this, please share!)

We still have a long way to go, especially with wireless - the vast majority of our log messages pertain to wireless.
We have a profile on our wireless controllers so that APs do not send syslog to the management centre, but the controller still sends a huge amount of messages which I think we need to prune substantially!

Hope this helps,
Bar.