XIQ-SE syslog and traps data retention

EF
Contributor II
Hi team,

I see in the Alarms&Events --> Events tab that you can go back up to 4 weeks when searching events, but I can't find whether this parameter is configurable.

On the other hand, I don't know how this database is handled, whether there is a size limit or other considerations.

It would be useful for us to understand it.

Kind regards

EF
4 REPLIES

bar
Contributor
@Adrian Orellana,
I am also looking at the logs.

As you said, "not everyone has the same needs," but this may be of interest / useful:

Currently we have some messages that are filtered out within the /etc/rsyslog.conf file:
#drop unimportant messages
#wireless and authentication
:msg, contains, "completed WPA2-AES handshake" ~
:msg, contains, "failed WPA2-AES handshake" ~
:msg, contains, "failed group key handshake" ~
:msg, contains, "timeout attempting 802.1x/EAP authentication" ~
:msg, contains, "failed 802.1x/EAP authentication" ~
:msg, contains, "Key Cache used for client" ~
:msg, contains, "Opportunistic Key Cache used for client" ~
:msg, contains, "Key Cache used for client" ~
:msg, contains, "802.1x/EAP (type:peap) authentication success" ~
#xmc login messages !! Change 10.11.12.13 to the IP of your XMC / XiQ and change the user name if required
:msg, contains, "succeeded for user rwa on host 10.11.12.13" ~
:msg, contains, "CLI session start: user rwa on host 10.11.12.13" ~
:msg, contains, "SSH:10.11.12.13 rwa terminal more disable" ~
:msg, contains, "SSH:10.11.12.13 rwa enable" ~
:msg, contains, "SSH:10.11.12.13 rwa show app-telemetry" ~
:msg, contains, "SSH:10.11.12.13 rwa show interfaces" ~
:msg, contains, "CLI session end: user rwa on host 10.11.12.13" ~
:msg, contains, "SSH session closed by user rwa on host 10.11.12.13" ~
At the switches, we also try to reduce what is sent (these are ERS (BoSS) switches):
no snmp-server notification-control lldpRemTablesChange
no snmp-server notification-control pethPsePortOnOffNotification 1-48
snmp-server notification-control linkDown all
no snmp-server notification-control linkDown 1-48,51-52
# ports 49 and 50 are uplink ports -  where traps are useful
snmp-server notification-control linkUp all
no snmp-server notification-control linkUp 1-48,51-52
# ports 49 and 50 are uplink ports -  where traps are useful
no snmp-server notification-control lldpXMedTopologyChangeDetected ALL
no snmp-server notification-control nnMstGeneralEvent
no snmp-server notification-control nnMstTopologyChange
no snmp-server notification-control bsnConfigurationSavedToNvram

We also have vsp (VOSS) switches but have yet to create the equivalent commands (more difficult on these as we have to find the related snmp OID and create an snmp filter table - if anyone already has this, please share!)


We still have a long way to go, especially with wireless - the vast majority of our log messages pertain to wireless.
We have a profile on our wireless controllers so that APs do not send syslog to the management centre, but the controller still sends a huge amount of messages which I think we need to prune substantially!

Hope this helps,
Bar.
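
One way to check a drop list like the one in the post above before deploying it, as an added example that is not part of the original post: the script counts how many messages each rule would discard and reports rules that can never fire because an earlier rule already matches the same text. The rule excerpt is taken from the post; the function names and sample messages are constructed for illustration, and matching against whole lines is a simplification (rsyslog's msg property excludes the syslog header).

```python
import re
from collections import Counter

# Discard filters as written in the post; "stop" is the current form of "~".
RULE_RE = re.compile(r'^:msg,\s*contains,\s*"([^"]*)"\s*(?:~|stop)$')

def parse_drop_rules(conf_text):
    """Substrings of every ':msg, contains' discard rule, in file order."""
    found = (RULE_RE.match(line.strip()) for line in conf_text.splitlines())
    return [m.group(1) for m in found if m]

def shadowed_rules(rules):
    """(rule, earlier_rule) pairs where an earlier rule always matches first."""
    pairs = []
    for i, text in enumerate(rules):
        earlier = next((e for e in rules[:i] if e in text), None)
        if earlier is not None:
            pairs.append((text, earlier))
    return pairs

def simulate(rules, messages):
    """Apply the rules in order; the first match discards the message."""
    hits, kept = Counter(), []
    for msg in messages:
        rule = next((r for r in rules if r in msg), None)
        if rule is None:
            kept.append(msg)
        else:
            hits[rule] += 1
    return hits, kept

# Excerpt of the rules quoted in the post.
SAMPLE_CONF = '''\
:msg, contains, "failed 802.1x/EAP authentication" ~
:msg, contains, "Key Cache used for client" ~
:msg, contains, "Opportunistic Key Cache used for client" ~
:msg, contains, "Key Cache used for client" ~
'''
# Constructed sample messages, not real device output.
SAMPLE_MESSAGES = [
    "ap-1: station 02:00:00:00:00:01 failed 802.1x/EAP authentication",
    "ap-1: Opportunistic Key Cache used for client 02:00:00:00:00:02",
    "sw-1: Link Down on port 49",
]

if __name__ == "__main__":
    rules = parse_drop_rules(SAMPLE_CONF)
    print("shadowed:", shadowed_rules(rules))
    print("dropped, kept:", simulate(rules, SAMPLE_MESSAGES))
```

Running it over a day of captured syslog instead of the sample list shows which rules account for the volume and which discarded messages (for example failed authentications) might be worth writing to a local file instead.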

AdrianO
Contributor
I don't think that there will be an impact on performance, since XIQ will be receiving the same data at the same rate and writing the same amount to disk; the only difference is that the files would be bigger.

I'm planning on researching which logs are interesting to have on XIQ, since the devices send all by default and this is not optimal for visibility and performance. I know that not everyone has the same needs, but it would be fantastic if @extreme could offer a baseline filter to be customized. Or if someone has one such filter and wants to share it, I think that it would be a resource for this community.

bar
Contributor
Thanks Adrian Orellana, for the info on where to configure the table size.

I'd be interested to know the implications of changing this value.  Currently the default size gives us less than an hour of data so we would be looking at increasing the size dramatically.  Other than disk space are there any other performance considerations?

regards,

AdrianO
Contributor
I think that what you can configure is the row limit on the table for each type; in your case it shows 4 weeks ago, in my case much less. So, you can customize the size but not the time.

Administration > Alarm/Event Logs and Tables > Event Tables Row Limit (per type)