
Archived Manual Chapter: Logging WANJet Appliance System Events

This article has been archived, and is no longer maintained.

13 
Viewing and managing log messages is an important part of maintaining a WANJet® appliance. Log messages inform you on a regular basis of the events that are happening on the system. Some of these events pertain to general events happening within the operating system, while other events are specific to the WANJet appliance, such as the stopping and starting of WANJet system services.
The mechanism that the WANJet appliance uses to log events is the utility syslog-ng. The syslog-ng utility is an enhanced version of the standard logging utility syslog.
System events
System event messages are based on operating system events, and are not specific to the WANJet appliance.
Local traffic events
Local-traffic event messages pertain specifically to the local traffic management system.
Audit events
Audit event messages are those that the WANJet appliance logs as a result of changes to the WANJet appliance configuration. Logging audit events is optional, and audit logging is disabled by default.
The logging mechanism on a WANJet appliance includes several features designed to keep you informed of system events in the most effective way possible.
One of the primary features of the logging mechanism is its ability to log different types of events, ranging from system events to local traffic events. Through the WANJet appliance auditing feature, you can even track and report changes that users make to the WANJet appliance configuration, such as adding a virtual server or designating a device to be part of a redundant system. For more information, see Reviewing log content and Understanding log types.
When setting up logging on the WANJet appliance, you can customize the logs by designating the minimum severity level, or log level, that you want the WANJet appliance to report when a type of event occurs. The minimum log level indicates the minimum severity level at which the WANJet appliance logs that type of event.
For example, you can specify that, for any change a user makes to the bigdb database, the minimum severity level for which the WANJet appliance logs messages is Warning. This means that the WANJet appliance logs Warning and more severe messages such as Error and Critical messages, but not less severe ones such as Notice, Informational, or Debug messages. For more information, see Setting log levels.
Finally, you can log WANJet appliance events to a remote logging server. You do this by identifying the IP address or host name of the remote logging server, and creating an encrypted network connection, or tunnel, for sending log information to that remote server. For more information, see Configuring encrypted remote logging.
Tip: You can also configure the system to send email or activate pager notification based on the priority of the logged event.
The logs that the WANJet appliance generates include several types of information. For example, all logs except the audit log show a timestamp, host name, and service for each event. Some logs show a status code, while the audit log shows a user name and a transaction ID corresponding to each configuration change. All logs contain a 1-line description of each event.
Table 13.1 lists the categories of information contained in the logs and the specific logs in which the information is displayed.
System
Local Traffic
The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest.
System
Local Traffic
System
Local Traffic
The status code associated with the event. Note that only events logged by WANJet appliance components, and not operating system services, have status codes.
System
Local Traffic
1. In the navigation pane, expand System, and click Logs.
   The Logs screen opens.
2. On the menu bar, click System, Local Traffic, or Audit, depending on the type of log messages you want to view.
   This displays the appropriate logs.
3. If you want to display another screen of messages, first locate the page list at the lower-right corner of the screen. You can either:
1. In the navigation pane, expand System, and click Logs.
   The Logs screen opens.
2. On the menu bar, click System, Local Traffic, or Audit, depending on the type of log messages you want to view.
   This displays the appropriate logs.
3. In the Search box (directly above the Timestamp column), type a string, optionally using the asterisk as a wildcard character.
4. Click Search.
   This displays only those messages containing the string you specified.
The WANJet appliance automatically logs three main event types: system, local traffic, and configuration changes (audit). Each type of event is stored in a separate log file, and the information stored in each log file varies depending on the event type. All log files for these event types are placed in the directory /var/log.
Many events that occur on the WANJet appliance are operating system-related events, and do not specifically apply to the WANJet appliance. The WANJet appliance logs the messages for these events in the file /var/log/messages.
Table 13.2 shows some sample system log entries.
Many of the events that the WANJet appliance logs are related to local area traffic passing through the WANJet appliance. The WANJet appliance logs the messages for these events in the file /var/log/ltm.
Table 13.3 shows some sample local-traffic log entries.
HA daemon_heartbeat genericproxy fails action is restart.
Packet Velocity® ASIC (PVA) configuration events
Audit logging is an optional feature that logs messages whenever a WANJet appliance configuration is changed. You can track auditing changes:
Table 13.4 shows some sample audit log entries. In this example, the first entry shows that user admin enabled the audit logging feature; the second entry shows where user admin disabled Terminal Access for user NetworkAdmin.
DB_VARIABLE modified:
name="config.auditing"
value="enable"
USERDB_ENTRY modified:
name="NetworkAdmin"
shell="/bin/false"
Using the Configuration utility, you can set log levels on both local traffic and auditing events. For each type of local traffic event, you can set a minimum log level. The minimum log level indicates the minimum severity level at which the WANJet appliance logs that type of event. For more information, see Setting log levels for local traffic events, following.
For auditing events, you can set a log level that indicates the type of event that the system logs, such as the user-initiated loading of WANJet appliance configurations, or system-initiated configuration changes. For more information, see Setting log levels for auditing events.
For local traffic events, you can set a minimum log level. Thus, for different kinds of local traffic events, such as bigdb configuration events or events related to HTTP compression, you can set different minimum log levels.
For example, if you set the minimum log level for bigdb events to Error, then the system only logs messages that have a severity of Error or higher for those events. If you retain the default minimum log level (Informational), then the system logs all messages that have a severity of Informational or higher (that is, all messages except Debug messages).
You can set a minimum log level on many different types of local traffic events. Table 13.5 shows the types of local traffic events and the minimum log levels that you can configure for them. Because not all log levels are available for every local-traffic event type, the table shows the specific log levels you can set on each event type. Following the table is the procedure for setting the minimum log level on a local traffic event type.
1. In the navigation pane, expand System, and click Logs.
   This opens the Logs screen.
2. On the menu bar, click Options.
   The screen for setting minimum log levels opens.
3. In the Local Traffic Logging area of the screen, locate the event type for which you want to set a minimum log level.
   An example of an event type is HTTP Compression.
5. Click Update.
An optional type of logging that you can enable is audit logging. Audit logging logs messages that pertain to configuration changes that users or services make to the WANJet appliance configuration. (For more information, see Auditing configuration changes.)
You can choose one of four log levels for audit logging. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event.
Disable
This turns audit logging off. This is the default value.
Enable
This causes the system to log messages for user-initiated configuration changes only.
Verbose
This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
Debug
This causes the system to log messages for all user-initiated and system-initiated configuration changes.
1. In the navigation pane, expand System, and click Logs.
   This opens the Logs screen.
2. On the menu bar, click Options.
   This displays the screen for setting minimum log levels on local traffic events.
4. Click Update.
You can configure the Syslog utility on the WANJet appliance to send WANJet appliance log information to a remote logging host, using an encrypted network connection. To do this, you create a port-forwarding SSH tunnel to the remote logging host, and configure syslog-ng on the WANJet appliance to send log messages through the SSH tunnel.
Before you attempt to configure encrypted remote logging, you must meet the following conditions on the WANJet appliance and your remote logging host:
On the WANJet appliance
You must have a console with root access to the WANJet appliance.
On the remote logging host
You must have a console with root access to the remote logging host, and the IP address or the host name of the remote logging host.
For both systems
You must have both systems connected to the same subnetwork.
Warning: You should attempt this configuration only if you understand the risks associated with making changes to service startup scripts.
Edit the syslog-ng service startup script to create and destroy the SSH tunnels.
Edit the remote logging host to accept syslog-ng messages through the SSH tunnel.
This configuration requires that the WANJet appliance is able to establish an SSH connection to the remote logging host. On the WANJet appliance, use the ssh command to create the tunnel. Figure 13.1 is an example of the syntax required to create an SSH tunnel.
Table 13.6 contains detailed descriptions of the ssh syntax elements shown in Figure 13.1.
The port SSH listens on for connections in order to forward them to <remote log hostname>:<remote tunnel port>.
<remote log hostname>
The port to which you want the SSH daemon on the remote logging server to forward connections.
The user name that ssh attempts to authenticate as on <remote log hostname>.
After you have reviewed the ssh command syntax, and before you use the ssh command to create the encrypted tunnel, you must create a unique key on the WANJet appliance. The unique key is used to identify and authorize the WANJet appliance to the remote logging host.
Use the following command to create the files syslog_tunnel_ID and syslog_tunnel_ID.pub.
Use the following command to make syslog_tunnel_ID readable only by the root account:
Use the following command to make the public portion of the unique SSH ID named syslog_tunnel_ID.pub readable by all accounts:
Copy syslog_tunnel_ID and syslog_tunnel_ID.pub into /var/ssh with the following command:
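The following check is an added example, not part of the original chapter: it audits the two identity files after the steps above, confirming that the private half is closed to group and other and that the public half is readable by all accounts. The function name, the finding labels and the optional owner argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the SSH identity files this chapter creates.
# Usage: audit_tunnel_key /var/ssh        (expected owner defaults to root)

perms() { ls -ld "$1" | cut -c1-10; }            # e.g. -rw-------
owner() { ls -ld "$1" | awk '{print $3}'; }      # owning user as ls shows it

# audit_tunnel_key DIR [OWNER]  (hypothetical helper name)
# Prints one line per finding; the return status is the number of findings.
audit_tunnel_key() {
    dir=$1; want_owner=${2:-root}; findings=0
    priv="$dir/syslog_tunnel_ID"; pub="$dir/syslog_tunnel_ID.pub"

    for f in "$priv" "$pub"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; findings=$((findings + 1))
        elif [ "$(owner "$f")" != "$want_owner" ]; then
            echo "OWNER   $f belongs to $(owner "$f"), expected $want_owner"
            findings=$((findings + 1))
        fi
    done

    # Private half: no permission bits at all for group or other.
    if [ -f "$priv" ]; then
        case "$(perms "$priv")" in
            -???------) ;;
            *) echo "PERMS   $priv is $(perms "$priv"), expected -rw-------"
               findings=$((findings + 1)) ;;
        esac
    fi

    # Public half: readable by all accounts, writable by the owner at most,
    # and it must not contain private key material copied by mistake.
    if [ -f "$pub" ]; then
        case "$(perms "$pub")" in
            -r?-r--r--) ;;
            *) echo "PERMS   $pub is $(perms "$pub"), expected -rw-r--r--"
               findings=$((findings + 1)) ;;
        esac
        if grep -q 'PRIVATE KEY' "$pub"; then
            echo "CONTENT $pub contains private key material"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```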
Next, change the syslog-ng start script, /etc/init.d/syslog-ng, so that the encrypted tunnel is opened when the syslog-ng script starts up and is closed when the script is restarted or stopped.
Before you edit the syslog-ng start script, save a backup copy to the root directory. Use the following command to save the backup to the root directory:
After you save a backup of the syslog-ng start script, edit /etc/init.d/syslog-ng so that it automatically creates the SSH tunnel when syslog-ng is started, and closes it when syslog-ng is restarted or stopped.
The example configuration in this document demonstrates how to create a tunnel to a host using the following IP addresses and ports:
IP address of 10.0.0.100
User name logger on host 10.0.0.100.
Type the syntax below the line that reads start). Figure 13.2 is an example of what the section of the syslog-ng start script looks like after you specify the syntax. In this example, the syntax you add is shown in bold text.
ssh -L 5140:10.0.0.100:5140 \
Next, add syntax below the line that reads stop). Figure 13.3 shows the syntax you need to add in bold text.
for sshTunnel in \
After you add the syntax to open and close SSH tunnels, you can edit the syslog-ng configuration to log messages to the remote machine. To do this, you need to create source and filter configuration blocks based on the local environment.
Using the example IP address and ports from the previous section, you would edit the syslog-ng.conf file to look like the syslog-ng.conf in Figure 13.4.
Figure 13.4 Example syslog-ng.conf configuration
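The following is an added example, not the chapter's Figure 13.4: it scans a syslog-ng configuration for tcp() or udp() destinations that point anywhere other than the loopback end of the SSH tunnel, which would send log data to the remote host unencrypted. The sample configuration is constructed, and the function names and the assumption that the tunnel's local end is 127.0.0.1 port 5140 are illustrative.

```shell
#!/bin/sh
# Added example: flag syslog-ng network destinations that bypass the SSH tunnel.

# Constructed sample configuration (not taken from the chapter).
sample_conf() {
cat <<'EOF'
source s_local { unix-stream("/dev/log"); internal(); };
# Through the tunnel opened by: ssh -L 5140:10.0.0.100:5140 ...
destination d_tunnel { tcp("127.0.0.1" port(5140)); };
# Straight to the log host: leaves the appliance unencrypted.
destination d_direct { udp("10.0.0.100" port(514)); };
log { source(s_local); destination(d_tunnel); };
log { source(s_local); destination(d_direct); };
EOF
}

# untunneled_destinations FILE  (hypothetical helper name)
# Prints "driver address" for every tcp()/udp() destination whose address
# is not loopback. Prints nothing when all network output uses the tunnel.
untunneled_destinations() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eo '(tcp|udp)\("[^"]+"' |
        sed -E 's/^(tcp|udp)\("([^"]+)"$/\1 \2/' |
        grep -Ev ' (127\.[0-9.]+|localhost)$' || true
}
```

Run `untunneled_destinations` against the edited syslog-ng.conf before restarting the service; any output line names a destination that does not go through the tunnel.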
After you have edited the syslog-ng.conf to log messages on the remote logging host, you must copy the unique SSH identity to the remote logging host. To do this, copy the syslog_tunnel_ID.pub to the remote syslog server, and append this key to the authorized_keys file found in the .ssh folder under the home directory of the user that you want to use to capture remote log messages.
Note: The following instructions are examples. The actual process for setting up the new SSH key to be automatically authorized, and configuring the syslog service may be different on your system.
Verify that the logging facility is configured and ready to receive syslog messages on the <remote tunnel port>. If the remote logging host uses syslog-ng, you need to add a source configuration block like the one in Figure 13.5.
In addition to the source identification block, you also need to add filter, destination, and log configuration blocks to use the data from the source remote as required by your application.
1. Log in as root to the WANJet appliance.
If everything is configured correctly, you should be able to get shell access to the remote logging host without being challenged for a password. (When you add the new identity key to the remote host's authorized_keys file, the key is used to authenticate the WANJet appliance.)
4. Restart the syslog-ng service by typing the following command: