
How to set syslog severity grade log send to syslog server

Hi all,

As per the title, I have configured it as in sk92798:

add syslog log-remote-address 172.22.112.119 level emerg
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set syslog uncompressmessages off

[Expert@demoCP:0]# clock
Fri Nov 16 13:00:42 2018 -0.152526 seconds
[Expert@demoCP:0]# cat /etc/syslog.conf
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/syslog_xlate on Fri Nov 16 12:00:40 2018
#
# DO NOT EDIT
#
auth.* /var/log/auth
mail.* -/var/log/maillog
cron.* -/var/log/cron
*.info;local5.emerg;local0.notice;authpriv.emerg;cron.emerg;mail.emerg /var/log/messages


#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages
#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages

#*.debug;local5.debug;local0.debug;authpriv.debug;cron.debug;mail.debug /var/log/messages

#*.info;local5.info;local0.info;authpriv.info;cron.info;mail.info /var/log/messages

#*.notice;local5.notice;local0.notice;authpriv.notice;cron.notice;mail.notice /var/log/messages
*.emerg *
*.emerg @172.22.112.119
local7.* /var/log/boot.log
authpriv.* /var/log/secure
uucp.crit;news.crit /var/log/spooler
[Expert@demoCP:0]# clock
Fri Nov 16 13:01:06 2018 -0.164737 seconds

but I can see notice-level syslog messages being sent to the syslog server. What is wrong with it?
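To trace what the quoted /etc/syslog.conf actually selects, here is an added illustration (not Check Point code and not from anyone in this thread): a small Python model of classic sysklogd selector semantics, run over the configuration lines copied from the post above. Under that file a kern.notice message is written only to /var/log/messages, and nothing below emerg reaches @172.22.112.119, so notice-level events arriving at the remote collector must come from a sender other than syslogd. The facility and priority tables are the standard syslog ones; the sample messages in the usage section are constructed.

```python
"""Minimal model of classic (sysklogd-style) /etc/syslog.conf selector matching.
Added illustration only: it traces which actions a message would reach under the
configuration quoted in the question. The config text below is copied from the
post (comment lines dropped)."""

# Standard syslog priorities, most severe first.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Standard syslog facilities.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Copied from the /etc/syslog.conf shown in the question.
SYSLOG_CONF = """\
auth.* /var/log/auth
mail.* -/var/log/maillog
cron.* -/var/log/cron
*.info;local5.emerg;local0.notice;authpriv.emerg;cron.emerg;mail.emerg /var/log/messages
*.emerg *
*.emerg @172.22.112.119
local7.* /var/log/boot.log
authpriv.* /var/log/secure
uucp.crit;news.crit /var/log/spooler
"""


def _prio_set(spec):
    """Priorities selected by a priority spec: 'info' means info and anything
    more severe, '=info' means exactly info, 'none' selects nothing, '*' all."""
    if spec in ("*", "debug"):
        return set(PRIORITIES)
    if spec == "none":
        return set()
    if spec.startswith("="):
        return {spec[1:]}
    return set(PRIORITIES[:PRIORITIES.index(spec) + 1])


def parse_conf(text):
    """Return a list of (table, action) rules, where table maps each facility to
    the set of priorities that rule accepts. Selectors within one line are applied
    left to right and a later selector overrides an earlier one for the same
    facility, which is how sysklogd resolves '*.info;local5.emerg'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        table = {f: set() for f in FACILITIES}
        for sel in selectors.split(";"):
            fac_part, prio = sel.split(".")
            prios = _prio_set(prio)
            facs = FACILITIES if fac_part == "*" else fac_part.split(",")
            for f in facs:
                table[f] = prios
        # A leading '-' on a file action only disables fsync; it is not part of the path.
        rules.append((table, action.lstrip("-")))
    return rules


def route(rules, facility, priority):
    """Actions (files, '*' for wall, '@host' for remote) a message with this
    facility/priority is delivered to, in configuration order."""
    return [action for table, action in rules if priority in table[facility]]


RULES = parse_conf(SYSLOG_CONF)

if __name__ == "__main__":
    # Constructed sample messages, traced through the quoted configuration.
    for fac, prio in [("kern", "notice"), ("kern", "emerg"),
                      ("local5", "notice"), ("authpriv", "notice")]:
        print(f"{fac}.{prio:<7} -> {route(RULES, fac, prio)}")
```

Running it shows that only emerg-priority messages ever reach the `@172.22.112.119` action, and that `local5.emerg` in the messages line overrides the earlier `*.info` for that facility, so a local5.notice message is not written anywhere by this file at all.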

8 Replies
Admin

Re: How to set syslog severity grade log send to syslog server

Has syslog restarted since this configuration took place?

I believe syslogd should automatically restart anytime you change the configuration, but it's helpful to double-check.

0 Kudos

Re: How to set syslog severity grade log send to syslog server

Of course, the service restarted, but it didn't seem to help. Meanwhile, I found that if I annotating all code in /etc/syslog.conf, CP will still send notice logs to the Syslog server. I had configured it as in sk87560 and sk92798. So, is there any step that can exclude traffic logs? The client just wants to keep the logs simple and clear.

0 Kudos
Admin

Re: How to set syslog severity grade log send to syslog server

"If I annotating all code in /etc/syslog.conf" what does this mean?

What do you mean "traffic logs"? 

If you're talking about stuff that would normally appear in Logs/Reporting or SmartView, this stuff does not go to syslog unless you're running Log Exporter or similar and even then, it shouldn't go to the system syslog (unless you've configured it to).

0 Kudos

Re: How to set syslog severity grade log send to syslog server

"If I annotating all code in /etc/syslog.conf" what does this mean?

/etc/syslog.conf is the syslog config file. I think it should not override any logs to a dedicated file. So, I think some other CP software component sends logs to the Syslog server. I have checked the Linux syslog config; /etc/syslog.conf is configured to control syslog. Please confirm whether there are any errors in my implementation of the requirement using sk87560 and sk92798, or any other mistakes.

What do you mean "traffic logs"? 

Detail as the attachment.

The client configured CP to send logs to Splunk. As you know, Splunk charges by flow rate. So he didn't want too many low-severity logs sent to it.

0 Kudos
Admin

Re: How to set syslog severity grade log send to syslog server

When you configure the gateway to send Firewall blade logs via syslog as described in sk87560, they are not sent via syslogd.

The configuration of /etc/syslogd.conf is therefore irrelevant in this case.

There is no mechanism to filter what logs are sent: it's either all Firewall blade logs or nothing.

FYI, the method described in sk87560 only sends Firewall blade logs and not logs from other Software Blades.

For other blades, you should use the Log Exporter guide.

Log Exporter currently doesn't support filtering logs either (other than filtering out Firewall blade logs) but I believe we plan to add this to Log Exporter in the future.

0 Kudos

Re: How to set syslog severity grade log send to syslog server

Em... So, could you please describe when sk92798 would be suitable? Is sk92798 only used for the local disk?

0 Kudos
Admin

Re: How to set syslog severity grade log send to syslog server

sk92798 is only relevant for events that originate from the Gaia OS itself, i.e. things that would normally appear in /var/log/messages.

Some/all of these events can be forwarded to an external syslog server, depending on how you implement sk92798.

Re: How to set syslog severity grade log send to syslog server

All right. Understood. Thanks!

0 Kudos