Herschel_Liang
Collaborator

How to set the syslog severity level for logs sent to a syslog server

Hi all,

As in the title, I have configured it as described in sk92798:

add syslog log-remote-address 172.22.112.119 level emerg
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set syslog uncompressmessages off

[Expert@demoCP:0]# clock
Fri Nov 16 13:00:42 2018 -0.152526 seconds
[Expert@demoCP:0]# cat /etc/syslog.conf
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/syslog_xlate on Fri Nov 16 12:00:40 2018
#
# DO NOT EDIT
#
auth.* /var/log/auth
mail.* -/var/log/maillog
cron.* -/var/log/cron
*.info;local5.emerg;local0.notice;authpriv.emerg;cron.emerg;mail.emerg /var/log/messages


#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages
#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages

#*.debug;local5.debug;local0.debug;authpriv.debug;cron.debug;mail.debug /var/log/messages

#*.info;local5.info;local0.info;authpriv.info;cron.info;mail.info /var/log/messages

#*.notice;local5.notice;local0.notice;authpriv.notice;cron.notice;mail.notice /var/log/messages
*.emerg *
*.emerg @172.22.112.119
local7.* /var/log/boot.log
authpriv.* /var/log/secure
uucp.crit;news.crit /var/log/spooler
[Expert@demoCP:0]# clock
Fri Nov 16 13:01:06 2018 -0.164737 seconds

but I can see notice-level syslog messages being sent to the syslog server. What is wrong with it?

8 Replies
PhoneBoy
Admin

Has syslog restarted since this configuration took place?

I believe syslogd should automatically restart anytime you change the configuration, but it's helpful to double-check.

0 Kudos
Herschel_Liang
Collaborator

Of course, the service was restarted, but it didn't seem to help. Meanwhile, I found that if I annotate all lines in /etc/syslog.conf, CP will send notice logs to the syslog server. I have configured it as in sk87560 and sk92798. So, is there any step that can exclude traffic logs? The client just wants to keep it simple and have clear logs.

0 Kudos
PhoneBoy
Admin

"If I annotating all code in /etc/syslog.conf" what does this mean?

What do you mean "traffic logs"? 

If you're talking about stuff that would normally appear in Logs/Reporting or SmartView, this stuff does not go to syslog unless you're running Log Exporter or similar and even then, it shouldn't go to the system syslog (unless you've configured it to).

0 Kudos
Herschel_Liang
Collaborator

"If I annotating all code in /etc/syslog.conf" what does this mean?

/etc/syslog.conf is the syslog config file. I think it should not redirect any logs to a dedicated file. So I think some other CP software component must be sending logs to the syslog server. I have checked the Linux syslog configuration; /etc/syslog.conf controls syslog. Please confirm whether there are any errors in my implementation of the requirements in sk87560 and sk92798, or any other mistakes.

What do you mean "traffic logs"? 

Details are in the attachment.

The client configured CP to send logs to Splunk. You know Splunk charges by flow rate. So he didn't want too many low-severity logs sent to it.

0 Kudos
PhoneBoy
Admin

When you configure the gateway to send Firewall blade logs via syslog as described in sk87560, they are not sent via syslogd.

The configuration of /etc/syslog.conf is therefore irrelevant in this case.

There is no mechanism to filter what logs are sent: it's either all Firewall blade logs or nothing.

FYI, the method described in sk87560 only sends Firewall blade logs and not logs from other Software Blades.

For other blades, you should use the Log Exporter guide.

Log Exporter currently doesn't support filtering logs either (other than filtering out Firewall blade logs) but I believe we plan to add this to Log Exporter in the future.

0 Kudos
Herschel_Liang
Collaborator

Hmm... So, could you please describe when sk92798 is suitable? Is sk92798 only used for the local disk?

0 Kudos
PhoneBoy
Admin

sk92798 is only relevant for events that originate from the Gaia OS itself, i.e. things that would normally appear in /var/log/messages.

Some/all of these events can be forwarded to an external syslog server, depending on how you implement sk92798.
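To see why the /etc/syslog.conf above cannot be the source of the notice-level messages, it helps to evaluate its selectors the way sysklogd does. The following Python model is an added example, not code from the thread or from Check Point; it implements classic BSD/sysklogd selector semantics (a priority matches itself and everything more severe, `none` disables a facility, and sub-selectors separated by `;` are applied left to right with later ones overriding earlier ones). The config text is copied from the `cat /etc/syslog.conf` output in the question, and the sample PRI values are constructed. With this config, only emerg-level Gaia OS events reach @172.22.112.119; a local0.notice message lands in /var/log/messages alone, which is consistent with the answer that the notice logs seen at the collector come from the Firewall blade path (sk87560), not from syslogd.

```python
"""Model of sysklogd /etc/syslog.conf selector matching (added example)."""
from typing import Dict, List, Optional, Tuple

# Standard facility and severity codes (RFC 3164 / RFC 5424 PRI encoding).
FACILITY_CODES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY_CODES: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
    # aliases accepted by sysklogd
    "panic": 0, "error": 3, "warn": 4,
}

# Active lines of the questioner's /etc/syslog.conf (comments dropped).
GAIA_SYSLOG_CONF = """
auth.* /var/log/auth
mail.* -/var/log/maillog
cron.* -/var/log/cron
*.info;local5.emerg;local0.notice;authpriv.emerg;cron.emerg;mail.emerg /var/log/messages
*.emerg *
*.emerg @172.22.112.119
local7.* /var/log/boot.log
authpriv.* /var/log/secure
uucp.crit;news.crit /var/log/spooler
"""

Threshold = Dict[str, Optional[int]]  # facility -> least severe code accepted


def parse_selector(selector: str) -> Threshold:
    """Turn 'fac[,fac].prio[;...]' into a per-facility severity threshold.

    Later sub-selectors override earlier ones for the facilities they name,
    so '*.info;local0.notice' accepts notice and above for local0 only.
    Only plain priority names, '*' and 'none' are supported here (no '='/'!').
    """
    threshold: Threshold = {fac: None for fac in FACILITY_CODES}
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        prio = prio.lower()
        if prio == "none":
            level: Optional[int] = None
        elif prio == "*":
            level = SEVERITY_CODES["debug"]
        else:
            level = SEVERITY_CODES[prio]
        targets = list(FACILITY_CODES) if facs == "*" else facs.split(",")
        for fac in targets:
            threshold[fac] = level
    return threshold


def parse_config(text: str) -> List[Tuple[Threshold, str]]:
    """Parse syslog.conf lines into (threshold, action) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        selector, action = line.split(None, 1)  # selector <whitespace> action
        rules.append((parse_selector(selector), action.strip()))
    return rules


def destinations(rules, facility: str, severity: str) -> List[str]:
    """Return every action (file, '*', '@host') a message would be sent to."""
    sev = SEVERITY_CODES[severity]
    return [action for threshold, action in rules
            if threshold.get(facility) is not None and sev <= threshold[facility]]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog <PRI> value into (facility, severity) names."""
    fac_code, sev_code = divmod(pri, 8)
    fac = next((n for n, c in FACILITY_CODES.items() if c == fac_code),
               f"facility{fac_code}")
    sev = next(n for n, c in SEVERITY_CODES.items() if c == sev_code)
    return fac, sev


if __name__ == "__main__":
    rules = parse_config(GAIA_SYSLOG_CONF)
    for pri in (133, 134, 128):  # constructed: local0.notice, local0.info, local0.emerg
        fac, sev = decode_pri(pri)
        print(f"<{pri}> {fac}.{sev:<7} -> {destinations(rules, fac, sev) or 'dropped'}")
```

Running the block prints one line per sample PRI; only the `<128>` (emerg) message shows the `@172.22.112.119` action, and the `<134>` (local0.info) message is dropped entirely because `local0.notice` overrides the earlier `*.info` for that facility.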

Herschel_Liang
Collaborator

All right, understood. Thanks!

0 Kudos
