NetIron devices in any mode send the generated Syslog messages in real time to the local log storage on the device and to a Syslog server (only if a Syslog server is configured and available).
A NetIron device running in Common Criteria operational mode queues Syslog messages if a Syslog server is not available or not configured for the device. The queue limit is configurable up to a maximum of 5000 Syslog messages; the default is 500. When the configured limit is reached, each new audit log replaces an existing one, starting with the first audit log and continuing through each subsequent entry.
The Syslog buffer limit can be configured with the following command:
```
device(config)#logging buffered ?
  DECIMAL         <1..5000> Dynamic log entries
  alerts          Enable/disable logging of alert messages
  critical        Enable/disable logging of critical messages
  debugging       Enable/disable logging of debugging messages
  emergencies     Enable/disable logging of emergency messages
  errors          Enable/disable logging of error messages
  informational   Enable/disable logging of informational messages
  notifications   Enable/disable logging of notification messages
  warnings        Enable/disable logging of warning messages
device(config)#logging buffered 5000
```
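The following model of the overwrite behavior described above is an added example, not Brocade code. It shows which audit records survive when more messages are generated during a Syslog server outage than the buffer holds. The class name `AuditQueue`, the numeric sequence numbers, and the oldest-first replay order in `drain()` are assumptions made for illustration.

```python
"""Model of the Common Criteria audit queue: a fixed-size buffer that
overwrites its oldest entries once the configured limit is reached."""

MIN_LIMIT, MAX_LIMIT, DEFAULT_LIMIT = 1, 5000, 500  # limits stated on the page


class AuditQueue:  # hypothetical name, not a NetIron identifier
    def __init__(self, limit=DEFAULT_LIMIT):
        if not MIN_LIMIT <= limit <= MAX_LIMIT:
            raise ValueError(f"limit must be {MIN_LIMIT}..{MAX_LIMIT}")
        self.limit = limit
        self.slots = []        # physical storage, at most `limit` entries
        self.next_slot = 0     # slot the next overwrite will hit
        self.overwritten = 0   # audit records lost to overwrite

    def enqueue(self, record):
        if len(self.slots) < self.limit:
            self.slots.append(record)
        else:
            # Buffer full: replace the first record, then each subsequent one.
            self.slots[self.next_slot] = record
            self.next_slot = (self.next_slot + 1) % self.limit
            self.overwritten += 1

    def drain(self):
        """Return surviving records oldest-first (assumed replay order once a
        Syslog server becomes reachable) and empty the queue."""
        ordered = self.slots[self.next_slot:] + self.slots[:self.next_slot]
        self.slots, self.next_slot = [], 0
        return ordered


def simulate_outage(limit, generated):
    """Queue `generated` records (constructed sequence numbers 1..generated)
    while no server is available; return (survivors, lost_count)."""
    q = AuditQueue(limit)
    for seq in range(1, generated + 1):
        q.enqueue(seq)
    lost = q.overwritten
    return q.drain(), lost


if __name__ == "__main__":
    for limit in (DEFAULT_LIMIT, MAX_LIMIT):
        kept, lost = simulate_outage(limit, 1200)
        print(f"limit={limit}: kept {kept[0]}..{kept[-1]}, lost {lost}")
```

With the default limit of 500, the earliest records of a long outage are the ones that are lost, which is the reason to size the buffer against the expected message rate and the longest outage the audit trail must cover.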
NetIron devices, when enabled for Common Criteria mode, do not support Syslog servers that use UDP transport. However, other parameters that are defined for Syslog server connections, such as the hold time for queued messages and traps when the device reloads or switches over, are applicable for encrypted Syslog connections as well.
When you enable Common Criteria mode on a device, the device is in the Common Criteria Administrative mode, where Syslog server configuration that uses UDP transport is retained. You can configure encrypted Syslog server connections in this mode. However, Syslog messages that are generated when the device is in the administrative mode are sent to the UDP Syslog servers, not to the encrypted Syslog server that you have configured. When the device is put in the Common Criteria Operational mode, existing Syslog servers that use UDP transport are removed, and only encrypted Syslog server connections are accepted.
Conversely, when a device is downgraded from Common Criteria mode, the encrypted Syslog server connections that were configured are removed, and the device supports only unencrypted UDP Syslog servers. The following table summarizes these transitions.
| From | To non-FIPS mode | To FIPS mode | To Common Criteria Operational mode |
|---|---|---|---|
| Non-FIPS mode | Not applicable | No change. FIPS mode does not require encrypted Syslog servers. | All the UDP servers are removed when the device is put in CC Operational mode. Only encrypted Syslog server connections are allowed in CC Operational mode. |
| FIPS mode | No change | Not applicable | All the UDP servers are removed when the device is put in CC Operational mode. Only encrypted Syslog server connections are allowed in CC Operational mode. |
| Common Criteria mode | All the SSL servers are removed. Non-FIPS mode does not support encrypted Syslog server connections. | Not allowed. You must disable Common Criteria mode to revert to non-FIPS mode, and then re-enable FIPS mode. FIPS mode does not support encrypted Syslog server connections. | Not applicable |