Configuring the syslog message destinations

You can configure a switch to send the syslog messages to the following output locations: syslog daemon, system console, and SNMP management station.

System logging daemon

The system logging daemon (syslogd) is a process on UNIX, Linux, and some Windows systems that reads and logs messages as specified by the system administrator. The OS can be configured to use a UNIX-style syslogd process to forward system events and error messages to log files on a remote host system. The host system can be running UNIX, Linux, or any other operating system that supports the standard syslogd functionality. All the RASLog messages are forwarded to the syslogd. Configuring for syslogd involves configuring the host, enabling syslogd on the Extreme model, and optionally, setting the facility level.

Configuring a syslog server: To configure the switch to forward all RASLog messages to the syslogd of one or more servers, perform the following steps.

  1. Enter the configure terminal command to access the global configuration level of the CLI.

    device# configure terminal
    Entering configuration mode terminal
  2. Enter the logging syslog-server IP address command to add a server to which the messages are forwarded. You can configure a syslog server in IPv4 or IPv6 format. The following example shows how to configure a syslog server with an IPv4 address.

    device(config)# logging syslog-server 192.0.2.2

    You can configure as many as four syslog servers to receive the syslog messages.

  3. Enter the format command to configure the syslog server to use the RFC-5424 format for messages.

    device(config-syslog-server-192.0.2.2)# format RFC-5424

    The following example shows a SEC-3022 message in the format before configuring the syslog server to use the RFC-5424 format for messages:

    <190>Nov 30 01:00:03 SLX8-1 raslogd: [log@1588 value="RASLOG"][msgid@1588 value="SEC-3022"][seqnum@1588 value="6681"][attr@1588 value=" M1 | Active | WWN 10:00:c4:f5:7c:50:01:16"][severity@1588 value="INFO"][swname@1588 value="SLX9850-8"][arg0@1588 value="logout" desc="Event Name"][arg1@1588 value="admin" desc="User"] BOMEvent: logout, Status: success, Info: Successful logout by user [admin].

    The following example shows a SEC-3022 message in the format after configuring the syslog server to use the RFC-5424 format for messages:

    <190>1 2017-11-30T01:00:03+00:00 SLX8-1 raslogd - - [meta sequenceId="2"][log@1588 value="RASLOG"][msgid@1588 value="SEC-3022"][seqnum@1588 value="6681"][attr@1588 value=" M1 | Active | WWN 10:00:c4:f5:7c:50:01:16"][severity@1588 value="INFO"][swname@1588 value="SLX9850-8"][arg0@1588 value="logout" desc="Event Name"][arg1@1588 value="admin" desc="User"] BOMEvent: logout, Status: success, Info: Successful logout by user [admin].
  4. Enter the show running-config logging syslog-server command to verify the syslog configuration on the switch.

    device# show running-config logging syslog-server
    logging syslog-server 192.0.2.2
     format RFC-5424

The following example shows how to configure a syslog server with an IPv6 address.

device# configure terminal
Entering configuration mode terminal
device(config)# logging syslog-server 2017:DB8::32
device(config)# exit
device# show running-config logging syslog-server
logging syslog-server 2017:db8::32

You can remove a configured syslog server by using the no logging syslog-server IP address command.

Setting the syslog facility: The syslog facility is a configurable parameter that specifies the log file to which messages are forwarded. You must configure the syslog servers to receive system messages before you can configure the syslog facility. To set the syslog facility, perform the following steps.

  1. Enter the configure terminal command to access the global configuration level of the CLI.
    device# configure terminal
    Entering configuration mode terminal
  2. Enter the logging syslog-facility local log_level command to set the syslog facility to a specific log file.

    The log_level argument specifies the syslog facility and can be a value from LOG_LOCAL0 through LOG_LOCAL7. The default syslog level is LOG_LOCAL7. The following example shows how to set the syslog facility level to LOG_LOCAL2.

    device(config)# logging syslog-facility local LOG_LOCAL2
  3. Enter the show running-config logging syslog-facility command to verify the syslog facility configuration on the switch.

    device# show running-config logging syslog-facility
    logging syslog-facility local LOG_LOCAL2

    You can reset the syslog facility to the default (LOG_LOCAL7) by using the no logging syslog-facility local command.
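
The server configuration and the facility setting above meet in the PRI value at the start of each forwarded message: the `<190>` in the SEC-3022 samples is facility 23 (LOG_LOCAL7) times 8 plus severity 6 (info). The following Python sketch is an added example for the receiving host, not Extreme code; it parses both sample formats from the page, and the function name `parse_raslog` and the returned field names are assumptions made for illustration.

```python
import re

# Added example: parse_raslog and its field names are illustrative, not vendor code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# One structured-data element, e.g. [arg1@1588 value="admin" desc="User"]
SD_RE = re.compile(r'\[([^\s\]="]+)((?:\s+[^\s\]="]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r'([^\s\]="]+)="((?:[^"\\]|\\.)*)"')

# The two SEC-3022 samples shown on the page (older format, then RFC-5424).
SD_TAIL = ('[log@1588 value="RASLOG"][msgid@1588 value="SEC-3022"][seqnum@1588 value="6681"]'
           '[attr@1588 value=" M1 | Active | WWN 10:00:c4:f5:7c:50:01:16"][severity@1588 value="INFO"]'
           '[swname@1588 value="SLX9850-8"][arg0@1588 value="logout" desc="Event Name"]'
           '[arg1@1588 value="admin" desc="User"] BOMEvent: logout, Status: success, '
           'Info: Successful logout by user [admin].')
OLD_SAMPLE = "<190>Nov 30 01:00:03 SLX8-1 raslogd: " + SD_TAIL
RFC5424_SAMPLE = '<190>1 2017-11-30T01:00:03+00:00 SLX8-1 raslogd - - [meta sequenceId="2"]' + SD_TAIL


def parse_raslog(line):
    """Decode PRI and the structured-data elements of a RASLog syslog line."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri, rest = int(m.group(1)), line[m.end():]
    facility = pri >> 3                      # PRI = facility * 8 + severity
    rec = {
        "facility": f"local{facility - 16}" if 16 <= facility <= 23 else str(facility),
        "syslog_severity": SEVERITIES[pri & 7],
        "rfc5424": rest.startswith("1 "),    # VERSION follows PRI only in RFC 5424
    }
    sd, pos = {}, rest.find("[")
    # Walk only the contiguous run of elements so "[admin]" in the free text is not parsed.
    while pos != -1:
        m = SD_RE.match(rest, pos)
        if not m:
            break
        sd[m.group(1)] = dict(PARAM_RE.findall(m.group(2)))
        pos = m.end()
    rec["msgid"] = sd.get("msgid@1588", {}).get("value")
    rec["raslog_severity"] = sd.get("severity@1588", {}).get("value")
    rec["args"] = {p["desc"]: p["value"] for k, p in sd.items()
                   if k.startswith("arg") and "desc" in p and "value" in p}
    rec["sd"] = sd
    rec["text"] = rest[pos:].strip() if pos != -1 else rest.strip()
    return rec
```

A collector rule that matches on local7 stops matching once the switch facility is changed to LOG_LOCAL2, because the same message then arrives with PRI 150 instead of 190.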

System console

The system console displays all RASLog messages, AUDIT messages (if enabled), and panic dump messages. These messages are mirrored to the system console; they are always saved in one of the message logs.

The system console displays messages only through the serial port. If you log in to a switch through the Ethernet port or modem port, you do not receive system console messages.

You can filter the messages that are displayed on the system console by severity by using the logging raslog console command. All messages are still sent to the system message log, syslog (if enabled), and SNMP management station.

You can use the logging raslog console [stop [minutes] | start] command to disable and re-enable the RASLog messages from being displayed on the system console.

Setting the RASLog console severity level: You can limit the types of messages that are logged to the console by using the logging raslog console command. Only the RASLog messages at or above the configured severity level are displayed on the console. For example, if you configure the console severity level to ERROR, only ERROR and CRITICAL messages pass through. You can choose one of the following severity levels: INFO, WARNING, ERROR, or CRITICAL. The default severity level is INFO.

To set the severity levels for the RASLog console, perform the following step.

  1. Enter the configure terminal command to access the global configuration level of the CLI.
    device# configure terminal
    Entering configuration mode terminal

SNMP management station

When an unusual event, an error, or a status change occurs on the device, an event notification is sent to the SNMP management station. Network OS v7.1.0 supports two types of event notifications: traps (in SNMPv1, SNMPv2c, and SNMPv3) and informs (in SNMPv3).

  1. SNMP traps: An unsolicited message that comes to the management station from the SNMP agent on the device is called a trap. When an event occurs and if the event severity level is at or below the set severity level, the SNMP trap, swEventTrap, is sent to the configured trap recipients. The VarBind in the Trap Data Unit contains the corresponding instance of the event index, time information, event severity level, repeat count, and description. The possible severity levels follow:

    • Critical

    • Debug

    • Error

    • Info

    • None

    • Warning

    By default, the severity level is set to None, implying all traps are filtered and, therefore, no event traps are received. When the severity level is set to Info, all traps with the severity level of Info, Warning, Error, and Critical are received.
    Note

    The AUDIT log messages are not converted into swEventTrap.

    The SNMP traps are unreliable because the trap recipient does not send any acknowledgment when it receives a trap. Therefore, the SNMP agent cannot determine if the trap was received.

    Extreme switches send traps out on UDP port 162. To receive traps, the management station IP address must be configured on the switch. You can configure the SNMPv1, SNMPv2c, and SNMPv3 hosts to receive the traps. For more information, refer to “Configuring the SNMP (version 1 or version 2c) server host” in Configuring the SNMP server hosts.

  2. SNMP informs: An SNMP inform is similar to the SNMP trap except that the management station that receives an SNMP inform acknowledges the system message with an SNMP response PDU. If the sender does not receive the SNMP response, the SNMP inform request can be sent again. An SNMP inform request is saved in the switch memory until a response is received or the request times out. The SNMP informs are more reliable than traps, but they consume more resources in the device and in the network. Use SNMP informs only if it is important that the management station receives all event notifications. Otherwise, use the SNMP traps.

    Extreme devices support SNMPv3 informs. For more information, refer to “Configuring the SNMPv3 server” in Configuring the SNMP server hosts.