Configuring Logging
This section outlines the steps required to configure logging on a managed device.
For each category or subcategory of message, you can set the logging level or severity level of the messages to be logged. Table 1 summarizes these categories:

Category | Subcategory |
Network messages | All network messages |
Network messages | Protocol packet dump messages |
Network messages | Mobility messages |
System messages | All system messages |
System messages | Configuration messages |
System messages | Messages |
System messages | Web server messages |
Security messages | All security messages |
Security messages | Packet trace messages |
Security messages | Mobility messages |
Security messages | Web server messages |
Wireless messages | All wireless messages |
User messages | All user messages |
For each category or subcategory, you can configure a logging level. Table 2 describes the logging levels in order of severity, from most to least severe.

Logging Level | Description |
 | Panic conditions that occur when the system becomes unusable. |
 | Any condition requiring immediate attention and correction. |
 | Any critical conditions such as a hard drive error. |
 | Error conditions. |
 | Warning messages. |
 | Significant events of a non-critical and normal nature. |
 | Messages of general interest to system users. |
 | Messages containing information useful for debugging. |
The default logging level for all categories is Warning. You can also configure the IP address of a syslog server to which the managed device can direct these logs.
The following procedure describes how to configure the IP address of a syslog server to which the managed device can direct these logs.
1. In the node hierarchy, navigate to the page.
2. To add a logging server, click + in the section.
3. Enter the and the .
4. Add the logging server to the list of logging servers. Ensure that the syslog server is enabled and configured on this host. Click .
5. To select the types of messages you want to log, select .
6. Select the category or subcategory to be logged.
7. To select the severity level for the category or subcategory, select the level from the Logging Level drop-down list.
8. Select the logging format or from the drop-down list.
Logging Format | Description |
CEF | The ArcSight Common Event Format (CEF) is a standard for the interoperability of event- or log-generating devices and applications. The standard syntax for CEF includes a prefix and a variable extension formatted as key-value pairs. |
 | A log management standard that uses a standardized logging format so that data can easily be collected and aggregated for analysis by an enterprise management system. |
9. Click .
10. Click .
11. In the window, select the check box and click .
The following CLI commands configure the IP address of a syslog server to which the managed device can direct these logs and set the logging level for a category or subcategory:
logging <ipaddr>
logging level <level> <category> [subcat <subcategory>]
Syslog operates over UDP and is connectionless: UDP is a stateless transport that does not acknowledge that the packets sent have been received. Therefore, the managed device cannot recognize a failure of the syslog server or of the network path to it. By establishing an IPsec tunnel (IPsec authenticates and encrypts each IP packet in the session) between the managed device and the syslog server (see Planning a VPN Configuration), it is possible to indirectly track the status of the syslog server link.
After a failure occurs, the network administrator has to manually re-synchronize log files by copying them from the managed device to the syslog server. Use the CLI command to create an archive of all local logs, then use the CLI command to copy this archive to an external server. Log space on the managed device is limited, and depending on how long the outage lasted, some local logs may already have been overwritten.
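The CEF format selected in step 8 carries a fixed, '|'-separated prefix followed by a key=value extension, so the collector receiving these messages has to split the two halves while honouring the CEF escape rules ('\|' in the prefix, '\=' in extension values). The following Python parser is an added collector-side example, not code from this page or from the device vendor; the sample syslog line, vendor, product and event values in it are constructed for the example.

```python
import re

# CEF record layout (ArcSight CEF standard): CEF:Version|Device Vendor|Device Product|
# Device Version|Signature ID|Name|Severity|Extension; the extension is key=value pairs
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # a key sits at line start or after whitespace
SAMPLE = (  # constructed sample line; vendor, product and event values are made up
    "<132>Jan 10 12:00:01 md-01 CEF:0|ExampleVendor|ManagedDevice|1.0|100|"
    "User authentication failed|5|src=10.0.0.5 suser=alice msg=bad password\\=x act=deny")

def _split_prefix(body):
    """Split off the 7 prefix fields, honouring '\\|' and '\\\\' escapes; returns (fields, raw_extension)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escape: take the next character literally
            i += 1
            cur.append(body[i])
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, body[i:]

def _unescape_value(value):
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> newline / CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    """Split 'k=v k2=v v' pairs: values may contain spaces, and '=' inside a value is escaped."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[cur.group(1)] = _unescape_value(ext[cur.end():end].strip())
    return out

def parse_cef(line):
    """Parse a syslog line carrying a CEF record into header fields plus an 'extension' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_prefix(line[start + len("CEF:"):])
    if len(fields) != len(CEF_HEADER_FIELDS):
        raise ValueError("malformed CEF prefix: expected 7 '|'-separated fields")
    record = dict(zip(CEF_HEADER_FIELDS, fields))
    record["severity"] = int(record["severity"]) if record["severity"].isdigit() else record["severity"]
    record["extension"] = _parse_extension(ext)
    return record
```

Lines that fail to parse (no CEF marker, or too few prefix fields) raise ValueError so the collector can count them rather than silently dropping events.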