Configuring Logging

This section outlines the steps required to configure logging on a managed device.

For each category or subcategory of message, you can set the logging level or severity level of the messages to be logged. Table 1 summarizes these categories:

Table 1: Software Modules

Category / Subcategory    Description
------------------------  ------------------------------
Network                   Network messages
  all                     All network messages
  packet-dump             Protocol packet dump messages
  mobility                Mobility messages
  dhcp                    DHCP messages
System                    System messages
  all                     All system messages
  configuration           Configuration messages
  messages                Messages
  snmp                    SNMP messages
  webserver               Web server messages
Security                  Security messages
  all                     All security messages
  aaa                     AAA messages
  firewall                Firewall messages
  packet-trace            Packet trace messages
  mobility                Mobility messages
  vpn                     VPN messages
  dot1x                   802.1X messages
  webserver               Web server messages
Wireless                  Wireless messages
  all                     All wireless messages
User                      User messages
  all                     All user messages
  captive-portal          Captive portal user messages
  vpn                     VPN messages
  dot1x                   802.1X messages
  radius                  RADIUS user messages

For each category or subcategory, you can configure a logging level. Table 2 describes the logging levels in order of severity, from most to least severe.

Table 2: Logging Levels

Logging Level    Description
---------------  ------------------------------------------------------------
Emergency        Panic conditions that occur when the system becomes unusable.
Alert            Any condition requiring immediate attention and correction.
Critical         Any critical conditions such as a hard drive error.
Errors           Error conditions.
Warning          Warning messages.
Notice           Significant events of a non-critical and normal nature.
Informational    Messages of general interest to system users.
Debug            Messages containing information useful for debugging.

The default logging level for all categories is Warning. You can also configure the IP address of a syslog server to which the managed device can direct these logs.

The following procedure describes how to configure, in the WebUI, the IP address of a syslog server to which the managed device can direct these logs, and the logging level for each category or subcategory.

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Logging > Syslog Servers page.

2. To add a logging server, click + in the Syslog Servers section.

3. Enter the IP address and the Port number.

4. Add the logging server to the list of logging servers. Ensure that the syslog server is enabled and configured on this host. Click Apply.

5. To select the types of messages you want to log, select Logging Levels.

6. Select the category or subcategory to be logged.

7. To select the severity level for the category or subcategory, select the level from the Logging Level drop-down list.

8. Select the logging format, CEF or BSD-standard, from the Format drop-down list.

ArcSight CEF (Common Event Format) is a log management standard that uses a standardized logging format, a fixed prefix followed by a variable extension of key-value pairs, so that data can easily be collected and aggregated for analysis by an enterprise management system.

9. Click Submit.

10. Click Pending Changes.

11. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the IP address of a syslog server to which the managed device can direct these logs, and the logging level for a category or subcategory.

logging <ipaddr>

logging level <level> <category> [subcat <subcategory>]

Syslog operates over UDP and is connectionless. Therefore, the managed device cannot recognize a failure of the syslog server or of the network path to the syslog server. By establishing an IPsec tunnel between the managed device and the syslog server (see Planning a VPN Configuration), it is possible to indirectly track the status of the syslog server link.

After a failure occurs, the network administrator has to manually re-synchronize log files by copying them from the managed device to the syslog server. Use the tar logs CLI command to create an archive of all local logs, then use the copy CLI command to copy this archive to an external server. Log space is limited on the managed device, and depending on how long the outage lasted, some local logs may be overwritten.
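As an added example, not part of this document or the device software, the following Python code shows the collector side of the two points above: it decodes the severity field of BSD-standard syslog lines into the Table 2 level names, applies a threshold such as the default Warning, and flags sources that have gone silent, which is one way for the collector to notice a broken path that the sending device cannot detect over UDP. The hostnames, timestamps and messages in SAMPLE are constructed, not real device output.

```python
import re

# Syslog severity codes 0..7, in the order of Table 2 (Emergency is 0, Debug is 7).
SEVERITIES = ["Emergency", "Alert", "Critical", "Errors", "Warning",
              "Notice", "Informational", "Debug"]

# BSD-standard line as sent over UDP: <PRI>Mmm dd hh:mm:ss host message
BSD_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<msg>.*)$")

def parse_bsd(line):
    """Decode one BSD-format line; returns None for anything that does not parse."""
    m = BSD_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # only facility 0..23 and severity 0..7 are valid
        return None
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "timestamp": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}

def at_least(record, threshold="Warning"):
    """True when the record is at least as severe as the threshold (Warning is the device default)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(threshold)

def filter_lines(lines, threshold="Warning"):
    """Parse and keep records at or above the threshold, in input order; malformed lines are dropped."""
    records = (parse_bsd(line) for line in lines)
    return [r for r in records if r is not None and at_least(r, threshold)]

def silent_hosts(last_seen, now, max_gap):
    """Hosts whose last message (epoch seconds) is older than max_gap seconds.
    UDP syslog gives the sender no feedback, so a collector-side silence check is
    one way to notice that a device, or the path to it, has stopped delivering logs."""
    return sorted(host for host, seen in last_seen.items() if now - seen > max_gap)

# Constructed sample lines: PRI 188 = local7/Warning, 190 = local7/Informational,
# 185 = local7/Alert; the last line is deliberately malformed.
SAMPLE = [
    "<188>Mar 10 12:00:01 controller-1 authmgr: User admin failed to authenticate",
    "<190>Mar 10 12:00:02 controller-1 authmgr: User bob authenticated",
    "<185>Mar 10 12:00:03 controller-2 sapd: AP ap-7 down",
    "not a syslog line",
]
```

Calling filter_lines(SAMPLE) keeps only the Warning and Alert records, and silent_hosts can be run from a scheduler against a dictionary updated with each received message's arrival time.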