
Remote Log Messages

If you register a remote log receiver, Orchestrator electronically sends a log message to the receiver when certain events take place, such as alarms. The remote log messages that are sent by Orchestrator provide details about the events and are sent in either JSON format or RFC5424 syslog format depending on the type of server you register as a receiver. For information on how to register a remote log receiver, see Remote Log Receivers.

JSON Format

For HTTP, HTTPS, KAFKA, and WEBSOCKET servers, remote log messages are sent using REST POST requests, and the messages are sent in JSON format.

There are two JSON message formats, one for alarm messages and one for audit log messages. The following tables describe the data found in each type of JSON message.

JSON Alarm Message Format

Key Type Description
sequenceID number The unique ID for the alarm event.
timestamp UTC The time at which Orchestrator sent the log message.
hostname string The hostname of the Orchestrator.
appName string ALARM. Indicates that the message is for an alarm.
severity string Indicates the severity of the alarm. You can customize alarm severity in Orchestrator.
msgId number An HPE Aruba Networking defined alarm type ID that can be used for parsing the product and alarm category information.
data JSON Provides detailed alarm information. Note: See JSON Data Key for Orchestrator and Appliance Alarms for detailed information about the data fields that appear in the data key.
message string A pipe delimited message that provides brief details about the event.

JSON Audit Log Message Format

Key Type Description
sequenceID number The unique ID for the audit log event.
timestamp UTC The time at which Orchestrator sent the log message.
hostname string The hostname of the Orchestrator.
appName string AUDIT_LOG. Indicates that the message is for an audit log.
severity string Indicates the severity of the audit log event. All audit log events have a severity of INFO.
msgId number -1
data JSON Provides detailed audit log information. Note: See JSON Data Key for Audit Logs for detailed information about the data fields that appear in the data key.
message string A pipe delimited message that provides brief details about the event.

The following tables describe the detailed information contained in the data key for each type of JSON message. The data key contains the bulk of the message data and has detailed information about the alarm or the audit log.

JSON Data Key for Orchestrator and Appliance Alarms

Field Type Description
clearable boolean Indicates if the alarm can be cleared by the user.
acknowledged boolean Indicates if the alarm was acknowledged by the user.
severity string Indicates the severity of the alarm. WARNING(1), MINOR(2), MAJOR(3), or CRITICAL(4).
alarmCategory string This field is not used and does not contain any data.
source string Indicates the module or component that generated the alarm. Some appliance alarms do not have a source defined.
systemId string For Orchestrator alarms, this is the Orchestrator hostname. For appliance alarms, this is the unique ID of the appliance (for example, “0.NE” or “1.NE”).
systemHostname string The hostname of the Orchestrator or appliance.
alarmId number The unique ID of the Orchestrator or appliance alarm.
raisedTime epoch milliseconds The time in UTC at which the alarm was raised.
clearedTime epoch milliseconds The time in UTC at which the user cleared the alarm. A value of “0” indicates the alarm is still active.
description string A description of the alarm.
recommendedAction string Recommended actions the user can take to clear the alarm.
closed boolean Indicates if the alarm has been cleared.

JSON Data Key for Audit Logs

Field Type Description
id number The unique ID for the audit log event.
user string Either the person who or the system that originated the action.
ipAddress string The IP address of the Orchestrator.
nepk string If the audit log event was an action performed on an appliance, this field shows the unique ID of the appliance.
name string The name of the action performed in the audit log event.
description string A description of the action performed in the audit log event.
taskStatus enum Indicates the status of the action. NOT_STARTED (0), IN_PROGRESS (1), or COMPLETED (2).
startTime epoch milliseconds The time in UTC when the action started.
endTime epoch milliseconds The time in UTC when the action ended.
logLevel enum Indicates the type of log. DEBUG (1), INFO (2), or ERROR (3).
result string Indicates the result of the action and usually contains detailed data about the action that was taken.
queuedTime epoch milliseconds The time when the action is enqueued for execution.
percentComplete % Indicates the percentage of the action that has been completed.
completion status boolean Indicates if the action is completed.
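A receiver can check each POST body against the keys documented above before storing it. The following is an added example, not HPE code: the names normalize and ms_to_utc, the sample values, and the timestamp string format are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Envelope keys this page documents for both JSON message types
ENVELOPE = {"sequenceID", "timestamp", "hostname", "appName",
            "severity", "msgId", "data", "message"}

def ms_to_utc(value):
    """Epoch milliseconds (number or numeric string) to an aware UTC datetime."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)

def normalize(body):
    """Validate one POSTed message body; return a flat record or raise ValueError."""
    msg = json.loads(body)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(msg, dict) or not isinstance(msg.get("data"), dict):
        raise ValueError("envelope or data key is not a JSON object")
    missing = ENVELOPE - set(msg)
    if missing:
        raise ValueError(f"missing envelope keys: {sorted(missing)}")
    data, kind = msg["data"], msg["appName"]
    rec = {"kind": kind, "seq": msg["sequenceID"], "host": msg["hostname"]}
    try:
        if kind == "ALARM":
            cleared = int(data["clearedTime"])
            rec.update(alarm_id=data["alarmId"], severity=data["severity"],
                       source=data.get("source"),  # some appliance alarms have none
                       raised=ms_to_utc(data["raisedTime"]),
                       cleared=ms_to_utc(cleared) if cleared else None,
                       active=cleared == 0)  # clearedTime 0 means still active
        elif kind == "AUDIT_LOG":
            if msg["msgId"] != -1:
                raise ValueError("audit log with msgId other than -1")
            rec.update(user=data["user"], action=data["name"],
                       appliance=data.get("nepk"), result=data.get("result"),
                       started=ms_to_utc(data["startTime"]))
        else:
            raise ValueError(f"unexpected appName {kind!r}")
    except (KeyError, TypeError) as exc:
        raise ValueError(f"bad or missing data field: {exc}") from None
    return rec

# Constructed sample alarm message; every value here is made up
SAMPLE_ALARM = """{"sequenceID": 1207, "timestamp": "2024-05-01T12:00:01Z",
 "hostname": "orch-01", "appName": "ALARM", "severity": "MAJOR", "msgId": 1000,
 "message": "MAJOR | tunnel1 | Tunnel down",
 "data": {"alarmId": 17, "severity": "MAJOR", "source": "tunnel1",
          "systemId": "0.NE", "raisedTime": 1714564800000, "clearedTime": 0}}"""
```

Rejecting messages that do not match the documented shape keeps malformed or unexpected input out of the alarm and audit stores.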

RFC5424 Syslog Format

For syslog servers, remote log messages are sent using TCP/UDP, and the messages are sent in RFC5424 syslog format. All RFC5424 syslog remote messages contain the general details described in the following table, as well as a structured data section, which is described in Structured Data.

RFC5424 Syslog Message Details

Field Type Description
PRI number Indicates the syslog priority.
version number Indicates the syslog version.
timestamp UTC The time at which Orchestrator sent the log message.
hostname string The hostname of the originator; the originator will be either an Orchestrator instance or an appliance. Minimally this should be the IPv4/6 address, but ideally it should be a string name, such as “ec-SF-123.”
appName string AUDIT_LOG or ALARM. Indicates whether the message is for an alarm or an audit log.
facility string Indicates the syslog facility level, as set by the user.
severity string Indicates the syslog severity level. For audit log messages, either “Info” or “Debug” appears. For alarm messages, the user can map Orchestrator severity to syslog severity during configuration.
structured data RFC5424 This field contains the sequenceId and detailed alarm or audit log data. The data is wrapped in brackets […] and can have one or more structured data elements. Note: See Structured Data for detailed information.
msgId number For alarms, use the HPE Aruba Networking defined alarm type ID. For audit logs, set to -1.
message string A pipe delimited message that provides brief details about the event. Format: “<severity> | <source> | <description> | <userId> | <seqId> | <timestamp> | <src object id> | <target object id> | <result> | <hostname> | <customData>”

Structured Data

Each syslog message contains two structured data elements. The first element contains information about the alarm or audit log, and there are three formats for the first element: one for Orchestrator alarm messages, one for appliance alarm messages, and one for audit log messages. The second structured data element contains the metadata. The following tables describe the information contained in the structured data elements.

RFC5424 Structured Data Element for Orchestrator Alarms

For an Orchestrator alarm, the first structured data element in the syslog message contains detailed Orchestrator alarm information.

Field Type Description
structured data id string HPE Aruba Networking enterprise number “SP@23867.”
clearable boolean Indicates if the alarm can be cleared by the user.
acknowledged boolean Indicates if the alarm was acknowledged by the user.
severity string enum Indicates the severity of the alarm. WARNING(1), MINOR(2), MAJOR(3), or CRITICAL(4).
alarmCategory string This field is not used and does not contain any data.
source string Indicates the module or component that generated the alarm (for example, “/orchestration”, “/email/smtp”, “/system/backup”).
systemId string The Orchestrator hostname.
systemHostname string The Orchestrator hostname.
alarmId number The unique ID of the Orchestrator alarm.
raisedTime epoch milliseconds The time in UTC at which the alarm was raised.
clearedTime epoch milliseconds The time in UTC at which the alarm was cleared by the user. A value of “0” indicates the alarm is still active.
description string A description of the alarm.
recommendedAction string Recommended actions the user can take to clear the alarm.
closed boolean Indicates if the alarm has been cleared.

RFC5424 Structured Data Element for Appliance Alarms

For an appliance alarm, the first structured data element in the syslog message contains detailed appliance alarm information.

Field Type Description
structured data id string HPE Aruba Networking enterprise number “SP@23867.”
clearable boolean Indicates if the alarm can be cleared by the user.
acknowledged boolean Indicates if the alarm was acknowledged by the user.
severity string enum Indicates the severity of the alarm. WARNING (1), MINOR (2), MAJOR (3), or CRITICAL (4).
alarmCategory string This field is not used and does not contain any data.
source string Indicates the module or component that generated the alarm (for example, tunnel name “tunnel1” is used for a tunnel down alarm.). Some appliance alarms do not have a source defined.
systemId string The unique ID of the appliance.
systemHostname string The appliance hostname.
alarmId number The unique ID for the appliance alarm.
raisedTime epoch milliseconds The time in UTC at which the alarm was raised.
clearedTime epoch milliseconds The time in UTC at which the user cleared the alarm. A value of “0” indicates the alarm is still active.
description string A description of the alarm.
recommendedAction string Recommended actions the user can take to clear the alarm.
closed boolean Indicates if the alarm has been cleared.

RFC5424 Structured Data Element for Audit Logs

For audit logs, the first structured data element in the syslog message contains detailed audit log information.

Field Type Description
structured data id string HPE Aruba Networking enterprise number “SP@23867.”
id number The unique ID for the audit log event.
user string Either the person who or the system that originated the action.
nepk string If the audit log event was an action performed on an appliance, this field shows the unique ID of the appliance.
name string The name of the action performed in the audit log event.
description string A description of the action performed in the audit log event.
taskStatus enum Indicates the status of the action. NOT_STARTED (0), IN_PROGRESS (1), or COMPLETED (2).
startTime epoch milliseconds The time in UTC when the action started.
endTime epoch milliseconds The time in UTC when the action ended.
logLevel enum Indicates the type of log. DEBUG (1), INFO (2), or ERROR (3).
result string Indicates the result of the action and usually contains detailed data about the action that was taken.

RFC5424 Meta Structured Data Element

The second structured data element is the metadata.

Field Type Description
structured data id string The metadata for the event.
sequenceId number The unique sequence ID for each event. Alarms and audit log events use a different sequence ID.
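On the syslog side, free-text values such as description can contain quotes and brackets, so the two structured data elements should be split with a parser that honors the RFC 5424 escapes rather than by cutting on "]". The following is an added example, not HPE code: the function names and the sample line are constructed, the "-" PROCID and the "meta" SD-ID in the sample follow RFC 5424 rather than this page, and the trailing period in “SP@23867.” is taken as punctuation.

```python
import re

# Header order per RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_ID = re.compile(r'\[([^\s="\]]+)')
# In a PARAM-VALUE only " \ ] are backslash-escaped; a bare ] is rejected
PARAM = re.compile(r' ([^\s="\]]+)="((?:\\.|[^"\\\]])*)"')
DETAIL_SD_ID = "SP@23867"  # SD-ID this page gives for alarm and audit log elements

def parse_sd(text):
    """Parse the leading [SD-ELEMENT]s of text; return (elements, remainder)."""
    elements, pos = {}, 0
    while text.startswith("[", pos):
        m = SD_ID.match(text, pos)
        if not m:
            raise ValueError("malformed SD-ID")
        sd_id, pos, params = m.group(1), m.end(), {}
        while p := PARAM.match(text, pos):
            params[p.group(1)] = re.sub(r'\\(["\\\]])', r"\1", p.group(2))
            pos = p.end()
        if not text.startswith("]", pos):
            raise ValueError(f"unterminated or unescaped data in {sd_id!r}")
        elements[sd_id], pos = params, pos + 1
    return elements, text[pos:].lstrip(" ")

def parse_message(line):
    """Return a flat record for one Orchestrator syslog line, or raise ValueError."""
    h = HEADER.match(line)
    if not h:
        raise ValueError("not an RFC 5424 header")
    pri, _ver, timestamp, host, app, _procid, msg_id = h.groups()
    sd, message = parse_sd(line[h.end():])
    if DETAIL_SD_ID not in sd:
        raise ValueError("missing alarm or audit log element")
    # Find the metadata element by its sequenceId parameter, not by SD-ID
    seq = next((p["sequenceId"] for p in sd.values() if "sequenceId" in p), None)
    detail = sd[DETAIL_SD_ID]
    return {
        "facility": int(pri) >> 3, "syslog_severity": int(pri) & 7,
        "timestamp": timestamp, "host": host, "app": app, "msg_id": msg_id,
        "sequence_id": seq, "detail": detail, "message": message,
        "active": detail.get("clearedTime") == "0" if app == "ALARM" else None,
    }

# Constructed sample line; host, IDs, times and msgId are made-up values
SAMPLE = (r'<131>1 2024-05-01T12:00:00.000Z ec-SF-123 ALARM - 1000 [SP@23867 '
          r'severity="MAJOR" source="tunnel1" raisedTime="1714564800000" clearedTime="0" '
          r'description="Tunnel \"tunnel1\" down [primary\]" closed="false"]'
          r'[meta sequenceId="1207"] MAJOR | tunnel1 | Tunnel down')
```

Because alarms and audit logs use different sequence IDs, key stored events on the pair (app, sequence_id) rather than on sequence_id alone.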


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.
