Remote Log Messages
If you register a remote log receiver, Orchestrator electronically sends a log message to the receiver when certain events take place, such as alarms. The remote log messages that are sent by Orchestrator provide details about the events and are sent in either JSON format or RFC5424 syslog format depending on the type of server you register as a receiver. For information on how to register a remote log receiver, see Remote Log Receivers.
JSON Format
For HTTP, HTTPS, KAFKA, and WEBSOCKET servers, remote log messages are sent using REST POST requests, and the messages are sent in JSON format.
There are two JSON message formats, one for alarm messages and one for audit log messages. The following tables describe the data found in each type of JSON message.
JSON Alarm Message Format
Key | Type | Description |
---|---|---|
sequenceID | number | The unique ID for the alarm event. |
timestamp | UTC | The time at which Orchestrator sent the log message. |
hostname | string | The hostname of the Orchestrator. |
appName | string | ALARM. Indicates that the message is for an alarm. |
severity | string | Indicates the severity of the alarm. You can customize alarm severity in Orchestrator. |
msgId | number | An HPE Aruba Networking defined alarm type ID that can be used for parsing the product and alarm category information. |
data | JSON | Provides detailed alarm information. Note: See JSON Data Key for Orchestrator and Appliance Alarms for detailed information about the data fields that appear in the data key. |
message | string | A pipe delimited message that provides brief details about the event. |
JSON Audit Log Message Format
Key | Type | Description |
---|---|---|
sequenceID | number | The unique ID for the audit log event. |
timestamp | UTC | The time at which Orchestrator sent the log message. |
hostname | string | The hostname of the Orchestrator. |
appName | string | AUDIT_LOG. Indicates that the message is for an audit log. |
severity | string | Indicates the severity of the audit log event. All audit log events have a severity of INFO. |
msgId | number | -1 |
data | JSON | Provides detailed audit log information. Note: See JSON Data Key for Audit Logs for detailed information about the data fields that appear in the data key. |
message | string | A pipe delimited message that provides brief details about the event. |
The following tables describe the detailed information contained in the data key for each type of JSON message. The data key contains the bulk of the message data and has detailed information about the alarm or the audit log.
JSON Data Key for Orchestrator and Appliance Alarms
Field | Type | Description |
---|---|---|
clearable | boolean | Indicates if the alarm can be cleared by the user. |
acknowledged | boolean | Indicates if the alarm was acknowledged by the user. |
severity | string | Indicates the severity of the alarm. WARNING(1), MINOR(2), MAJOR(3), or CRITICAL(4). |
alarmCategory | string | This field is not used and does not contain any data. |
source | string | Indicates the module or component that generated the alarm. Some appliance alarms do not have a source defined. |
systemId | string | For Orchestrator alarms, this is the Orchestrator hostname. For appliance alarms, this is the unique ID of the appliance (for example, “0.NE” or “1.NE”). |
systemHostname | string | The hostname of the Orchestrator or appliance. |
alarmId | number | The unique ID of the Orchestrator or appliance alarm. |
raisedTime | epoch milliseconds | The time in UTC at which the alarm was raised. |
clearedTime | epoch milliseconds | The time in UTC at which the user cleared the alarm. A value of “0” indicates the alarm is still active. |
description | string | A description of the alarm. |
recommendedAction | string | Recommended actions the user can take to clear the alarm. |
closed | boolean | Indicates if the alarm has been cleared. |
JSON Data Key for Audit Logs
Field | Type | Description |
---|---|---|
id | number | The unique ID for the audit log event. |
user | string | Either the person who or the system that originated the action. |
ipAddress | string | The IP address of the Orchestrator. |
nepk | string | If the audit log event was an action performed on an appliance, this field shows the unique ID of the appliance. |
name | string | The name of the action performed in the audit log event. |
description | string | A description of the action performed in the audit log event. |
taskStatus | enum | Indicates the status of the action. NOT_STARTED (0), IN_PROGRESS (1), or COMPLETED (2). |
startTime | epoch milliseconds | The time in UTC when the action started. |
endTime | epoch milliseconds | The time in UTC when the action ended. |
logLevel | enum | Indicates the type of log. DEBUG (1), INFO (2), or ERROR (3). |
result | string | Indicates the result of the action and usually contains detailed data about the action that was taken. |
queuedTime | epoch milliseconds | The time when the action is enqueued for execution. |
percentComplete | % | Indicates the percentage of the action that has been completed. |
completion status | boolean | Indicates if the action is completed. |
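
The following Python code is an added example, not part of the HPE documentation or product code. It shows how an HTTP(S) receiver can validate one message against the tables above and flatten it for a SIEM. It assumes `data` arrives as a nested JSON object and epoch fields as numbers; the function names and all sample values are constructed.

```python
import json
from datetime import datetime, timezone

# Alarm severities and ranks as listed in the data-key table above.
ALARM_RANK = {"WARNING": 1, "MINOR": 2, "MAJOR": 3, "CRITICAL": 4}
ENVELOPE = {"sequenceID", "timestamp", "hostname", "appName",
            "severity", "msgId", "data", "message"}

def from_epoch_ms(ms):
    """Epoch milliseconds -> aware UTC datetime; 0 means 'not set'."""
    ms = int(ms)
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc) if ms else None

def normalize(raw):
    """Validate one POSTed JSON body and return a flat event dict."""
    msg = json.loads(raw)
    if not isinstance(msg, dict) or ENVELOPE - set(msg):
        raise ValueError("not an Orchestrator remote log message")
    data, kind = msg["data"], msg["appName"]
    event = {"seq": msg["sequenceID"], "host": msg["hostname"], "kind": kind}
    if kind == "ALARM":
        sev = str(data["severity"]).upper()
        if sev not in ALARM_RANK:
            raise ValueError(f"unknown alarm severity {sev!r}")
        event.update(rank=ALARM_RANK[sev], system=data["systemId"],
                     raised=from_epoch_ms(data["raisedTime"]),
                     cleared=from_epoch_ms(data["clearedTime"]),
                     active=int(data["clearedTime"]) == 0)  # 0 = still active
    elif kind == "AUDIT_LOG":
        if msg["msgId"] != -1:  # the audit envelope always carries -1
            raise ValueError("audit log message with msgId other than -1")
        event.update(user=data["user"], action=data["name"],
                     appliance=data.get("nepk") or None,
                     started=from_epoch_ms(data["startTime"]))
    else:
        raise ValueError(f"unexpected appName {kind!r}")
    return event

# Constructed samples: every value below is made up for illustration.
SAMPLE_ALARM = json.dumps({
    "sequenceID": 1201, "timestamp": "2024-05-01T10:00:05Z",
    "hostname": "orch-example", "appName": "ALARM", "severity": "MAJOR",
    "msgId": 0, "message": "MAJOR | tunnel1 | Tunnel is down", "data": {
        "severity": "MAJOR", "systemId": "0.NE",
        "raisedTime": 1714557600000, "clearedTime": 0}})
SAMPLE_AUDIT = json.dumps({
    "sequenceID": 77, "timestamp": "2024-05-01T10:01:00Z",
    "hostname": "orch-example", "appName": "AUDIT_LOG", "severity": "INFO",
    "msgId": -1, "message": "INFO | Login", "data": {
        "id": 77, "user": "admin", "name": "Login", "startTime": 1714557660000}})
```

Rejecting bodies that do not match the documented envelope keeps unrelated or malformed POSTs out of the alarm pipeline.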
RFC5424 Syslog Format
For syslog servers, remote log messages are sent using TCP/UDP, and the messages are sent in RFC5424 syslog format. All RFC5424 syslog remote messages contain the general details described in the following table, as well as a structured data section, which is described in Structured Data.
RFC5424 Syslog Message Details
Field | Type | Description |
---|---|---|
PRI | number | Indicates the syslog priority. |
version | number | Indicates the syslog version. |
timestamp | UTC | The time at which Orchestrator sent the log message. |
hostname | string | The hostname of the originator; the originator will be either an Orchestrator instance or an appliance. Minimally this should be the IPv4/6 address, but ideally it should be a string name, such as “ec-SF-123.” |
appName | string | AUDIT_LOG or ALARM. Indicates whether the message is for an alarm or an audit log. |
facility | string | Indicates the syslog facility level, as set by the user. |
severity | string | Indicates the syslog severity level. For audit log messages, either “Info” or “Debug” appears. For alarm messages, the user can map Orchestrator severity to syslog severity during configuration. |
structured data | RFC5424 | This field contains the sequenceId and detailed alarm or audit log data. The data is wrapped in brackets […] and can contain one or more structured data elements. Note: See Structured Data for detailed information. |
msgId | number | For alarms, use the HPE Aruba Networking defined alarm type ID. For audit logs, set to -1. |
message | string | A pipe delimited message that provides brief details about the event. Format: “<severity> | <source> | <description> | <userId> | <seqId> | <timestamp> | <src object id> | <target object id> | <result> | <hostname> | <customData>” |
Structured Data
Each syslog message contains two structured data elements. The first element contains information about the alarm or audit log, and there are three formats for the first element; one for Orchestrator alarm messages, one for appliance alarm messages, and one for audit log messages. The second structured data element contains the metadata. The following tables describe the information contained in the structured data elements.
RFC5424 Structured Data Element for Orchestrator Alarms
For an Orchestrator alarm, the first structured data element in the syslog message contains detailed Orchestrator alarm information.
Field | Type | Description |
---|---|---|
structured data id | string | HPE Aruba Networking enterprise number “SP@23867.” |
clearable | boolean | Indicates if the alarm can be cleared by the user. |
acknowledged | boolean | Indicates if the alarm was acknowledged by the user. |
severity | string enum | Indicates the severity of the alarm. WARNING(1), MINOR(2), MAJOR(3), or CRITICAL(4). |
alarmCategory | string | This field is not used and does not contain any data. |
source | string | Indicates the module or component that generated the alarm (for example, “/orchestration”, “/email/smtp”, “/system/backup”). |
systemId | string | The Orchestrator hostname. |
systemHostname | string | The Orchestrator hostname. |
alarmId | number | The unique ID of the Orchestrator alarm. |
raisedTime | epoch milliseconds | The time in UTC at which the alarm was raised. |
clearedTime | epoch milliseconds | The time in UTC at which the alarm was cleared by the user. A value of “0” indicates the alarm is still active. |
description | string | A description of the alarm. |
recommendedAction | string | Recommended actions the user can take to clear the alarm. |
closed | boolean | Indicates if the alarm has been cleared. |
RFC5424 Structured Data Element for Appliance Alarms
For an appliance alarm, the first structured data element in the syslog message contains detailed appliance alarm information.
Field | Type | Description |
---|---|---|
structured data id | string | HPE Aruba Networking enterprise number “SP@23867.” |
clearable | boolean | Indicates if the alarm can be cleared by the user. |
acknowledged | boolean | Indicates if the alarm was acknowledged by the user. |
severity | string enum | Indicates the severity of the alarm. WARNING (1), MINOR (2), MAJOR (3), or CRITICAL (4). |
alarmCategory | string | This field is not used and does not contain any data. |
source | string | Indicates the module or component that generated the alarm (for example, tunnel name “tunnel1” is used for a tunnel down alarm.). Some appliance alarms do not have a source defined. |
systemId | string | The unique ID of the appliance. |
systemHostname | string | The appliance hostname. |
alarmId | number | The unique ID for the appliance alarm. |
raisedTime | epoch milliseconds | The time in UTC at which the alarm was raised. |
clearedTime | epoch milliseconds | The time in UTC at which the user cleared the alarm. A value of “0” indicates the alarm is still active. |
description | string | A description of the alarm. |
recommendedAction | string | Recommended actions the user can take to clear the alarm. |
closed | boolean | Indicates if the alarm has been cleared. |
RFC5424 Structured Data Element for Audit Logs
For audit logs, the first structured data element in the syslog message contains detailed audit log information.
Field | Type | Description |
---|---|---|
structured data id | string | HPE Aruba Networking enterprise number “SP@23867.” |
id | number | The unique ID for the audit log event. |
user | string | Either the person who or the system that originated the action. |
nepk | string | If the audit log event was an action performed on an appliance, this field shows the unique ID of the appliance. |
name | string | The name of the action performed in the audit log event. |
description | string | A description of the action performed in the audit log event. |
taskStatus | enum | Indicates the status of the action. NOT_STARTED (0), IN_PROGRESS (1), or COMPLETED (2). |
startTime | epoch milliseconds | The time in UTC when the action started. |
endTime | epoch milliseconds | The time in UTC when the action ended. |
logLevel | enum | Indicates the type of log. DEBUG (1), INFO (2), or ERROR (3). |
result | string | Indicates the result of the action and usually contains detailed data about the action that was taken. |
RFC5424 Meta Structured Data Element
The second structured data element is the metadata.
Field | Type | Description |
---|---|---|
structured data id | string | The metadata for the event. |
sequenceId | number | The unique sequence ID for each event. Alarms and audit log events use a different sequence ID. |
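
The following Python code is an added example, not part of the HPE documentation or product code. It parses the two structured data elements from a syslog line and uses the per-type sequenceId to flag messages that never arrived, which matters most on UDP. Assumptions: the line follows the standard RFC 5424 header layout, the metadata element uses the SD-ID `meta` (the page does not state it), sequence IDs increase by one per event (the page states only that they are unique), and `sender` is the peer address the receiver saw.

```python
import re

# [SD-ID name="value" ...]; inside a value \" \\ and \] are escapes (RFC 5424).
SD_ELEMENT = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="(?:\\.|[^"\\])*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:\\.|[^"\\])*)"')

def parse_line(line):
    """Split one RFC 5424 line into header fields, SD elements and MSG."""
    head, _ts, host, app, _procid, msgid, rest = line.split(" ", 6)
    pri = int(re.fullmatch(r"<(\d{1,3})>\d+", head).group(1))
    elements, pos = {}, 0
    while m := SD_ELEMENT.match(rest, pos):
        elements[m.group(1)] = {
            name: re.sub(r'\\(["\\\]])', r"\1", value)
            for name, value in SD_PARAM.findall(m.group(2))}
        pos = m.end()
    return {"facility": pri >> 3, "severity": pri & 7, "hostname": host,
            "appName": app, "msgId": int(msgid), "sd": elements,
            "message": rest[pos:].strip()}

def sequence_id(event):
    """Return sequenceId from whichever element carries it (the metadata one)."""
    for params in event["sd"].values():
        if "sequenceId" in params:
            return int(params["sequenceId"])
    raise ValueError("no sequenceId in structured data")

class GapDetector:
    """Remember the last sequenceId per (sender, appName) and report holes."""
    def __init__(self):
        self.last = {}

    def observe(self, sender, event):
        key, seq = (sender, event["appName"]), sequence_id(event)
        prev = self.last.get(key)
        self.last[key] = seq if prev is None else max(prev, seq)
        return [] if prev is None or seq <= prev else list(range(prev + 1, seq))

# Constructed sample line; SD-ID "meta" and all values are assumptions.
SAMPLE_LINE = (r'<134>1 2024-05-01T10:00:00Z orch-example AUDIT_LOG - -1 '
               r'[SP@23867 id="501" user="admin" name="Login" '
               r'description="say \"hi\" [x\]" logLevel="INFO"]'
               r'[meta sequenceId="41"] INFO | Login | say hi')

if __name__ == "__main__":
    detector = GapDetector()
    for seq in ("41", "42", "45"):  # 43 and 44 never arrive
        event = parse_line(SAMPLE_LINE.replace('"41"', f'"{seq}"'))
        print(seq, detector.observe("192.0.2.10", event))
```

Because alarms and audit log events use different sequence IDs, the detector keeps a separate counter for each appName.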