Configuring System Logging
Logs are managed in LunaSH with the syslog commands. You can set rotation and other parameters to suit your own monitoring and management schedule. You can also configure flexible logs to gather only information you consider relevant, or to send different logs to different remote syslog hosts. Check the current logging configuration with lunash:> syslog show.
This section contains the following system logging procedures:
- Rotating System Logs
- Customizing Severity Levels
- Reading System Logs
- HSM Alarm Logging
- Exporting System Logs
- Deleting System Logs
Rotating System Logs
System logs are gathered in a current log file that is periodically rotated and saved on the appliance. This allows you to easily search for logs from a specific relevant time period. You can customize the frequency of log rotation and how many rotated log files are saved. You can also rotate logs manually.
The syslog directory on the appliance will fill up over time, depending on how many old logs you choose to keep. LunaSH displays warnings when the system reaches 50%, 75%, and 90% of log capacity. If you see one of these warnings, export your old logs to a client workstation to clear space in the syslog directory.
NOTE: NTP logs are not included in the periodic log rotations. They accumulate in one continuous file (ntp.log) over a long period of time. Events are infrequent enough that the NTP log file is unlikely to fill the entire log directory.
To change the frequency of log rotation
You can configure the logs to rotate daily, weekly, or monthly.
lunash:> syslog period <syslogperiod>
lunash:>syslog period daily
Log period set to daily.
Command Result : 0 (Success)
To change the number of rotated log files saved on the appliance
You can save up to 100 rotated log files on the appliance. This command sets how many rotated logs are kept, and therefore how long old logs remain on the appliance (maximum: 100 logs, rotated monthly).
lunash:> syslog rotations <#_of_rotations>
lunash:> syslog rotations 5
Log rotations set to 5.
Command Result : 0 (Success)
To manually rotate the current log file
This command ensures that the most recent logs are included when exporting them off the appliance.
lunash:> syslog rotate
lunash:>syslog rotate
Command Result : 0 (Success)
Customizing Severity Levels
You can customize the logs stored on the appliance by setting the log severity level (see Log Severity Levels for a description of the different levels). If you are concerned about the log directory filling up, you can configure the appliance to store only the most severe events (emergency) and send the rest of the logs to a remote syslog server (see Remote System Logging).
NOTE: This feature requires minimum appliance software version 7.2. See Version Dependencies by Feature for more information.
To customize severity levels
1. Set the severity level for the desired log type (lunalogs, messages, cron, secure, boot).
lunash:> syslog severity set -logname <logname> -loglevel <loglevel>
lunash:>syslog severity set -logname lunalogs -loglevel emergency
This command sets the severity level of lunalogs local log messages.
Only messages with the severity equal to or higher than the new log level: "emergency" will be logged.
Stopping syslog: [ OK ]
Starting syslog: [ OK ]
Command Result : 0 (Success)
2. Optionally, confirm the new setting.
lunash:> syslog show
Local Configured Log Levels:
----------------------------
lunalogs    emergency
messages    *
cron        notice
secure      *
boot        *
Note: '*' means all log levels.
3. Repeat Step 1, specifying the severity level of each log type you wish to customize (lunalogs, messages, cron, secure, boot).
Reading System Logs
You can search the current log rotation for recent events without exporting log files. Rotated logs must be exported to a client workstation to be read. For a detailed guide to reading and interpreting system log messages, see About the Syslog and SNMP Monitoring Guide. Syslog format is in accordance with RFC 5424.
To search the current rotation of system logs
You can search the entire current log file, specify the number of recent entries you want to see, or search for specific types of entries.
lunash:> syslog tail -logname <logname> -entries <#entries>
lunash:>syslog tail -logname lunalogs -entries 8
2017 Mar 1 14:27:54 local_host local5 info hsm[32081]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar 1 14:27:55 local_host local5 info hsm[32120]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar 1 14:29:53 local_host local5 info hsm[3948]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar 1 14:29:59 local_host local5 info lunash [29529]: info : 0 : Command: syslog remotehost add : admin : 10.124.0.87/61470
2017 Mar 1 14:30:37 local_host local5 info hsm[5511]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar 1 14:30:48 local_host local5 info lunash [29529]: info : 0 : Command: syslog remotehost list : admin : 10.124.0.87/61470
2017 Mar 1 14:33:10 local_host local5 info lunash [29529]: info : 0 : Command: syslog severity set : admin : 10.124.0.87/61470
2017 Mar 1 14:33:47 local_host local5 info lunash [29529]: info : 0 : Command: syslog severity set -logname lunalogs -loglevel crit : admin : 10.124.0.87/61470
Command Result : 0 (Success)
HSM Alarm Logging
The HSM card produces logs pertaining to the card status, including alarm messages for events such as zeroization, tamper events, and changes to Secure Transport Mode. The syslog tail command allows you to search for this type of message in the logs.
To search the system logs for HSM alarm messages
Search for log messages containing the string "ALM".
lunash:> syslog tail -logname messages -entries <#entries> -search ALM
For example, this command will display all alarm messages from the last 200000 log entries:
lunash:>syslog tail -logname messages -entries 200000 -search ALM
2017 Apr 17 11:00:45 local_host kern info kernel: k7pf0: [HSM] ALM2006: HSM decommissioned by FW
2017 Apr 17 11:00:48 local_host kern info kernel: k7pf0: [HSM] ALM2014: Auto-activation data invalid - HSM deactivated
2017 Apr 17 11:01:12 local_host kern info kernel: k7pf0: [HSM] ALM2006: HSM decommissioned by FW
2017 Apr 17 11:01:14 local_host kern info kernel: k7pf0: [HSM] ALM2011: HSM unlocked - tamper clear done
2017 Apr 17 11:02:47 local_host kern info kernel: k7pf0: [HSM] ALM2007: HSM zeroized
2017 Apr 17 11:02:47 local_host kern info kernel: k7pf0: [HSM] ALM2005: HSM deactivated
2017 Apr 17 11:15:32 local_host kern info kernel: k7pf0: [HSM] ALM2013: HSM recovered from secure transport mode
Command Result : 0 (Success)
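The records returned by syslog tail, both the lunalogs entries shown under Reading System Logs and the ALM messages shown above, are easier to act on once they are parsed into fields. The following Python script is an added example and is not part of the Thales documentation or of LunaSH: it parses lines in the layout of the page's syslog tail output, keeps only records at or above a chosen severity (mirroring the "equal to or higher than the new log level" rule described under Customizing Severity Levels), and extracts the ALM code from HSM alarm messages so that a monitoring job can alert on zeroization, tamper or decommission events. The sample lines are constructed from the records shown on this page; the regular expression, the LogEntry fields and the severity name aliases are assumptions about the output layout, not a documented interface.

```python
"""Parse LunaSH `syslog tail` output and flag HSM alarm (ALM) events.

Constructed example, not Thales code. The line layout is taken from the
`syslog tail` output shown in the documentation; everything else is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity keywords, most severe first (RFC 5424 numeric codes 0..7).
SEVERITY_ORDER = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Long spellings accepted by `syslog severity set` (e.g. "emergency") and
# other common spellings, mapped onto the keyword list above. Assumed.
SEVERITY_ALIASES = {"emergency": "emerg", "panic": "emerg", "critical": "crit",
                    "error": "err", "warn": "warning"}

# One record of `syslog tail` output, e.g.
#   2017 Mar 1 14:27:54 local_host local5 info hsm[32081]: STC policy is set ...
#   2017 Apr 17 11:02:47 local_host kern info kernel: k7pf0: [HSM] ALM2007: HSM zeroized
# The program name may or may not carry a "[pid]" (with or without a space).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<facility>\S+) (?P<severity>\S+) "
    r"(?P<program>[^\s\[:]+)(?: ?\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# HSM alarm messages carry a four-digit ALM code followed by a description.
ALM_RE = re.compile(r"ALM(?P<code>\d{4}): (?P<text>.*)$")


@dataclass
class LogEntry:
    ts: str
    host: str
    facility: str
    severity: str
    program: str
    pid: Optional[str]
    msg: str


def severity_rank(name: str) -> int:
    """0 = emergency ... 7 = debug; raises ValueError for an unknown name."""
    key = SEVERITY_ALIASES.get(name.lower(), name.lower())
    return SEVERITY_ORDER.index(key)


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for lines that are not log records
    (the trailing 'Command Result : 0 (Success)' line, blank lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(**m.groupdict())


def parse_output(text: str) -> List[LogEntry]:
    """Parse a whole captured `syslog tail` session, skipping non-record lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def at_least(entries: List[LogEntry], level: str) -> List[LogEntry]:
    """Keep entries whose severity is equal to or higher than `level`,
    which is what the appliance keeps locally after `syslog severity set`."""
    threshold = severity_rank(level)
    return [e for e in entries if severity_rank(e.severity) <= threshold]


def find_alarms(entries: List[LogEntry]) -> List[Tuple[str, str, str]]:
    """(timestamp, ALM code, description) for every HSM alarm record."""
    found = []
    for e in entries:
        m = ALM_RE.search(e.msg)
        if m:
            found.append((e.ts, m.group("code"), m.group("text")))
    return found


# Constructed sample, assembled from records shown in the documentation.
SAMPLE = """\
2017 Mar 1 14:27:54 local_host local5 info hsm[32081]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar 1 14:29:59 local_host local5 info lunash [29529]: info : 0 : Command: syslog remotehost add : admin : 10.124.0.87/61470
2017 Apr 17 11:00:45 local_host kern info kernel: k7pf0: [HSM] ALM2006: HSM decommissioned by FW
2017 Apr 17 11:02:47 local_host kern info kernel: k7pf0: [HSM] ALM2007: HSM zeroized
2017 Apr 17 11:15:32 local_host kern info kernel: k7pf0: [HSM] ALM2013: HSM recovered from secure transport mode
Command Result : 0 (Success)
"""

if __name__ == "__main__":
    entries = parse_output(SAMPLE)
    print(f"{len(entries)} records parsed")
    for ts, code, text in find_alarms(entries):
        print(f"{ts}  ALM{code}  {text}")
    # The ALM records above are logged at 'info', so a 'notice' threshold
    # on the messages log would keep none of them.
    print(len(at_least(entries, "notice")), "records at notice or higher")
```

Feed the script the text captured from a syslog tail session or the contents of an exported rotated log. Note that the ALM records in the example above are written at severity info in the messages log, so raising the messages threshold above info with syslog severity set would stop them being stored on the appliance; keep that log at info, or forward it to a remote syslog host (see Remote System Logging) before tightening the local threshold.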
Exporting System Logs
If you are managing the logs locally, you must transfer them to a client workstation in order to read them. After you have exported the log records, you can clear them from the syslog directory on the appliance.
To transfer system logs from the appliance to a client
1. Create the log archive file.
lunash:> syslog tarlogs
lunash:>syslog tarlogs
The tar file containing logs is now available via scp as filename 'logs.tgz'.
Command Result : 0 (Success)
2. Transfer logs.tgz from the appliance to a client using pscp/scp.
>pscp admin@<applianceIP>:logs.tgz .
3. If you have configured NTP, transfer the ntp.log file from the appliance to a client.
>pscp admin@<applianceIP>:ntp.log .
Deleting System Logs
Once you have exported the log files to a client, you can clear the appliance's syslog directory. This process creates an archive of all the stored logs before deleting the original files.
CAUTION! Ensure that you have retrieved a copy of ntp.log before you run syslog cleanup. It is not archived with the rest of the logs.
To delete the stored system logs
lunash:> syslog cleanup
lunash:>syslog cleanup
WARNING !! This command creates an archive of the current logs then deletes ALL THE LOG FILES.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.
> proceed
Proceeding...
Creating tarlogs then deleting all log files...
The tar file containing logs is now available via scp as filename "logs_cleanup_20170301_1443.tgz".
Please copy "logs_cleanup_20170301_1443.tgz" to a client machine with scp.
Deleting log files ...
restart the rsyslogd service if it's running
Stopping syslog: [ OK ]
Starting syslog: [ OK ]
Command Result : 0 (Success)