Configuring System Logging

Logs are managed in LunaSH with the syslog commands (see syslog). You can set rotation and other parameters to suit your own monitoring and management schedule. You can also configure flexible logs to gather only information you consider relevant, or to send different logs to different remote syslog hosts. Check the current logging configuration in LunaSH with syslog show.

This section contains the following system logging procedures:

Rotating System Logs
Customizing Severity Levels
Reading System Logs
Exporting System Logs
Deleting System Logs

Rotating System Logs

System logs are gathered in a current log file that is periodically rotated and saved on the appliance. This allows you to easily search for logs from a specific relevant time period. You can customize the frequency of log rotation and how many rotated log files are saved. You can also rotate logs manually.

The syslog directory on the appliance will fill up over time, depending on how many old logs you choose to keep. LunaSH displays warnings when the system reaches 50%, 75%, and 90% of log capacity. If you see one of these warnings, export your old logs to a client workstation to clear space in the syslog directory.

NOTE   NTP logs are not included in the periodic log rotations. They accumulate in one continuous file over a long period of time (ntp.log). Events are infrequent enough that the NTP log file is unlikely to fill the entire log directory.

To change the frequency of log rotation:

Use syslog period (see syslog period). You can configure the logs to rotate daily, weekly, or monthly.

lunash:>syslog period <syslogperiod>

lunash:>syslog period daily

Log period set to daily.

Command Result : 0 (Success)

To change the number of rotated log files saved on the appliance:

Use syslog rotations (see syslog rotations). You can save up to 100 rotated log files on the appliance. This command allows you to define how long to keep old logs on the appliance (maximum: 100 logs, rotated monthly).

lunash:>syslog rotations <#_of_rotations>

lunash:>syslog rotations 5

Log rotations set to 5.

Command Result : 0 (Success)

To manually rotate the current log file:

Use syslog rotate (see syslog rotate). Rotating manually before an export ensures that the most recent entries are included in the archive you transfer off the appliance.

lunash:>syslog rotate

lunash:>syslog rotate

Command Result : 0 (Success)

Customizing Severity Levels

You can customize the logs stored on the appliance by setting the log severity level (see Log Severity Levels for a description of the different levels). If you are concerned about the log directory filling up, you can configure the appliance to store only the most severe events (emergency) and send the rest of the logs to a remote syslog server (see Remote System Logging).

NOTE   This feature has software and/or firmware dependencies. See Version Dependencies by Feature for more information.

To customize severity levels:

1. Set the severity level for the desired log type (lunalogs, messages, cron, secure, boot). See syslog severity set.

lunash:>syslog severity set -logname <logname> -loglevel <loglevel>

lunash:>syslog severity set -logname lunalogs -loglevel emergency

This command sets the severity level of lunalogs local log messages.
Only messages with the severity equal to or higher than the new
log level: "emergency" will be logged.

Stopping syslog:                                           [  OK  ]

Starting syslog:                                           [  OK  ]

Command Result : 0 (Success)

2. Optionally, confirm the new setting (see syslog show).

lunash:>syslog show

Local Configured Log Levels:
----------------------------
lunalogs       emergency
messages       *
cron           notice
secure         *
boot           *
 
Note: '*' means all log levels.

3. Repeat Step 1, specifying the severity level of each log type you wish to customize (lunalogs, messages, cron, secure, boot).

Reading System Logs

You can search the current log rotation for recent events without exporting log files. Rotated logs must be exported to a client workstation to be read. For a detailed guide to reading and interpreting system log messages, see About the Syslog and SNMP Monitoring Guide in the Syslog and SNMP Monitoring Guide. The syslog message format conforms to RFC 5424.

To search the current rotation of system logs:

Use syslog tail (see syslog tail). You can search the entire current log file, specify the number of recent entries you want to see, or search for specific types of entries.

lunash:>syslog tail -logname <logname> -entries <#entries>

lunash:>syslog tail -logname lunalogs -entries 8
 
2017 Mar  1 14:27:54 local_host  local5 info  hsm[32081]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar  1 14:27:55 local_host  local5 info  hsm[32120]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar  1 14:29:53 local_host  local5 info  hsm[3948]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar  1 14:29:59 local_host  local5 info  lunash [29529]: info : 0 : Command: syslog remotehost add  : admin : 10.124.0.87/61470
2017 Mar  1 14:30:37 local_host  local5 info  hsm[5511]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar  1 14:30:48 local_host  local5 info  lunash [29529]: info : 0 : Command: syslog remotehost list  : admin : 10.124.0.87/61470
2017 Mar  1 14:33:10 local_host  local5 info  lunash [29529]: info : 0 : Command: syslog severity set  : admin : 10.124.0.87/61470
2017 Mar  1 14:33:47 local_host  local5 info  lunash [29529]: info : 0 : Command: syslog severity set -logname lunalogs -loglevel crit : admin : 10.124.0.87/61470
 
Command Result : 0 (Success)

HSM Alarm Logging

The HSM card produces logs pertaining to the card status, including alarm messages for events such as zeroization, tamper events, and changes to Secure Transport Mode. The syslog tail command allows you to search for this type of message in the logs.

To search the system logs for HSM alarm messages:

Search for log messages containing the string "ALM" (see syslog tail).

lunash:>syslog tail -logname messages -entries <#entries> -search ALM

For example, this command will display all alarm messages from the last 200000 log entries:

lunash:>syslog tail -logname messages -entries 200000 -search ALM
 
2017 Apr 17 11:00:45 local_host kern info kernel: k7pf0: [HSM] ALM2006: HSM decommissioned by FW
2017 Apr 17 11:00:48 local_host kern info kernel: k7pf0: [HSM] ALM2014: Auto-activation data invalid - HSM deactivated
2017 Apr 17 11:01:12 local_host kern info kernel: k7pf0: [HSM] ALM2006: HSM decommissioned by FW
2017 Apr 17 11:01:14 local_host kern info kernel: k7pf0: [HSM] ALM2011: HSM unlocked - tamper clear done
2017 Apr 17 11:02:47 local_host kern info kernel: k7pf0: [HSM] ALM2007: HSM zeroized
2017 Apr 17 11:02:47 local_host kern info kernel: k7pf0: [HSM] ALM2005: HSM deactivated
2017 Apr 17 11:15:32 local_host kern info kernel: k7pf0: [HSM] ALM2013: HSM recovered from secure transport mode
 
Command Result : 0 (Success)
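The following Python script is an added example, not part of the Luna documentation or the LunaSH product, for working with log lines after they have been exported with syslog tarlogs and unpacked on a client workstation. It parses the line layout shown in the syslog tail output above, applies the same severity ordering that syslog severity set uses (RFC 5424 numbering, emergency being the most severe), extracts the HSM ALM alarm codes from the messages log, and pulls the LunaSH command-audit records (user, source address, command) from lunalogs. The function names, the SEVERITY alias table, and the SAMPLE lines (copied from the examples above, plus one deliberately malformed line) are this example's own assumptions.

```python
"""Parse exported Luna appliance syslog lines, filter them by severity, and
pull out HSM alarm (ALMnnnn) and LunaSH command-audit records.

Added example; not part of the Luna documentation or product. It assumes the
line layout shown in the syslog tail output of the documentation; the helper
names and the SEVERITY alias table are this example's own.
"""
import re
from collections import Counter

# RFC 5424 severity numbers; a lower number is MORE severe. The short forms
# (emerg, crit, err) are the spellings that appear in LunaSH output.
SEVERITY = {
    "emerg": 0, "emergency": 0, "alert": 1, "crit": 2, "critical": 2,
    "err": 3, "error": 3, "warning": 4, "warn": 4, "notice": 5,
    "info": 6, "debug": 7,
}

# "2017 Mar  1 14:27:54 local_host  local5 info  hsm[32081]: <message>"
# The process field may carry a PID with or without a space ("lunash [29529]")
# or no PID at all ("kernel").
LINE_RE = re.compile(
    r"^(?P<year>\d{4}) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) +(?P<facility>\S+) "
    r"(?P<severity>\S+) +(?P<proc>[^\s\[:]+) ?(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ALM_RE = re.compile(r"\bALM(?P<code>\d{4}): (?P<text>.*)$")
# "info : 0 : Command: syslog remotehost add  : admin : 10.124.0.87/61470"
CMD_RE = re.compile(
    r"^(?P<level>\w+) : (?P<rc>\d+) : Command: (?P<cmd>.*?) +: "
    r"(?P<user>\S+) : (?P<ip>[\d.]+)/(?P<port>\d+)$"
)

# Constructed sample: lines copied from the documentation's examples plus one
# malformed line, to show that unparsable input is counted rather than ignored.
SAMPLE = """\
2017 Mar  1 14:27:54 local_host  local5 info  hsm[32081]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
2017 Mar  1 14:29:59 local_host  local5 info  lunash [29529]: info : 0 : Command: syslog remotehost add  : admin : 10.124.0.87/61470
2017 Mar  1 14:33:47 local_host  local5 info  lunash [29529]: info : 0 : Command: syslog severity set -logname lunalogs -loglevel crit : admin : 10.124.0.87/61470
2017 Apr 17 11:00:45 local_host kern info kernel: k7pf0: [HSM] ALM2006: HSM decommissioned by FW
2017 Apr 17 11:01:12 local_host kern info kernel: k7pf0: [HSM] ALM2006: HSM decommissioned by FW
2017 Apr 17 11:02:47 local_host kern info kernel: k7pf0: [HSM] ALM2007: HSM zeroized
this line is not syslog output and must be counted, not crashed on
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def severity_rank(name):
    """Numeric RFC 5424 severity; rejects spellings we do not know rather than guessing."""
    try:
        return SEVERITY[name.lower()]
    except KeyError:
        raise ValueError(f"unknown syslog severity: {name!r}") from None


def at_least(severity, threshold):
    """True if a message of `severity` would survive `syslog severity set -loglevel <threshold>`,
    i.e. it is equal to or more severe than the threshold."""
    return severity_rank(severity) <= severity_rank(threshold)


def hsm_alarm(rec):
    """Return (code, text) for a k7pf0 [HSM] ALMnnnn message, else None."""
    m = ALM_RE.search(rec["msg"])
    return (int(m.group("code")), m.group("text")) if m else None


def lunash_command(rec):
    """Return the audited LunaSH command and the admin session that ran it, else None."""
    if rec["proc"] != "lunash":
        return None
    m = CMD_RE.match(rec["msg"])
    return m.groupdict() if m else None


def summarize(lines, threshold="info"):
    """Walk exported log lines: count alarms by code, collect admin commands,
    and report lines that did not parse so nothing is silently dropped."""
    summary = {"alarms": Counter(), "commands": [], "kept": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                summary["unparsed"] += 1
            continue
        if not at_least(rec["severity"], threshold):
            continue
        summary["kept"] += 1
        alarm = hsm_alarm(rec)
        if alarm:
            summary["alarms"][alarm[0]] += 1
        cmd = lunash_command(rec)
        if cmd:
            summary["commands"].append((cmd["user"], cmd["ip"], cmd["cmd"]))
    return summary


if __name__ == "__main__":
    for level in ("info", "emergency"):
        print(level, summarize(SAMPLE, threshold=level))
```

Running the script against the sample shows the trade-off behind Customizing Severity Levels: at the default info threshold the two ALM2006 and one ALM2007 alarm and both admin commands are reported, while at the emergency threshold every one of these lines is dropped, because the alarm and audit entries are logged at info. If you set a high local threshold to save space, forward the full stream to a remote syslog server and run this kind of review there.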

Exporting System Logs

If you are managing the logs locally, you must transfer them to a client workstation in order to read them. After you have exported the log records, you can clear them from the syslog directory on the appliance.

To transfer system logs from the appliance to a client:

1. Create the log archive file (see syslog tarlogs).

lunash:>syslog tarlogs

lunash:>syslog tarlogs

The tar file containing logs is now available via scp as filename 'logs.tgz'.

Command Result : 0 (Success)

2. Transfer logs.tgz from the appliance to a client using scp/pscp (see SCP and PSCP).

>scp admin@<applianceIP>:logs.tgz .

3. If you have configured NTP, transfer the ntp.log file from the appliance to a client.

>scp admin@<applianceIP>:ntp.log .

Deleting System Logs

Once you have exported the log files to a client, you can clear the appliance's syslog directory. This process creates an archive of all the stored logs before deleting the original files.

CAUTION!   Ensure that you have retrieved a copy of ntp.log before you run syslog cleanup. It is not archived with the rest of the logs.

To delete the stored system logs:

Use syslog cleanup (see syslog cleanup).

lunash:>syslog cleanup

lunash:>syslog cleanup

WARNING !!  This command creates an archive of the current logs then deletes ALL THE LOG FILES.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.

> proceed
Proceeding...
Creating tarlogs then deleting all log files...

The tar file containing logs is now available via scp as filename "logs_cleanup_20170301_1443.tgz".
Please copy "logs_cleanup_20170301_1443.tgz" to a client machine with scp.

Deleting log files ...
restart the rsyslogd service if it's running
Stopping syslog:                                           [  OK  ]

Starting syslog:                                           [  OK  ]

Command Result : 0 (Success)