Syslog notifications
The syslog protocol is a standard protocol for forwarding log messages from a sender to a receiver on an IP network. The system can send syslog messages that notify personnel about an event. You can set up syslog event notifications with either the management GUI or the command-line interface (CLI).
The system can transmit syslog messages in either expanded or concise format. Servers configured with facility values of 0 - 3 receive syslog messages in concise format. Servers configured with facility values of 4 - 7 receive syslog messages in fully expanded format. The default value is 0. The facility number that is used in syslog messages also identifies the origin of the message to the receiving server. You can use a syslog manager to view the syslog messages that the system sends. For error, warning, and information notifications, the message format depends on the facility setting. Audit (-audit) and authentication (-login) messages are sent in a single format, so for these messages there is no distinction between concise and expanded format.
The system supports the TCP, UDP, and TLS transmission protocols for sending syslog messages to the specified syslog servers. You can specify a maximum of six syslog servers, each identified by either an IP address or a fully qualified domain name and its corresponding port. The default port for the TCP protocol is port 6514, and the default port for UDP transmissions is 514.
If you are using a domain name to identify a syslog server, ensure that a DNS server is configured on the system. Domain names cannot exceed 40 characters. To configure a DNS server, use the management GUI or the mkdnsserver command.
- Error notifications
- Select this option to send error notifications that can indicate a serious problem with the system.
- Warning notifications
- Select this option to send warning notifications that can indicate a problem or unexpected condition with the system. Always immediately investigate this type of notification to determine the effect that it might have on your operation, and make any necessary corrections.
- Information notifications
- Select this option to send information messages that indicate an expected operation has completed on the system.
- Audit log messages
- Select this option to include any CLI or management GUI operations on the specified syslog servers.
- Authentication log messages
- Select this option to send successful and failed authentication attempts to the specified syslog servers.
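The limits and format rules above can be checked against a planned set of server definitions before they are entered. The following is an added example, not part of the product documentation; the dictionary layout and the names `message_format` and `audit_plan` are hypothetical, and the sample hosts are constructed.

```python
import ipaddress

MAX_SERVERS = 6        # page: at most six syslog servers
MAX_DOMAIN_LEN = 40    # page: domain names cannot exceed 40 characters
PROTOCOLS = {"tcp", "udp", "tls"}


def message_format(facility):
    """Format used for error, warning and information notifications."""
    if not 0 <= facility <= 7:
        raise ValueError(f"facility {facility} is outside 0-7")
    return "concise" if facility <= 3 else "expanded"


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_plan(servers, dns_configured):
    """Return findings for a planned set of syslog server definitions."""
    findings = []
    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} servers planned, limit is {MAX_SERVERS}")
    for s in servers:
        host, proto = s["host"], s["protocol"]
        if proto not in PROTOCOLS:
            findings.append(f"{host}: unsupported protocol {proto!r}")
        if not is_ip(host):
            if len(host) > MAX_DOMAIN_LEN:
                findings.append(f"{host}: domain name is {len(host)} characters")
            if not dns_configured:
                findings.append(f"{host}: domain name used but no DNS server configured")
        # Audit and authentication messages describe user activity; UDP and
        # TCP carry them in cleartext, only TLS encrypts them.
        if proto != "tls" and (s.get("audit") or s.get("login")):
            findings.append(f"{host}: audit/login messages sent unencrypted over {proto}")
    return findings


# Constructed sample plan (documentation addresses, not real servers).
PLAN = [
    {"host": "192.0.2.10", "protocol": "tls", "facility": 4, "audit": True, "login": True},
    {"host": "syslog-collector-01.monitoring.corp.example.com", "protocol": "udp",
     "facility": 0, "audit": True},
]

if __name__ == "__main__":
    print(*audit_plan(PLAN, dns_configured=False), sep="\n")
```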
Syslog over TLS
The system supports encrypted communication with a syslog server using a TLS connection.
- Before you begin
- The system and the syslog server use mutual TLS to establish a secure connection. The system must verify the syslog server certificate, and the syslog server must verify the certificate that is presented by the system.
The syslog server certificate must be installed in a trust store on the system that has the syslog tag turned on. If the syslog server’s certificate is signed by a Certificate Authority (CA), then the CA certificate must be installed in a trust store that has the syslog tag turned on. See Truststore management commands for more information about creating and managing trust stores.
The system supports only one CA for signing the server certificates. All server certificates must be signed by the same CA. If you use self-signed certificates, all servers must use the same certificate. The system’s certificate must be installed on the syslog server. If the system’s certificate is signed by a Certificate Authority (CA), then the CA certificates must be installed on the syslog server too.
Note: The system uses the same certificate for all services that use certificate authentication. If changes are made to the system certificate, then services that use certificate authentication may be interrupted. If any services are interrupted, add the new certificate to the necessary trust stores.
Some syslog servers may have requirements about details that must be included in the system certificate. The cluster’s fully qualified domain name and the cluster IP address should be included in the subject alternative name fields. See System certificates for more details about generating a new system certificate.
The system and the syslog server must agree to use a cipher suite that is supported by both parties. See Changing security protocol levels for more information about changing the system’s list of supported cipher suites.
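On the receiving side, mutual TLS means the listener must demand a client certificate and should confirm that the certificate carries the cluster identities in its subject alternative name fields. The sketch below is an added example, not code from the product or from any particular syslog server; the function names and the sample certificates are constructed, and the certificate dictionaries follow the layout that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress
import ssl


def receiver_context(ca_file=None, cert_file=None, key_file=None):
    """TLS listener context that rejects senders without a verifiable certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # mutual TLS: client certificate is mandatory
    if ca_file:
        # CA that signed the system certificate, or the self-signed certificate itself
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        # Receiver's own certificate, the one installed in the system's trust store
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def san_entries(peer_cert):
    """Split the subjectAltName tuple into DNS names and IP addresses."""
    dns, ips = set(), set()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def missing_identities(peer_cert, cluster_fqdn, cluster_ip):
    """List the cluster identities that are absent from the certificate's SAN."""
    dns, ips = san_entries(peer_cert)
    missing = []
    if cluster_fqdn.lower() not in dns:
        missing.append(f"DNS:{cluster_fqdn}")
    if ipaddress.ip_address(cluster_ip) not in ips:
        missing.append(f"IP:{cluster_ip}")
    return missing


# Constructed certificates in getpeercert() layout.
WITH_SAN = {"subjectAltName": (("DNS", "cluster1.example.com"),
                               ("IP Address", "192.0.2.50"))}
CN_ONLY = {"subject": ((("commonName", "cluster1.example.com"),),)}

if __name__ == "__main__":
    for cert in (WITH_SAN, CN_ONLY):
        print(missing_identities(cert, "cluster1.example.com", "192.0.2.50"))
```

A certificate that names the cluster only in its common name fails this check, which is the case a receiver with SAN requirements would reject.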
Using the management GUI
To configure or work with syslog notification settings in the management GUI, select
- Creating a Syslog server
- To configure Syslog notifications, you must create a Syslog server.
- Go to to create a Syslog server.
- In the Create Syslog Server window, you can define the following protocols:
- UDP
- Use this protocol to reduce system and network overhead.
- TCP
- It is a reliable delivery protocol.
- TLS
- This option uses TLS to send encrypted syslog messages.
- If you select TLS, the Drag and drop or click here to upload the syslog server certificate option appears.
- If the syslog server’s certificate is signed by a CA, upload the root CA certificate.
- If the server’s certificate is self-signed, upload the self-signed certificate.
- If you are creating multiple syslog servers that use the same certificate and the certificate has already been uploaded, select the box I have already uploaded the certificate.
Note: If the server certificate is signed by a chain of CAs that includes a root CA and intermediate CAs, then the server should be configured to present its server certificate and any intermediate CA certificates when establishing a connection.
When you create a Syslog server that uses TLS, the management GUI creates a new trust store that contains the uploaded server certificates. The CLI must be used to modify or remove trust store entries for existing servers.
- Click Create.
Using the command-line interface
- See mksyslogserver command to create a syslog notification.
- See chsyslogserver command to modify a syslog notification.
- See rmsyslogserver command to delete a syslog notification.
- See lssyslogserver command to display a concise list of syslog notifications.