Log Type Commands¶
The log command takes a log type parameter, as can be seen from the
command syntax [audit|event|stream]
:
$ log
USAGE:
------
log [audit|event] locallog on|off - Enable or disable audit/event logging
log [audit|event|stream] remotelog - Get the config for remote system logging
log [audit|event|stream] remotelog <IP:port>|off - Configure a remote system for sending logs
log [audit|event|stream|ssl] status - Get the status for audit/event/stream/ssl logging
For an overview of the log types and formats, see:
Note
Audit log details are determined by the audit log ruleset - see: Audit Log Rule Sets.
To enable or disable local audit and event logging, use the command and its respective option:
log audit locallog on|off
log event locallog on|off
Important
In a clustered environment, logging should be enabled or disabled on all application nodes in order to generate or stop logs completely, since a single transaction queue is utilized in the cluster and transactions can run on all application nodes. For commands on a cluster, see the cluster run command: Remote Execution in Clusters.
If local logs are enabled, local log files of the type are available:
Audit log files can be viewed as with all logs: log view platform/audit.log
Event logs: log view platform/event.log
To enable remote logs of a type requires a remote system IP address and port as input parameters. The location and format of the logged data on the remote system would depend on the syslog application being used and the configuration of that application.
For remote system requirements, see: Log Types.
Note
When audit or event logging is enabled or disabled locally or remotely, the syslog service restarts.
When stream logging is enabled or disabled, the syslog service restarts.
Remote log type disable CLI output example:
$ log audit remotelog off
You are about to restart syslog. Do you wish to continue? yes
You have new mail in /var/mail/<username>
The log type status for both local and remote logging can be checked with: log audit status or log event status, for example:
$ log audit status
audit:
ip: 112.19.42.249:10514
locallog: true
To check only the remote logging status of a log type: log audit remotelog or log event remotelog, for example:
$ log audit remotelog
ip: 112.19.42.249:10514
Note
The internal rsyslog statistics are checked every 60 seconds to detect failed actions. If a failure is detected, the failure notification is retransmitted every 10 minutes.
If the remote syslog server stops receiving logs, an email message or SNMP trap is generated, with the email message:
Subject: Log processing failure Message: System unable to send <event type> messages to <IP>
In the case of an SNMP trap:
mteHotTrigger: Log processing failure mteHotContextName: System unable to send <event type> messages to <IP>
If the remote syslog server stops receiving logs, the local disk space of the queue of logs can grow to a maximum of 1GB before logs are not queued and log messages are discarded.
See Warnings and Notifications to set up the notification.