How do I configure the syslog daemon on Mac OS X Leopard to receive syslogs from Aruba controllers?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x and later.

The following article describes the steps to configure a computer running Mac OS X Leopard (10.5) to receive syslogs from an Aruba controller. The instructions are separated into three parts. Part 1 describes the configuration on the Aruba controller. Part 2 outlines the instructions to enable the built-in syslog server to receive syslog messages from external devices. Part 3 describes how to set up automatic process to rotate saved log messages.

1.    Configuring Aruba controllers to send syslogs to an external server.
The internal storage capacity on an Aruba controller is limited. Therefore, it is recommended to forward important system messages to an external server for central processing and storage. Aruba controllers use the standard BSD syslog protocol (RFC3164) to forward system messages to an external server.  

1a. Set up the syslog destination.
To send syslogs to an external server, issue the following command in 'config' mode:
logging a.b.c.d

where a.b.c.d is the IP address of the syslog server. The syslog protocol uses udp port 514, therefore, ensure that udp/514 is allowed between the controller and the syslog server. Note that the source IP address of syslog messages is the IP address of the interface where the packet exits the controller.

Multiple syslog servers can be defined.  In this case, multiple copies of syslog messages will be sent.

1b. Set up the syslog facility.
Each syslog message is tagged with a “facility” field. This field allows a syslog server receiving syslogs from multiple sources to process syslogs and save them in different files. Aruba controllers can be configured to use syslog facilities from local0 to local7.  

The default facility sent by an Aruba controller is “local1”. To change the facility, enter the following configurations in config mode:

logging facility localX

where X = 0-7

For example:

logging facility local2

will tag all syslogs originating from Aruba controllers with facility = local2

1c. Syslog Severity / Logging Level
The Aruba controller also tags each syslog message with a severity. The severities are listed here in descending order of criticality.

Numerical    Severity
     Code

      0       Emergency       system is unusable
      1       Alert           action must be taken immediately
      2       Critical        critical conditions
      3       Error           error conditions
      4       Warning         warning conditions
      5       Notice          normal but significant condition
      6       Informational   informational messages
      7       Debug           debug-level messages

By default, the logging level of Aruba controllers is set at “warning”. That is, all messages with severity from emergency to warning are logged and sent to the syslog server. Furthermore, Aruba controllers group syslog messages into five categories:
·  network
·  security
·  system
·  user
·  wireless

The logging level of each category can be set individually.  

For example (from config mode):

logging level information user
logging level information security

For details, refer to the ArubaOS User Guide.


2.   Configuring Mac OS X to receive syslogs from an external device.
Mac OS X is based on FreeBSD. There the server to receive syslog message is built-in to the operating system and no additional software is required. However, by default, the syslog daemon running in Mac OS X is configured to receive syslog messages only from itself.  

2a. Enable syslog daemon to receive syslog messages from external sources.
To enable your Leopard system to receive network syslog submissions from other devices (such as an Aruba controller), edit the file:

/System/Library/LaunchDaemons/com.apple.syslogd.plist

and uncomment the lines specified in the comments so that the end of the file looks something like this:

<!--
Un-comment the following lines to enable the network syslog protocol listener.
-->

<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
</dict>
</dict>
</plist>


2b. Configure where Aruba syslogs are stored.
By default, syslogs messages are stored in this file:

/var/log/system.log

However, it is advisable to direct Aruba-specific logs to a different file. This can be done by configuration in the /etc/syslog.conf file.

In section 1b above, if the “facility” for Aruba controller is changed to “local2”, we can then redirect all syslog messages from Aruba controllers (tagged with facility = local2) to a file.

For example:

/var/log/aruba.log

To achieve that, add the following line in the /etc/syslog.conf file as the first line:

local2.*                        /var/log/aruba.log


2c. Restart the syslog daemon.
Before this new configuration take effect, the syslog daemon need to be restarted.

Issue the following commands:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

For more information, refer to the man pages of syslog(8), syslog.conf(5), launchctl(8).


3.   Configuring Mac OS X to rotate logs periodically.
To prevent the log files from growing indefinitely, logs should be rotated periodically.

In Mac OS X 10.5 (Leopard), log files are rotated by the newsyslog command.
It is run every hour (at 0:00, 1:00, ..., 23:00) by launchd, as can be seen in:

/System/Library/LaunchDaemons/com.apple.newsyslog.plist

The configuration file for newsyslog is /etc/newsyslog.conf, which contains something like:

# logfilename          [owner:group]    mode count size when  flags
...
/var/log/system.log                     640  7     *    @T00  J

when=@T00 means “every night at midnight 0:00”, count=7 means keep seven recent logs, and flags=J indicates to compress old logs by bzip2.

Therefore, to rotate the log files containing syslogs from the Aruba controller (as configured in Step 2 above), the following line can be added to the newsyslog config file:

/var/log/aruba.log                     640 14     *    @T03  J

This means that the log file will be rotated once a day at 0300h. Old logs will be kept for 14 days. The rotated logs will be compressed with bzip2. Note that the command will run only if the computer is actually on. For example, if this is set up on a laptop, the newsyslog command will be skipped if the computer is in sleep mode at 0300h.

To get around this, a manual rotation of logs can be done with the following command:

sudo newsyslog -F /var/log/aruba.log

For additional information, refer to the newsyslog(8) and newsyslog.conf(5) man pages. The "when" field in newsyslog.conf can also specify an "interval" between rotations.

Version history
Revision #:
1 of 1
Last update:
‎06-30-2014 07:54 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: