Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x and later.
The following article describes the steps to configure a computer running Mac OS X Leopard (10.5) to receive syslogs from an Aruba controller. The instructions are separated into three parts. Part 1 describes the configuration on the Aruba controller. Part 2 outlines the instructions to enable the built-in syslog server to receive syslog messages from external devices. Part 3 describes how to set up automatic process to rotate saved log messages.
1. Configuring Aruba controllers to send syslogs to an external server.
The internal storage capacity on an Aruba controller is limited. Therefore, it is recommended to forward important system messages to an external server for central processing and storage. Aruba controllers use the standard BSD syslog protocol (RFC3164) to forward system messages to an external server.
1a. Set up the syslog destination.
To send syslogs to an external server, issue the following command in 'config' mode:
logging a.b.c.d
where a.b.c.d is the IP address of the syslog server. The syslog protocol uses udp port 514, therefore, ensure that udp/514 is allowed between the controller and the syslog server. Note that the source IP address of syslog messages is the IP address of the interface where the packet exits the controller.
Multiple syslog servers can be defined. In this case, multiple copies of syslog messages will be sent.
1b. Set up the syslog facility.
Each syslog message is tagged with a “facility” field. This field allows a syslog server receiving syslogs from multiple sources to process syslogs and save them in different files. Aruba controllers can be configured to use syslog facilities from local0 to local7.
The default facility sent by an Aruba controller is “local1”. To change the facility, enter the following configurations in config mode:
logging facility localX
where X = 0-7
For example:
logging facility local2
will tag all syslogs originating from Aruba controllers with facility = local2
1c. Syslog Severity / Logging Level
The Aruba controller also tags each syslog message with a severity. The severities are listed here in descending order of criticality.
Numerical Severity
Code
0 Emergency system is unusable
1 Alert action must be taken immediately
2 Critical critical conditions
3 Error error conditions
4 Warning warning conditions
5 Notice normal but significant condition
6 Informational informational messages
7 Debug debug-level messages
By default, the logging level of Aruba controllers is set at “warning”. That is, all messages with severity from emergency to warning are logged and sent to the syslog server. Furthermore, Aruba controllers group syslog messages into five categories:
· network
· security
· system
· user
· wireless
The logging level of each category can be set individually.
For example (from config mode):
logging level information user
logging level information security
For details, refer to the ArubaOS User Guide.
2. Configuring Mac OS X to receive syslogs from an external device.
Mac OS X is based on FreeBSD. There the server to receive syslog message is built-in to the operating system and no additional software is required. However, by default, the syslog daemon running in Mac OS X is configured to receive syslog messages only from itself.
2a. Enable syslog daemon to receive syslog messages from external sources.
To enable your Leopard system to receive network syslog submissions from other devices (such as an Aruba controller), edit the file:
/System/Library/LaunchDaemons/com.apple.syslogd.plist
and uncomment the lines specified in the comments so that the end of the file looks something like this:
<!--
Un-comment the following lines to enable the network syslog protocol listener.
-->
<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
</dict>
</dict>
</plist>
2b. Configure where Aruba syslogs are stored.
By default, syslogs messages are stored in this file:
/var/log/system.log
However, it is advisable to direct Aruba-specific logs to a different file. This can be done by configuration in the /etc/syslog.conf file.
In section 1b above, if the “facility” for Aruba controller is changed to “local2”, we can then redirect all syslog messages from Aruba controllers (tagged with facility = local2) to a file.
For example:
/var/log/aruba.log
To achieve that, add the following line in the /etc/syslog.conf file as the first line:
local2.* /var/log/aruba.log
2c. Restart the syslog daemon.
Before this new configuration take effect, the syslog daemon need to be restarted.
Issue the following commands:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
For more information, refer to the man pages of syslog(8), syslog.conf(5), launchctl(8).
3. Configuring Mac OS X to rotate logs periodically.
To prevent the log files from growing indefinitely, logs should be rotated periodically.
In Mac OS X 10.5 (Leopard), log files are rotated by the newsyslog command.
It is run every hour (at 0:00, 1:00, ..., 23:00) by launchd, as can be seen in:
/System/Library/LaunchDaemons/com.apple.newsyslog.plist
The configuration file for newsyslog is /etc/newsyslog.conf, which contains something like:
# logfilename [owner:group] mode count size when flags
...
/var/log/system.log 640 7 * @T00 J
when=@T00 means “every night at midnight 0:00”, count=7 means keep seven recent logs, and flags=J indicates to compress old logs by bzip2.
Therefore, to rotate the log files containing syslogs from the Aruba controller (as configured in Step 2 above), the following line can be added to the newsyslog config file:
/var/log/aruba.log 640 14 * @T03 J
This means that the log file will be rotated once a day at 0300h. Old logs will be kept for 14 days. The rotated logs will be compressed with bzip2. Note that the command will run only if the computer is actually on. For example, if this is set up on a laptop, the newsyslog command will be skipped if the computer is in sleep mode at 0300h.
To get around this, a manual rotation of logs can be done with the following command:
sudo newsyslog -F /var/log/aruba.log
For additional information, refer to the newsyslog(8) and newsyslog.conf(5) man pages. The "when" field in newsyslog.conf can also specify an "interval" between rotations.