View Only
last person joined: 3 days ago 

Expand all | Collapse all

Syslog parsing for Aruba CX Switches

This thread has been viewed 28 times
  • 1.  Syslog parsing for Aruba CX Switches

    Posted Sep 08, 2021 10:20 AM
    Hey Aruba people, first time poster here.

    I'm building log parsing integrations for a product on my side. 
    I'm trying to find the a chart or table with the definitions of each of these log fields below:

    Sanitized log example:
    <190>1 2021-09-01T10:38:33.885340-06:00 lab-1 hpe-restd 886 - - Event|4605|LOG_INFO|AMM|-|Session ended for user test-user, session 0vsN-1234-Q5WgX4DSxgg==

    So the event log message reference guide for Aruba CX, describes all possible event ids, e.g. 4605, and the message body field just fine. Those are not an issue. The issue is the log header is not defined anywhere. It looks similar to Aruba OS general log which is similar but otherwise different.

    The issue is the fields here:
    hpe-restd 886 -- I know the first part is the daemon that generated the log, do we have a list of all possible daemons? Also is the decimal after the process ID or some other value?

    AMM -- I know this is short hand for the module it applies to, e.g. this is the Admin module, MSTR is rapid spanning tree related, etc. Do we have a list defining all these short hand module names? The log reference only has the long names.

    Is there a guide similar to the ArubaOS-CX Event Log MessageReference Guide for 10.03 that outlines the module name options in the log header? 

    Robert Evans

  • 2.  RE: Syslog parsing for Aruba CX Switches

    Posted Sep 10, 2021 04:31 PM
    In addition to my above, clients are reporting a few events where certain fields are NULL, and don't have a placeholder, e.g. 

    <190>1 2021-07-08T13:03:51.540688-06:00 lab1 intfd 776 - - Event|4701|LOG_INFO|||User user1 added user2 with role user_role

    Notice the module field is omitted , instead of |-|-|Message Body, its just |||Message Body

    Is anyone on the dev team able to explain the variety of log structures? Which fields are guaranteed to be present. Which are not? We are making educated guessing so far based on production logs from Aruba CX Switches.

    Robert Evans

  • 3.  RE: Syslog parsing for Aruba CX Switches

    Posted Oct 13, 2021 12:38 PM
    Hi @zerozero !

    Apologies for the delay in response - you'll be able to access the event logs for the firmware version you're using on our Aruba Support Portal - here is the document for 10.8:

    Tiffany Chiapuzio-Wong