SD-WAN


Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration WAN edge network functions - routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practices, and third-party integrations. All things SD-WAN!

decoding syslog

  • 1.  decoding syslog

    Posted yesterday

    My syslog server received a log from an appliance. How can I decode the log? What do 306 and yes/no mean?

    {"unixtimestamp":"172663479", "fromhost-ip":"192.168.0.1", "message":"<137>Mar 18 02:02:04 XXXXXXXXXXX mgmtd[32113]: CPU 0 TID 233550604214628:  [mgmtd.ALERT]: ALARM RAISE:  CRI, TUN, 306, tunnel_down, Tunnel state is Down, to_XXXXXXXXXXXXXXXX, 2024\/03\/18 02:02:04, 1, no, yes, yes, yes. Tunnel state is Down, ,1970\/01\/01 00:00:00,,1970\/01\/01 00:00:00, "}

    Thanks!



  • 2.  RE: decoding syslog

    EMPLOYEE
    Posted yesterday

    Hello. 

    The format from mgmtd.ALERT is:

    ALARM (RAISE or CLEAR) - whether the alarm is new or clearing.
    Next is the severity, in this case CRI means Critical.
    TUN is shorthand for a tunnel alarm.
    The next number, in this example 306, is the alarm number. They run sequentially resetting to 1 from boot.
    The next field is the short alarm name followed by a longer alarm description.
    Next you'll see the tunnel identifier name.
    The date and time the alarm fired is next. 
    I don't recall what no, yes, yes, yes means but you'll always see them that way.
    Then you get a repeat of the long alarm description.

    The last dates are trickier to explain. There are actually four columns (from left to right) and they are ack by, ack time, cleared by and cleared time. When an alarm is raised, these four columns are not relevant and hence not set. Similarly, when an alarm is cleared, the ack by and ack time may not be relevant and hence may not be set.

    When ack time or cleared time is not set, the default value is set to epoch 0 and when the UI converts this time to human readable format, it sets it to "1970/01/01 00:00:00". You'll see that quite a lot but it is nothing to worry about.

    Hope this helps,

    Chris
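
The field layout described in reply 2, turned into a parser as an added example (not HPE Aruba code and not part of the original thread). The dictionary keys and function names are this example's own choices, and it assumes no field contains a comma and that the line ends with a trailing comma, as in the posted sample.

```python
import json
import re
from datetime import datetime

# Sample record copied from the question in this thread (names redacted as posted).
SAMPLE = r'''{"unixtimestamp":"172663479", "fromhost-ip":"192.168.0.1", "message":"<137>Mar 18 02:02:04 XXXXXXXXXXX mgmtd[32113]: CPU 0 TID 233550604214628:  [mgmtd.ALERT]: ALARM RAISE:  CRI, TUN, 306, tunnel_down, Tunnel state is Down, to_XXXXXXXXXXXXXXXX, 2024\/03\/18 02:02:04, 1, no, yes, yes, yes. Tunnel state is Down, ,1970\/01\/01 00:00:00,,1970\/01\/01 00:00:00, "}'''

# Syslog PRI, anything up to the mgmtd.ALERT tag, RAISE or CLEAR, then the comma-separated body.
ALARM_RE = re.compile(r"^<(\d+)>.*?\[mgmtd\.ALERT\]: ALARM (RAISE|CLEAR):\s*(.*)$", re.S)
EPOCH_ZERO = "1970/01/01 00:00:00"  # how an unset ack/cleared time is rendered


def parse_time(value):
    """Return a datetime, or None when the column is empty or epoch 0 (not set)."""
    if not value or value == EPOCH_ZERO:
        return None
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")


def parse_alarm(record_json):
    """Decode one JSON record from the syslog server; None if it is not an alarm line."""
    match = ALARM_RE.match(json.loads(record_json)["message"])
    if match is None:
        return None
    pri, action = int(match.group(1)), match.group(2)
    # Assumption: no field contains a comma and the line ends with a trailing comma.
    fields = [part.strip() for part in match.group(3).split(",")]
    if len(fields) < 12:
        raise ValueError("unexpected mgmtd.ALERT layout: %d fields" % len(fields))
    ack_by, ack_time, cleared_by, cleared_time = fields[-5:-1]
    return {
        "syslog_facility": pri >> 3,   # standard syslog PRI = facility * 8 + severity
        "syslog_severity": pri & 7,
        "action": action,              # RAISE = new alarm, CLEAR = alarm clearing
        "severity": fields[0],         # CRI = Critical
        "type": fields[1],             # TUN = tunnel alarm
        "alarm_number": int(fields[2]),
        "name": fields[3],
        "description": fields[4],
        "tunnel": fields[5],
        "raised_at": parse_time(fields[6]),
        "unexplained": fields[7:-5],   # "1, no, yes, yes, yes. <description>" kept raw
        "ack_by": ack_by or None,
        "ack_time": parse_time(ack_time),
        "cleared_by": cleared_by or None,
        "cleared_time": parse_time(cleared_time),
    }
```
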




  • 3.  RE: decoding syslog

    Posted yesterday

    Hi Chris,

    Thanks for your information. But where can I find an official document about it?

    Thanks,




  • 4.  RE: decoding syslog

    EMPLOYEE
    Posted 18 hours ago

    To my knowledge, we don't have any official documentation on the finer points of log output. The web interface (of either the appliance or Orchestrator) sanitises the logs and presents them in a much more friendly way.




  • 5.  RE: decoding syslog

    Posted 17 hours ago

    Thank you!