What is a Syslog?
Log information is very important when troubleshooting problems. As a network grows in size, so does the stream of daily log files stored on each of your network devices, making it impossible to track manually. With Syslog, this changed.
A Syslog server allows a network’s devices to send their log information to one centralized location, where the server receives, categorizes, and stores log messages for analysis, maintaining a comprehensive view of what is going on everywhere on the network.
A network admin can use a Syslog server to manage, search, and archive all of the network’s log information.
Locating System Objects Syslog in the Graphiant Portal
From the Home screen, navigate to the System Objects screen by one of the following:
Locate the "Configurations" section within the top left of the screen; select 'Create System Object'.
or
Click 'Configure' in the sidebar; select 'System Objects'.
Under 'System Services', click 'Syslog Servers'.
This will bring up the Syslog table, with the following fields:
Object Name: The assigned name of the Syslog Server
Sites: Number of Sites to which the Syslog Server is attached
Attached Devices: Number of Edges to which the Syslog Server is attached
In Sync: Number of Edges which are successfully pulling down their Syslog Server configuration from the Site.
Override: Number of Edges in Override Status (see here for details on Override status)
Failures: Number of Edges in Failure Status (see here for details on Failure status)
Creating a Syslog Server in System Objects
To create a System Objects Syslog server, navigate to the Syslog table from within System Objects.
Click 'Create Syslog Server' in the upper right corner.
The following fields are required:
Name: Choose a name for the server.
Syslog Server: To enable Syslog, choose 'On'.
Transport: Select either TCP or UDP.
LAN Segments: Select the desired LAN Segment from the drop-down.
Host / IP Address: Enter the Host / IP Address for the Syslog server.
Port: Enter the port number to receive incoming Syslog messages / data.
Note:
If UDP is selected, the default port is 514.
Minimum Severity: From the drop-down, select the desired minimum severity level that will notify users.
The Severity Levels are defined as follows:
Emergency: System is unusable
Alert: Requires immediate correction
Critical: Critical conditions
Error: Error conditions
Warning: Indicates that an Error will occur if no action is taken
Notice: Normal operation, with significant unusual conditions
Informational: Operational messages requiring no action
Debug: Developer-level debug information
Note:
Selecting a Severity Level also sends notifications for all more severe levels; e.g. if “Warning” is selected, notifications of Error, Critical, Alert and Emergency are also sent.
Click 'Create'.
The new Syslog server will now appear in the Syslog table.
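The following is an added example, not Graphiant code: a collector-side check that decodes the standard syslog PRI header and shows which messages a given Minimum Severity lets through, following the rule in the Note above. It assumes the Edge sends a standard `<PRI>` header (the page does not show the wire format); the sample lines and host names are constructed.

```python
import re

# Severity names as listed on this page, in standard syslog numeric
# order (index 0 = Emergency, the most severe; index 7 = Debug).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity_name), or None if the PRI header is missing or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 gives the largest valid PRI
        return None
    return pri // 8, SEVERITIES[pri % 8]

def filter_lines(lines, minimum):
    """Split lines into (sent, suppressed, malformed) for a configured Minimum Severity."""
    threshold = SEVERITIES.index(minimum)
    sent, suppressed, malformed = [], [], []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            malformed.append(line)
        elif SEVERITIES.index(decoded[1]) <= threshold:
            sent.append(line)       # at least as severe as the minimum
        else:
            suppressed.append(line)
    return sent, suppressed, malformed

# Constructed sample messages (not captured from a real Edge).
SAMPLE = [
    "<11>Jan  5 10:00:01 edge-1 svc: tunnel down",         # facility 1, Error
    "<12>Jan  5 10:00:02 edge-1 svc: high memory",         # facility 1, Warning
    "<14>Jan  5 10:00:03 edge-1 svc: user logged in",      # facility 1, Informational
    "<34>Jan  5 10:00:04 edge-1 auth: repeated failures",  # facility 4, Critical
    "<999>Jan  5 10:00:05 edge-1 svc: bad header",         # PRI out of range
    "Jan  5 10:00:06 edge-1 svc: no PRI at all",           # PRI missing
]

if __name__ == "__main__":
    sent, suppressed, malformed = filter_lines(SAMPLE, "Warning")
    print(len(sent), "sent,", len(suppressed), "suppressed,", len(malformed), "malformed")
```

A message that arrives at the collector with a severity less severe than the configured minimum, or with a malformed header, is worth investigating as a configuration drift or a non-Edge sender.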
Attaching a Syslog Server to a Site
For a System Object Syslog Server to be utilized by any Edges, it must be attached to a Site.
To attach a Syslog Server to a Site, click 'Configure' from the left side menu from anywhere in the Portal; select 'Site Management'.
Click the 3 dots to the right of the Site to which the Syslog Server will be attached; select 'Edit'.
Click 'Site Services' under 'Summary'; select 'System Services'.
The screen will already be set for 'Syslog'. Click the (+) in 'System Objects'.
Select the desired Syslog server from the drop-down.
The configuration of the Syslog server will be displayed.
Review & Apply.
A Device Config Status table will appear with the status of the Edge(s) on that Site being "Config Push Queued".
When the configuration from the Site to the Edge(s) is complete, the status of the Edge(s) will be "In Sync".
Note:
If any other System Service (IPFIX, SNMP) is in override for that Edge, the status will read as "Override". (Click here for Configuration Status information.)
From the 'Site Services'; 'System Services' menu under the Summary on the left, the Syslog Server will appear in the Site and its configuration will be visible.
Configuration Status from the Site to the Graphiant Edge
The 'Status' field of each Edge in a Site can be reported in the following terms:
"In Sync": The Edge configuration is synced with the Site configuration; the Edge is doing exactly what the Site is telling it to do.
"Override": The Edge configuration is not synced with the Site configuration; this will be the status if the user is overriding the Site to perform necessary changes directly on the Edge.
"Failure": The Site configuration failed when it attempted to push its configuration to the Edge.
If a Syslog attachment results in "Failure" Status
Locating the Failure Status Error Message
The failure status error message can be found in 3 locations within the Graphiant Portal, for ease of discovery wherever you are within the Portal.
#1: Site Management Summary Screen
Should a Site attachment attempt result in a status of "Failure", the reason for the failure can be immediately seen under the “Device Config Status” by clicking the 3 dots to the right of the Edge, and selecting 'View Details'.
This will bring up a modal of details for the Edge.
The "Error Message" under the Failure Status will explain the reason for the failure.
'View Configuration' will bring up the Edge configuration, if desired.
#2: Site Management Syslog Screen
Within the Site Management area of the Portal, click 'Site Services'; select 'System Services'; choose the 'Syslog' tab at the top.
Click 'View Details' to the right of the "Failure" status.
This will bring up a modal of details for the Edge.
The "Error Message" under the Failure Status will explain the reason for the failure.
'View Configuration' will bring up the Edge configuration, if desired.
#3: Edge Configuration Syslog Screen
Within the Edge Configuration area of the Portal, click 'Configure Services'; select 'Edge Services'; choose the 'Syslog' tab at the top.
Click 'View Failure Details' within the warning message.
This will bring up a modal of details for the Edge.
The "Error Message" under the Failure Status will explain the reason for the failure.
'View Configuration' will bring up the Edge configuration, if desired.
Correcting the Syslog Attachment Failure
To correct the error that resulted in the Syslog attachment failure, navigate to the Site Management Summary screen for Syslog.
Correcting a Syslog Attachment Failure via Selecting a New Syslog Server
In the System Objects Syslog screen, select a different Syslog Server from the dropdown of previously created Syslog Servers.
Note:
Take care to select a Syslog Server that will meet the requirements and eliminate the error message.
When the different Syslog Server is selected, click 'Review' and 'Apply'.
Correcting a Syslog Attachment Failure via Creating a New Syslog Server
If none of the previously created Syslog Servers has the desired configuration, a new Syslog Server can be created.
To create a new Syslog server, navigate to the Syslog table from within System Objects.
Click 'Create Syslog Server' in the upper right corner.
Create the new Syslog Server as previously described here.
Note:
Take care to create a Syslog Server that will meet the requirements and eliminate the error message.
Overriding the Site Syslog Configuration for an Edge
The only field able to be edited from the Edge configuration screen is the 'Interface' field.
If there is a need to change anything else in the Syslog configuration directly on an Edge (e.g. for troubleshooting purposes), the attachment to the Site's configuration must be paused. This effectively breaks the connection between the Edge and the Syslog Server, as all System Objects flow through the Site configuration to the Edge.
In Override status, the Edge is out of "Read-Only" mode for System Objects, and all fields are then able to be edited. Any desired changes are now able to be made to the Edge locally.
Locating the Override Toggle
To override the configuration, go to 'Configuring Edges' either by clicking the button in the top center, or by clicking 'Configure' in the left side menu, then selecting 'Edge Devices'.
Select the checkbox for the Edge to configure; click the 'Configure' button to the right of that Edge.
Click 'Configure Services' on the left; select 'Edge Services'.
If not already at the Syslog tab, select the 'Syslog' tab from across the top.
The Syslog Server will be shown here under "System Object".
The Override Switch will be at the top right of the System Object section.
Overriding the Site Syslog Configuration for an Edge
To override the Edge Syslog Configuration, from the Edge Services screen, click the 'Override' switch located at the top right of the System Object.
The 'Override' switch will show activated, and all of the fields will now be able to be edited.
Make the desired configuration changes; click 'Review'.
This will bring up the "Configuration Versions" screen for the Edge.
Next to 'Edge Services' on the left will be warnings. One will indicate that the Syslog Server has been selected for Override, and any others will reflect the number of changes made within the configuration.
To see the exact changes that will be made in the configuration, click the 'Syslog Servers' drop-down.
The configuration changes to be made once applied are shown here.
Click 'Apply'.
The new configuration will be highlighted in gray, and will be listed below as live.
Override Details and Status
On returning to the Syslog Server table, it will now show an alert under the 'Override' column, with the quantity of Edges that are in Override status for Syslog.
The Site is no longer tracking if the Edge configuration is "In Sync" with the Site's configuration.
To see the Override details, click on the 3 dots to the right of the Syslog Server with the override; select 'View Details'.
This will bring up the Status screen for the Edges. The Edge that has been configured while in Override will read the Status of "Override".
Restoring an Edge from Override Configuration to Site Configuration
When the Edge is ready to go back under the Site configuration and out of Override Status, return to the Syslog Configure Screen for the Edge, where the Override switch is located. (For help finding this screen, click here).
Click the 'Override' switch; hit 'Review'.
Note:
When Override is deselected, all fields edited in the Override are cleared, and automatically put back to Site configuration selections.
This will bring up the "Configuration Versions" screen for the Edge.
Next to 'Edge Services' on the left will be warnings. One will indicate that the Syslog Server has been deselected for Override, and any others will reflect the number of changes that will be automatically reverted within the configuration when it again pulls down from the Site configuration.
To see the exact changes that will be made in the configuration, click the 'Syslog Servers' drop-down.
The configuration changes to be made once applied are shown here.
Click 'Apply'.
The new configuration will be highlighted in gray, and will be listed below as live.
On returning to the Syslog Server table, it will now show that the Edge is no longer included in "Override".
Note:
Any other Edges in that Syslog Server that are in Override will still be included in this column.
The Syslog table will now show that Edge as "In Sync", as it is again getting its configuration from the Site.
Cloning a System Objects Syslog Server
A Syslog Server can be cloned, for ease of creating a new Syslog Server that is mostly identical to a previously created Syslog Server, with just a few changes.
To clone a Syslog Server, navigate to the Syslog Server table.
Click the 3 dots to the right of the Syslog Server to be cloned; select 'Clone'.
This will open a Configure screen for a copy of the Syslog Server that was cloned.
Name: Edit this field to distinguish the clone from the original Syslog Server.
Edit any desired fields that will differ from the original.
Click 'Create'.
The cloned Syslog Server will now appear in the Syslog Server table.
Detaching a System Objects Syslog Server from a Site
To detach a Syslog Server from a Site so that the Edges attached to that Site will no longer receive that Syslog Server configuration, navigate to the Site Management Summary screen for Syslog.
Click 'Configure' from the left side menu from anywhere in the Portal; select 'Site Management'.
Click the 3 dots to the right of the Site from which the Syslog Server will be detached; select 'Edit'.
Click 'Site Services' under 'Summary'; select 'System Services'.
This page will show all of the Syslog Servers for the Site.
Locate the Syslog Server to be detached.
Locate the trash can icon at the bottom of the section of the Syslog Server to be detached.
Click the trash can icon.
The Syslog Server will no longer be listed under the System Objects in Syslog.
'Review' & 'Apply'.
The Syslog Server will now be detached from the Site.
Any Edges attached to the Site will no longer show that Syslog Server in their configuration.
Deleting a System Objects Syslog Server
To delete a Syslog Server, navigate to the Syslog Server table.
Note:
A Syslog Server can only be deleted if it has no mappings; it cannot be attached to any Sites or Edges, or have any other references to it within the network.
Click the 3 dots to the right of the Syslog Server to be deleted; select 'Delete'.
For a Syslog Server with no Sites or Edges attached and not referenced anywhere in the network, the 'Delete' action will be permitted.
If a Syslog Server still has Sites or Edges attached to it or is referenced elsewhere in the network, the 'Delete' selection will be grayed out and the Delete action will not be permitted.
A modal will appear with a confirmation to proceed with the Syslog Server deletion.
If the Syslog Server is confirmed to be deleted, click 'Confirm'.
The Syslog Server will be removed and no longer present in the Syslog Server Table.