Contents
Restrictions and guidelines: fast log output configuration
Configuring fast output of logs to log hosts
Configuring fast log output to use the UTF-8 encoding
Configuring fast output of logs to Kafka servers
Fast log output configuration examples
Example: Configuring fast log output to a log host
Configuring fast log output
About fast log output
The fast log output feature enables fast output of logs to log hosts.
Typically, logs generated by a service module are first sent to the information center, which then outputs the logs to the specified destination (such as to log hosts). When fast log output is configured, logs of service modules are sent directly to log hosts instead of to the information center. Compared to outputting logs to the information center, fast log output saves system resources. For more information about the information center, see "Configuring the information center."
Logs are classified into eight severity levels from 0 through 7 in descending order.
Severity value | Level | Description |
---|---|---|
0 | Emergency | The system is unusable. For example, the system authorization has expired. |
1 | Alert | Action must be taken immediately. For example, traffic on an interface exceeds the upper limit. |
2 | Critical | Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails. |
3 | Error | Error condition. For example, the link state changes. |
4 | Warning | Warning condition. For example, an interface is disconnected, or the memory resources are used up. |
5 | Notification | Normal but significant condition. For example, a terminal logs in to the device, or the device reboots. |
6 | Informational | Informational message. For example, a command or a ping operation is executed. |
7 | Debugging | Debug message. |
Log header formats
The log header formats of fast output logs are as follows:
Table 2 Log header formats
Log header types | Format |
---|---|
Standard format | Example: |
Customized format | URL filtering UNICOM format: Example: NAT CMCC format: Example: NAT UNICOM format: <PRI> Vision HostName Timestamp AppName ProcID MsgID Example: NAT TELECOM format: <PRI> Vision Timestamp HostName AppName ProcID MsgID Example: |
Log field description
Table 3 Log field description
Field | Description |
---|---|
PRI | Log type code. · Standard format and NAT UNICOM format: 134. · URL filtering UNICOM format, NAT CMCC format, and NAT TELECOM format: 142. |
Timestamp | Records the time when the log was generated. The timestamp is in the format of YYYY Mon DD hh:mm:ss. |
AppName | Name of the device that generated the log. |
%%10 | Vendor of the device that generated the log. |
SN | Serial number of the device that generated the log. To view the device serial number, see the DEVICE_SERIAL_NUMBER field in the output of the display device manuinfo command. This field is available only when the device is configured to carry the serial number in fast output logs by using the customlog with-sn command. |
VsysId | Virtual system that generated the log. |
HostName | Source IPv4 address of the device that generated the log. |
MsgID | Log type. |
Len | Total length of the log header, in bytes. |
ProcID | Hyphen (-). |
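The following log-host-side header check is an added example, not code from this guide or from the device vendor. It parses the NAT UNICOM and NAT TELECOM header layouts listed in Table 2, checks the PRI and ProcID values given in Table 3, and normalizes the timestamp to UTC. It assumes whitespace-separated fields and that PRI follows the usual syslog encoding (facility * 8 + severity); the sample lines and the device_utc_offset_hours parameter are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Severity names from the severity table on this page (index = severity value).
SEVERITY = ["Emergency", "Alert", "Critical", "Error", "Warning",
            "Notification", "Informational", "Debugging"]

# Expected PRI (Table 3) and field order (Table 2) per customized format.
FORMATS = {
    "nat-unicom":  (134, ["Vision", "HostName", "Timestamp", "AppName", "ProcID", "MsgID"]),
    "nat-telecom": (142, ["Vision", "Timestamp", "HostName", "AppName", "ProcID", "MsgID"]),
}

# Constructed sample headers (not captured from a device).
SAMPLE_UNICOM = "<134>1 1.1.0.1 2024 Jan 05 10:00:00 Device - SAMPLE_MSGID"
SAMPLE_TELECOM = "<142>1 2024 Jan 05 18:00:00 1.1.0.1 Device - SAMPLE_MSGID"

def parse_header(line, fmt, device_utc_offset_hours=0):
    """Return (fields, problems) for one header line in the given format."""
    expected_pri, order = FORMATS[fmt]
    m = re.match(r"<(\d{1,3})>\s*(.*)", line)
    if not m:
        return {}, ["no <PRI> prefix"]
    pri, tokens = int(m.group(1)), m.group(2).split()
    fields, problems = {"PRI": pri}, []
    for name in order:
        width = 4 if name == "Timestamp" else 1  # YYYY Mon DD hh:mm:ss = 4 tokens
        if len(tokens) < width:
            return fields, problems + [f"truncated before {name}"]
        fields[name], tokens = " ".join(tokens[:width]), tokens[width:]
    if pri != expected_pri:
        problems.append(f"PRI {pri} != {expected_pri} expected for {fmt}")
    # Assumption: severity is the low three bits of PRI, as in syslog.
    fields["Severity"] = SEVERITY[pri % 8]
    if fields["ProcID"] != "-":
        problems.append("ProcID is not a hyphen")
    try:
        stamp = datetime.strptime(fields["Timestamp"], "%Y %b %d %H:%M:%S")
        # GMT by default; pass the device's UTC offset only when
        # 'customlog timestamp localtime' is configured on the device.
        tz = timezone(timedelta(hours=device_utc_offset_hours))
        fields["TimeUTC"] = stamp.replace(tzinfo=tz).astimezone(timezone.utc)
    except ValueError:
        problems.append("bad timestamp")
    return fields, problems

if __name__ == "__main__":
    print(parse_header(SAMPLE_UNICOM, "nat-unicom"))
    print(parse_header(SAMPLE_TELECOM, "nat-telecom", device_utc_offset_hours=8))
```

A header parsed with the wrong format name reports both a PRI mismatch and a bad timestamp, which is a quick way to spot a log host configured for a different format than the device sends.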
vSystem support for features
Non-default vSystems do not support configuring fast output of logs to Kafka servers.
For information about the support of non-default vSystems for the commands, see fast log output command reference. For information about vSystem, see Virtual Technologies Configuration Guide.
Restrictions and guidelines: fast log output configuration
The device supports outputting logs from service modules to log hosts by using the following methods in descending order of priority:
1. Fast log output.
2. Flow log. For more information about flow log and the service modules supported by flow log, see "Configuring flow log."
3. Information center.
If you configure multiple log output methods for a service module, the service module outputs its logs in the method that has the highest priority.
You cannot specify both the standard format and SGCC format for IPS logs. If you configure both formats, the most recently specified format takes effect. However, you can configure either of the two formats and the CMCC format for IPS logs simultaneously.
To output NAT logs to a log host, you must specify the log format required by the log host in the customlog format and customlog host commands.
You can configure the device to carry VNI information in NAT logs only if you specify the TELECOM format. NAT logs that carry the VNI field use a new format different from the TELECOM format.
Configuring fast output of logs to log hosts
1. Enter system view.
system-view
2. Enable fast log output.
customlog format { aft | aft-cmcc | aft-telecom | aft-unicom | attack-defense | cntm | dns | dpi [ anti-virus | audit | data-filter | file-filter | ips [ sgcc { policy-hit | signature-update } ] | netshare | reputation | sandbox | terminal | traffic-policy | url-filter [ unicom ] | waf ] | keepalive sgcc | lb [ dns-proxy | gslb | inbound | outbound | slb ] | nat { cmcc | telecom [ with-vni ] | unicom } | packet-filter [ sgcc ] | scd | security-policy sgcc | session | trusted-access { csap | iam [ authorization | notification ] } }
By default, fast log output is disabled.
3. Configure fast log output parameters.
customlog host [ vpn-instance vpn-instance-name ] { hostname | ipv4-address | ipv6 ipv6-address } [ port port-number ] export { aft | attack-defense | cmcc-sessionlog | cmcc-userlog | cntm | dns | dpi [ anti-virus | audit | data-filter | file-filter | ips | netshare | reputation | sandbox | terminal | traffic-policy | url-filter | waf ] * | keepalive | lb [ dns-proxy | gslb | inbound | outbound | slb ] * | packet-filter | scd | security-policy | session | telecom-sessionlog | telecom-userlog | trusted-access { csap | iam [ authorization | notification ] } * | unicom-sessionlog | unicom-userlog } *
By default, no fast log output parameters are configured.
The value for the port-number argument must be the same as the port number configured on the log host. Otherwise, the log host cannot receive logs.
4. (Optional.) Specify the source IP address for fast log output.
customlog host source interface-type interface-number
By default, the source IP address of fast output logs is the primary IP address of the outgoing interface.
If this command is configured, the primary IP address of the specified interface is used as the source IP address of fast output logs regardless of the outgoing interface.
Configure this command when you need to filter logs by source IP address on the log host.
5. (Optional.) Configure the timestamp of fast output logs to show the system time.
customlog timestamp localtime
By default, the timestamp of fast output logs shows the Greenwich Mean Time (GMT).
6. (Optional.) Configure the device to carry its serial number in fast output logs.
customlog with-sn
By default, the device does not carry its serial number in fast output logs.
Configuring fast log output to use the UTF-8 encoding
About this task
The fast log output module and the log host must use the same character set encoding. If they use different encodings, the log host cannot correctly display Chinese characters in the log messages received from the fast log output module. By default, fast log output uses the GB18030 encoding. You can perform this task to configure fast log output to use the UTF-8 encoding.
Procedure
1. Enter system view.
system-view
2. Configure fast log output to use UTF-8 encoding.
customlog character-encoding utf-8
By default, fast log output uses the GB18030 encoding.
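The following log-host-side decoder is an added example, not code from this guide. It shows why the encoding mismatch described above is easy to miss: UTF-8 bytes usually decode under GB18030 without any error and simply produce wrong characters, so the decoder tries strict UTF-8 first and reports when the detected encoding differs from the one the device is configured for. The function names and the sample payloads are constructed for illustration.

```python
from collections import Counter

# Constructed sample: the same two Chinese characters in both encodings.
SAMPLE_TEXT = "IPS: \u653b\u51fb"          # "IPS: " followed by U+653B U+51FB
SAMPLE_UTF8 = SAMPLE_TEXT.encode("utf-8")
SAMPLE_GB18030 = SAMPLE_TEXT.encode("gb18030")

def decode_fast_log(payload, configured="gb18030"):
    """Return (text, detected, mismatch) for one received log payload.

    configured is the encoding the device is set to use: "gb18030"
    (the default) or "utf-8" (customlog character-encoding utf-8).
    """
    if payload.isascii():
        # Pure ASCII is identical in both encodings, so it proves nothing.
        return payload.decode("ascii"), "ascii", False
    try:
        # Strict UTF-8 rejects typical GB18030 multi-byte sequences.
        text, detected = payload.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        text, detected = payload.decode("gb18030", errors="replace"), "gb18030"
    return text, detected, detected != configured

def encoding_report(payloads, configured="gb18030"):
    """Count detected encodings over a batch to spot a misconfigured device."""
    return Counter(decode_fast_log(p, configured)[1] for p in payloads)

if __name__ == "__main__":
    # Decoding UTF-8 bytes as GB18030 does not fail; it yields mojibake.
    print(SAMPLE_UTF8.decode("gb18030", errors="replace"))
    print(decode_fast_log(SAMPLE_UTF8, configured="gb18030"))
    print(encoding_report([SAMPLE_UTF8, SAMPLE_GB18030, b"plain ascii"]))
```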
Configuring fast output of logs to Kafka servers
About this task
The device supports outputting fast logs in Kafka format to a Kafka log server. When you have deployed a Kafka log server in the network, created a Kafka server on the device, and enabled output of fast logs to the Kafka server, the device will send fast logs in Kafka format to the Kafka log server.
A broker is a member of a Kafka server cluster. After you configure the IP address and port of a broker for receiving logs on the device side, the device will send logs in Kafka format to the specified address.
Restrictions and guidelines
The customlog kafka-server export command takes effect only when you have enabled fast log output for the corresponding modules using the customlog format command.
Procedure
1. Enter system view.
system-view
2. Create a Kafka server and enter its view.
kafka-server server-name
By default, no Kafka server exists.
3. Specify a Kafka broker.
broker { hostname | ipv4-address | ipv6 ipv6-address } [ port port-number ]
By default, no Kafka broker is specified.
4. Associate a VPN instance with the Kafka server.
vpn-instance vpn-instance-name
By default, the Kafka server is associated with the public network.
5. Return to system view.
quit
6. Enable output of fast logs to the Kafka server.
customlog kafka-server server-name topic topic-name export dpi ips
By default, output of fast logs to the Kafka server is disabled.
7. Enable fast log output of the IPS module.
customlog format dpi ips cmcc-kafka
By default, fast log output of the IPS module is disabled.
Fast log output configuration examples
Example: Configuring fast log output to a log host
Network configuration
As shown in Figure 1, configure fast log output on the device to send session logs to the log server.
Procedure
1. Assign IP addresses to interface GigabitEthernet 1/0/2.
<Device> system-view
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ip address 1.1.0.1 255.255.0.0
[Device-GigabitEthernet1/0/2] quit
2. Configure settings for routing.
This example configures a static route, and the next hop in the route is 1.1.0.2.
[Device] ip route-static 1.2.0.0 16 1.1.0.2
3. Add interface GigabitEthernet 1/0/2 to security zone untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure a security policy:
# Configure a rule named loglocalout to allow the device to send fast log output messages to the server.
[Device] security-policy ip
[Device-security-policy-ip] rule name loglocalout
[Device-security-policy-ip-1-loglocalout] source-zone local
[Device-security-policy-ip-1-loglocalout] destination-zone untrust
[Device-security-policy-ip-1-loglocalout] source-ip-host 1.1.0.1
[Device-security-policy-ip-1-loglocalout] destination-ip-host 1.2.0.1
[Device-security-policy-ip-1-loglocalout] action pass
[Device-security-policy-ip-1-loglocalout] quit
[Device-security-policy-ip] quit
5. Configure fast log output. Enable fast log output, configure log output to the log server, and enable logging for session creation and deletion. Enable IPv4 session logging in the inbound direction of the interface connected to the internal network.
[Device] customlog format session
[Device] customlog host 1.2.0.1 port 1000 export session
[Device] session log flow-begin
[Device] session log flow-end
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] session log enable ipv4 inbound
Verifying the configuration
On the server, verify that logs are received from the device successfully.