Contents

Fast log output commands· 1

broker 1

customlog character-encoding utf-8· 2

customlog format 2

customlog host 5

customlog host source· 7

customlog kafka-server 8

customlog timestamp· 9

customlog with-sn· 9

kafka-server 10

vpn-instance· 11

Fast log output commands

Non-default vSystems do not support some of the fast log output commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.

broker

Use broker to specify a Kafka broker.

Use undo broker to restore the default.

Syntax

broker { hostname | ipv4-address | ipv6 ipv6-address } [ port port-number]

undo broker { hostname | ipv4-address | ipv6 ipv6-address }

Default

No Kafka broker is specified.

Views

Kafka server view

Predefined user roles

network-admin

context-admin

Parameters

hostname: Specifies a hostname for the Kafka broker, a case-insensitive string of 1 to 253 characters. The hostname can contain letters, numbers, hyphens (-), underscores (_), and dots (.).

ipv4-address: Specifies an IP address for the Kafka broker.

ipv6 ipv6-address: Specifies an IPv6 address for the Kafka broker.

port port-number: Specifies a port number of the Kafka broker for receiving logs, in the range of 1 to 65535. The default port number is 9092. For the Kafka broker to receive logs, make sure the port number is the same as that configured for the broker on the Kafka server side.

Usage guidelines

Non-default vSystems do not support this command.

A broker is a member of a Kafka server cluster. After you configure the IP address and port of a broker for receiving logs on the device side, the device will send logs in Kafka format to the specified address.

Examples

# Specify a Kafka broker with IP address 1.1.1.1 and port number 9092 in Kafka server ABC.

<Sysname> system-view

[Sysname] kafka-server ABC

[Sysname- kafka-server-ABC] broker 1.1.1.1 port 9092

Related commands

kafka-server

customlog character-encoding utf-8

Use customlog character-encoding utf-8 to configure fast log output to use the UTF-8 encoding.

Use undo customlog character-encoding to restore the default.

Syntax

customlog character-encoding utf-8

undo customlog character-encoding

Default

Fast log output uses the GB18030 encoding.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

For the log host to correctly display Chinese characters in received log messages, make sure the fast log output module uses the same character set encoding as the log host. Fast log output supports using GB18030 and UTF-8 encodings.

Examples

# Configure fast log output to use the UTF-8 encoding.

<Sysname> system-view

[Sysname] customlog character-encoding utf-8

customlog format

Use customlog format to enable fast log output.

Use undo customlog format to restore the default.

Syntax

customlog format { aft | aft-cmcc | aft-telecom | aft-unicom | attack-defense | cntm | dns | dpi [ anti-virus | audit | data-filter | file-filter | ips [ sgcc { policy-hit | signature-update } ] | netshare | reputation | sandbox | terminal | traffic-policy | url-filter [ unicom ] | waf ] | keepalive sgcc | lb [ dns-proxy | gslb | inbound | outbound | slb ] | nat { cmcc | telecom [ with-vni ] | unicom } | packet-filter [ sgcc ] | scd | security-policy sgcc | session | trusted-access { csap | iam [ authorization | notification ] }

undo customlog format { aft | aft-cmcc | aft-telecom | aft-unicom | attack-defense | cntm | dns | dpi [ audit | data-filter | file-filter | ips | netshare | reputation | sandbox | terminal | traffic-policy | url-filter [ unicom ] | waf ] * | keepalive | lb [ dns-proxy | gslb | inbound | outbound | slb ] * | nat | packet-filter | scd | security-policy | session | trusted-access { csap | iam [ authorization | notification ] } *

Default

Fast log output is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

aft: Enables fast log output for the AFT module.

aft-cmcc: Enables fast log output for the AFT module in CMCC format.

aft-telecom: Enables fast log output for the AFT module in TELECOM format.

aft-unicom: Enables fast log output for the AFT module in UNICOM format.

attack-defense: Enables fast log output for the attack defense module.

dns: Enables fast log output for the DNS module.

dpi: Enables fast log output for a DPI-related module. If you do not specify a DIP module keyword, this command enables fast log output for all the DPI-related modules.

anti-virus: Specifies the anti-virus module.

audit: Specifies the application audit and management module.

cntm: Specifies the content moderation module.

data-filter: Specifies the data filtering module.

file-filter: Specifies the file filtering module.

ips: Specifies the IPS module.

sgcc: Specifies the SGCC format for the specified type of IPS logs. If you do not specify this keyword, the standard format is used for fast output of the IPS logs.

policy-hit: Specifies the IPS policy hit logs.

signature-update: Specifies the IPS signature library update logs.

cmcc-kafka: Specifies the CMCC format for the system to output the IPS policy hit logs to the Kafka server. If you specify this keyword, you must also configure fast log output to the Kafka server. For more information, see Network Management and Monitoring Configuration Guide.

netshare: Specifies the netshare control module.

reputation: Specifies the IP reputation, domain reputation, and URL reputation modules.

sandbox: Specifies the sandbox module.

terminal: Specifies the terminal identification module.

traffic-policy: Specifies the bandwidth management module.

url-filter: Specifies the URL filtering module.

unicom: Specifies the UNICOM format for fast output URL filtering logs. If you do not specify this keyword, the standard format is used to output the logs.

waf: Specifies the Web application firewall module.

keepalive: Enables fast log output of keepalive logs. After this keyword is specified, the device sends keepalive logs to the log host periodically. If the log host cannot receive the keepalive logs in a specific period of time, the log host determines that the device is down. Non-default vSystems do not support this parameter.

lb: Enables fast log output for a load balancing module. If you do not specify a load balancing module, this command enables fast log output for all load balancing-related modules.

dns-proxy: Specifies the transparent DNS proxy module.

gslb: Specifies the global server load balancing module.

inbound: Specifies the inbound link load balancing module.

outbound: Specifies the outbound link load balancing module.

slb: Specifies the server load balancing module.

nat: Enables fast log output in a specific format for the NAT module.

·     cmcc: Specifies the CMCC format.

·     telecom: Specifies the TELECOM format.

·     unicom: Specifies the UNICOM format.

with-vni: Carries VNI (VXLAN ID) information in NAT logs.

packet-filter: Enables fast output of packet matching logs for the packet filter, object policy, and security policy modules.

scd: Enables fast log output for the service connection detection module.

security-policy: Enables fast output of security policy configuration logs for the security policy module. Non-default vSystems do not support this parameter.

session: Enables fast log output for the session management module.

sgcc: Specifies the SGCC format for the specified type of logs. If you do not specify this keyword, the standard format is used for fast output of the logs. Non-default vSystems do not support this parameter.

trusted-access: Enables fast log output for the trusted access module.

·     csap: Specifies the CSAP trusted access module.

·     iam: Specifies the IAM trusted access module. If you specify this keyword without the authorization or notification keyword, this command enables fast output for all logs of the IAM trusted access module.

¡     authorization: Specifies the authorization logs.

¡     notification: Specifies the notification logs.

Usage guidelines

The fast log output feature enables fast output of logs to log hosts.

Typically, logs generated by a service module are first sent to the information center, which then outputs the logs to the specified destination (such as to log hosts). When fast log output is configured, logs of service modules are sent directly to log hosts instead of to the information center. Compared to outputting logs to the information center, fast log output saves system resources.

Fast log output, flow log, and information center are exclusive from one another. When the customlog format command is configured, the specified service module uses only the fast log output method. For more information about flow log, see "Configuring flow log." For more information about the information center, see "Configuring the information center."

You cannot specify both the standard format and SGCC format for IPS logs. If you configure both formats, the most recent specified format takes effect. However, you can configure either of the two formats and the CMCC format for IPS logs simultaneously.

To output logs of the NAT module to a log host, you must specify the log format required by the log host in the customlog format and customlog host commands. Logs of other modules can be output only in one format. You do not need to specify the format for these logs.

You can configure the device to carry VNI information in NAT logs only if you specify the TELECOM format. NAT logs that carry the VNI field use a new format different from the TELECOM format.

Examples

# Enable fast log output for the session management module.

<Sysname> system

[Sysname] customlog format session

customlog host

Use customlog host to configure fast log output parameters.

Use undo customlog host to remove the fast log output configuration.

Syntax

customlog host [ vpn-instance vpn-instance-name ] { hostname | ipv4-address | ipv6 ipv6-address } [ port port-number ] export { aft | attack-defense | cmcc-sessionlog | cmcc-userlog | cntm | dns | dpi [ anti-virus | audit | data-filter | file-filter | ips | netshare | reputation | sandbox | terminal | traffic-policy | url-filter | waf ] * | keepalive | lb [ dns-proxy | gslb | inbound | outbound | slb ] * | packet-filter | scd | security-policy | session | telecom-sessionlog | telecom-userlog | trusted-access { csap | iam [ authorization | notification ] } * | unicom-sessionlog | unicom-userlog } *

undo customlog host [ vpn-instance vpn-instance-name ] { hostname | ipv4-address | ipv6 ipv6-address } [ port port-number ]

Default

Fast log output parameters are not configured.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the log host belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the log host is on the public network, do not specify this option.

hostname: Specifies a log host by its name, a case-insensitive string of 1 to 253 characters. The host name can contain letters, digits, hyphens (-), underscores (_), and dots (.).

ipv4-address: Specifies a log host by its IPv4 address.

ipv6 ipv6-address: Specifies a log host by its IPv6 address.

port port-number: Specifies the port number of the log host. The value range is 1 to 65535, and the default is 514. The setting must be the same as the port number configured on the log host. Otherwise, the log host cannot receive logs.

export: Specifies a source module for fast log output.

aft: Outputs logs of the AFT module to the log host.

attack-defense: Outputs logs of the attack defense module to the log host.

cmcc-sessionlog: Outputs NAT session logs in CMCC format to the log host.

cmcc-userlog: Outputs NAT444 user logs in CMCC format to the log host.

dns: Outputs logs of the DNS module to the log host.

dpi: Outputs logs of a DPI-related module to the log host. If you specify the dpi keyword without a DPI module keyword, this command outputs logs of all the DPI-related modules to the log host.

anti-virus: Specifies the anti-virus module.

audit: Specifies the application audit and management module.

cntm: Specifies the content moderation module.

data-filter: Specifies the data filtering module.

file-filter: Specifies the file filtering module.

ips: Specifies the IPS module.

netshare: Specifies the netshare control module.

reputation: Specifies the IP reputation, domain reputation, and URL reputation modules.

sandbox: Specifies the sandbox module.

terminal: Specifies the terminal identification module.

traffic-policy: Specifies the bandwidth management module.

url-filter: Specifies the URL filtering module.

waf: Specifies the Web application firewall module.

keepalive: Outputs keepalive logs to the log host. Non-default vSystems do not support this parameter.

lb: Outputs logs of a load balancing module to the log host. If you do not specify a load balancing module, this command outputs logs of all load balancing modules to the log host.

·     dns-proxy: Specifies the transparent DNS proxy module.

·     gslb: Specifies the global load balancing module.

·     inbound: Specifies the inbound link load balancing module.

·     outbound: Specifies the outbound link load balancing module.

·     slb: Specifies the server load balancing module.

packet-filter: Outputs packtet matching logs of the packet filter, object policy, and security policy modules to the log host.

scd: Outputs logs of the server connection detection module to the log host.

security-policy: Outputs security policy configuration logs of the security policy module to the log host. Non-default vSystems do not support this parameter.

session: Outputs logs of the session management module to the log host.

telecom-sessionlog: Outputs NAT session logs in TELECOM format to the log host.

telecom-userlog: Outputs NAT444 user logs in TELECOM format to the log host.

 

unicom-sessionlog: Outputs NAT session logs in UNICOM format to the log host.

unicom-userlog: Outputs NAT444 user logs in UNICOM format to the log host.

trusted-access: Outputs logs of a trusted access module to the log host.

·     iam: Specifies the IAM trusted access module. If you specify this keyword without the authorization or notification keyword, this command outputs all logs of the IAM trusted access module to the log host.

¡     authorization: Specifies the authorization logs.

¡     notification: Specifies the event notification logs.

·     csap: Specifies the CSAP trusted access module.

Usage guidelines

The customlog host command takes effect only after the customlog format command is configured.

To output NAT logs to a log host, you must specify the log format required by the log host in the customlog format and customlog host commands.

You can specify a maximum of 10 log hosts for fast log output.

Examples

# Output logs of the session management module to the log host at 1.1.1.1.

<Sysname> system-view

[Sysname] customlog host 1.1.1.1 port 1000 export session

customlog host source

Use customlog host source to specify a source IP address for fast log output.

Use undo customlog host source to restore the default.

Syntax

customlog host source interface-type interface-number

undo customlog host source

Default

The source IP address of fast output logs is the primary IP address of the outgoing interface.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

interface-type interface-number: Specifies a source interface by its type and number. The interface's primary IP address will be used as the source IP address of fast output logs.

Usage guidelines

Configure this command when you need to filter logs according to their source IP addresses on the log host.

The customlog host source command takes effect only after the customlog format and customlog host commands are configured.

Examples

# Use the IP address of Loopback 0 as the source IP address of fast output logs.

<Sysname> system-view

[Sysname] interface loopback 0

[Sysname-LoopBack0] ip address 2.2.2.2 32

[Sysname-LoopBack0] quit

[Sysname] customlog host source loopback 0

customlog kafka-server

Use customlog kafka-server to enable output of fast logs to a Kafka server.

Use undo customlog kafka-server to disable output of fast logs to a Kafka server.

Syntax

customlog kafka-server server-name topic topic-name export dpi ips

undo customlog kafka-server server-name topic topic-name export

Default

Output of fast logs to a Kafka server is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

server-name: Specifies a name for the Kafka server, a case-sensitive string of 1 to 15 characters. The name must start with a letter.

topic topic-name: Specifies a topic for the logs output to the Kafka server, a case-sensitive string of 1 to 249 characters. The topic can contain letters, numbers, hyphens (-), and underscores (_).

export: Specifies the type of logs to be output to the Kafka server.

dpi: Specifies the DPI module.

ips: Specifies the IPS module.

Usage guidelines

Non-default vSystems do not support this command.

This command takes effect only when you have enabled fast log output for the corresponding modules using the customlog format command.

Examples

# Enable fast output of IPS logs to Kafka server ABC.

<Sysname> system-view

[Sysname] customlog kafka-server ABC topic TP1 export dpi ips

Related commands

kafka-server

customlog timestamp

Use customlog timestamp localtime to configure the timestamp of fast output logs to show the system time.

Use undo customlog timestamp localtime to restore the default.

Syntax

customlog timestamp localtime

undo customlog timestamp localtime

Default

The timestamp of fast output logs shows the Greenwich Mean Time (GMT).

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Examples

# Configure the timestamp of fast output logs to show the system time.

<Sysname> system-view

[Sysname] customlog timestamp localtime

customlog with-sn

Use customlog with-sn to configure the device to carry its serial number in fast output logs.

Use undo customlog with-sn to restore the default.

Syntax

customlog with-sn

undo customlog with-sn

Default

The device does not carry its serial number in fast output logs.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This feature enables a device to add a serial number (SN) field to fast output log messages, helping users to identify the devices that sent the log messages.

This feature is not applicable to fast output logs in TELECOM, CMCC, and UNICOM formats.

Examples

# Configure the device to carry its serial number in fast output logs.

<Sysname> system-view

[Sysname] customlog with-sn

kafka-server

Use kafka-server to create a Kafka server and enter its view, or enter the view of an existing Kafka server.

Use undo kafka-server to delete a Kafka server.

Syntax

kafka-server server-name

undo kafka-server server-name

Default

No Kafka server exists.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

server-name: Specifies a name for the Kafka server, a case-sensitive string of 1 to 15 characters. The hostname can contain letters, numbers, and underscores (_).

Usage guidelines

Non-default vSystems do not support this command.

A Kafka server is a server for receiving fast logs in Kafka format. When you have deployed a Kafka log server in the network, you can create a Kafka server on the device to send fast logs in Kafka format to the Kafka log server.

Examples

# Create a Kafka server named ABC.

<Sysname> system-view

[Sysname] kafka-server ABC

[Sysname- kafka-server-ABC]

Related commands

customlog kafka-server

vpn-instance

Use vpn-instance to associate a VPN instance with a Kafka server.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

A Kafka server is associated with the public network.

Views

Kafka server view

Predefined user roles

network-admin

context-admin

Parameters

vpn-instance-name: Specifies a VPN instance, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Non-default vSystems do not support this command.

Each Kafka server can be associated with only one VPN instance. If the VPN instance specified by this command does not exist, the Kafka server does not take effect. Once the VPN instance is created, the Kafka server takes effect.

Examples

# Associate VPN instance vpn1 with Kafka server ABC.

<Sysname> system-view

[Sysname] kafka-server ABC

[Sysname- kafka-server-ABC] vpn-instance vpn1

Related commands

kafka-server