Forwarding Log Files to an External Server


Log messages can be exported to an external Linux server over TCP, encrypted with TLS. Netvisor ONE supports only one external server for TCP-TLS export, while UDP syslog export can target more than one server.


Follow the steps below to configure exporting of logs to an external server:


  • Enable SFTP import/export using the command below:


CLI (network-admin@Leaf1) > admin-sftp-modify enable


  • Create the private key and the Certificate Signing Request (CSR) for the switch using the command syslog-tls-cert-request-create.


syslog-tls-cert-request-create

This command creates a certificate request for the TLS connection.

country country-string

Specify the country code of the certificate subject (the C field of the CSR).

state state-string

Specify the state or province.

city city-string

Specify the city.

organization organization-string

Specify the organization.

organizational-unit organizational-unit-string

Specify the organizational unit.

common-name common-name-string

Specify the common name. This name must match the switch hostname.


For example:


CLI (network-admin@Leaf1) > syslog-tls-cert-request-create country US state CA city Palo Alto organization QA organizational-unit engineering common-name Leaf1


This command creates a Certificate Signing Request (CSR) and places it in the /sftp/export directory of Netvisor ONE. You must have the CSR signed by your Certificate Authority (CA) and then import the CA certificate (ca.pem) and the signed switch certificate (server-cert.pem) into Netvisor ONE.
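The CA-side signing and the pre-import checks for the step above, as an added shell example that is not part of the Netvisor ONE documentation: it uses openssl with a constructed test CA and a constructed stand-in CSR (the real CSR is the one the switch writes to /sftp/export), signs it as the CA, and verifies that the resulting my-cert.pem chains to ca.pem, is not expired, and carries the switch hostname (Leaf1) as its common name before the two files are uploaded to /sftp/import.

```shell
#!/bin/sh
# Constructed example: act as the CA for the switch CSR, then verify the result
# before uploading ca.pem and my-cert.pem to /sftp/import on the switch.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Assumed: a private test CA. In production, use your organization's CA instead.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/ST=CA/L=Palo Alto/O=QA/OU=security/CN=Lab Syslog CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
}

# Constructed stand-in for the CSR the switch writes to /sftp/export
# (syslog-tls-cert-request-create); the real private key never leaves the switch.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=CA/L=Palo Alto/O=QA/OU=engineering/CN=$1" \
    -keyout switch.key -out switch.csr 2>/dev/null
}

# Sign the CSR as the CA; the output name matches the import step (my-cert.pem).
sign_csr() {
  openssl x509 -req -in switch.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -out my-cert.pem 2>/dev/null
}

# Checks to run before importing: the certificate chains to ca.pem, it is not
# already expired, and its subject CN equals the switch hostname (argument 1).
verify_cert() {
  openssl verify -CAfile ca.pem my-cert.pem >/dev/null 2>&1 || return 1
  openssl x509 -in my-cert.pem -noout -checkend 0 >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in my-cert.pem -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$1" ]
}

make_ca
make_csr Leaf1
sign_csr
verify_cert Leaf1 && echo "my-cert.pem validates against ca.pem for CN=Leaf1"
```

In production, sign the CSR downloaded from /sftp/export rather than the constructed one, and keep ca.key on the CA host only.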


  • To import the signed certificate and the CA root certificate, upload the my-cert.pem and ca.pem files to the /sftp/import directory on Netvisor ONE and run the following command:


CLI (network-admin@Leaf1) > syslog-tls-cert-import file-ca ca.pem file-cert my-cert.pem


syslog-tls-cert-import

Import certificates from the /sftp/import directory.

Specify the following options:


file-ca file-ca-string

Name of the CA certificate file.

file-cert file-cert-string

Name of the switch certificate file (signed by the CA).


  • To enable TLS-TCP logging export, use the following syntax:


CLI (network-admin@Leaf1) > admin-syslog-create name audit-logs scope local host 172.16.21.33 transport tcp-tls port 10514


This command can be run at any point in the sequence.


  • To display and verify the syslog export configuration, use the admin-syslog-show command:


CLI (network-admin@leo-ext-23) > admin-syslog-show layout vertical

switch:                leo-ext-23

name:                  audit-logs

scope:                 local

host:                  172.16.21.33

port:                  10514

transport:             tcp-tls

message-format:        legacy

export-container-logs: off

export-os-logs:        off


To display alert messages related to syslog export, use the command log-alert-show. This command displays events such as a disruption in connection to the syslog TLS server and the restoration of the connection. For example:


CLI (network-admin@switch1) > log-alert-show

time:         07:31:32

switch:       switch1

code:         20006

name:         syslog_tls_server_down

count:        1

last-message: tcp-tls connection to syslog server=MYTLS down. Logs are not getting exported

time:         07:32:50

switch:       switch1

code:         20007

name:         syslog_tls_server_down

count:        1

last-message: tcp-tls connection to syslog server=MYTLS restored. Log export is operational


Related Commands


  • syslog-tls-cert-clear


Use this command to delete imported certificates.


For example:

CLI (network-admin@switch1) > syslog-tls-cert-clear

Successfully deleted all certificate files.


  • syslog-tls-cert-info-show


Use this command to display certificate information.


syslog-tls-cert-info-show

Display the certificate information.

Specify any of the following options:


cert-type ca|intermediate|server

Specify one of the listed values as the certificate type.

subject subject-string

Specify the subject of the certificate.

issuer issuer-string

Specify the issuer of the certificate.

serial-number serial-number

Specify the serial number of the certificate.

valid-from valid-from-string

Specify the time from which the certificate is valid.

valid-to valid-to-string

Specify the time at which the certificate expires and is no longer valid.


For example:


CLI (network-admin@switch1) > syslog-tls-cert-info-show

switch:        switch1

cert-type:     server

subject:       /C=US/ST=CA/L=PA/O=Eng/OU=TT/CN=switch1.pluribusnetworks.com

issuer:        /C=US/ST=CA/L=PA/O=Eng/OU=TT/CN=switch1.pluribusnetworks.com

serial-number: 1

valid-from:    Oct 20 09:06:02 2016 GMT

valid-to:      Oct 20 09:06:02 2017 GMT


  • The syslog-tls-cert-show command displays the syslog TLS import certificate configuration.


syslog-tls-cert-show

Displays the certificate information.

Specify any of the following options:


file-ca file-ca-string

Specify the name of the CA certificate file.

file-cert file-cert-string

Specify the name of the switch certificate file (signed by the CA).

cert-ca cert-ca-string

Specify the CA certificate.

cert-switch cert-switch-string

Specify the switch certificate.


For example:


CLI (network-admin@switch1) > syslog-tls-cert-show

file-ca file-cert

------- -----------

ca.pem  my-cert.pem

