Forwarding Log Files to an External Server
Log messages can be sent to an external Linux server and encrypted using TLS over TCP. Netvisor ONE supports only one external server for TCP-TLS export while the UDP syslog export can be done to more than one server.
Follow the steps below to configure exporting of logs to an external server:
- Enable SFTP import/export using the command below:
CLI (network-admin@Leaf1) > admin-sftp-modify enable
- Create the private key and the Certificate Signing Request (CSR) for the switch using the command syslog-tls-cert-request-create.
syslog-tls-cert-request-create | This command creates a certificate request for the TLS connection.
country country-string | Specify the contact address starting with the country code.
state state-string | Specify the state or province.
city city-string | Specify the city.
organization organization-string | Specify the organization.
organizational-unit organizational-unit-string | Specify the organizational unit.
common-name common-name-string | Specify the common name. This name must match the switch hostname.
For example:
CLI (network-admin@Leaf1) > syslog-tls-cert-request-create country US state CA city Palo Alto organization QA organizational-unit engineering common-name Leaf1
This command creates a Certificate Signing Request (CSR) and places it in the directory /sftp/export used by Netvisor ONE. You must get the CSR signed by the Certificate Authority (CA) and import the ca.pem and server-cert.pem files to Netvisor ONE.
- To import the signed certificate and CA root certificate files, you must upload the my-cert.pem and the ca.pem files to /sftp/import directory in Netvisor ONE and run the following command:
CLI (network-admin@Leaf1) > syslog-tls-cert-import file-ca ca.pem file-cert my-cert.pem
syslog-tls-cert-import | Import certificates from the /sftp/import directory. Specify the following options:
file-ca file-ca-string | Name of the CA certificate file.
file-cert file-cert-string | Name of the switch certificate file (signed by the CA).
- To enable TLS-TCP logging export, use the following syntax:
CLI (network-admin@Leaf1) > admin-syslog-create name audit-logs scope local host 172.16.21.33 transport tcp-tls port 10514
This command can be executed anywhere in the sequence.
- To display and verify the syslog export configuration, use the admin-syslog-show command:
CLI (network-admin@leo-ext-23) > admin-syslog-show layout vertical
switch: leo-ext-23
name: audit-logs
scope: local
host: 172.16.21.33
port: 10514
transport: tcp-tls
message-format: legacy
export-container-logs: off
export-os-logs: off
To display alert messages related to syslog export, use the command log-alert-show. This command displays events such as a disruption in connection to the syslog TLS server and the restoration of the connection. For example:
CLI (network-admin@switch1) > log-alert-show
time: 07:31:32
switch: switch1
code: 20006
name: syslog_tls_server_down
count: 1
last-message: tcp-tls connection to syslog server=MYTLS down. Logs are not getting exported
time: 07:32:50
switch: switch1
code: 20007
name: syslog_tls_server_down
count: 1
last-message: tcp-tls connection to syslog server=MYTLS restored. Log export is operational
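The two outputs above are what an operator would poll to confirm that log export stays encrypted and to measure how long a TLS outage left logs unexported. The following parser is an added example, not Netvisor ONE code; the sample outputs are constructed from the records shown on this page, and the code assumes the `layout vertical` format of repeated `key: value` blocks.

```python
# Parse Netvisor ONE "layout vertical" CLI output (constructed samples below, taken
# from the admin-syslog-show and log-alert-show records on this page).
ADMIN_SYSLOG_SHOW = """\
switch: leo-ext-23
name: audit-logs
host: 172.16.21.33
port: 10514
transport: tcp-tls
"""

LOG_ALERT_SHOW = """\
time: 07:31:32
code: 20006
name: syslog_tls_server_down
last-message: tcp-tls connection to syslog server=MYTLS down. Logs are not getting exported
time: 07:32:50
code: 20007
name: syslog_tls_server_down
last-message: tcp-tls connection to syslog server=MYTLS restored. Log export is operational
"""

def parse_vertical(text):
    """Turn 'key: value' lines into a list of dicts; a repeated first key starts a new record."""
    records, current, first_key = [], {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        first_key = first_key or key
        if key == first_key and current:   # the next record begins here
            records.append(current)
            current = {}
        current[key] = value
    return records + [current] if current else records

def unencrypted_exports(show_output):
    """Names of syslog export entries whose transport is not tcp-tls (e.g. plain UDP)."""
    return [r["name"] for r in parse_vertical(show_output) if r.get("transport") != "tcp-tls"]

def export_gaps(alert_output):
    """Pair each TLS 'down' alert (code 20006) with the next 'restored' alert (code 20007).
    Returns (down_time, restored_time) tuples; an unresolved outage ends with None."""
    gaps, open_start = [], None
    for rec in parse_vertical(alert_output):
        if rec.get("code") == "20006" and open_start is None:
            open_start = rec["time"]
        elif rec.get("code") == "20007" and open_start is not None:
            gaps.append((open_start, rec["time"]))
            open_start = None
    if open_start is not None:
        gaps.append((open_start, None))
    return gaps
```

Any window returned by `export_gaps` is a period whose logs exist only on the switch, so it should be reconciled against the collector after the connection is restored.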
Related Commands
- syslog-tls-cert-clear
Use this command to delete imported certificates.
For example:
CLI (network-admin@switch1) > syslog-tls-cert-clear
Successfully deleted all certificate files.
- syslog-tls-cert-info-show
Use this command to display certificate information.
syslog-tls-cert-info-show | Display the certificate information. Specify any of the following options:
cert-type ca|intermediate|server | Specify one of the options as the certificate type.
subject subject-string | Specify the subject of the certificate.
issuer issuer-string | Specify the issuer of the certificate.
serial-number serial-number | Specify the serial number of the certificate.
valid-from valid-from-string | Specify the time from which the certificate is valid.
valid-to valid-to-string | Specify the time at which the certificate expires and is no longer valid.
For example:
CLI (network-admin@switch1) > syslog-tls-cert-info-show
switch: switch1
cert-type: server
subject: /C=US/ST=CA/L=PA/O=Eng/OU=TT/CN=switch1.pluribusnetworks.com
issuer: /C=US/ST=CA/L=PA/O=Eng/OU=TT/CN=switch1.pluribusnetworks.com
serial-number: 1
valid-from: Oct 20 09:06:02 2016 GMT
valid-to: Oct 20 09:06:02 2017 GMT
- The syslog-tls-cert-show command displays the syslog TLS import certificate configuration.
syslog-tls-cert-show | Displays the certificate information. Specify any of the following options:
file-ca file-ca-string | Specify the name of the CA certificate file.
file-cert file-cert-string | Specify the name of the switch certificate file (signed by the CA).
cert-ca cert-ca-string | Specify the CA certificate.
cert-switch cert-switch-string | Specify the switch certificate.
For example:
CLI (network-admin@switch1) > syslog-tls-cert-show
file-ca file-cert
------- -----------
ca.pem my-cert.pem