Forwarding Log Files to an External Server

Log messages can be sent to an external Linux server, encrypted using TLS over TCP. NetVisor OS supports only one external server for TCP-TLS export, whereas UDP syslog export can target more than one server.

Follow the steps below to configure exporting of logs to an external server:

  • Enable SFTP import/export using the command below:

CLI (network-admin@Leaf1) > admin-sftp-modify enable


  • Create the private key and the Certificate Signing Request (CSR) for the switch using the command syslog-tls-cert-request-create.


This command creates a certificate request for the TLS connection.

country country-string

Specify the contact address starting with the country code.

state state-string

Specify the state or province.

city city-string

Specify the city.

organization organization-string

Specify the organization.

organizational-unit organizational-unit-string

Specify the organizational unit.

common-name common-name-string

Specify the common name. This name must match the switch hostname.

For example:

CLI (network-admin@Leaf1) > syslog-tls-cert-request-create country US state CA city Palo Alto organization QA organizational-unit engineering common-name Leaf1


This command creates a Certificate Signing Request (CSR) and places it in the directory /sftp/export used by NetVisor OS. You must get the CSR signed by the Certificate Authority (CA) and import the ca.pem and server-cert.pem files to NetVisor OS. 

  • To import the signed certificate and CA root certificate files, you must upload the my-cert.pem and the ca.pem files to the /sftp/import directory in NetVisor OS and run the following command:

CLI (network-admin@Leaf1) > syslog-tls-cert-import file-ca ca.pem file-cert my-cert.pem


Import certificates from the /sftp/import directory.

Specify the following options:

file-ca file-ca-string

Name of the CA certificate file.

file-cert file-cert-string

Name of the switch certificate file (signed by the CA).


  • To enable TLS-TCP logging export, use the following syntax:


CLI (network-admin@Leaf1) > admin-syslog-create name audit-logs scope local host transport tcp-tls port 10514

This command can be executed anywhere in the sequence.


  • To display and verify the syslog export configuration, use the admin-syslog-show command:


CLI (network-admin@leo-ext-23) > admin-syslog-show layout vertical

switch:                leo-ext-23

name:                  audit-logs

scope:                 local


port:                  10514

transport:             tcp-tls

message-format:        legacy

export-container-logs: off

export-os-logs:        off

To display alert messages related to syslog export, use the command log-alert-show. This command displays events such as a disruption in connection to the syslog TLS server and the restoration of the connection. For example:

CLI (network-admin@switch1) > log-alert-show

time:         07:31:32

switch:       switch1

code:         20006

name:         syslog_tls_server_down

count:        1

last-message: tcp-tls connection to syslog server=MYTLS down. Logs are not getting exported

time:         07:32:50

switch:       switch1

code:         20007

name:         syslog_tls_server_down

count:        1

last-message: tcp-tls connection to syslog server=MYTLS restored. Log export is operational
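A silent gap in log export is itself a security-relevant event, so the alerts above are worth tracking on the monitoring side. The following is an added example (not NetVisor OS or vendor code) that parses saved log-alert-show output and reports closed and still-open export outages; it keys on the code field because both sample records carry the same name, and it assumes the output has no date, so a restore time earlier than the down time is treated as crossing midnight.

```python
import re
from datetime import datetime, timedelta

DOWN, RESTORED = "20006", "20007"  # alert codes as shown in the sample output above

# Constructed sample in the vertical layout of log-alert-show (not captured from a switch).
REC_TEMPLATE = ("time:         {}\nswitch:       switch1\ncode:         {}\n"
                "name:         syslog_tls_server_down\ncount:        1\n"
                "last-message: tcp-tls connection to syslog server=MYTLS {}\n")
SAMPLE = (REC_TEMPLATE.format("07:31:32", DOWN, "down. Logs are not getting exported")
          + REC_TEMPLATE.format("07:32:50", RESTORED, "restored. Log export is operational")
          + REC_TEMPLATE.format("09:15:04", DOWN, "down. Logs are not getting exported"))


def parse_records(text):
    """Split vertical-layout output into dicts; each 'time' field starts a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key:
            continue
        if key == "time":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def export_gaps(text):
    """Return (closed_gaps, still_down) per (switch, server), keyed on the alert code."""
    open_since, gaps = {}, []
    for rec in parse_records(text):
        server = re.search(r"server=(\S+)", rec.get("last-message", ""))
        if not server or rec.get("code") not in (DOWN, RESTORED):
            continue
        key = (rec.get("switch"), server.group(1))
        when = datetime.strptime(rec["time"], "%H:%M:%S")
        if rec["code"] == DOWN:
            open_since.setdefault(key, when)  # keep the first unanswered 'down'
        elif key in open_since:
            start = open_since.pop(key)
            if when < start:  # assumption: no date in the output, so this is past midnight
                when += timedelta(days=1)
            gaps.append((key, start.strftime("%H:%M:%S"), rec["time"],
                         int((when - start).total_seconds())))
    return gaps, {k: v.strftime("%H:%M:%S") for k, v in open_since.items()}


if __name__ == "__main__":
    print(export_gaps(SAMPLE))
```

Any entry in the second return value is a server that went down and has not reported a restore, which is the condition to alert on.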

Related Commands


  • syslog-tls-cert-clear

Use this command to delete imported certificates.

For example:

CLI (network-admin@switch1) > syslog-tls-cert-clear

Successfully deleted all certificate files.

  • syslog-tls-cert-info-show

Use this command to display certificate information.


Display the certificate information.

Specify any of the following options:

cert-type ca|intermediate|server

Specify one of the options as the certificate type.

subject subject-string

Specify the subject of the certificate.

issuer issuer-string

Specify the issuer of the certificate.

serial-number serial-number

Specify the serial number of the certificate.

valid-from valid-from-string

Specify the time from which the certificate is valid.

valid-to valid-to-string

Specify the time at which the certificate expires and is no longer valid.

For example:

CLI (network-admin@switch1) > syslog-tls-cert-info-show

switch:        switch1

cert-type:     server

subject:       /C=US/ST=CA/L=PA/O=Eng/OU=TT/

issuer:        /C=US/ST=CA/L=PA/O=Eng/OU=TT/

serial-number: 1

valid-from:    Oct 20 09:06:02 2016 GMT

valid-to:      Oct 20 09:06:02 2017 GMT

  • The syslog-tls-cert-show command displays the syslog TLS import certificate configuration.


Displays the certificate information.

Specify any of the following options:

file-ca file-ca-string

Specify the name of the CA certificate file.

file-cert file-cert-string

Specify the name of the switch certificate file (signed by the CA).

cert-ca cert-ca-string

Specify the CA certificate.

cert-switch cert-switch-string

Specify the switch certificate.

For example:

CLI (network-admin@switch1) > syslog-tls-cert-show

file-ca file-cert

------- -----------

ca.pem  my-cert.pem
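The syslog-tls-cert-info-show output shown earlier can be checked against the requirements of the procedure: a CA-signed server certificate, a common name matching the switch hostname, and a current validity window. The following is an added example (not NetVisor OS or vendor code); the finding labels and the 30-day warning threshold are choices made here, and it assumes the switch field holds the hostname and that subject values contain no "/".

```python
from datetime import datetime, timezone

# The example output shown on this page for syslog-tls-cert-info-show.
SAMPLE = """\
switch:        switch1
cert-type:     server
subject:       /C=US/ST=CA/L=PA/O=Eng/OU=TT/
issuer:        /C=US/ST=CA/L=PA/O=Eng/OU=TT/
serial-number: 1
valid-from:    Oct 20 09:06:02 2016 GMT
valid-to:      Oct 20 09:06:02 2017 GMT
"""


def parse_dn(dn):
    """Turn '/C=US/O=Eng/' into {'C': 'US', 'O': 'Eng'} (assumes no '/' inside values)."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def parse_time(value):
    """Parse the 'Oct 20 09:06:02 2016 GMT' form (English month names) as UTC."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def audit_cert(text, now, warn_days=30):
    """Return a list of findings for one certificate record; empty means no issue found."""
    pairs = (line.partition(":") for line in text.splitlines())
    rec = {key.strip(): value.strip() for key, _, value in pairs if value}
    findings = []
    not_before, not_after = parse_time(rec["valid-from"]), parse_time(rec["valid-to"])
    if now < not_before:
        findings.append("not-yet-valid")
    if now >= not_after:
        findings.append("expired")
    elif (not_after - now).days < warn_days:
        findings.append("expires-soon")
    if rec["cert-type"] == "server":
        if rec["subject"] == rec["issuer"]:
            findings.append("self-issued")  # subject equals issuer: not signed by a separate CA
        cn = parse_dn(rec["subject"]).get("CN")
        if cn is None:
            findings.append("no-common-name")
        elif cn.lower() != rec["switch"].lower():
            findings.append("common-name-mismatch")
    return findings


if __name__ == "__main__":
    print(audit_cert(SAMPLE, datetime.now(timezone.utc)))
```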