For feedback and comments: |
documentation.feedback@alcatel-lucent.com |
Event logging controls the generation, dissemination and recording of system events for monitoring status and troubleshooting faults within the system. The OS groups events into three major categories or event sources:Event control assigns the severity for each application event and whether the event should be generated or suppressed. The severity numbers and severity names supported in the OS conform to ITU standards M.3100 X.733 & X.21 and are listed in Table 39.
Table 39: Event Severity Levels Both event logs and accounting logs use a common mechanism for referencing a log destination. routers support the following log destinations:
•
•
• A file destination is the only type of log destination that can be configured for an accounting log.Log files can be used by both event logs and accounting logs and are stored on the compact flash devices (specifically cf1: or cf2:) in the file system. It is recommended that event and accounting logs not be configured on the cf3: device that is used for software images and bootup configuration.The retention time for a log file specifies the amount of time the file should be retained on the system based on the creation date and time of the file.Event log files are always created in the \log directory on the specified compact flash device. The naming convention for event log files is:ee is the event log IDff is the log file destination IDyyyy is the four-digit year (for example, 2007)mm is the two digit number representing the month (for example, 12 for December)dd is the two digit number representing the day of the month (for example, 03 for the 3rd of the month)hh is the two digit hour in a 24-hour clock (for example, 04 for 4 a.m.)mm is the two digit minute (for example, 30 for 30 minutes past the hour)ss is the two digit second (for example, 14 for 14)Accounting log files are created in the \act-collect directory on a compact flash device (specifically cf1 or cf2). The naming convention for accounting log files is nearly the same as for log files except the prefix act is used instead of the prefix log. The naming convention for accounting logs is:act aaff-timestamp.xml.gzaa is the accounting policy IDff is the log file destination IDyyyy is the four-digit year (for example, 2007)mm is the two digit number representing the month (for example, 12 for December)dd is the two digit number representing the day of the month (for example, 03 for the 3rd of the month)hh is the two digit hour in a 24-hour clock (for example, 04 for 4 a.m.)mm is the two digit minute (for example, 30 for 30 minutes past the hour)ss is the two digit second (for example, 14 for 14 seconds)The \act-collect directory is where active accounting logs are written. When an accounting log is rolled over, the active file is closed and archived in the \act directory before a new active accounting log file created in \act-collect.For SNMP traps that will be sent out-of-band through the Management Ethernet port on the SF/CPM, the source IP address of the trap is the IP interface address defined on the Management Ethernet port. For SNMP traps that will be sent in-band, the source IP address of the trap is the system IP address of the router.Because syslog uses eight severity levels whereas the router uses six internal severity levels, the severity levels are mapped to syslog severities. Table 40 displays the severity level mappings to syslog severities.
Table 40: Router to Syslog Severity Level Mappings HEADER is MMM DD HH:MM:SS <source IP addr>log-prefix is an optional 32 characters of text as configured in the log-prefix command. A ‘:’ will not appear at this point in the message if no log-prefix is configured.<PRI> (the ‘<’ and ‘>’ are included in the syslog message) is the configured facility*8+severity (as described in the System Management Guide and RFC3164)router-name is vprn1, vprn2, … | Base | management | vpls-managementsubject may be empty resulting in []:Figure 12 depicts a function block diagram of event logging.Figure 12: Event Logging Block DiagramExamples of applications within the system include IP, MPLS, OSPF, CLI, services, etc. The following example displays a partial sample of the show log applications command output which displays all applications.*A:ALA-48# show log applications==================================Log Event Application Names==================================Application Name----------------------------------...
BGPCCAGCFLOWDCHASSIS...
MPLSMSDPNTP...
TODUSERVRRPVRTR==================================*A:ALA-48#Simple event throttling is another method of event control and is configured similarly to the generation and suppression options. See Simple Logger Event Throttling .The log manager uses event filter policies to allow fine control over which events are forwarded or dropped based on various criteria. Like other policies with the 7750 SR, filter policies have a default action. The default actions are either:
•
•
Table 41: Valid Filter Policy Operators nnnn YYYY/MM/DD HH:MM:SS.SS <severity>:<application> # <event_id> <router-name> <subject> <message>475 2006/11/27 00:19:40.38 WARNING: SNMP #2007 Base 1/1/1"interface 1/1/1 came up"
Table 42: Log Entry Field Descriptions YYYY — YearMM — MonthDD — Date HH — Hours (24 hour format)MM — MinutesSS.SS — Seconds CLEARED — A cleared event (severity number 1).INFO — An indeterminate/informational severity event (severity level 2).CRITICAL — A critical severity event (severity level 3).MAJOR — A major severity event (severity level 4).MINOR — A minor severity event (severity level 5).WARNING — A warning severity event (severity 6). Simple event throttling provides a mechanism to protect event receivers from being overloaded when a scenario causes many events to be generated in a very short period of time. A throttling rate, # events/# seconds, can be configured. Specific event types can be configured to be throttled. Once the throttling event limit is exceeded in a throttling interval, any further events of that type cause the dropped events counter to be incremented. Dropped events counts are displayed by the show>log>event-control context. Events are dropped before being sent to one of the logger event collector tasks. There is no record of the details of the dropped events and therefore no way to retrieve event history data lost by this throttling method.Throttle rate applies commonly to all event types. It is not configurable for a specific event-type.ALA-1>config>log# info detail#------------------------------------------echo "Log Configuration "#------------------------------------------...snmp-trap-group 7exit...log-id 99description "Default system log"no filterfrom mainto memory 500no shutdownexit----------------------------------------------ALA-1>config>log#Figure 13: EHS Object RelationshipsWhen a log event is generated in SR OS it will be subject to discard via suppression and throttling (config>log>event-control) before it is evaluated as a trigger for EHS:
• EHS will trigger on log events that are dropped by user configured log filters that are assigned to individual logs (config>log>filter). The EHS event trigger logic occurs before the distribution of log event streams into individual logs.Before an accounting policy can be created a target log file must be created to collect the accounting records. The files are stored in system memory on compact flash (cf1: or cf2:) in a compressed (tar) XML format and can be retrieved using FTP or SCP.The record name, sub-record types, and default collection period for service and network accounting policies are shown below. Table 45, Table 46, and Table 47 provide field descriptions.
Refer to the Application Assurance Statistics Fields Generated per Record table in the 7750 SR-Series OS Integrated Services Adapter Guide for fields names for Application Assurance records.
Table 44: Accounting Record Name Details (***) If override counters on the HSMDA are configured (see the 7750 SR Quality of Service Guide).
Table 45: Policer Stats Field Descriptions
Table 46: Queue Group Record Types
Table 47: Queue Group Record Type Fields When a policy has been created and applied to a service or network port, the accounting file is stored on the compact flash in a compressed XML file format. The router creates two directories on the compact flash to store the files. The following output displays a directory named act-collect that holds accounting files that are open and actively collecting statistics. The directory named act stores the files that have been closed and are awaiting retrieval.ALA-1>file cf1:\# dir act*12/19/2006 06:08a <DIR> act-collect12/19/2006 06:08a <DIR> actALA-1>file cf1:\act-collect\ # dir
Directory of cf1:\act-collect#12/23/2006 01:46a <DIR> .12/23/2006 12:47a <DIR> ..12/23/2006 01:46a 112 act1111-20031223-014658.xml.gz12/23/2006 01:38a 197 act1212-20031223-013800.xml.gzAccounting files always have the prefix act followed by the accounting policy ID, log ID and timestamp. The accounting log file naming and log file destination properties like rollover and retention are discussed in more detail in Log Files .XML Accounting Files for Service and ESM-Based AccountingThe custom-record command in the config>subscr-mgmt>radius-accounting-policy context provide the flexibility to include individual counters in RADIUS accounting messages. See the CLI tree for commands and syntax.This concept is applicable to all methods used for gathering accounting information, such as an XML file and RADIUS, as well as to all applications using accounting, such as service-acct, ESM-acct, and Application Assurance.Specific to RADIUS accounting the significant-change command does not affect ACCT-STOP messages. ACCT-STOP messages will be always sent, regardless the amount of change of the corresponding host.
•
•
• Accounting policies must be configured in the config>log context before they can be applied to a service SAP or service interface, or applied to a network port.
•