Download the PDF 

Using Syslog with OLAN

Introduction 

This document will outline the uses of Syslog and how to configure the Tellabs OLAN system to output system events to syslog collectors. Syslog is supported on both the OLT and Panorama PON EMS.

Applies To 

• All OLT and EMS release SR29 and above for OLT Syslog.
• All EMS release SR31.3 and above for EMS Syslog.

Document Number 

ENG-010555

Document Revision History 

This section describes changes to this document:

What is Syslog? 

Syslog is a standard interface for message logging from software applications. The standardized interface allows system administrators to collect the informational and error logging from multiple systems and collect it into a single display.

The basic syslog architecture typically consists of a Syslog Originator, Syslog Collector, and optionally a Syslog Relay or Syslog Analyzer/Reporter.

• Syslog Originator – A system such as a computer, switch, router, or application which needs to log messages.
• Syslog Collector – A system which receives syslog messages from one or more syslog originators which at a minimum will log the messages to disk and possibly display them.
• Syslog Analyzer/Reporter – A system which is typically co-located with the Syslog Collector and provides various functions.
• Syslog Filtering – The ability to filter syslog messages by data contained within syslog messages. This allows the user to search for specific messages, or only messages from specific machines or time periods for use in troubleshooting.
• Syslog Reporting – The ability to generate reports from syslog data for use in analysis of the network or reporting on network health.
• Exporting of Data – Often tools can export data to a format usable by databases or spreadsheets.
• Email Hooks – Many tools have email hooks so that upon the reception of specific syslog messages, the system administrator can be immediately informed. This is very useful for proactive monitoring of the system.

The capability to aggregate logs from many devices into a single interface allows for many benefits when a good syslog server is deployed. Some of the benefits are:

• All failures/errors for the entire network or managed domain are collected in a single server.
• Failures can be more easily analyzed and correlated with failures on other systems for troubleshooting.
• Easier to see overall network health rather than looking at individual systems.

Once the fault or event has been analyzed, it can be then further analyzed by consulting the management system for the device which emitted the syslog message.

Anatomy of a Syslog Message 

While some of the basic parts of a syslog message are standardized, there is a great deal of variance in the specifics of the messages. This section will give a basic understanding of the format of a syslog message on Tellabs OLAN systems.

Fields of a Syslog Message:

• RTY
  • Date - Date of when the message was emitted.
• Time - Time when the message was emitted.
• Priority - Consists of two fields:
  • Facility - The subsystem which emitted the event. These were originally defined for unix systems. Olan like many systems reports all of its events by default on the local use 7 facility type or the security/authorization 4 facility.
    • 0             kernel messages
    • 1             user-level messages
    • 2             mail system
    • 3             system daemons
    • 4             security/authorization messages
    • 5             messages generated internally by syslogd
    • 6             line printer subsystem
    • 7             network news subsystem
    • 8             UUCP subsystem
    • 9             clock daemon
    • 10            security/authorization messages
    • 11            FTP daemon
    • 12            NTP subsystem
    • 13            log audit
    • 14            log alert
    • 15            clock daemon
    • 16            local use 0  (local0)
    • 17            local use 1  (local1)
    • 18            local use 2  (local2)
    • 19            local use 3  (local3)
    • 20            local use 4  (local4)
    • 21            local use 5  (local5)
    • 22            local use 6  (local6)
    • 23            local use 7  (local7) – Default facility for OLAN
  • Level - The severity level of the message.
    • 0 Emergency - System is unusable.
    • 1 Alert - Action must be taken immediately.
    • 2 Critical - Critical condition.
    • 3 Error - Error condition.
    • 4 Warning - Warning condition.
    • 5 Notice - normal but significant condition.
    • 6 Informational - Informational event, typically no an error, but just to log occurrences of events.
    • 7 Debug - Information logged to aid in later troubleshooting if an error does arise.
• Hostname / IP - Which system the event came from.
• Message - The body of the syslog message.

  CORP-1150 olan - 030002 - BOM %PROV-INFO-PROV UserID=emsuser From=172.28.224.15:1632 Command=setNACProfile Action=edit Object=PROFILE-NAC-GW-QoS-if02-p4-sv102-nv702

  The syslog message body in OLAN is a structured set of fields which are defined as follows:

  • Hostname – Gives the hostname of the OLT that emitted the message, in the example above CORP-1150.
  • Application Name – The name of the application which emitted the event. Will always be olan for Tellabs OLTs.
  • MSGID - Gives a numerical identifier for the type of message. In this example, it is 30002. This allows reporters and analyzers of syslog messages to have an easy way to filter messages. Later in this document, the MSGIDs for OLAN will be identified.
  • BOM - Standard field for syslog indicating Beginning Of Message body.
  • Structured Data - A set of structured fields which can be parsed. In this example: %PROV-INFO-PROV, which is of the form: CLASS-SEVERITY-EVENT.
    • CLASS - The class or type of event which has occurred. PROV in this example indicates it was a provisioning or configuration change.
      • AUTH - Authentication related events, login, logout, etc. Certificate related information will be displayed here if not already covered by an EVNT which goes to the EMS.
      • ALRM - Reporting of an Alarm Set or Clear
      • ACL - Reporting of an ACL violation
      • CLI - Reporting of changes initiated by CLI commands on the NE.
      • DEBUG - Capability to turn on debug logs and have them sent to syslog for debugging of specific issues. Those are logged to syslog with debug.
      • DNLD - Reporting of download and commanded switch events.
      • EVNT - Reporting of an Event message equivalent to the EMS event reports.
      • EXCPT - Messages that appear in the Exception log on the OLT. Those are typically high priority failures.
      • HTTP - Reporting of HTTP file transfer events.
      • INFO - Additional information items.
      • PROV - Reporting of a Provisioning change from the EMS.
      • PLATFM - Reporting of platform events, plug in, plug out, etc. Card reboots, startups, etc.
      • RADIUS - Reporting of events related to Radius.
      • SNMP - Reporting of events related to an SNMP agent.
      • SWITCH - Switching error/debug messages.
      • VOIP - Reporting of significant voice events.
    • SEVERITY - The message severity and it correlates with those defined for syslog (EMER/ALERT/CRIT/ERROR/WARN/NOTICE/INFO/DEBUG)
    • EVENT – If further classification can be given, the event field will further classify the event.
  • UserID – If the event involved a user action, the user id will be given. If the change was initiated by the EMS the userID will be EMS and the EMS log will have to be consulted to get the specific user.
  • From – If the event involved a change from a remote entity the IP address of the user session or EMS will be given.

Logging of Provisioning Changes 

Provisioning changes will all be logged using the %PROV-INFO-PROV structured data field.

  %PROV-INFO-PROV UserID=emsuser From=172.28.224.15:1632 Command=setNACProfile Action=edit Object=PROFILE-NAC-GW-QoS-if02-p4-sv102-nv702

• Command – This will indicate the provisioning command that was initiated, in this case setting of a NAC Profile.
• Action – Edit/Create/Delete, indicates whether the object was created, edited, or deleted.
• Object – Identification of the specific object that was modified. In the case of most changes it will be the name of a profile.

Logging of Alarms 

All alarms from the OLAN system are forwarded to syslog and so can be used to trigger emails or other notifications supported by the syslog server for automated dispatch on system failures.

A typical alarm is in the form of:

Where:

• Structured Data - %ALARM-<severity>-<alarm type>. In the example above, the alarm type would be ETHACCESS or an Ethernet Access Violation Alarm.
• SET/CLEAR – Indicates whether the alarm was SET or Cleared.
• AID – Access Identifier Where on the system the alarm occurred. In this case at port: ETH-1-1-31-1

Summary of Syslog Events 

The following section will define a catalog of reported syslog events.

Configuration of OLT Syslog 

The following section will define how to configure the OLT to emit Syslog messages to a syslog collector. Syslog by default is off and a collector address must be configured to activate syslog.

• Syslog Admin State - The admin state of the syslog on the OLT configures whether logging is on or off for ALL destinations.
• IP/Hostname - IP or hostname of a syslog collector which you wish to send messages to.
• Destination Configuration – For each destination, when you highlight it in the syslog IP/Hostname, you can configure the settings for that destination.
• Transport Layer Mapping - How will the syslog messages be sent to the syslog collector.
  • Protocol – Can be one of the following:
    • UDP – Messages are sent using UDP messages are best effort. The default port is 514.
    • TCP – Messages are sent using TCP; messages are guaranteed if connectivity exists. The default port is 6514.
    • TLS – Messages are encrypted to prevent snooping of syslog information. The default port is 6514.
• Facility Mapping – By default, Tellabs maps all messages to local7(23). If needed, specific types can be mapped to standard facilities. This allows segregation of messages by facility in the syslog collector.
• Filters – Specific types of messages can be sent to a specific destination. For example, you may have one syslog server only concerned with security events. Syslog events can be filtered such that only security events go to that server. Messages can be filtered by level and class.

Configuration of Panorama PON EMS Syslog 

The EMS can also be configured to emit syslog events for all major events within the EMS. The EMS syslog is configured in a very similar method to the OLT syslog.

The EMS configuration is accessed via the Edit Menu: Edit -> Syslog Server Configuration.

• IP/Hostname – Add new hostnames or IPs for each syslog destination you want to send to. For existing destinations, when you highlight it in the syslog IP/Hostname, you can configure the settings for that destination.
• Transport Layer Mapping – How will the syslog messages be sent to the syslog collector?
  • Protocol – can be one of the following:
    • UDP – Messages are sent using UDP messages are best effort. Default port is 514.
    • TCP – Messages are sent using TCP, messages are guaranteed if connectivity exists. Default port is 6514.
• Facility Mapping – Currently is static for the EMS with a class of Others, and a Local Facility.

Video