5.7. Log Command Reference

This command creates a text description stored in the configuration file for a configuration context. The description command associates a text string with a configuration context to help identify the content in the configuration file.

The no form of the command removes the string from the configuration.

This command administratively disables an entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables an entity.

This command specifies that a particular event or all events associated with an application is either generated or suppressed.

Events are generated by an application and contain an event number and description describing the cause of the event. Each event has a default designation which directs it to be generated or suppressed.

Events are generated with a default severity level that can be modified by using the severity-level option.

Events that are suppressed by default are typically used for debugging purposes. Events are suppressed at the time the application requests the event’s generation. No event log entry is generated regardless of the destination. While this feature can save processor resources, there may be a negative effect on the ability to troubleshoot problems if the logging entries are squelched. In reverse, indiscriminate application may cause excessive overhead.

The rate of event generation can be throttled by using the throttle parameter.

The no form of the command reverts the parameters to the default setting for events for the application or a specific event within the application. The severity, generate, suppress, and throttle options will also be reset to the initial values.

This command specifies the primary and secondary routing preference for traffic generated for SNMP notifications and syslog messages. If the remote destination is not reachable through the routing context specified by primary route preference then the secondary routing preference will be attempted.

The no form of the command reverts to the default values.

This command enables the context to configure a file ID template to be used as a destination for an event log or billing file.

This command defines the file location and characteristics that are to be used as the destination for a log event message stream or accounting/billing information. The file defined in this context is subsequently specified in the to command under log-id or accounting-policy to direct specific logging or billing source streams to the file destination.

A file ID can only be assigned to either one log-id or one accounting-policy. It cannot be reused for multiple instances. A file ID and associated file definition must exist for each log and billing file that must be stored in the file system.

A file is created when the file ID defined in this command is selected as the destination type for a specific log or accounting record. Log files are collected in a “log” directory. Accounting files are collected in an “act” directory.

The file names for a log are created by the system as summarized in Table 48.

where:

yyyy is the year (for example, 2016)

mm is the month number (for example, 12 for December)

dd is the day of the month (for example, 03 for the 3rd of the month)

hh is the hour of the day in 24 hour format (for example, 04 for 4 a.m.)

mm is the minutes (for example, 30 for 30 minutes past the hour)

ss is the number of seconds (for example, 14 for 14 seconds)

When initialized, each file will contain following:

If the process of writing to a log file fails (for example, the compact flash card is full) and a backup location is not specified or fails, the log file will not become operational even if the compact flash card is replaced. Enter either a clear log command or a shutdown/no shutdown command to reinitialize the file.

If the primary location fails (for example, the compact flash card fills up during the write process), a trap is sent and logging continues to the specified backup location. This can result in truncated files in different locations.

The no form of this command removes the file-id from the configuration. A file-id can only be removed from the configuration if the file is not the designated output for a log destination. The actual file remains on the file system.

This command specifies the primary location where the log or billing file will be created.

When creating files, the primary location is used as long as there is available space. If no space is available, an attempt is made to delete unnecessary files that are past their retention date.

If sufficient space is not available, an attempt is made to remove the oldest to newest closed log or accounting files. After each file is deleted, the system attempts to create the new file.

A medium severity trap is issued to indicate that a compact flash is either not available or that no space is available on the specified flash and that the backup location is being used.

A high priority alarm condition is raised if none of the configured compact flash devices for this file ID are present or if there is insufficient space available. If space becomes available, the alarm condition will be cleared.

The no form of this command reverts to default settings.

This command configures how often an event or accounting log is rolled over or partitioned into a new file.

An event or accounting log is actually composed of multiple individual files. The system creates a new file for the log based on the rollover time, expressed in minutes.

The retention option, expressed in hours, allows you to modify the default time to keep the file in the system. The retention time is based on the rollover time of the file.

When multiple rollover commands for a file-id are entered, the last command overwrites the previous command.

This command configured an event filter. An event filter specifies whether to forward or drop an event or trap based on the match criteria.

Filters are configured in the filter filter-id context and applied to a log in the log-id log-id context. Only events for the configured log source streams destined to the log ID where the filter is applied are filtered.

Any changes made to an existing filter, using any of the sub-commands, are immediately applied to the destinations where the filter is applied.

The no form of the command removes the filter association from log IDs, which causes those logs to forward all events.

This command specifies the action that is applied to events when no action is specified in the event filter entries or when an event does not match the specified criteria. When multiple default-action commands are entered, the last command overwrites the previous command.

The no form of this command reverts the default action to the default value.

This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a no-op filter entry used to explicitly exit a set of filter entries without modifying previous actions.

Multiple action statements entered will overwrite previous actions.

The no form of this command removes the specified action statement.

This command creates or edits an event filter entry. Multiple entries may be created using unique entry-id numbers. The -TiMOS implementation exits the filter on the first match found and executes the action in accordance with the action command.

Comparisons are performed in an ascending entry ID order. When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit. Matching ceases when a packet matches an entry. The entry action is performed on the packet, either drop or forward. To be considered a match, the packet must meet all the conditions defined in the entry.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword will be considered incomplete and are rendered inactive.

The no form of this command removes the specified entry from the event filter. Entries removed from the event filter are immediately removed from all log-ids where the filter is applied.

This command creates or edits match criteria for a filter entry. When the match criteria is satisfied, the action associated with the entry is executed.

If more than one match parameter (within one match statement) is specified, all the criteria must be satisfied (and functional) before the action associated with the match is executed.

Use the application command to display a list of the valid applications.

Match context can consist of multiple match parameters (application, event-number, severity, subject), but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

This command adds a 7210 SAS application as an event filter match criterion.

A 7210 SAS application is the software entity that reports the event. Applications include IP, MPLS, OSPF, CLI, services, and so on. Only one application can be specified. The latest application command overwrites the previous command.

The no form of the command removes the application as a match criterion.

This command adds an application event number as a match criterion.

The event numbers uniquely identify a specific logging event within an application.

Only one number command can be entered per event filter entry. The latest number command overwrites the previous command.

The no form of the command removes the event number as a match criterion.

This command specifies the log event matches for the router.

This command adds an event severity level as a match criterion. Only one severity command can be entered per event filter entry. The latest severity command overwrites the previous command.

The no form of this command removes the severity match criterion.

This command adds an event subject as a match criterion.

The subject is the entity for which the event is reported, such as a port. In this case the port-id string would be the subject. Only one subject command can be entered per event filter entry. The latest subject command overwrites the previous command.

The no form of this command removes the subject match criterion.

This command enables the context to configure a syslog target host that is capable of receiving selected syslog messages from this network element.

A valid syslog-id must have the target syslog host address configured. A maximum of 10 syslog IDs can be configured.

No log events are sent to a syslog target address until the syslog-id has been configured as the log destination (to) in the log-id node.

The no form of this command removes the syslog configuration.

This command adds the syslog target host IP address to/from a syslog ID.

This parameter is mandatory. If no address is configured, syslog data cannot be forwarded to the syslog target host.

Only one address can be associated with a syslog-id. If multiple addresses are entered, the last address entered overwrites the previous address.

The same syslog target host can be used by multiple log IDs.

The no form of this command removes the syslog target host IP address.

This command configures the facility code for messages sent to the syslog target host.

Multiple syslog IDs can be created with the same target host, but each syslog ID can only have one facility code. If multiple facility codes are entered, the last facility code entered overwrites the previous facility code.

If multiple facilities need to be generated for a single syslog target host, multiple log-id entries must be created, each with its own filter criteria to select the events to be sent to the syslog target host with a specific facility code.

The no form of this command reverts to the default value.

This command adds the string prepended to every syslog message sent to the syslog host.

RFC 3164, The BSD syslog Protocol, allows an alphanumeric string (tag) to be prepended to the content of every log message sent to the syslog host. This alphanumeric string can, for example, be used to identify the node that generates the log entry. The software appends a colon (:) and a space to the string and it is inserted in the syslog message after the date stamp and before the syslog message content.

Only one string can be entered. If multiple strings are entered, the last string overwrites the previous string. The alphanumeric string can contain lowercase (a-z), uppercase (A-Z), and numeric (0-9) characters.

The no form of this command removes the log prefix string.

This command configures the syslog message severity level threshold. All messages with a severity level equal to or higher than the threshold are sent to the syslog target host. Severity levels are shown in Table 55.

Only a single threshold level can be specified. If multiple levels are entered, the last level entered will overwrite the previously entered commands.

The no form of this command reverts to the default value.

This command configures the UDP port that will be used to send syslog messages to the syslog target host.

The port configuration is needed if the syslog target host uses a port other than the standard UDP syslog port 514.

Only one port can be configured. If multiple port commands are entered, the last entered port overwrites the previously entered ports.

The no form of this command removes the value from the configuration.

This command configures an event throttling rate.

This command enables the context to configure a group of SNMP trap receivers and their operational parameters for a specific log-id.

A group specifies the types of SNMP traps and the log ID that will receive the group of SNMP traps. A trap group must be configured for SNMP traps to be sent.

To suppress the generation of all alarms and traps, see the event-control command. To suppress alarms and traps that are sent to this log-id, see the filter command. When alarms and traps are generated, they can be directed to one or more SNMP trap groups. Logger events that can be forwarded as SNMP traps are always defined on the main event source.

The no form of this command deletes the SNMP trap group.

This command enables the context to notify the SNMP trap server about node power failure. On power failure, the system sends dying gasp traps to the configured SNMP trap servers. Up to three SNMP trap servers can be configured to receive the trap. The traps are sent in the following order:

When this command is enabled, the node does not generate EFM OAM dying gasp message even if EFM OAM is enabled. That is, generation of an SNMP dying gasp trap is mutually exclusive to the use of an EFM OAM dying gasp message.

By default, the system generates an EFM OAM dying gasp message to remain compatible with earlier versions of the software releases. The user must explicitly configure the system to send out an SNMP trap on loss of power to the node using this command.

Typically, SNMP traps are generated only if the user configures a log to direct the system log events to SNMP. For an SNMP dying gasp trap, it is not required to do so. The DSCP value used by a SNMP dying gasp packet is AF (Assured Forwarding class, value 22).

Note: The system IP address must be configured. The node uses this address to generate dying gasp traps. If It is not configured, SNMP dying gasp traps are not generated. When sending out SNMP dying gasp traps, one of the available routes in either the management routing instance or the base routing instance is used to resolve the next-hop gateway IP address to reach the trap-server destinations configured under primary, secondary, and tertiary trap targets. The route to the destination is always searched first in the management routing instance and if not found, the routes in the base routing instance is looked up. Configuration of route preference does not change this behavior (that is, the order of route lookup does not change).

The no form of this command disables generation of SNMP trap messages. It enables generation of EFM OAM dying gasp on access-uplink ports, if EFM OAM is enabled on those ports. The generation of SNMP dying gasp traps is disabled by default.

This command adds or modifies a trap receiver and configures the operational parameters for the trap receiver. A trap reports significant events that occur on a network device such as errors or failures.

Before an SNMP trap can be issued to a trap receiver, the log-id, snmp-trap-group, and at least one trap-target must be configured.

The trap-target command is used to add or remove a trap receiver from an snmp-trap-group. The operational parameters specified in the command include the following:

A single snmp-trap-group log-id can have multiple trap receivers. Each trap receiver can have different operational parameters.

An address can be configured as a trap receiver more than once as long as a different port is used for each instance.

To prevent resource limitations, only configure a maximum of 10 trap receivers.

Note: If the same trap-target name port port parameter value is specified in more than one SNMP trap group, each trap destination should be configured with a different notify-community value. This allows a trap receiving an application, such as NMS, to reconcile a separate event sequence number stream for each 7210 SAS event log when multiple event logs are directed to the same IP address and port destination.

The no form of this command removes the SNMP trap receiver from the SNMP trap group.

This command adds an event filter policy with the log destination.

The filter command is optional. If no event filter is configured, all events, alarms, and traps generated by the source stream will be forwarded to the destination.

An event filter policy defines (limits) the events that are forwarded to the destination configured in the log-id. The event filter policy can also be used to select the alarms and traps to be forwarded to a destination snmp-trap-group.

The application of filters for debug messages is limited to application and subject only.

Accounting records cannot be filtered using the filter command.

Only one filter-id can be configured per log destination.

The no form of the command removes the specified event filter from the log-id.

This command specifies the source stream to be sent to a log destination.

One or more source streams must be specified. The source of the data stream must be identified using the from command before you can configure the destination using the to command. The from command can identify multiple source streams in a single statement (for example, from main change debug-trace).

Only one from command may be entered for a single log-id. If multiple from commands are configured, the last command entered overwrites the previous from command.

The no form of this command removes all previously configured source streams.

This command enables the context to configure destinations for event streams.

The log-id context is used to direct events, alarms and traps, and debug information to respective destinations.

A maximum of 10 logs can be configured.

Before an event can be associated with this log-id, the from command identifying the source of the event must be configured.

Only one destination can be specified for a log-id. The destination of an event stream can be an in-memory buffer, console, session, snmp-trap-group, syslog, or file.

Use the event-control command to suppress the generation of events, alarms, and traps for all log destinations.

An event filter policy can be applied in the log-id context to limit which events, alarms, and traps are sent to the specified log-id.

Log IDs 99 and 100 are created by the agent. Log ID 99 captures all log messages. Log ID 100 captures log messages with a severity level of major and above.

Note: Log ID 99 provides valuable information for the admin-tech file. Removing or changing the log configuration may hinder debugging capabilities. It is strongly recommended not to alter the configuration for log ID 99.

The no form of this command deletes the log destination ID from the configuration.

This command specifies a log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to the console. If the console is not connected, all entries are dropped.

The source of the data stream must be specified in the from command prior to configuring the destination with the to command.

The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created.

This command specifies a log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to a specified file.

The source of the data stream must be specified in the from command prior to configuring the destination with the to command.

The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created.

This command specifies a log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to a memory log. A memory file is a circular buffer. When the file is full, each new entry replaces the oldest entry in the log.

The source of the data stream must be specified in the from command prior to configuring the destination with the to command.

The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created.

This command specifies a log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to the current console or telnet session. This command is only valid for the duration of the session. When the session is terminated the log ID is removed. A log ID with a session destination is not saved in the configuration file.

The source of the data stream must be specified in the from command prior to configuring the destination with the to command.

The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created.

This command specifies the log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the alarms and traps to be directed to the snmp-trap-group associated with log-id.

A local circular memory log is always maintained for SNMP notifications sent to the specified snmp-trap-group for the log-id.

The source of the data stream must be specified in the from command prior to configuring the destination with the to command.

The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created.

This command also specifies the log ID destination. This parameter is mandatory when configuring a log destination.

This command instructs the alarms and traps to be directed to a specified syslog. To remain consistent with the standards governing syslog, messages to syslog are truncated to 1k bytes.

The source of the data stream must be specified in the from command prior to configuring the destination with the to command.

The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created.

This command specifies whether the time should be displayed in the local or Coordinated Universal Time (UTC) format.

This command enables an access or network accounting policy. An accounting policy defines the accounting records that are created.

Access accounting policies are policies that can be applied to one or more SAPs or access ports.

Changes made to an existing policy, using any of the sub-commands, are applied immediately to all SAPs or access ports where this policy is applied.

If an accounting policy is not specified on a SAP or an access port, accounting records are produced in accordance with the access policy designated as the default. If a default access policy is not specified, no accounting records are collected other than the records for the accounting policies that are explicitly configured.

Network accounting policies can be applied to one or more network ports. Any changes made to an existing policy, using any of the subcommands, will be applied immediately to all network ports where this policy is applied.

If no accounting policy is defined on a network port, accounting records will be produced in accordance with the default network policy as designated with the default command. If no network default policy is created, no accounting records will be collected other than the records for the accounting policies explicitly configured.

A total of 16 accounting records are available on the 7210 SAS-D. A total of 17 accounting records are available on the 7210 SAS-Dxp.

There are three types of accounting policies:

When creating accounting policies, one access, access port, and network accounting policy can be defined as default. If statistics collection is enabled on an accounting object, and no accounting policy is applied, the respective default accounting policy is used. If no default policy is defined, no statistics are collected unless a specifically defined accounting policy is applied.

The no form of this command deletes the policy from the configuration. The accounting policy cannot be removed unless it is removed from all the SAPs, network ports, or channels where the policy is applied.

This command configures the accounting collection interval.

This command configures the default accounting policy to be used with all SAPs that do not have an accounting policy.

If no accounting policy is defined on an access or network object, accounting records are produced in accordance with the default access policy. If no default access policy is created, then no accounting records will be collected other than the records for the accounting policies that are explicitly configured.

When creating accounting policies, one access, one access port, and one network accounting policy can be defined as default.

The record name must be specified prior to assigning an accounting policy as default.

If a policy is configured as the default policy, a no default command must be issued before a new default policy can be configured.

The no form of this command removes the default policy designation from the policy ID. The accounting policy will be removed from all access or network object ports that do not have this policy explicitly defined.

This command adds the accounting record type to the accounting policy to be forwarded to the configured accounting file. A record name can only be used in one accounting policy. To obtain a list of all record types that can be configured, use the show log accounting-records command.

The following is an output sample for the 7210 SAS-D and 7210 SAS-Dxp.

The following is an output sample for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, or 7210 SAS-K 3SFP+ 8C.

To configure an accounting policy for access SAPs, select a service record (for example, service-ingress-octets). To change the record name to another service record, enter the record command with the new record name and it will replace the old record name.

To configure an accounting policy for access ports, select access port type records such as access-egress packets. When changing the record name to another access port record, the record command with the new record name can be entered, and it will replace the old record name.

When configuring an accounting policy for network ports, a network record should be selected. When changing the record name to another network record, the record command with the new record name can be entered and it will replace the old record name.

If the change required modifies the record from one type to another, the old record name must be removed using the no form of this command.

Only one record may be configured in a single accounting policy. For example, if an accounting-policy is configured with an access-egress-packets record, to change it to service-ingress-octets, use the no record command under the accounting-policy to remove the old record and enter the service-ingress-octets record.

Note: Collecting excessive statistics can adversely affect the CPU utilization and take up large amounts of storage space

The no form of this command removes the record type from the policy.

This command specifies the destination for the accounting records selected for the accounting policy.

This command enables the system to allocate some RAM (that is, volatile memory) as a temporary storage to write accounting records every collection-interval. The accounting records are moved from the temporary storage to the accounting file on non-volatile memory (that is, flash), when either the rollover-interval expires or the temporary storage location gets full.

Note: The accounting records held in the temporary storage is lost on a reboot (either due to loss of power or due to user action).