Syslog DDA - Metasys - LIT-12013352 - M4-SNE10500-0 - M4-SNE10501-0 - M4-SNE11000-0 - M4-SNE11001-0 - M4-SNE110L0-0 - M4-SNE110L1-0 - M4-SNE22000-0 - M4-SNE22001-0 - Supervisory Device - SNE10 Network Engine - SNE11 Network Engine - SNE22 Network Engine - SNE Supervisory Network Engine - 12.0

SNE Commissioning Guide

Product: Network Engines > Network Control Engines > SNE22 Network Engine; Network Engines > Network Control Engines > SNE11 Network Engine
Document type: Commissioning Guide
Document number: LIT-12013352
Version: 12.0
Revision date: 2022-12-12
Product status: Active

An SNE configured as a Site Director can optionally send its configured audit log entries and alarm notifications to the central repository of an external, industry-standard Syslog server that conforms to RFC 3164. After you save the Syslog DDA configuration, all messages are sent immediately to the configured Syslog server. You can then open a user interface at the Syslog server and use the filters it provides to interrogate these messages or perform forensic analysis on them. To make the log easier to read, a vertical bar (|) separates the individual fields of each Metasys message and a single dash (-) replaces any blank field.

By default, the Syslog option is disabled. Changing the Syslog Reporting Enabled attribute to True on the Syslog window enables the Syslog function. The prerequisites to the Syslog DDA are as follows:

  • The Syslog server must be installed and running on a computer server or virtual machine that is reachable by the SNE.
  • No more than three Syslog destinations can be specified.
  • The firewall port must be open.

The definition of the Syslog DDA requires:

  • A label to identify the Syslog server
  • The IP address of the Syslog server
  • Port numbers for the UDP send port and UDP receive port (for example, 514 for both)
  • Event and audit filters to apply against all events and audit messages. Only those events and audit messages that match the filters are passed to the Syslog server.

The Syslog DDA attribute called Syslog Reporting Enabled appears on the Shared Configuration section of the Syslog tab of an SNE device object (Figure 1). This attribute has two selections: True or False.

When the Syslog Reporting Enabled attribute is set to True, the feature is active and your Metasys messages (events and audits) are forwarded to your destination Syslog server according to the filtering you specified. When the Syslog Reporting Enabled attribute is set to False, the feature is inactive and no Metasys messages are forwarded to the Syslog server. The configuration example in Figure 1 is set to route to the Syslog server all High Warning alarms that require acknowledgment.

The Syslog DDA implementation uses UDP, not TCP. Because UDP provides no delivery confirmation, the Metasys system cannot determine whether the Syslog server is reachable and continues to send messages regardless; any audits or events generated while the Syslog server is offline are therefore never recorded at the Syslog server. When the Syslog server comes back online, the only trace of the outage is a gap in time between consecutive events.

Figure 1. Syslog Tab in Engine's Device Object

Figure 2 shows an example of Metasys system messages as they appear on the Kiwi Syslog® Server Console user interface. Use the console to filter the messages. If you do not have a tool, open a web browser and type the following URL:

http://<IP of the server>:<Port>/Events.aspx

For example:

http://SysLogserver1:8088/Events.aspx

When you browse to this site, type a valid username and password when prompted to gain access to the Syslog server. A user interface appears with the captured messages.

Figure 2. Syslog User Interface

If you run into any trouble while implementing the Syslog DDA functionality, consult the following table.

Table 1. Syslog Server Troubleshooting

Scenario: The engine is starting up but the Syslog DDA has not yet started.
Behavior: All generated audits and events are cached and sent to the Syslog DDA once it is started. The maximum size of the cache is 1,000 audits and 1,000 events per hour.

Scenario: The Syslog server crashes.
Behavior: All generated audits and events that the engine sends to the Syslog server are lost; nothing is cached.

Scenario: The Syslog server goes offline or is unreachable.
Behavior: All generated audits and events that the engine sends to the Syslog server are lost; nothing is cached. No data is sent to the Syslog server until it comes back online or becomes reachable.

Scenario: The IP address, name, or port numbers of the Syslog server as defined in the engine's object are invalid.
Behavior: All generated audits and events that the engine sends to the Syslog server are lost; nothing is cached. No data is sent to the Syslog server until you correct the invalid parameters in the Syslog DDA.

Scenario: The Syslog Reporting Enabled parameter is set to True, but no Syslog parameters are defined.
Behavior: All generated audits and events that the engine sends to the Syslog server are lost; nothing is cached. No data is sent to the Syslog server until you specify the parameters that the Syslog DDA requires.

Scenario: The UDP Send Port or UDP Receive Port is blocked by a firewall.
Behavior: All generated audits and events that the engine sends to the Syslog server are lost; nothing is cached. No data is sent to the Syslog server until the ports on the Syslog server are opened.

Scenario: A parameter of the Syslog server changes, but the corresponding parameter in the Syslog DDA of the engine is not likewise changed.
Behavior: All generated audits and events that the engine sends to the Syslog server are lost; nothing is cached. No data is received at the Syslog server until you correct the invalid parameters in the Syslog DDA.
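The following Python script is an added example, not code from this guide or from Johnson Controls, that ties together two points above: the RFC 3164 message layout with Metasys `|`-separated fields and `-` placeholders, and the fact that UDP delivery leaves no record of messages lost while the server was down. It parses the RFC 3164 header, splits the Metasys fields (mapping `-` to None), optionally binds the configured UDP receive port to confirm that datagrams actually arrive, and flags time gaps between consecutive messages that exceed a threshold, which on the collector side is the only evidence of an outage. The sample datagrams, hostname `SNE-SiteDir`, field contents, the `analyze` and `receive_once` helper names, and the 600-second gap threshold are all constructed for illustration; the guide does not document the Metasys field layout.

```python
import re
import socket
from datetime import datetime
from typing import Optional

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (PRI = facility * 8 + severity)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_rfc3164(line: str, year: int = 2022) -> dict:
    """Split one RFC 3164 line into facility, severity, timestamp, host and message.
    RFC 3164 timestamps carry no year, so the caller supplies one."""
    m = _RFC3164.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts,
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def split_metasys_fields(msg: str) -> list:
    """Metasys separates fields with '|' and writes '-' for a blank field (per the guide);
    map '-' to None so downstream code does not mistake the placeholder for data."""
    return [None if f.strip() == "-" else f.strip() for f in msg.split("|")]


def find_gaps(timestamps: list, max_gap_seconds: float) -> list:
    """Return (previous, next) timestamp pairs spaced further apart than max_gap_seconds.
    Nothing is cached while the Syslog server is down, so a silent gap is the only
    collector-side trace of lost audits and events."""
    gaps = []
    for prev, nxt in zip(timestamps, timestamps[1:]):
        if (nxt - prev).total_seconds() > max_gap_seconds:
            gaps.append((prev, nxt))
    return gaps


def receive_once(bind_addr: str = "0.0.0.0", port: int = 514, timeout: float = 5.0) -> Optional[dict]:
    """Bind the configured UDP receive port and return the first parsed datagram, or
    None on timeout. A successful bind plus a received datagram confirms that the port
    is free on this host and that the engine's traffic is not blocked on the way in.
    (Hypothetical helper; binding 514 needs elevated privileges on most systems.)"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        try:
            data, (src_ip, _) = sock.recvfrom(4096)
        except socket.timeout:
            return None
    parsed = parse_rfc3164(data.decode("utf-8", errors="replace"))
    parsed["source_ip"] = src_ip
    parsed["fields"] = split_metasys_fields(parsed["msg"])
    return parsed


# Constructed sample datagrams with a hypothetical field layout (the guide does not
# document the Metasys fields). The 26-minute silence between the 2nd and 3rd lines
# stands in for a period when the Syslog server was unreachable.
SAMPLE_LINES = [
    "<134>Dec 12 10:15:22 SNE-SiteDir Alarm|AV-1 Zone Temp|High Warning|Acknowledge Required|-",
    "<134>Dec 12 10:15:40 SNE-SiteDir Audit|MetasysSysAgent|Login|-|Success",
    "<134>Dec 12 10:42:05 SNE-SiteDir Alarm|AV-2 Zone Temp|High Warning|Acknowledge Required|-",
]


def analyze(lines: list, max_gap_seconds: float = 600, year: int = 2022) -> tuple:
    """Parse a batch of lines and report records plus any suspicious silences."""
    records = [parse_rfc3164(line, year) for line in lines]
    for r in records:
        r["fields"] = split_metasys_fields(r["msg"])
    gaps = find_gaps([r["timestamp"] for r in records], max_gap_seconds)
    return records, gaps


if __name__ == "__main__":
    records, gaps = analyze(SAMPLE_LINES)
    for r in records:
        print(r["timestamp"], r["host"], f"fac={r['facility']} sev={r['severity']}", r["fields"])
    for prev, nxt in gaps:
        print(f"gap: {prev} -> {nxt} ({(nxt - prev).total_seconds():.0f}s without messages)")
```

The gap threshold should be set from the engine's normal message rate rather than a fixed value; a quiet site legitimately goes minutes without an audit, whereas a Site Director that normally reports every few seconds and then falls silent is worth correlating with the troubleshooting scenarios above (server offline, port blocked, or a changed server parameter not mirrored in the DDA).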