Syslog

Per default VyOSs has minimal syslog logging enabled which is stored and rotated locally. Errors will be always logged to a local file, which includes local7 error messages, emergency messages will be sent to the console, too.

To configure syslog, you need to switch into configuration mode.

Logging

Syslog supports logging to multiple targets, those targets could be a plain file on your VyOS installation itself, a serial console or a remote syslog server which is reached via IP UDP/TCP.

Global

system syslog global marker interval <number>

Interval (in seconds) for sending mark messages to the syslog input to indicate that the logging system is functioning.

system syslog global preserve-fqdn

If set, the domain part of the hostname is always sent, even within the same domain as the receiving system.

system rsyslog global facility <keyword> level <keyword>

Filter syslog messages based on facility and level.

Console

set system syslog console facility <keyword> level <keyword>

Log syslog messages to /dev/console, for an explanation on Facilities keywords and Severity Level keywords see tables below.

Custom File

set system syslog file <filename> facility <keyword> level <keyword>

Log syslog messages to file specified via <filename>, for an explanation on Facilities keywords and Severity Level keywords see tables below.

set system syslog file <filename> archive size <size>

Syslog will write <size> kilobytes into the file specified by <filename>. After this limit has been reached, the custom file is “rotated” by logrotate and a new custom file is created.

set system syslog file <filename> archive file <number>

Syslog uses logrotate to rotate logfiles after a number of gives bytes. We keep as many as <number> rotated file before they are deleted on the system.

Remote Host

Logging to a remote host leaves the local logging configuration intact, it can be configured in parallel to a custom file or console logging. You can log to multiple hosts at the same time, using either TCP or UDP. The default is sending the messages via port 514/UDP.

set system syslog host <address> facility <keyword> level <keyword>

Log syslog messages to remote host specified by <address>. The address can be specified by either FQDN or IP address. For an explanation on Facilities keywords and Severity Level keywords see tables below.

set system syslog host <address> facility <keyword> protocol <udp|tcp>

Configure protocol used for communication to remote syslog host. This can be either UDP or TCP.

set system syslog vrf <name>

Specify name of the VRF instance.

Local User Account

set system syslog user <username> facility <keyword> level <keyword>

If logging to a local user account is configured, all defined log messages are display on the console if the local user is logged in, if the user is not logged in, no messages are being displayed. For an explanation on Facilities keywords and Severity Level keywords see tables below.

Facilities

List of facilities used by syslog. Most facilities names are self explanatory. Facilities local0 - local7 common usage is f.e. as network logs facilities for nodes and network equipment. Generally it depends on the situation how to classify logs and put them to facilities. See facilities more as a tool rather than a directive to follow.

Facilities can be adjusted to meet the needs of the user:

Facility Code

Keyword

Description

all

All facilities

0

kern

Kernel messages

1

user

User-level messages

2

mail

Mail system

3

daemon

System daemons

4

auth

Security/authentication messages

5

syslog

Messages generated internally by syslogd

6

lpr

Line printer subsystem

7

news

Network news subsystem

8

uucp

UUCP subsystem

9

cron

Clock daemon

10

security

Security/authentication messages

11

ftp

FTP daemon

12

ntp

NTP subsystem

13

logaudit

Log audit

14

logalert

Log alert

15

clock

clock daemon (note 2)

16

local0

local use 0 (local0)

17

local1

local use 1 (local1)

18

local2

local use 2 (local2)

19

local3

local use 3 (local3)

20

local4

local use 4 (local4)

21

local5

local use 5 (local5)

22

local6

use 6 (local6)

23

local7

local use 7 (local7)

Severity Level

Value

Severity

Keyword

Description

all

Log everything

0

Emergency

emerg

System is unusable - a panic condition

1

Alert

alert

Action must be taken immediately - A condition that should be corrected immediately, such as a corrupted system database.

2

Critical

crit

Critical conditions - e.g. hard drive errors.

3

Error

err

Error conditions

4

Warning

warning

Warning conditions

5

Notice

notice

Normal but significant conditions - conditions that are not error conditions, but that may require special handling.

6

Informational

info

Informational messages

7

Debug

debug

Debug-level messages - Messages that contain information normally of use only when debugging a program.

Display Logs

show log [all | authorization | cluster | conntrack-sync | …]

Display log files of given category on the console. Use tab completion to get a list of available categories. Those categories could be: all, authorization, cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image lldp, nat, openvpn, snmp, tail, vpn, vrrp

If no option is specified, this defaults to all.

show log image <name> [all | authorization | directory | file <file name> | tail <lines>]

Log messages from a specified image can be displayed on the console. Details of allowed parameters:

all

Display contents of all master log files of the specified image

authorization

Display all authorization attempts of the specified image

directory

Display list of all user-defined log files of the specified image

file <file name>

Display contents of a specified user-defined log file of the specified image

tail

Display last lines of the system log of the specified image

<lines>

Number of lines to be displayed, default 10

When no options/parameters are used, the contents of the main syslog file are displayed.

Hint

Use show log | strip-private if you want to hide private data when sharing your logs.

Delete Logs

delete log file <text>

Deletes the specified user-defined file <text> in the /var/log/user directory

Note that deleting the log file does not stop the system from logging events. If you use this command while the system is logging events, old log events will be deleted, but events after the delete operation will be recorded in the new file. To delete the file altogether, first delete logging to the file using system syslog Custom File command, and then delete the file.