close

keyboard_arrow_left

Table of Contents Expand all

Introduction
Get Started
play_arrow Apstra GUI
- Log in to Apstra GUI
- Reset Apstra GUI Admin Password
play_arrow Blueprints and Dashboard
- Create Datacenter Blueprint
- Blueprint Summaries and Dashboard
- Delete Datacenter Blueprint
play_arrow Analytics (Blueprints)
- Analytics Introduction
- play_arrow Dashboards
- play_arrow Anomalies
  - Anomalies (Analytics)
- play_arrow Widgets
- play_arrow Probes
- play_arrow Predefined Reports (Tech Preview)
- play_arrow Root Causes
  - Root Causes
play_arrow Staged (Datacenter Blueprints)
- Blueprint-Wide Search
- play_arrow Physical
- play_arrow Virtual
  - play_arrow Virtual Networks
  - play_arrow Routing Zones
  - Static Routes (Virtual)
  - Protocol Sessions (Virtual)
  - play_arrow Virtual Infrastructure
  - play_arrow Statistics
- play_arrow Policies
  - play_arrow Endpoints
  - Security Policies
  - Interface Policies
  - Routing Policies
  - Routing Zone (VRF) Constraints
  - play_arrow Routing Zone Policy (4.2.0)
    - Optimize Routing Zone Resource Usage (4.2.0)
- play_arrow Data Center Interconnect (DCI)
- play_arrow Catalog
  - play_arrow Logical Devices
    - Export Logical Device
  - play_arrow Interface Maps
    - Import Interface Map
    - Delete Interface Map (Blueprint)
  - play_arrow Property Sets
  - play_arrow Configlets
  - play_arrow AAA Servers
    - AAA Servers (Datacenter Blueprint)
  - play_arrow Tags
- play_arrow Tasks
  - Tasks (Datacenter) Staged
- play_arrow Connectivity Templates
- play_arrow Fabric Settings (4.2.1)
  - play_arrow Fabric Policy (4.2.1)
    - Update Fabric MTU (4.2.1)
    - Optimize Routing Zone Resource Usage (4.2.1)
  - play_arrow Severity Preferences (4.2.1)
    - Update Severity Preferences
- play_arrow Fabric Settings (4.2.0)
  - play_arrow Fabric Policy (4.2.0)
    - Enable IPv6 Applications
    - Update Fabric MTU (4.2.0)
  - play_arrow Virtual Network Policy (4.2.0)
    - Virtual Network Policy Introduction
    - Update Virtual Network Policy
  - play_arrow Anti-Affinity Policy (4.2.0)
    - Anti-Affinity Policy
  - play_arrow Validation Policy (4.2.0)
    - Update Validation Policy (Severity Preference)
- BGP Route Tagging
play_arrow Staged (Freeform Blueprints)
- Freeform Introduction
- play_arrow Blueprints
- play_arrow Physical
- play_arrow Resource Management
  - Resource Management Introduction (Freeform)
  - play_arrow Blueprint Resources
  - play_arrow Allocation Groups
    - Create Allocation Group (Freeform)
  - play_arrow Local Pools
    - Create Local Pool (Freeform)
    - Create Local Pool Generator (Freeform)
- play_arrow Catalog
  - play_arrow Config Templates
  - play_arrow Device Profiles
    - Import Device Profile (Freeform)
    - Delete Device Profile (Freeform Blueprint)
  - play_arrow Property Sets
  - play_arrow Tags
- play_arrow Tasks
  - Tasks - Staged (Freeform)
play_arrow Uncommitted (Blueprints)
- Uncommitted Introduction
- Commit / Revert Changes to Blueprint
play_arrow Active (Datacenter Blueprints)
- Active (Datacenter Blueprint)
- play_arrow Topology (Active)
- Nodes (Active)
- Links (Active)
- Racks (Active)
- Pods (Active)
- Query
- Anomalies (Service)
play_arrow Time Voyager (Blueprints)
- Time Voyager Introduction
- Roll Back Blueprint Revision
- Keep Blueprint Revision
- Change Number of Saved Blueprint Revisions
- Update Blueprint Revision Description
- Delete Blueprint Revision
play_arrow Devices
- Device Configuration Lifecycle
- play_arrow Managed Devices
- play_arrow System Agents
- play_arrow Pristine Config
  - Edit Pristine Config
  - Update Pristine Config from Device
- play_arrow Telemetry
  - Device Telemetry Services
  - All Telemetry Services
  - play_arrow Telemetry Service Registry
    - Service Registry
  - Telemetry Streaming
  - Route Anomalies for a Host - Example
  - Juniper Telemetry Commands
  - Cisco Telemetry Commands
  - Arista Telemetry Commands
  - Linux Server Telemetry Command
  - Debugging Telemetry
  - Extensible Telemetry Guide
- play_arrow Apstra ZTP
- play_arrow Device Profiles
play_arrow Design
- play_arrow Logical Devices
- play_arrow Interface Maps
- play_arrow Rack Types
- play_arrow Templates
- play_arrow Config Templates
  - Config Templates (Freeform Design)
- play_arrow Configlets (Datacenter)
- play_arrow Property Sets (Datacenter)
- play_arrow TCP/UDP Ports
- play_arrow Tags
play_arrow Resources
- Resources Introduction
- ASNs
- VNIs
- Integers
- IPv4 Addresses
- IPv6 Addresses
play_arrow Analytics
- play_arrow Apstra Flow
  - Apstra Flow Introduction
  - System Requirements
  - play_arrow Dashboards
    - Apstra Flow Dashboards
  - play_arrow Supported Flow Records
  - play_arrow Flow Enrichment
  - play_arrow Monitor Flow Data
    - Metrics
  - play_arrow Configuration Reference
  - play_arrow API
    - API Endpoints Options
  - play_arrow Additional Documentation
  - play_arrow Knowledge Base
play_arrow External Systems (RBAC Providers)
- play_arrow Providers
- play_arrow Provider Role Mapping
play_arrow Platform
- play_arrow User / Role Management
  - User / Role Management Introduction
  - play_arrow Users
  - play_arrow Roles
- play_arrow Security
- Syslog Configuration (Platform)
- Receivers (Platform)
- Global Statistics (Platform)
- Event Log (Audit Log)
- play_arrow Apstra VM Clusters
- play_arrow Developers
- play_arrow Technical Support
- Check Apstra Versions and Patent Numbers
Favorites & User
play_arrow Apstra Server Management
- Apstra Server Introduction
- Monitor Apstra Server via CLI
- Restart Apstra Server
- Reset Apstra Server VM Password
- Reinstall Apstra Server
- Apstra Database Overview
- Back up Apstra Database
- Restore Apstra Database
- Reset Apstra Database
- Migrate Apstra Database
- Replace SSL Certificate on Apstra Server with Signed One
- Replace SSL Certificate on Apstra Server with Self-Signed One
- Change Apstra Server Hostname
Apstra CLI Utility
play_arrow Guides
- 5-Stage Clos Architecture
- Juniper EVPN Support
- Intent-Based Analytics with apstra-cli Utility
- AOSOM-Streaming Guide
play_arrow References
- play_arrow Feature Matrix
  - Apstra 4.2.1 Feature Matrix
  - Apstra 4.2.0 Feature Matrix
- play_arrow Devices
- play_arrow Analytics
- Configlet Examples (Design)
- play_arrow Apstra CLI Commands
  - Apstra CLI Commands
- Apstra EVPN Support Addendum
- Apstra Server Configuration File
- Graph
- Juniper Apstra Technology Preview

list Table of Contents

English

Syslog Configuration (Platform)

Release: Juniper Apstra 4.2

date_range 07-Feb-24

arrow_backward

arrow_forward

Syslog Overview

System Log (syslog) is a running list of everything that's going on in your system. You can use these logs to audit events or review anomalies. You can configure syslog to send messages for specific types of systems (facilities) to external syslog servers. (You can also export event logs to a CSV file.)

Syslog configuration includes the following details:

Name	Description
IP Address	The remote syslog server IP address or hostname
Port	The remote syslog server port
Protocol	UDP or TCP
Facility	The type of system that's logging the messages Facilities are mapped to Apstra syslogs as follows: 0 - kern - kernal messages 1 - user - user-level messages 2 - mail - mail system 3 - daemon - system daemons 4 - auth - security/authentication messages 5 - syslog - messages generated internally by syslogd 6 - lpr - line printer subsystem 7 - news - network news subsystem 8 - uucp - UUCP subsystem 10 - authpriv - security/authentication messages 11 - ftp - FTP daemon 15 - cron - Cron subsystem 16 - local0 - locally used facilities 17 - local1 - locally used facilities 18 - local2 - locally used facilities 19 - local3 - locally used facilities 20 - local4 - locally used facilities 21 - local5 - locally used facilities 22 - local6 - locally used facilities 23 - local7 - locally used facilities
Time Zone	The syslog message time zone. If you have proper time zone translation, you won't need to synch the system time zone (or Docker time zone) with your external syslog server. Rather than assuming the message time is in Zulu/UTC-0, the time zone translation needs to append the correct time zone information to the timestamp. Then, you can better correlate Apstra events in your external message systems.

Syslog messages follow Common Event Format (CEF) conventions as shown below:

Note:

{host} is the the Apstra server hostname. If you want to change the hostname, you must use the procedure on the Change Apstra Server Hostname page. If you change the hostname with any other method, the new hostname won't be included in syslog entries.

content_copy zoom_out_map
AOS Log Format:

'{timestamp} {host}'
'CEF:{version}|{device_vendor}|{device_product}|{device_version}|'
'{device_event_class_id}|{name}|{severity}|{extension}

Where:

  {version}        : CEF version, currently always "0"
  {device_vendor}  : always "Apstra"
  {device_product} : always "AOS"
  {device_version} : current AOS version
  {device_event_class_id} : "100" for audit logs, "101" for anomaly logs
  {name}           : "Audit event" for audit logs, "Alert" for anomaly logs
  {severity}       : "5" for audit logs, "10" for anomaly logs

And where {extension} is either :

  For anomaly logs : msg=<json payload>
  For audit logs   : cat=<activity> src=<src_IP> suser=<username> act=<activity result> cs1Label=<field1_type> cs1=<field1_value> cs2Label=<field2_type> cs2=<field2_value> cs3Label=<field3_type> cs3=<field3_value>

Anomaly Log JSON Format

  blueprint_label : Name of the blueprint the anomaly was raised in.
  timestamp       : Unix timestamp when the Anomaly was raised.
  origin_name     : Serial Number of the device the anomaly affects.
  alert           : The value is a JSON Payload with the actual anomaly (see Alert JSON Payload below)
  origin_hostname : Hostname of the device the anomaly affects. It can be AOSHOST, an empty string if the hostname could not be determined or a valid value.
  device_hostname : Hostname of the device the anomaly affects or <device hostname unknown> if a hostname could not be determined
  origin_role     : Role of the device the anomaly affects.

Alert JSON Payload:
<ALERT TYPE>_alert: Contains a JSON payload with key-value pair of information pertaining to the alert. Here <ALERT TYPE>_alert can be valid anomaly/alert names such as hostname_alert, probe_alert, liveness_alert etc.
  id      	 : UUID of the anomaly.
  first_seen      : Unix timestamp when the Anomaly was raised for the first time.
  raised          : True when anomaly is present, False when it is cleared.
  severity        : The severity level of the anomaly. Set to 3 for critical, 2 for high, 1 for medium and 0 for low.

Audit Log Format:

  cat       : Activity performed. Valid values: "Login", "Logout","BlueprintCommit","BlueprintRevert","BlueprintRollback", "BlueprintDelete","DeviceConfigChange",
              "OperationModeChangeToMaintenance","OperationModeChangeToNormal","OperationModeChangeToReadOnly","RatelimitExceptionAdd","RatelimitExceptionDelete",
              "RatelimitClear","SystemChangeApiOperationModeToMaintenance","SystemChangeApiOperationModeToNormal","UserCrete","UserUpdate","UserDelete",
              "SyslogCreate","SyslogUpdate","SyslogDelete","AuthAclEnable","AuthAclDisable","AuthAclRuleAdd","AuthAclRuleUpdate" and "AuthAclRuleDelete".
  src       : Source IP of the client making HTTP requests to perform the activity.
  suser     : Who performed the activity.
  act       : Outcome of the activity - free-form string. In the case when the activity was performed successfully, the value stored is “Success“. In case of error, include error string. Ex: Unauthorized
  cs1Label  : The string “Blueprint Name”. Only exists if activity is associated with a blueprint (optional)
  cs1       : Name of the blueprint on which action was taken. Only exists if activity is associated with a blueprint (optional)
  cs2Label  : The string “Blueprint ID”. Only exists if activity is associated with a blueprint (optional)
  cs2       : Id of the blueprint on which action was taken. Only exists if activity is associated with a blueprint (optional)
  cs3Label  : The string “Commit Message”. Only exists if user has added a commit message (optional)
  cs3       : Commit Message. Only exists if user has added a commit message (optional)
  deviceExternalId : Id (typically serial number) of the managed device on which action was taken. Only exists if activity is associated with a device such as for “DeviceConfigChange” (optional)
  deviceConfig  : Config that is pushed and applied on the device where “#012” is used to indicate a line break to log collectors and parsers. Only exists if activity is associated with a device such as for “DeviceConfigChange” (optional)

Example of Audit Syslog Message:

content_copy zoom_out_map
Jan 31 03:11:01 aos-server - 2023-01-31T03:11:01.699190+0000 aos-server
CEF:0|Apstra|AOS|4.1.2-269|100|Audit event|5|cat=Logout src=172.24.212.62 suser=admin act=Success

Jan 31 03:11:01 aos-server - 2023-01-31T03:11:01.699190+0000 aos-server
CEF:0|Apstra|AOS|4.1.2-269|100|Audit event|5|cat=BlueprintCommit src=172.24.212.62 suser=admin act=Success cs1Label=Blueprint Name
cs1=rack-based-blueprint-33ded50f cs2Label=Blueprint ID cs2=rack-based-blueprint-33ded50f

Example of Anomaly Syslog Message:

content_copy zoom_out_map
Jan 31 03:11:01 aos-server - 2023-01-31T03:11:01.699190+0000 aos-server
CEF:0|Apstra|AOS|4.1.2-269|101|Alert|10|msg={u'blueprint_label': u'rack-based-blueprint-33ded50f', u'timestamp': 1679002758562407, u'origin_name':
u'time_series', u'alert': {u'probe_alert': {u'expected_int_max': 99, u'stage_name': u'leaf_match_perc_range', u'probe_label': u'leaf_to_spine_interface_statuses',
u'actual_int': 83, u'probe_id': u'60b03bb0-0e22-4a6d-b32d-e15085149b7b', u'key_value_pairs': [], u'item_id': u'1', u'expected_int': -9223372036854775808},
u'first_seen': 1679002758562121, u'raised': False, u'severity': 3, u'id': u'02a17b60-cc3e-4afb-baba-733a8c654df6'}, u'origin_hostname': u'AOSHOST',
'device_hostname': '<device hostname unknown>', u'origin_role': u''}

Jan 31 03:11:01 aos-server - 2023-01-31T03:11:01.699190+0000 aos-server
CEF:0|Apstra|AOS|4.1.2-269|101|Alert|10|msg={u'blueprint_label': u'rack-based-blueprint-33ded50f', u'timestamp': 1679002754682990, u'origin_name':
u'50540015FA9D', u'alert': {u'first_seen': 1679002749600167, u'raised': False, u'severity': 3, u'hostname_alert': {u'expected_hostname': u'leaf-3',
u'actual_hostname': u''}, u'id': u'0457a759-7d3a-4bf8-97e8-e13e518cf267'}, u'origin_hostname': u'', 'device_hostname': '<device hostname unknown>', u'origin_role': u'leaf'}

From the left navigation menu, navigate to Platform > External Services > Syslog Configuration to see configurations. You can create, clone, edit and delete syslog configurations.

Create Syslog Config

From the left navigation menu, navigate to Platform > External Services > Syslog Configuration and click Create Syslog Config (top-right).
Configure the Syslog server. (See overview above for details.)
Click Create to save the configuration and return to the table view.
To configure another Syslog server, repeat the steps above.
To enable messages to be sent to a configured server, toggle on Use for Audit and/or Forward Anomalies, as appropriate.

Edit Syslog Config

From the left navigation menu, navigate to Platform > External Services > Syslog Configuration and click the Edit button for the Syslog configuration to edit.
Make your changes.
Click Update to update the Syslog configuration and return to the table view.

Delete Syslog Config

From the left navigation menu, navigate to Platform > External Services > Syslog Configuration and click the Delete button for the Syslog configuration to delete.
Click Delete Syslog Config to delete the Syslog configuration and return to the table view.

arrow_backward PREVIOUS Edit Password Complexity Requirements

NEXT arrow_forward Receivers (Platform)

Juniper Apstra 4.2.2 / 4.2.1 / 4.2.0 User Guide

ON THIS PAGE