Saucepan

User Tools

Site Tools

Trace: dns_sinkhole motd ping wireshark dns_exfiltration
infoblox_nios:logging

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_nios:logging [2023/11/21 21:31] – [Exporting] bstaffordinfoblox_nios:logging [2025/12/07 13:07] (current) bstafford
Line 1: Line 1:
 ====== NIOS Logging ====== ====== NIOS Logging ======
 +[[https://docs.infoblox.com/space/nios90/193692008/Syslog|Syslog Documentation Examples]]
  
 +REMEMBER! If you have query logging enabled, if the box is busy then you can easily build up to the point where all logs only go back 1 hour and the support bundle is 3.3Gb.
 +===== Query Logging Warning =====
 +NIOS 9.0.7 introduced a useful warning when query/response logging is enabled (basically, don't do it unless you know what you are doing because it could have a massive impact on performance - expecially if you have configured the system to send all the logs out via SYSLOG.
 +
 +You can disable the warning with:
 +<code>set query_logging_warnings off</code>
 +<code>set query_logging_warnings on</code>
 +===== Syslog Errors =====
 +
 +Member offline log:
 +Facily = User
 +Server = monitor
 +Level = ALERT or ERROR
 +  * (ALERT) Type: controld, State: Red, Event: A controld failure has occurred.
 +  * (ALERT) Type: httpd, State: Red, Event: An Apache software failure has occurred.
 +  * (ALERT) Type: NTP Synchronization, State: Green, Event: The NTP service resumed synchronization. state change from 16 to 15
 +  * (ALERT) Type: NTP Synchronization, State: Red, Event: The NTP service is out of synchronization. state change from 15 to 16
 +  * (ALERT) Type: OSPF, State: Red, Event: An OSPF routing daemon failure has occurred. 
 +  * (ALERT) Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred. 
 +  * (ALERT) Type: Replication, State: Red, Event: Offline
 +  * (ALERT) Type: SSH, State: Red, Event: An SSH daemon failure has occurred.
 +  * (ALERT) Type: Threat Analytics, State: Red, Event: Threat Analytics Service is failed state change from 125 to 128
 +  * (ALERT) Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred. 
 +  * (ALERT) Type: DFP, State: Red, Event: NIOS/DFP Service has failed. Cloud/DFP is unhealthy. state change from 142 to 141
 +  * (ERROR) Type: DNS, State: Yellow, Event: DNS is still running even though DNS Traffic Control is not functioning properly state change from 32 to 106
 +  * (ERROR) Type: Cloud DNS Sync, State: Yellow, Event: Cloud DNS Sync Service is initializing. state change from 169 to 168
 +  * (ERROR) Type: DFP, State: Yellow, Event: NIOS/DFP Service is stopped by user. Cloud/DFP is healthy. state change from 142 to 143
 +  * (ERROR) Type: Replication, State: Yellow, Event: Synchronizing with grid
 +  * (ERROR) Type: DOT_DOH, State: Yellow, Event: DoT/DoH is enabled. You must manually reboot NIOS for DoT and DoH features. state change from 152 to 150
 ===== Audit Log Rolling ===== ===== Audit Log Rolling =====
 The audit log file has a maximum size of 100Mb. When the limit is reached, the file is wiped (or FIFO overwritten) and starts to fill up again. If rolling is enabled, then a backup of the file is taken before it is deleted. Up to nine rolled log files can be stored. e.g The audit log file has a maximum size of 100Mb. When the limit is reached, the file is wiped (or FIFO overwritten) and starts to fill up again. If rolling is enabled, then a backup of the file is taken before it is deleted. Up to nine rolled log files can be stored. e.g
Line 14: Line 44:
   * audit.log.8   * audit.log.8
   * audit.log.9   * audit.log.9
 +===== Backup Logs =====
  
 +Succeful backup via SCP generates the following syslog
 +  * Facility: Daemon
 +  * Level: Notice
 +  * Server: scheduled_scp_backups
 +  * Message: Scheduled backup to the SCP server was successful - Backup file /dir/path/to/backup/<gridname>_2025_07_25_11_15.tar.gz
 +
 +Successful backup locally generates the following syslog
 +  * Facility: Daemon
 +  * Level: Notice
 +  * Server: manage_scheduled_backups
 +  * Message: Backup to LOCAL was successful - Backup file /storage/backup/BACKUP_2025_07_25_11_15.tar.gz
 +
 +
 +===== DTC Logging =====
 +See [[infoblox_nios:dtc|DTC]] page for details on logging.
 ===== Downloading SYSLOG ===== ===== Downloading SYSLOG =====
 Under Administration > Logs > SysLog, you can Under Administration > Logs > SysLog, you can
Line 26: Line 72:
  
 Print will print a screen's worth of logs (about 8 pages). Print will print a screen's worth of logs (about 8 pages).
 +
 +Other options for getting logs
 +  * Pulling a support bundle from GM, GUI or WAPI
 +  * Pushing a support bundle from CLI
 +  * Fileop function (via WAPI)
 +===== Logs on CLI =====
 +
 +<code>show log
 +show log syslog
 +show log audit
 +show log syslog follow
 +show log audit follow
 +show log syslog tail 5
 +show log audit tail 5</code>
 +
 +
 +===== Logging Samples =====
 +Stopping BIND
 +
 +  * Facility = daemon
 +  * Level = INFO
 +  * Server = named[3361284]
 +  * Message = shutting down
 +
 +  * Facility = daemon
 +  * Level = NOTICE
 +  * Server = named[3361284]
 +  * Message = exiting
 +
 +
 +  * Facility = user
 +  * Level = ALERT
 +  * Server = monitor[1145192]
 +  * Message = Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred.
 +
 +Starting BIND
 +
 +  * daemon NOTICE named[3391445] starting BIND 9.16.23-S1 (Supported Preview Version) <id:70b08b2>
 +  * daemon NOTICE named[3391445] running on Linux x86_64 5.8.0-63-generic #71~20.04.1-Ubuntu SMP Thu Jul 15 17:46:08 UTC 2021
 +  * daemon NOTICE named[3391445] adjusted limit on open files from 22000 to 1048576
 +  * daemon INFO named[3391445] found 4 CPUs, using 4 worker threads
 +  * daemon INFO named[3391445] using 4 UDP listeners per interface
 +  * daemon INFO named[3391445] using up to 21000 sockets
 +  * daemon INFO named[3391445] loading configuration from '/infoblox/var/named_conf/named.conf'
 +  * daemon INFO named[3391445] looking for GeoIP2 databases in '/usr/share/GeoIP'
 +  * daemon INFO named[3391445] using default UDP/IPv4 port range: [32768, 60999]
 +  * daemon INFO named[3391445] listening on IPv4 interface lo, 127.0.0.1#53
 +  * daemon INFO named[3391445] listening on IPv4 interface eth1, 192.168.1.53#53
 +  * daemon INFO named[3391445] all zones loaded
 +  * daemon INFO named[3391445] 3 zones from zone files
 +  * daemon NOTICE named[3391445] running
 +
 +====== RPZ Loggging =====
 +RPZ_SEVERITY
 +  * Informational = 4
 +  * Warning = 6
 +  * Major = 7
 +  * Critical = 8
 +
 +
 +MITIGATION_ACTION
 +  * A1 = Substitute
 +  * PT = Passthru
 +  * NX = No Such DOMAIN_NAME
 +  * ND = No Domain
 +
 +Log Breakdown
 +  * TIMESTAMP=2025-05-28 12:39:26,
 +  * VIEW=_default,
 +  * CLIENT=192.168.1.2,
 +  * RPZ_SEVERITY=7,
 +  * DOMAIN_NAME=www.slashdot.org,
 +  * RPZ_QNAME=www.slashdot.org.forward-control,
 +  * MITIGATION_ACTION=A1,
 +  * REDIRECTION_RECORD=N/A,
 +  * CAT=RPZ:forward-control,
 +  * GST=0,
 +  * LID=N/A
 +  
 +  <code>TIMESTAMP=2025-05-28 12:50:11,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=passthru.slashdot.org,RPZ_QNAME=passthru.slashdot.org.forward-control,MITIGATION_ACTION=PT,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A</code>
 +  
 +  <code>TIMESTAMP=2025-05-28 12:50:04,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=nosuchdomain.slashdot.org,RPZ_QNAME=nosuchdomain.slashdot.org.forward-control,MITIGATION_ACTION=NX,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A</code>
 +  
 +  <code>TIMESTAMP=2025-05-28 12:49:55,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=blockname.slashdot.org,RPZ_QNAME=blockname.slashdot.org.forward-control,MITIGATION_ACTION=ND,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A</code>
 +  
 +
 +
 +
infoblox_nios/logging.1700602312.txt.gz · Last modified: by bstafford