====== NIOS Logging ======

[[https://docs.infoblox.com/space/nios90/193692008/Syslog|Syslog Documentation Examples]]

REMEMBER! If query logging is enabled and the box is busy, logs can easily build up to the point where they only go back 1 hour and the support bundle is 3.3Gb.

===== Query Logging Warning =====

NIOS 9.0.7 introduced a useful warning when query/response logging is enabled (basically, don't do it unless you know what you are doing because it could have a massive impact on performance, especially if you have configured the system to send all the logs out via SYSLOG).

You can disable (or re-enable) the warning with:

  set query_logging_warnings off
  set query_logging_warnings on

===== Syslog Errors =====

Member offline log:

  * Facility = User
  * Server = monitor
  * Level = ALERT or ERROR

  * (ALERT) Type: controld, State: Red, Event: A controld failure has occurred.
  * (ALERT) Type: httpd, State: Red, Event: An Apache software failure has occurred.
  * (ALERT) Type: NTP Synchronization, State: Green, Event: The NTP service resumed synchronization. state change from 16 to 15
  * (ALERT) Type: NTP Synchronization, State: Red, Event: The NTP service is out of synchronization. state change from 15 to 16
  * (ALERT) Type: OSPF, State: Red, Event: An OSPF routing daemon failure has occurred.
  * (ALERT) Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred.
  * (ALERT) Type: Replication, State: Red, Event: Offline
  * (ALERT) Type: SSH, State: Red, Event: An SSH daemon failure has occurred.
  * (ALERT) Type: Threat Analytics, State: Red, Event: Threat Analytics Service is failed state change from 125 to 128
  * (ALERT) Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred.
  * (ALERT) Type: DFP, State: Red, Event: NIOS/DFP Service has failed. Cloud/DFP is unhealthy. state change from 142 to 141
  * (ERROR) Type: DNS, State: Yellow, Event: DNS is still running even though DNS Traffic Control is not functioning properly state change from 32 to 106
  * (ERROR) Type: Cloud DNS Sync, State: Yellow, Event: Cloud DNS Sync Service is initializing. state change from 169 to 168
  * (ERROR) Type: DFP, State: Yellow, Event: NIOS/DFP Service is stopped by user. Cloud/DFP is healthy. state change from 142 to 143
  * (ERROR) Type: Replication, State: Yellow, Event: Synchronizing with grid
  * (ERROR) Type: DOT_DOH, State: Yellow, Event: DoT/DoH is enabled. You must manually reboot NIOS for DoT and DoH features. state change from 152 to 150

===== Audit Log Rolling =====

The audit log file has a maximum size of 100Mb. When the limit is reached, the file is wiped (or FIFO overwritten) and starts to fill up again.

If rolling is enabled, then a backup of the file is taken before it is deleted. Up to nine rolled log files can be stored, e.g.

  * audit.log
  * audit.log.1
  * audit.log.2
  * audit.log.3
  * audit.log.4
  * audit.log.5
  * audit.log.6
  * audit.log.7
  * audit.log.8
  * audit.log.9

===== Backup Logs =====

A successful backup via SCP generates the following syslog:

  * Facility: Daemon
  * Level: Notice
  * Server: scheduled_scp_backups
  * Message: Scheduled backup to the SCP server was successful - Backup file /dir/path/to/backup/_2025_07_25_11_15.tar.gz

A successful local backup generates the following syslog:

  * Facility: Daemon
  * Level: Notice
  * Server: manage_scheduled_backups
  * Message: Backup to LOCAL was successful - Backup file /storage/backup/BACKUP_2025_07_25_11_15.tar.gz

===== DTC Logging =====

See [[infoblox_nios:dtc|DTC]] page for details on logging.

===== Downloading SYSLOG =====

Under Administration > Logs > SysLog, you can

  * Export
  * Download
  * Print

Export can be a big file (e.g. I just tested it on a small lab NIOS box and it was 141Mb CSV file). It is uncompressed CSV of everything. However, if you apply a log filter, you will only get filtered results.

Download will give you a file called ''sysLog.tar.gz'' that contains a file called ''messages'', which is the raw syslog file.

Print will print a screen's worth of logs (about 8 pages).

Other options for getting logs:

  * Pulling a support bundle from GM, GUI or WAPI
  * Pushing a support bundle from CLI
  * Fileop function (via WAPI)

===== Logs on CLI =====

  show log
  show log syslog
  show log audit
  show log syslog follow
  show log audit follow
  show log syslog tail 5
  show log audit tail 5

===== Logging Samples =====

Stopping BIND

  * Facility = daemon
  * Level = INFO
  * Server = named[3361284]
  * Message = shutting down

  * Facility = daemon
  * Level = NOTICE
  * Server = named[3361284]
  * Message = exiting

  * Facility = user
  * Level = ALERT
  * Server = monitor[1145192]
  * Message = Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred.

Starting BIND

  * daemon NOTICE named[3391445] starting BIND 9.16.23-S1 (Supported Preview Version)
  * daemon NOTICE named[3391445] running on Linux x86_64 5.8.0-63-generic #71~20.04.1-Ubuntu SMP Thu Jul 15 17:46:08 UTC 2021
  * daemon NOTICE named[3391445] adjusted limit on open files from 22000 to 1048576
  * daemon INFO named[3391445] found 4 CPUs, using 4 worker threads
  * daemon INFO named[3391445] using 4 UDP listeners per interface
  * daemon INFO named[3391445] using up to 21000 sockets
  * daemon INFO named[3391445] loading configuration from '/infoblox/var/named_conf/named.conf'
  * daemon INFO named[3391445] looking for GeoIP2 databases in '/usr/share/GeoIP'
  * daemon INFO named[3391445] using default UDP/IPv4 port range: [32768, 60999]
  * daemon INFO named[3391445] listening on IPv4 interface lo, 127.0.0.1#53
  * daemon INFO named[3391445] listening on IPv4 interface eth1, 192.168.1.53#53
  * daemon INFO named[3391445] all zones loaded
  * daemon INFO named[3391445] 3 zones from zone files
  * daemon NOTICE named[3391445] running

===== RPZ Logging =====

RPZ_SEVERITY

  * Informational = 4
  * Warning = 6
  * Major = 7
  * Critical = 8

MITIGATION_ACTION

  * A1 = Substitute
  * PT = Passthru
  * NX = No Such DOMAIN_NAME
  * ND = No Domain

Log Breakdown

  * TIMESTAMP=2025-05-28 12:39:26,
  * VIEW=_default,
  * CLIENT=192.168.1.2,
  * RPZ_SEVERITY=7,
  * DOMAIN_NAME=www.slashdot.org,
  * RPZ_QNAME=www.slashdot.org.forward-control,
  * MITIGATION_ACTION=A1,
  * REDIRECTION_RECORD=N/A,
  * CAT=RPZ:forward-control,
  * GST=0,
  * LID=N/A

Sample log lines:

  TIMESTAMP=2025-05-28 12:50:11,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=passthru.slashdot.org,RPZ_QNAME=passthru.slashdot.org.forward-control,MITIGATION_ACTION=PT,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A
  TIMESTAMP=2025-05-28 12:50:04,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=nosuchdomain.slashdot.org,RPZ_QNAME=nosuchdomain.slashdot.org.forward-control,MITIGATION_ACTION=NX,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A
  TIMESTAMP=2025-05-28 12:49:55,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=blockname.slashdot.org,RPZ_QNAME=blockname.slashdot.org.forward-control,MITIGATION_ACTION=ND,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A
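
Added example (not from the original page or from Infoblox): a Python parser for the RPZ log lines above that decodes RPZ_SEVERITY and MITIGATION_ACTION with the tables on this page and counts non-passthru hits per client and zone. It assumes field values contain no commas and that CAT has the form ''RPZ:<zone>'', as in the samples; the function names are hypothetical.

```python
from collections import Counter

# Code tables as listed on this page.
RPZ_SEVERITY = {4: "Informational", 6: "Warning", 7: "Major", 8: "Critical"}
MITIGATION_ACTION = {"A1": "Substitute", "PT": "Passthru",
                     "NX": "No Such DOMAIN_NAME", "ND": "No Domain"}
REQUIRED = {"CLIENT", "RPZ_SEVERITY", "DOMAIN_NAME", "MITIGATION_ACTION", "CAT"}

# Log lines from this page (the first is reassembled from the field breakdown).
SAMPLE = """\
TIMESTAMP=2025-05-28 12:39:26,VIEW=_default,CLIENT=192.168.1.2,RPZ_SEVERITY=7,DOMAIN_NAME=www.slashdot.org,RPZ_QNAME=www.slashdot.org.forward-control,MITIGATION_ACTION=A1,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A
TIMESTAMP=2025-05-28 12:50:11,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=passthru.slashdot.org,RPZ_QNAME=passthru.slashdot.org.forward-control,MITIGATION_ACTION=PT,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A
TIMESTAMP=2025-05-28 12:50:04,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=nosuchdomain.slashdot.org,RPZ_QNAME=nosuchdomain.slashdot.org.forward-control,MITIGATION_ACTION=NX,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A
TIMESTAMP=2025-05-28 12:49:55,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=blockname.slashdot.org,RPZ_QNAME=blockname.slashdot.org.forward-control,MITIGATION_ACTION=ND,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A
"""


def parse_rpz_line(line):
    """Split one RPZ log line into a dict and decode severity and action codes."""
    fields = {}
    for part in line.strip().split(","):  # assumption: no commas inside values
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a KEY=VALUE field: {part!r}")
        fields[key.strip()] = value.strip()
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    sev = int(fields["RPZ_SEVERITY"])
    fields["severity_name"] = RPZ_SEVERITY.get(sev, f"unknown({sev})")
    act = fields["MITIGATION_ACTION"]
    fields["action_name"] = MITIGATION_ACTION.get(act, f"unknown({act})")
    # In the samples CAT is "RPZ:<zone>" and RPZ_QNAME is DOMAIN_NAME + "." + zone.
    fields["zone"] = fields["CAT"].partition(":")[2]
    return fields


def summarise(lines, min_severity=7):
    """Count hits per (client, zone) at or above min_severity, skipping passthru."""
    hits = Counter()
    for line in lines:
        if not line.strip():
            continue
        f = parse_rpz_line(line)
        if int(f["RPZ_SEVERITY"]) >= min_severity and f["MITIGATION_ACTION"] != "PT":
            hits[(f["CLIENT"], f["zone"])] += 1
    return hits
```

Passthru (PT) hits are excluded from the count because the response was not altered; lower ''min_severity'' to include Warning or Informational rules.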