NIOS Logging
Syslog Documentation Examples
REMEMBER! With query logging enabled on a busy box, the logs can easily grow to the point where they only go back 1 hour and the support bundle is 3.3Gb.
Query Logging Warning
NIOS 9.0.7 introduced a useful warning when query/response logging is enabled (basically, don't do it unless you know what you are doing, because it could have a massive impact on performance, especially if you have configured the system to send all the logs out via SYSLOG).
You can disable or re-enable the warning with:
set query_logging_warnings off
set query_logging_warnings on
Syslog Errors
Member offline log:
Facility = User
Server = monitor
Level = ALERT or ERROR
(ALERT) Type: controld, State: Red, Event: A controld failure has occurred.
(ALERT) Type: httpd, State: Red, Event: An Apache software failure has occurred.
(ALERT) Type: NTP Synchronization, State: Green, Event: The NTP service resumed synchronization. state change from 16 to 15
(ALERT) Type: NTP Synchronization, State: Red, Event: The NTP service is out of synchronization. state change from 15 to 16
(ALERT) Type: OSPF, State: Red, Event: An OSPF routing daemon failure has occurred.
(ALERT) Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred.
(ALERT) Type: Replication, State: Red, Event: Offline
(ALERT) Type: SSH, State: Red, Event: An SSH daemon failure has occurred.
(ALERT) Type: Threat Analytics, State: Red, Event: Threat Analytics Service is failed state change from 125 to 128
(ALERT) Type: DNS, State: Red, Event: A named daemon monitoring failure has occurred.
(ALERT) Type: DFP, State: Red, Event: NIOS/DFP Service has failed. Cloud/DFP is unhealthy. state change from 142 to 141
(ERROR) Type: DNS, State: Yellow, Event: DNS is still running even though DNS Traffic Control is not functioning properly state change from 32 to 106
(ERROR) Type: Cloud DNS Sync, State: Yellow, Event: Cloud DNS Sync Service is initializing. state change from 169 to 168
(ERROR) Type: DFP, State: Yellow, Event: NIOS/DFP Service is stopped by user. Cloud/DFP is healthy. state change from 142 to 143
(ERROR) Type: Replication, State: Yellow, Event: Synchronizing with grid
(ERROR) Type: DOT_DOH, State: Yellow, Event: DoT/DoH is enabled. You must manually reboot NIOS for DoT and DoH features. state change from 152 to 150
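An added example (not part of the original page and not Infoblox code): a Python parser for the monitor messages listed above that tracks the latest State per Type, so a recovery such as the NTP Green message clears the earlier Red one. The samples show a Green recovery logged at ALERT level, so the triage keys on State, not on the syslog level. The function names and the ordering of the sample lines are assumptions made for the example.

```python
import re

# (LEVEL) Type: <service>, State: <colour>, Event: <text> [state change from N to M]
MONITOR_RE = re.compile(
    r"\((?P<level>ALERT|ERROR)\) Type:\s*(?P<type>.+?), "
    r"State:\s*(?P<state>Red|Yellow|Green), Event:\s*(?P<event>.*?)"
    r"(?:\s+state change from (?P<old>\d+) to (?P<new>\d+))?\s*$")

def parse_monitor(line):
    """Return the fields of one monitor message, or None if it is not one."""
    m = MONITOR_RE.search(line)          # search: a syslog prefix may precede
    return m.groupdict() if m else None

def outstanding(lines):
    """Replay messages in order; return {type: state} for services not Green."""
    latest = {}
    for line in lines:
        ev = parse_monitor(line)
        if ev:
            latest[ev["type"]] = ev["state"]
    return {t: s for t, s in latest.items() if s != "Green"}

# Message texts are from this page; the sequence itself is constructed.
SAMPLE_LINES = [
    "(ALERT) Type: NTP Synchronization, State: Red, Event: The NTP service is "
    "out of synchronization. state change from 15 to 16",
    "(ALERT) Type: SSH, State: Red, Event: An SSH daemon failure has occurred.",
    "(ERROR) Type: Replication, State: Yellow, Event: Synchronizing with grid",
    "(ALERT) Type: NTP Synchronization, State: Green, Event: The NTP service "
    "resumed synchronization. state change from 16 to 15",
    "daemon INFO named[3391445] all zones loaded",   # not a monitor message
]

if __name__ == "__main__":
    print(outstanding(SAMPLE_LINES))
```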
Audit Log Rolling
The audit log file has a maximum size of 100Mb. When the limit is reached, the file is wiped (or FIFO overwritten) and starts to fill up again. If rolling is enabled, then a backup of the file is taken before it is deleted. Up to nine rolled log files can be stored, e.g.
audit.log
audit.log.1
audit.log.2
audit.log.3
audit.log.4
audit.log.5
audit.log.6
audit.log.7
audit.log.8
audit.log.9
Backup Logs
Successful backup via SCP generates the following syslog
Successful backup locally generates the following syslog
DTC Logging
See DTC page for details on logging.
Downloading SYSLOG
Under Administration > Logs > SysLog, you can:
Export can be a big file (e.g. I just tested it on a small lab NIOS box and it was 141Mb CSV file). It is uncompressed CSV of everything. However, if you apply a log filter, you will only get filtered results.
Download will give you a file called sysLog.tar.gz that contains a file called messages which is the raw syslog file.
Print will print a screen's worth of logs (about 8 pages).
Other options for getting logs
Logs on CLI
show log
show log syslog
show log audit
show log syslog follow
show log audit follow
show log syslog tail 5
show log audit tail 5
Logging Samples
Stopping BIND
Facility = daemon
Level = INFO
Server = named[3361284]
Message = shutting down
Facility = daemon
Level = NOTICE
Server = named[3361284]
Message = exiting
Starting BIND
daemon NOTICE named[3391445] starting BIND 9.16.23-S1 (Supported Preview Version) <id:70b08b2>
daemon NOTICE named[3391445] running on Linux x86_64 5.8.0-63-generic #71~20.04.1-Ubuntu SMP Thu Jul 15 17:46:08 UTC 2021
daemon NOTICE named[3391445] adjusted limit on open files from 22000 to 1048576
daemon INFO named[3391445] found 4 CPUs, using 4 worker threads
daemon INFO named[3391445] using 4 UDP listeners per interface
daemon INFO named[3391445] using up to 21000 sockets
daemon INFO named[3391445] loading configuration from '/infoblox/var/named_conf/named.conf'
daemon INFO named[3391445] looking for GeoIP2 databases in '/usr/share/GeoIP'
daemon INFO named[3391445] using default UDP/IPv4 port range: [32768, 60999]
daemon INFO named[3391445] listening on IPv4 interface lo, 127.0.0.1#53
daemon INFO named[3391445] listening on IPv4 interface eth1, 192.168.1.53#53
daemon INFO named[3391445] all zones loaded
daemon INFO named[3391445] 3 zones from zone files
daemon NOTICE named[3391445] running
RPZ Logging
RPZ_SEVERITY
Informational = 4
Warning = 6
Major = 7
Critical = 8
MITIGATION_ACTION
A1 = Substitute
PT = Passthru
NX = No Such DOMAIN_NAME
ND = No Domain
Log Breakdown
<code>TIMESTAMP=2025-05-28 12:50:11,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=passthru.slashdot.org,RPZ_QNAME=passthru.slashdot.org.forward-control,MITIGATION_ACTION=PT,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A</code>
<code>TIMESTAMP=2025-05-28 12:50:04,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=nosuchdomain.slashdot.org,RPZ_QNAME=nosuchdomain.slashdot.org.forward-control,MITIGATION_ACTION=NX,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A</code>
<code>TIMESTAMP=2025-05-28 12:49:55,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=blockname.slashdot.org,RPZ_QNAME=blockname.slashdot.org.forward-control,MITIGATION_ACTION=ND,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A</code>
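An added example (not part of the original page and not Infoblox code): a Python parser for the RPZ hit records above that decodes RPZ_SEVERITY and MITIGATION_ACTION with the tables on this page and counts non-passthru hits per client. The function names, the derived `rpz_zone` field (inferred from how RPZ_QNAME looks in the three samples) and the final malformed sample line are assumptions made for the example.

```python
import re
from collections import Counter

# Code tables exactly as listed on this page.
RPZ_SEVERITY = {4: "Informational", 6: "Warning", 7: "Major", 8: "Critical"}
MITIGATION_ACTION = {"A1": "Substitute", "PT": "Passthru",
                     "NX": "No Such DOMAIN_NAME", "ND": "No Domain"}
REQUIRED = {"CLIENT", "DOMAIN_NAME", "RPZ_QNAME", "RPZ_SEVERITY", "MITIGATION_ACTION"}
# Split only on commas that begin a new KEY=, so a comma inside a value survives.
FIELD_SPLIT = re.compile(r",(?=[A-Z_]+=)")

def parse_rpz(line):
    """Parse one RPZ hit record into a dict and add decoded code names."""
    rec = dict(p.partition("=")[::2] for p in FIELD_SPLIT.split(line.strip()))
    missing = REQUIRED - set(rec)
    if missing:
        raise ValueError(f"not an RPZ record, missing {sorted(missing)}")
    sev, act = rec["RPZ_SEVERITY"], rec["MITIGATION_ACTION"]
    rec["severity_name"] = RPZ_SEVERITY.get(int(sev) if sev.isdigit() else -1, f"unknown({sev})")
    rec["action_name"] = MITIGATION_ACTION.get(act, f"unknown({act})")
    # Assumption from the samples: RPZ_QNAME is DOMAIN_NAME + "." + RPZ zone name.
    prefix, q = rec["DOMAIN_NAME"] + ".", rec["RPZ_QNAME"]
    rec["rpz_zone"] = q[len(prefix):] if q.startswith(prefix) else None
    return rec

def blocked_hits_by_client(lines):
    """Count non-passthru RPZ hits per client, skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_rpz(line)
        except ValueError:
            continue
        if rec["MITIGATION_ACTION"] != "PT":
            counts[rec["CLIENT"]] += 1
    return counts

# First three lines are the page's samples; the last is a constructed bad line.
SAMPLES = [
    "TIMESTAMP=2025-05-28 12:50:11,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=passthru.slashdot.org,RPZ_QNAME=passthru.slashdot.org.forward-control,MITIGATION_ACTION=PT,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A",
    "TIMESTAMP=2025-05-28 12:50:04,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=nosuchdomain.slashdot.org,RPZ_QNAME=nosuchdomain.slashdot.org.forward-control,MITIGATION_ACTION=NX,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A",
    "TIMESTAMP=2025-05-28 12:49:55,VIEW=_default,CLIENT=192.168.1.12,RPZ_SEVERITY=7,DOMAIN_NAME=blockname.slashdot.org,RPZ_QNAME=blockname.slashdot.org.forward-control,MITIGATION_ACTION=ND,REDIRECTION_RECORD=N/A,CAT=RPZ:forward-control,GST=0,LID=N/A",
    "daemon INFO named[3391445] all zones loaded",
]

if __name__ == "__main__":
    print(blocked_hits_by_client(SAMPLES))
```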