EdgeConnect Appliance Logs
The following information describes the three methods for accessing the logs from the appliances.
Use Orchestrator for Log Export
-
The preferred method for exporting logs is to configure the logging template in Orchestrator and add remote log receivers. For more information, see the Logging Template and Remote Log Messages sections in the Orchestrator User Guide.
-
This allows EdgeConnect appliances to send Audit, Firewall, System, and other logs to an external Syslog server or a centralized SIEM system.
Use the EdgeConnect Web UI
-
Log in to the EdgeConnect web UI at https://<edgeconnect-appliance-ip> and navigate to Support > Technical Assistance > Log Viewer.
The Log Viewer opens.
-
Filter the logs by Type (Firewall Node, Alarm, Audit, and Event), End Date, and Record Count.
-
After you select the filters, click Retrieve Logs.
The table is updated to show only logs that meet the filter criteria you set.
To export the logs:
-
The preferred method for exporting logs is to configure the logging template in Orchestrator and add remote log receivers. For more information, see the Logging Template and Remote Log Messages sections in the Orchestrator User Guide.
-
This allows you to send the logs (audit, firewall, system, etc.) to a remote location, such as a Syslog server or SIEM system for further analysis.
Use Technical Support
-
In Orchestrator, navigate to Support > Technical Assistance > Tech Support Appliances.
-
From this tab you can do the following:
-
Filter logs and other system data by All, Logs, Sys Dump, Snapshot, or TCP Dump.
-
Create a case, generate sys dumps, and upload logs, sys dumps, or tcp dumps to HPE Aruba Networking support.
-
Download logs to Orchestrator for local review or storage.
-
-
For more information, see Tech Support - Appliances in the Orchestrator User Guide.
EdgeConnect appliances support eight log severity levels, as described in the following table.
| Severity Level | Description |
|---|---|
| Emergency | System is unusable. |
| Alert | Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING. |
| Critical | Critical event. |
| Error | An error. This is a non-urgent failure. |
| Warning | A warning condition. Indicates an error will occur if action is not taken. |
| Notice | A normal, but significant, condition. No immediate action required. |
| Info | Informational. Used by Support for debugging. |
| Debug | Used by Support for debugging. |
| None | This indicates that no events are logged. |
System Logs
Description: These logs contain information about general system operations. The sample log is a SYSLOG in /var/log/messages.
Sample Log:
Jan 23 19:37:36 2025 Madrid sysd[37228]: CPU 0 TID 140345765520832: [sysd.NOTICE]:
WDOG: Strobing the hardware watchdog text
Jan 23 19:37:37 2025 Madrid iptrackd[37210]: CPU 0 TID 139704950331264:
[iptrackd.NOTICE]: iptrack_mgr_send_http_mon_request: set http bindings as
url:https://sp-ipsla.silverpeak.cloud port:lan0.60 tunnelNONE ka:90 up:2 down:3
timeout:60 proxy: proxy port:0 user agent: sample_int:300 loss_up_thresh:0
loss_down_thresh:0 rtt_up_thresh:0 rtt_down_thresh:0 metric:OR
ECOS 9.5 System Log Data
| Field | Type | Description | Sample Log Value |
|---|---|---|---|
| date | String | The date and time of the log entry. | Jan 23 19:37:37 2025 |
| host | String | The hostname or appliance name from which the log was generated. | Madrid |
| process | String | The process generating the log. | sysd/iptrackd |
| pid | Integer | The process ID. | 37228/37210 |
| cpu | Integer | The CPU identifier. | 0 |
| tid | Integer | The thread ID. | 140345765520832/139704950331264 |
| log_level | String | The severity level of the log. | NOTICE |
| function | String | Function or module generating the log. | WDOG/iptrack_mgr_send_http_mon_request |
| description | String | Description of the event. | Strobing the hardware watchdog/set http bindings |
| url | String | HTTP bindings URL (if applicable). | https://sp-ipsla.silverpeak.cloud (from iptrackd) |
| port | String | Port details (if applicable). | lan0.60 (from iptrackd) |
| tunnel | String | Tunnel information (if applicable). | NONE (from iptrackd) |
| ka | Integer | Keepalive interval (if applicable). | 90 (from iptrackd) |
| up | Integer | Upstream value (if applicable). | 2 (from iptrackd) |
| down | Integer | Downstream value (if applicable). | 3 (from iptrackd) |
| timeout | Integer | Timeout value (if applicable). | 60 (from iptrackd) |
| proxy | String | Proxy information (if applicable. ) | proxy (from iptrackd) |
| proxy_port | Integer | Proxy port (if applicable). | 0 (from iptrackd) |
| user_agent | String | User agent details (if applicable). | sample_int (from iptrackd) |
| metric | String | Performance metric (if applicable). | OR (from iptrackd) |
Audit Logs
Description: These logs track user actions. The sample log is a SYSLOG in /var/log/auditlog.
Push or Pull: Push
Sample Log:
Jun 1 16:18:35 2022 ams-ecva mgmtd[8463]: Orchestrator@- action SYSTEM
setCapabilityToken succeeded params:name=overlayLimit ,enable=false ,limit=0 ,alarm=0
,renew=0 ,xpact=1 ,magic=92193114582973157
Jun 1 16:18:35 2022 ams-ecva mgmtd[8463]: Orchestrator@- action SYSTEM
setFeatureToken succeeded params:feature=ecMini ,name=ecMini ,enable=false ,desc=EC
Mini License - 50Mbps bandwidth limit ,tokens=bandwidthLimit
ECOS 9.5 Audit Log Data
| Field | Type | Description | Sample Log Value |
|---|---|---|---|
| date | String | The date and time of the log entry. | Jun 1 16:18:35 2022 |
| host | String | The hostname or appliance name from which the log was generated. | ams-ecva from log |
| process | String | The process generating the log. | mgmtd |
| pid | Integer | The process ID. | 8463 |
| user | String | User or entity performing the action. | Orchestrator |
| action | String | Action performed. | setFeatureToken |
| status | String | Status of the action. | succeeded |
| feature | String | Feature name. | ecMini |
| name | String | Name associated with the feature. | ecMini |
| enable | Boolean | Indicates whether the feature is enabled or not. | FALSE |
| description | String | Description of the feature. | EC Mini License - 50Mbps bandwidth limit |
| tokens | String | Associated tokens. | bandwidthLimit |
Firewall Logs
These logs contain information about firewall events. Logs available are firewall policy logs, DDOS threshold logs, and WAN drop logs.
Starting with Orchestrator release 9.4, the Logging template has a check box to enable JSON formatting for firewall logs. This option is not available if you are running Orchestrator 9.3 or lower. This feature was introduced alongside IP anonymization. If IP anonymization is selected, the JSON option is automatically enabled. It can also be selected if IP anonymization is not being used. This setting sends only the firewall logs to the receiver in JSON format. The structure of the JSON file can be configured in the Syslog configuration file. Unlike the log file, the JSON raw file does not contain the facility.
To view the Logging template, log in to Orchestrator and navigate to Configuration > Templates & Policies > Templates. If you can’t see the Logging template, click Show All and drag and drop it into the General Settings Template or your custom group template to configure logging. The following graphic shows how to select only the Jsonify check box in the Logging template.
To change the raw text delimiter JSON file and format to JSON raw, you can add the following to your destination. Add the text shown in bold below, in the destination block section of the Syslog server in /etc/syslog.conf:
destination d_json {
file("/var/log/silverpeak_json/${HOST}-DAY${DAY}.log" create_dirs(yes)
template("$(format_json --scope all --escape all --exclude date)"));
};
Firewall Policy Logs
Description: Sample log is a SYSLOG in /var/log/firewall.
Push or Pull: Push
Sample Log:
Oct 4 05:17:28 2021 sris-eva netflowd[10239]: [ALERT] Action:allow, Reason:flow create,
InputInt:lan0, OutputInt:Passthrough_INET1_DefaultOverlay, StartTime:Mon Oct 4
05:17:27 2021, EndTime:, RXPkts:2, TXPkts:2, RXOctets:108, TXOctets:258, Flow-
ID:145899, ingressVRFID:0, egressVRFID:0, VRFname:Default, SrcAddr:10.27.XX.XX,
DstAddr:8.8.8.8, SrcPort:49546, DstPort:53, Application:Dns, IPTos:be (0x0), Protocol:udp,
TCPFlags:0x0, Host:sris-eva, FromZone:LAN, ToZone:INTERNET, Tag:LAN_INTERNET_1030,
Direction:Outbound, Overlay:DefaultOverlay, NATSrcIP:10.80.XXX.XXX, NATSrcPort:49546
ECOS 9.5 Firewall Policy Log Data
| Field | Type | Description | Sample Log Value |
|---|---|---|---|
| Timestamp | String | The date and time the log entry was recorded. | Oct 4 05:17:28 2021 |
| Host | String | The hostname or appliance name from which the log was generated. | sris-eva |
| Action | String | Firewall action taken (allow/deny. | Allow |
| Reason | String | Reason for action. | Flow Create |
| Input Interface | String | Interface where the traffic entered. | lan0 |
| Output Interface | String | Interface where the traffic exited. | Passthrough_INET1_DefaultOverlay |
| Start Time | String | Start time of the flow. | Mon Oct 4 05:17:27 2021 |
| End Time | String | End time of the flow (empty if ongoing). | - (Empty) |
| RX Packets | Integer | Number of received packets. | 2 |
| TX Packets | Integer | Number of transmitted packets. | 2 |
| RX Bytes | Integer | Number of received bytes | 108 |
| TX Bytes | Integer | Number of transmitted bytes | 258 |
| Flow-ID | Integer | Unique identifier for the flow | 145899 |
| Ingress VRF ID | Integer | VRF ID of incoming traffic | 0 |
| Egress VRF ID | Integer | VRF ID of outgoing traffic | 0 |
| VRF Name | String | Name of the VRF | Default |
| Source IP | IP Address | Original source IP address of the traffic | 10.27.XX.XX |
| Destination IP | IP Address | Final destination IP address of the traffic | 8.8.8.8 |
| Source Port | Integer | Source port of the traffic | 49546 |
| Destination Port | Integer | Destination port of the traffic | 53 |
| Application | String | Identified application | DNS |
| IP TOS | String | Type of Service (TOS) value for traffic | be (0x0) |
| Protocol | String | Network protocol used | UDP |
| TCP Flags | String | TCP flag values (if applicable) | 0x0 |
| From Zone | String | Security zone of source traffic | LAN |
| To Zone | String | Security zone of destination traffic | INTERNET |
| Tag | String | Policy tag applied to traffic | LAN_INTERNET_1030 |
| Direction | String | Flow direction (Inbound/Outbound) | Outbound |
| Overlay | String | Overlay network name | DefaultOverlay |
| NAT Source IP | IP Address | NAT-ed source IP address | 10.80.XXX.XXX |
| NAT Source Port | Integer | NAT-ed source port | 49546 |
Sample Log in JSON Format:
Jan 28 02:45:09 10.43.14.33
{"vrfName":"Default","srcPort":"59332","dstPort":"443","start":"Tue Jan 28 02:43:51 2025",
"ipTos":"be (0x0)","protocol":"tcp","tcpFlags":"0x1b","fromZone":"TRUSTED",
"srcAddr":"192.168.XX.XXX","toZone":"UNTRUSTED","tag":"inspected","dstAddr":"162.125.X.XX",
"overlay":"SSE","userName":"unknown","timestamp":"Jan 28 02:45:09 2025","srcRole":"default",
"hostname":"Kennesaw4-Powers","dstRole":"default","proc":"netflowd[720]","tid":"937510336",
"level":"NOTICE","logType":"Zone Based Firewall","action":"allow","reason":"flowend",
"inputInt":"bwan0","outputInt":"HPESSE_INETC_Primary_A1","end":"Tue Jan 28 02:45:09 2025",
"rxPkts":"14","txPkts":"18","rxOctets":"1711","userDevice":"unknown","txOctets":"5833",
"direction":"Outbound","flowId":"198453","host":"Kennesaw4-Powers",
"ingressVrfId":"0","application":"Dropbox","egressVrfId":"0"}
Firewall Protection Profile (FPP) Logs
Description: Sample log is a SYSLOG in /var/log/firewall.
Sample Log:
Jun 7 07:30:18 2022 sris-eva tunneld[8375]: CPU 0 TID 964683264: [NOTICE]:
cddos_thresh_action_entry_exit_handler() DDOS: Raise Min threshold action. Source IP:
4.4.4.4 Zone id: 0 Threshold: 1 <Source-level,TCP,Flows per second> value: 128 Action: log
ECOS 9.5 DDoS Threshold Log Data
| Field | Type | Description | Sample Log Value |
|---|---|---|---|
| date | String | The date and time the log entry was recorded. | Jun 7 07:30:18 2022 |
| host | String | The hostname or appliance name from which the log was generated. | sris-eva |
| process | String | The process generating the log. | tunneld |
| pid | Integer | The process ID. | 8375 |
| cpu | Integer | The CPU identifier. | 0 |
| tid | Integer | The thread ID. | 964683264 |
| log_level | String | The severity level of the log. | NOTICE |
| function | String | Function generating the log. | cddos_thresh_action_entry_exit_handler |
| event_type | String | Type of event. | DDOS |
| event_desc | String | Description of the event or action logged. | Raise Min threshold action |
| source_ip | String | Source IP address. | 4.4.4.4 |
| zone_id | Integer | Zone identifier. | 0 |
| threshold | Integer | Threshold value. | 1 |
| metric | String | Performance metric. | Source-level, TCP, Flows per second |
| metric_value | Integer | Value of the metric. | 128 |
| action | String | Action taken. | log |
Sample Log in JSON Format:
timestamp="Jun 7 07:30:18 2022", hostname="sris-eva", process="tunneld[8375]",
cpu="0", tid="964683264", level="NOTICE",
function="cddos_thresh_action_entry_exit_handler()", event="DDOS: Raise Min threshold
action", source_ip="4.4.4.4", zone_id="0", threshold="1", value="128", action="log",
source_level="Source-level", protocol="TCP", flows_per_second="Flows per second"
WAN Drop Logs
Description: Sample log is a SYSLOG in /var/log/firewall.
Push or Pull: Push
Sample Log:
Jan 28 04:35:12 Sydney-Coleman tunnelId[29806]:CPU 0 TID 15762880 [NOTICE]:
LogType:Stateful WAN Drops,InputInt:wan0,SrcAddr:46.118.XX.XX,
DstAddr:180.222.XXX.XX, Protocol:tcp, SrcPort:52112, DstPort:23,
Len:60,Description:tcp Inbound drop on stateful wan interface
ECOS 9.5 WAN Drop Log Data
| Field | Type | Description | Sample Log Value |
|---|---|---|---|
| level | String | The severity level of the log. | NOTICE |
| protocol | String | Protocol used. | tcp |
| description | String | Description of the event or action logged. | Inbound drop on stateful wan interface |
| hostname | String | The hostname or appliance name from which the log was generated. | Sydney-Coleman |
| len | String | Length of the packet. | 60 |
| dstPort | String | Destination port number. | 23 |
| timestamp | String | The date and time the log entry was recorded. | 1/28/2025 4:35 |
| tid | String | Transaction ID. | 15762880 |
| srcAddr | String | Source IP address. | 46.118.XX.XX |
| srcPort | String | Source port number. | 52112 |
| logType | String | Type of log event. | Stateful WAN Drops |
| proc | String | Process name and ID. | tunneld[29806] |
| inputInt | String | Input interface. | wan0 |
| dstAddr | String | Destination IP address. | 180.222.XXX.XX |
Sample Log in JSON Format:
Jan 28 04:35:12 10.43.17.18 {"level":"NOTICE","protocol":"tcp","description":"Inbound
drop on stateful wan interface","hostname":"Sydney-Cole man",
"len":"60","dstPort":"23","timestamp":"Jan 28 04:35:11 2025","tid":"15762880",
"srcAddr":"46.118.XX.XX","srcPort":"52112","logType":"Stateful WAN Drops",
"proc":"tunneld[29806]","inputInt":"wan0","dstAddr":"180.222.XXX.XX"}
IDS/IPS Logs
Description: These logs track intrusion attempts. Sample log is a SYSLOG in /var/log/suricata.
Push or Pull: Push
Sample Log:
Jan 28 02:44:55 Kennesaw4-Powers suricata[1079]: [Inspect] sid=1:2035465:4
classification="Misc activity" priority=3 mode=ips-inline srcVRF=Default
srcZone=TRUSTED timestamp="Jan 28 02:44:44"
ECOS 9.5 IDS/IPS Log Data
| Field | Type | Description | Sample Log Value |
|---|---|---|---|
| Raw_Log | String | Contains the full, unmodified log entry. | See the sample log above. |
| Timestamp | String | The date and time the log entry was recorded. | Jan 29 19:49:31 2025 |
| Hostname | String | The hostname or appliance name from which the log was generated. | Kennesaw4-Powers |
| Message_Type | String | The severity level of the log. | INFO |
| Event_Description | String | Description of the event or action logged. | Forking then execing binary ‘/usr/bin/wc |
| File_Path | String | The path to the file referenced in the log entry (if any). | /var/opt/tms/idsips/ipsChangeSidAction |
| Return_Code | Integer | The return code from the operation, if applicable. | 0 |
Sample Log in JSON Format:
Jan 28 02:44:55 10.43.14.33 {"hostname":"Kennesaw4-Powers",
"proc":"suricata[1079]","action":"[Inspect]","sid":"1:2035465:4",
"classification":" Misc activity","priority":"3","mode":"ips-inline",
"srcVRF":"Default","srcZone":"TRUSTED","timestamp":"Jan 28 02:44:44