Syslog Configuration (Platform)
Syslog Configuration Overview
You can use the Syslog protocol for auditing and for forwarding anomaly messages to one or more external Syslog servers. Alarms can be generated for use in an NMS alarming environment.
Syslog messages follow Common Event Format (CEF) conventions as shown below:
AOS Log Format:
'{timestamp} {host} '
'CEF:{version}|{device_vendor}|{device_product}|{device_version}|'
'{device_event_class_id}|{name}|{severity}|{extension}
Where:
{version} : always "0"
{device_vendor} : always "Apstra"
{device_product} : always "AOS"
{device_version} : current AOS version
{device_event_class_id} : "100" for audit logs, "101" for anomaly logs
{name} : "Audit event" for audit logs, "Alert" for anomaly logs
{severity} : "medium" for audit logs, "Very-High" for anomaly logs
And where {extension} is either :
For anomaly logs : msg=<json payload>
For audit logs : cat=<activity> src=<src_IP> suser=<username> act=<activity result> cs1Label=<field1_type> cs1=<field1_value> cs2Label=<field2_type> cs2=<field2_value> cs3Label=<field3_type> cs3=<field3_value>
Anomaly Log JSON Format
u'blueprint_label' : Name of the blueprint the anomaly was raised in.
u'timestamp' : Unix timestamp when the Anomaly was raised.
u'origin_name' : Serial Number of the device the anomaly affects.
u'alert' : The value is a JSON Payload with the actual anomaly (see next table)
u'origin_hostname' : Hostname of the device the anomaly affects.
u'device_hostname' : Hostname of the device the anomaly affects.
u'origin_role : Role of the device the anomaly affects.
u'first_seen' : Unix timestamp when the Anomaly was raised for the first time.
u'raised' : Always True.
u'severity : The severity level of the anomaly. Always 3.
Audit Log Extension Format:
cat : Activity performed. Valid values: “Login”, “Logout”, “BlueprintCommit”, “DeviceConfigChange”, “BlueprintDelete”.
src : Source IP of the client making HTTP requests.
suser : Who performed the activity.
act : Outcome of the activity - free-form string. In case of error, include error string. Ex: Unauthorized
cs1Label : The string “Blueprint Name”
cs1 : Name of the blueprint on which action was taken.
cs2Label : The string “Blueprint ID”
cs2 : Id of the blueprint on which action was taken.
cs3Label : The string “Commit Message”. Only exists if user has added a commit message (optional)
cs3 : Commit Message. Only exists if user has added a commit message (optional)
deviceExternalId : Id (typically serial number) of the managed device on which action was taken.
deviceConfig : Config that is pushed and applied on the device where “#012” is used to indicate a line break to log collectors and parsers.An example of Syslog messages is shown below:
Jul 31 03:10:36 aos-server - 2019-07-31T03:10:36.797839+0000 aos-server
CEF:0|Apstra|AOS|3.0.0-151|101|Alert|Very-High|msg={'device_hostname':
'<device hostname unknown>', u'timestamp': 1564542636797839, u'alert':
{u'probe_alert': {u'stage_name': u'Anomaly', u'actual_int': 9711, u'probe_id':
u'46b827c2-be4d-47a5-95f9-1ed0a57224f6', u'key_value_pairs': [{u'value':
u'"Ethernet5"', u'key': u'interface'}, {u'value': u'"2CC260994101"', u'key':
u'system_id'}], u'item_id': u'anomaly,probe\=46b827c2-be4d-47a5-95f9-1ed0a57224f6
,proc\=Anomaly,stage\=out,interface\=Ethernet5,system_id\=2CC260994101',
u'expected_int': 8000}, u'first_seen': 1564542636797795, u'raised': True,
u'severity': 3, u'id': u'4981e646-e665-481b-bada-391689e7ebf3'}, u'origin_name':
u'anomaly,probe\=46b827c2-be4d-47a5-95f9-1ed0a57224f6,proc\=Anomaly,stage\=out,
interface\=Ethernet5,system_id\=2CC260994101'}
Jul 31 03:11:01 aos-server - 2019-07-31T03:11:01.699190+0000 aos-server
CEF:0|Apstra|AOS|3.0.0-151|101|Alert|Very-High|msg={'device_hostname':
'<device hostname unknown>', u'timestamp': 1564542661699190, u'alert':
{u'probe_alert': {u'stage_name': u'Anomaly', u'actual_int': 12890, u'probe_id':
u'46b827c2-be4d-47a5-95f9-1ed0a57224f6', u'key_value_pairs': [{u'value':
u'"Ethernet5"', u'key': u'interface'}, {u'value': u'"2CC260994101"', u'key':
u'system_id'}], u'item_id': u'anomaly,probe\=46b827c2-be4d-47a5-95f9-1ed0a57224f6,
proc\=Anomaly,stage\=out,interface\=Ethernet5,system_id\=2CC260994101',
u'expected_int': 8000}, u'first_seen': 1564542636797795, u'raised': False,
u'severity': 3, u'id': u'4981e646-e665-481b-bada-391689e7ebf3'}, u'origin_name':
u'anomaly,probe\=46b827c2-be4d-47a5-95f9-1ed0a57224f6,proc\=Anomaly,stage\=
out,interface\=Ethernet5,system_id\=2CC260994101'}From the left navigation menu, navigate to Platform > External Services
> Syslog Configuration to see configurations. You can create,
clone, edit and delete syslog configuration. 
Create Syslog Config
Edit Syslog Config
- From the left navigation menu, navigate to Platform > External Services > Syslog Configuration and click the Edit button for the Syslog configuration to edit.
- Make your changes.
- Click Update to update the Syslog configuration and return to the list view.
Delete Syslog Config
- From the left navigation menu, navigate to Platform > External Services > Syslog Configuration and click the Delete button for the Syslog configuration to delete.
- Click Delete Syslog Config to delete the Syslog configuration and return to the list view.