Data Domain - Configuring syslog and secure-syslog
Summary: Some log messages can be sent from the protection system to other systems. DDOS uses syslog to publish log messages to remote systems.
Instructions
Configuring syslog
A protection system exports the following facility.priority selectors for log files.
For information about managing the selectors and receiving messages on a third-party system, see your vendor-supplied documentation for the receiving system.
- *.notice - Sends all messages at the notice priority and higher.
- *.alert - Sends all messages at the alert priority and higher (alerts are included in *.notice).
- kern.* - Sends all kernel messages (kern.info log files).
Be advised that the internal software used for handling local and remote logging depends on the DDOS version:
- DDOS 7.12 and earlier ship with "syslogd", which does not include the DD hostname in log messages sent to a remote log host.
- DDOS 7.13 and later ship with "rsyslog", which includes the DD hostname in log messages sent to a remote log host.
In either case the CLI is the same, apart from features added in later DDOS releases that are not present in older ones (for example, secure syslog).
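The hostname difference above matters on the receiving side: a parser or SIEM rule that assumes a hostname field will mis-read lines from a DDOS 7.12 or earlier system, and a selector list is only useful if you can confirm what actually arrived. The following Python script is an added example, not from this KB or from Dell. It parses BSD-style syslog lines both with and without the hostname field, decodes the <PRI> value into facility and severity, and reports which of the three exported selectors (*.notice, *.alert, kern.*) would have forwarded each message. The sample lines, the hostname "ddve01" and the program tags are constructed.

```python
"""Parse what a remote log host receives from a Data Domain system.

Added example, not from the KB or from Dell. It handles both message
shapes described above: the syslogd format of DDOS 7.12 and earlier
(no hostname field) and the rsyslog format of DDOS 7.13 and later
(hostname present), decodes <PRI> into facility/severity, and tells you
which of the exported selectors (*.notice, *.alert, kern.*) emitted it.
Sample lines, hostname "ddve01" and program tags are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# RFC 3164 facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The three selectors the page says a protection system exports. "Priority
# and higher" means a numerically lower-or-equal severity code (0 = emerg).
SELECTORS: Dict[str, Callable[[int, int], bool]] = {
    "*.notice": lambda fac, sev: sev <= SEVERITIES.index("notice"),
    "*.alert": lambda fac, sev: sev <= SEVERITIES.index("alert"),
    "kern.*": lambda fac, sev: fac == FACILITIES.index("kern"),
}

# BSD syslog line: "<PRI>Mmm dd hh:mm:ss [hostname ]tag[pid]: message".
# The hostname group is optional because DDOS 7.12 and earlier omit it; it
# cannot be confused with the tag because the tag is always followed by ':'.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[A-Za-z0-9._-]+) )?"
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    pri: int
    facility: str
    severity: str
    host: Optional[str]  # None when the sender is DDOS 7.12 or earlier
    tag: str
    msg: str


def parse(line: str) -> SyslogMessage:
    """Decode one received line; raise ValueError for anything else."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(pri, FACILITIES[pri // 8], SEVERITIES[pri % 8],
                         m["host"], m["tag"], m["msg"])


def matched_selectors(message: SyslogMessage) -> List[str]:
    """Which of the exported selectors would have forwarded this message."""
    fac = FACILITIES.index(message.facility)
    sev = SEVERITIES.index(message.severity)
    return [name for name, match in SELECTORS.items() if match(fac, sev)]


# Constructed sample input: one rsyslog-style line (hostname present), one
# syslogd-style line (no hostname), an alert, and a debug line that no
# exported selector covers.
SAMPLE_LINES = [
    "<29>Mar 28 00:43:03 ddve01 ddfs: file system is ready",    # daemon.notice
    "<6>Mar 28 00:43:04 kernel: eth0: link up",                 # kern.info
    "<9>Mar 28 00:43:05 ddve01 alertd[512]: fan 2 has failed",  # user.alert
    "<31>Mar 28 00:43:06 ddve01 ddfs: verbose trace",           # daemon.debug
]


def summarize(lines: List[str]) -> List[dict]:
    """One record per line: sender host (or None), tag, facility.severity, selectors."""
    out = []
    for line in lines:
        m = parse(line)
        out.append({"host": m.host, "tag": m.tag,
                    "priority": f"{m.facility}.{m.severity}",
                    "selectors": matched_selectors(m)})
    return out


if __name__ == "__main__":
    for record in summarize(SAMPLE_LINES):
        print(record)
```

A line whose "host" comes back as None is the signature of a DDOS 7.12 or earlier sender; if the receiver needs a hostname for correlation, it has to be taken from the source IP of the connection rather than from the message.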
The "log host" commands manage the process of sending log messages to another system.
Viewing the log file transmission configuration
Use the "log host show" CLI command to view whether log file transmission is enabled and which hosts receive log files.
Steps
To display the configuration, enter the log host show command.
Example
# log host show
Remote logging is enabled.
Remote logging hosts
<Log-server name or IP>
Enabling and disabling log message transmission
You must use CLI commands to enable or disable log message transmission.
Steps
- To enable sending log messages to other systems, use the "log host enable" command.
- To disable sending log messages to other systems, use the "log host disable" command.
Adding or removing a receiver host
You must use CLI commands to add or remove a receiver host.
Steps
- To add a system to the list that receives protection system log messages, use the command:
# log host add <log-server name or IP>
- To remove a system from the list that receives system log messages, use the command:
# log host del <log-server name or IP>
Example
The following command adds the system that is named "my.log.server" to the hosts that receive log messages.
# log host add my.log.server
The following command removes the system named "my.log.server" from the hosts that receive log messages.
# log host del my.log.server
The following command disables the sending of logs and clears the list of destination hostnames.
# log host reset
Changing the syslog port:
- DDOS 7.4+ allows customer-configurable changes to the port that syslog sends to. (Refer to the KB article "Data Domain - Needs to modify the Port Setting for Syslog" if you are running an older version of the DD OS and need to change the syslog port.)
Steps
- To view the port that syslog sends log messages to, use the command:
# log server-port show
- To change the port that syslog sends log messages to, use the command:
# log server-port set <port number>
- To reset the port that syslog sends log messages to (default 514), use the command:
# log server-port reset
Example
The following command displays the syslog server-port that is being used.
# log server-port show
The following command sets the syslog server-port to "519".
# log server-port set 519
The following command resets the syslog server-port back to the default (514).
# log server-port reset
Configuring secure-syslog for encrypted log forwarding
DDOS provides the ability to encrypt log-forwarding to a remote host. Use the CLI to configure this functionality.
About this task
Secure-syslog supports anonymous mode, which uses server-side certificate authentication only. This requires importing:
- The syslog server CA certificate on the DD system
- The host certificate and host key on the syslog server system
The default secure-syslog server port is 10514. DDOS supports multiple syslog servers. When multiple syslog servers are configured, they all use the same secure-syslog server port configured on the DD system.
Failure conditions:
- Connection to the secure-syslog server fails
- The secure-syslog server CA certificate appears to be invalid
Steps
Complete the following steps to configure secure-syslog.
- Run the "log secure-syslog host add <host>" command to add the secure-syslog host to the system.
# log secure-syslog host add 10.10.10.10
Secure remote host logging is not enabled. Enable with 'log secure-syslog host enable'.
Host "10.10.10.10" added.
  - The host must match the CN generated during creation of the host certificate.
  - Also make sure that the DD system can resolve that name.
- Run the "adminaccess certificate import ca application secure-syslog" command to import the CA certificate for the secure-syslog server.
# adminaccess certificate import ca application secure-syslog
Enter the certificate and then press Control-D, or press Control-C to cancel.
MIIDgTCCAmmgAwIBAgIJAIsFi6huU/QSMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJZWTELMAkGA1UEBwwCSlMxHDAaBgNVBAoME0RlZmF1
bHQgQ29tcGFueSBMdGQxEDAOBgNVBAMMBzEuMi4zLjQwHhcNMjMwMzI4MDc0MzAz
WhcNMjYwMzI3MDc0MzAzWjBXMQswCQYDVQQGEwJVUzELMAkGA1UECAwCWVkxCzAJ
BgNVBAcMAkpTMRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMRAwDgYDVQQD
DAcxLjIuMy40MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQIWAlhv
KqSY/iaXS5O6vxJ9HHSgts7OWI/uhjO9yA/may2yHBvjxmLheg1ixseOjpKxvLfY
Of9ufLGKWpbVIJGoXkG6x+zde1hwbctK4EhN0XTJ/xoUVVu/F2DqeeM1B6bt+26Q
GR2xx3kJuFMBxtDvcrql/yXPH2BNPHyJJ6CIa1hwbx5iwxJJNUkLe/pjKBhRNyS0
T4trEwGgsNOVSyYGCkAo3BWPyijBagatPQFs36SrOVc3AcFu3ie9q67NEJDxOwfk
iFHvT8zYVRkDNYYmN7wt76TGK4G8HuldyZ19z+0fa6m6pMKbuOht19PtiP3MBXWh
e+jZYuzrmPVRHwIDAQABo1AwTjAdBgNVHQ4EFgQUXLSU4KHIiNlnXAKJdCexeA9X
ROwwHwYDVR0jBBgwFoAUXLSU4KHIiNlnXAKJdCexeA9XROwwDAYDVR0TBAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAUt0kgFbSfegkskrVDv4DwKKWlIkxgBJEVsvH
y+T16KszhedvUOUIM2quv6J1E1BqmrUlQSYb8RbJqOO6vWpruxVd4RYBSRIJzQT0
p3fGV3M90oi/bhmSt7v/Q7DpzzJgxDVSuKNXMf4WgPY212pubmUMfJFkDkK0t/pG
5OnLL9ChsAvZSX5mHDr7wbojO+GJJNAeLvLSBVtnNyB1e1xj0dpheIYyVP329sPN
C79uP+HdXma0ujOQgqpnpwAYY0faB6tcb/mkn/SyL30Fx01HaXRwdF6CivoakOgw
Hkrf88XDMPXBK4kstEqGoO0RRFPL0tAQN4hu+hQpRmr03nzhyQ==
The SHA1 fingerprint for the imported CA certificate is:
AD:61:28:84:71:EB:5B:7F:E7:9A:EC:3B:16:25:9B:99:28:9E:33:58
Do you want to import this certificate? (yes|no) [yes]: yes
CA certificate imported for applications : "secure-syslog".
- Run the "adminaccess certificate show imported-ca application secure-syslog" command to verify that the certificate was imported.
# adminaccess certificate show imported-ca application secure-syslog
Subject Type        Application   Valid From               Valid Until              Fingerprint
------- ----------- ------------- ------------------------ ------------------------ -----------------------------------------------------------
1.2.3.4 imported-ca secure-syslog Tue Mar 28 00:43:03 2023 Fri Mar 27 00:43:03 2026 AD:61:28:84:71:EB:5B:7F:E7:9A:EC:3B:16:25:9B:99:28:9E:33:58
------- ----------- ------------- ------------------------ ------------------------ -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
- Run the "log secure-syslog host enable" command to enable secure-syslog log forwarding.
# log secure-syslog host enable
Secure-syslog remote host logging is enabled.
- Run the "log secure-syslog host show" command to verify that secure-syslog log forwarding is enabled.
# log secure-syslog host show
Secure-syslog remote logging is enabled.
Remote logging hosts
10.10.10.10
- Run the "log secure-syslog server-port show" command to check the port for secure-syslog log forwarding.
# log secure-syslog server-port show
Server-port 10514
- If necessary, run the "log secure-syslog server-port set <port-number>" command to change the port number.
Next steps
The syslog server requires a CA certificate, host certificate, and host key. The following example shows a sample server-side configuration for secure-syslog:
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/cert/cacert.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/cert/ser_cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/cert/serkey.pem"
)
$ModLoad imtcp # TCP listener
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 10514 # start up listener at port 10514
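Most "connection to the secure-syslog server fails" cases come down to the listener not matching what the DD side expects: a port that differs from "log secure-syslog server-port show", a non-TLS stream driver mode, or an auth mode other than anon. The following Python checker is an added example, not from this KB, from Dell, or from the rsyslog project. It parses the sample server-side configuration above (both the RainerScript global() block and the legacy $-directives) and lists every setting that would stop a DD system in anonymous mode from connecting. The embedded configuration text is a copy of the sample above, and the expected port defaults to the page's 10514.

```python
"""Pre-flight check of an rsyslog secure-syslog listener against the DD side.

Added example, not from the KB, from Dell, or from the rsyslog project.
It parses the RainerScript global(...) block and the legacy $-directives
used in the sample configuration and reports anything that would stop a
DD system in anonymous mode from connecting: wrong driver, missing CA /
certificate / key paths, non-TLS mode, a non-anon auth mode, or a listener
port that differs from "log secure-syslog server-port show" on the DD.
"""
import re
from typing import Dict, List

# Copy of the sample server-side configuration shown above (page's values).
SAMPLE_RSYSLOG_CONF = """
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/cert/cacert.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/cert/ser_cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/cert/serkey.pem"
)
$ModLoad imtcp # TCP listener
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 10514 # start up listener at port 10514
"""

# The page's default; pass the live value from
# "log secure-syslog server-port show" on the DD system if it was changed.
DD_DEFAULT_SECURE_SYSLOG_PORT = 10514

REQUIRED_FILE_PARAMS = ("DefaultNetstreamDriverCAFile",
                        "DefaultNetstreamDriverCertFile",
                        "DefaultNetstreamDriverKeyFile")


def parse_rsyslog(conf_text: str) -> Dict[str, List[str]]:
    """Map each setting name to the list of values it is given.

    Handles key="value" pairs inside global( ... ) and legacy lines of the
    form $Name value. Comments starting with '#' are stripped first.
    """
    body = "\n".join(re.sub(r"#.*", "", line) for line in conf_text.splitlines())
    settings: Dict[str, List[str]] = {}
    for block in re.finditer(r"global\s*\((.*?)\)", body, re.S):
        for key, value in re.findall(r'(\w+)\s*=\s*"([^"]*)"', block.group(1)):
            settings.setdefault(key, []).append(value)
    for key, value in re.findall(r"^\s*\$(\w+)\s+(\S+)", body, re.M):
        settings.setdefault(key, []).append(value)
    return settings


def check_secure_syslog_listener(conf_text: str,
                                 dd_server_port: int = DD_DEFAULT_SECURE_SYSLOG_PORT) -> List[str]:
    """Return findings; an empty list means the listener matches the DD side."""
    s = parse_rsyslog(conf_text)
    findings: List[str] = []
    if s.get("DefaultNetstreamDriver") != ["gtls"]:
        findings.append("DefaultNetstreamDriver must be gtls to terminate TLS")
    for key in REQUIRED_FILE_PARAMS:
        if key not in s:
            findings.append(f"{key} is missing: CA, host certificate and host key are all required")
    if "imtcp" not in s.get("ModLoad", []):
        findings.append("imtcp is not loaded: secure-syslog is TCP, not UDP")
    if s.get("InputTCPServerStreamDriverMode") != ["1"]:
        findings.append("InputTCPServerStreamDriverMode must be 1 (TLS-only)")
    if s.get("InputTCPServerStreamDriverAuthMode") != ["anon"]:
        findings.append("AuthMode must be anon: DDOS only does server-side certificate authentication")
    ports = s.get("InputTCPServerRun", [])
    if str(dd_server_port) not in ports:
        findings.append(f"listener port {ports or 'unset'} != DD secure-syslog server-port "
                        f"{dd_server_port}: connection will fail")
    return findings


if __name__ == "__main__":
    report = check_secure_syslog_listener(SAMPLE_RSYSLOG_CONF) or ["listener matches the DD side"]
    for line in report:
        print(line)
```

The checker reads configuration only; it does not confirm that the certificate's CN matches the host name given to "log secure-syslog host add" or that the DD system can resolve it, which remain manual checks per the notes in the steps above.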
Additional Information
Syslog commands summary:
log host add <host>                        Add a remote logging host
log host del <host>                        Remove a remote logging host
log host disable                           Disable logging to remote hosts
log host enable                            Enable logging to remote hosts
log host reset                             Reset (to default) all remote logging hosts
log host show                              Show remote logging hosts
* server-port is customer configurable starting in DD OS 7.4+
log server-port reset                      Resets the syslog port number
log server-port set <port-number>          Sets the syslog port number
log server-port show                       Show syslog service port
++ secure-syslog is available starting DD OS 7.12+
log secure-syslog host add <host>          Add a secure-syslog remote logging host
log secure-syslog host del <host>          Remove a remote logging host
log secure-syslog host disable             Disable secure-syslog logging to remote hosts
log secure-syslog host enable              Enable secure-syslog logging to remote hosts
log secure-syslog host show                Show secure-syslog remote logging hosts
log secure-syslog reset                    Reset secure-syslog configuration
log secure-syslog server-port reset        Resets the secure-syslog server port number
log secure-syslog server-port set <port-number>
                                           Sets the secure-syslog port number
log secure-syslog server-port show         Show secure-syslog server port
| Service | Protocol | Port | Port Configurable | Default | Description |
| Syslog | UDP | 514 | Yes* | Disabled | Used by the system to send syslog messages, if enabled. Use "log host show" to display destination hosts and service status. Use (where applicable*) "log server-port set <port-number>" to set the destination host port. The port configured is the same for all destination hosts configured for normal syslog. Only normal syslog or secure-syslog can be used at once, not both at the same time. |
| Secure-syslog | TCP | 10514 | Yes | Disabled | Used by the system to send encrypted syslog messages, if enabled. Use "log secure-syslog host show" to display destination host and service status. Use "log secure-syslog server-port set <port-number>" to set the destination host port. The port configured is the same for all destination hosts configured. Only normal syslog or secure-syslog can be used at once, not both at the same time. |
* syslog server port is customer configurable starting in DD OS 7.4.