
Table Of Contents

Events

Event Class

Event Severity Level

Event Log

Event Log Data

Configuration | System | Events

Configuration | System | Events | General

Syslog Format

Severity to Log

Severity to Console

Severity to Syslog

Severity to Trap

Apply/Cancel

Configuration | System | Events | Classes

Configured Event Classes

Add/Modify/Delete

Configuration | System | Events | Classes | Add or Modify

Class Name

Enable

Severity to Log

Severity to Console

Severity to Syslog

Severity to Trap

Add or Apply/Cancel

Configuration | System | Events | Trap Destinations

Trap Destinations

Add/Modify/Delete

Configuration | System | Events | Trap Destinations | Add or Modify

Destination

SNMP Version

Community

Port

Add or Apply/Cancel

Configuration | System | Events | Syslog Servers

Syslog Servers

Add/Modify/Delete

Configuration | System | Events | Syslog Servers | Add or Modify

Syslog Server

Port

Facility

Add or Apply/Cancel


Events


An event is any significant occurrence within or affecting the VPN 3002 such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN 3002 records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, or an SNMP management system trap.

Event attributes include class and severity level. For detailed information about event classes and severity levels, see the VPN 3002 Hardware Client Reference, available online only.

Event Class

Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN 3002. The following table describes the event classes.

Table 9-1 Event Classes

Class Name    Class Description (Event Source) (*Cisco-specific Event Class)
------------  --------------------------------------------------------------
AUTH          Authentication*
AUTHDBG       Authentication debugging*
AUTHDECODE    Authentication protocol decoding*
AUTOUPDATE    Autoupdate subsystem*
CAPI          Cryptography subsystem*
CERT          Digital certificates subsystem
CONFIG        Configuration subsystem*
DHCP          DHCP subsystem
DHCPDBG       DHCP debugging*
DHCPDECODE    DHCP decoding*
DM            Data Movement subsystem*
DNS           DNS subsystem
DNSDBG        DNS debugging*
DNSDECODE     DNS decoding*
EVENT         Event subsystem*
EVENTDBG      Event subsystem debugging*
EVENTMIB      Event MIB changes*
FSM           Finite State Machine subsystem (for debugging)*
FTPD          FTP daemon subsystem
GENERAL       NTP subsystem and other general events
HARDWAREMON   Hardware monitoring (fans, temperature, voltages, etc.)
HTTP          HTTP subsystem
HWDIAG        Hardware diagnostics for WAN module*
IKE           ISAKMP/Oakley (IKE) subsystem
IKEDBG        ISAKMP/Oakley (IKE) debugging*
IKEDECODE     ISAKMP/Oakley (IKE) decoding*
IP            IP router subsystem
IPDBG         IP router debugging*
IPDECODE      IP packet decoding*
IPSEC         IP Security subsystem
IPSECDBG      IP Security debugging*
IPSECDECODE   IP Security decoding*
LBSSF         Load Balancing/Secure Session Failover subsystem*
MIB2TRAP      MIB-II trap subsystem: SNMP MIB-II traps*
PPP           PPP subsystem
PPPDBG        PPP debugging*
PPPDECODE     PPP decoding*
PPPoE         PPPoE subsystem
PSH           Operating system command shell*
PSOS          Embedded real-time operating system*
QUEUE         System queue*
REBOOT        System rebooting
RM            Resource Manager subsystem*
SNMP          SNMP trap subsystem
SSH           SSH subsystem
SSL           SSL subsystem
SYSTEM        Buffer, heap, and other system utilities*
TCP           TCP subsystem
TELNET        Telnet subsystem
TELNETDBG     Telnet debugging*
TELNETDECODE  Telnet decoding*
TIME          System time (clock)



Note: The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and might seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it.


Event Severity Level

Severity level indicates how serious or significant the event is; that is, how likely it is to cause unstable operation of the VPN 3002, whether it represents a high-level or low-level operation, or whether it returns little or great detail. Level 1 is most significant. Table 9-2 describes the severity levels.

Table 9-2 Event Severity Levels

Level  Category       Description
-----  -------------  ------------------------------------------------------------------
1      Fault          A crash or non-recoverable error.
2      Warning        A pending crash or severe problem that requires user intervention.
3      Warning        A potentially serious problem that may require user action.
4      Information    An information-only event with few details.
5      Information    An information-only event with moderate detail.
6      Information    An information-only event with greatest detail.
7      Debug          Least amount of debugging detail.
8      Debug          Moderate amount of debugging detail.
9      Debug          Greatest amount of debugging detail.
10     Packet Decode  High-level packet header decoding.
11     Packet Decode  Low-level packet header decoding.
12     Packet Decode  Hex dump of header.
13     Packet Decode  Hex dump of packet.


Within a severity level category, higher-numbered events provide more details than lower-numbered events, without necessarily duplicating the lower-level details. For example, within the Information category, Level 6 provides greater detail than Level 4 but does not necessarily include the same information as Level 4.

Logging higher-numbered severity levels degrades performance, since more system resources are used to log and handle these events.


Note: The Debug (7-9) and Packet Decode (10-13) severity levels are intended for use by Cisco engineering and support personnel. We recommend that you avoid logging these events unless Cisco requests it.


The VPN 3002, by default, displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log. You can change these defaults on the Configuration | System | Events | General screen, and you can configure specific events for special handling on the Configuration | System | Events | Classes screens.

Event Log

The VPN 3002 records events in an event log, which is stored in nonvolatile memory. Thus the event log persists even if the system is powered off. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first.

The VPN 3002 holds 256 events. The log wraps when it is full; that is, newer events overwrite older events when the log is full.

For the event log, you can configure which event classes and severity levels to log.


Note: The VPN 3002 automatically saves the log file if it crashes, and when it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging.


Event Log Data

Each entry (record) in the event log consists of several fields including:

A sequence number.

Date and time.

Event severity level.

Event class and number.

Event repetition count.

Event IP address (only for certain events).

Description string.

For more information, see the Monitoring | Filterable Event Log screen.

Configuration | System | Events

This section of the Manager lets you configure how the VPN 3002 handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting.

Figure 9-1 Configuration | System | Events Screen

Configuration | System | Events | General

This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes.

You can override these default settings by configuring specific events for special handling on the Configuration | System | Events | Classes screens.

Figure 9-2 Configuration | System | Events | General Screen

Syslog Format

Click the Syslog Format drop-down menu button and choose the format for all events sent to UNIX syslog servers. Choices are:

Original = Original VPN 3002 event format with information on one line. Each entry in the event log consists of the following fields:

Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String

Sequence: The sequence number of the event.

Date: The date the event occurred. The date is in the following format: MM/DD/YYYY.

Time: The time the event occurred. The time is in the following format: hh:mm:ss.ttt.

Severity: The severity of the event (1-13). To see how this original severity level maps to Cisco IOS severity levels, see the "Cisco IOS Severities" table.

Class/Number: The event class and event number. For a list of event classes, see the "Events" chapter.

RepeatCount: The number of times this particular event has occurred since the VPN 3002 was last booted.

String: The description of the event. The string sometimes includes the IP address of the user whose session generated the event.

For example:

3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35 New administrator login: admin.

Cisco IOS Compatible = Event format that is compatible with Cisco syslog management applications. Each entry in the event log is one line consisting of the following fields:

Sequence: Date Time TimeZone TimeZoneOffset %Class-Severity-Number: RPT=RepeatCount: String

Sequence: The sequence number of the event.

Date: The date the event occurred. The date is in the following format: YYYY MMM DD.

Time: The time the event occurred. The time is in the following format: hh:mm:ss.ttt.

TimeZone: The time zone in which the event occurred.

TimeZoneOffset: The offset of the time zone from GMT.

Class: The event class. For a list of event classes, see the "Events" chapter.

Severity: The Cisco IOS severity of the event (0-7). The "Cisco IOS Severities" table shows the mapping between Cisco IOS format severity levels and Original format severity levels.

Number: The event number.

RepeatCount: The number of times this particular event has occurred since the VPN Concentrator was last booted.

String: The description of the event. The string sometimes includes the IP address of the user whose session generated the event.

For example:

3 1999 Dec 06 14:37:06.680 EDT -4:00 %HTTP-5-47:RPT=17 10.10.1.35: New administrator login: admin.

The Original severities and the Cisco IOS severities differ. Original severities number from 1-13. (For the meaning of each Original severity, see Table 8-1.) Cisco IOS severities number from 0-7. The "Cisco IOS Severities" table that follows shows the meaning of Cisco IOS severities and how they map to Original severities.

Table 9-3 Cisco IOS Severities

Cisco IOS Severity  Meaning        Original Severity
------------------  -------------  -----------------
0                   Emergencies    1
1                   Alerts         Not used
2                   Critical       2
3                   Errors         Not used
4                   Warning        3
5                   Notification   4
6                   Informational  5, 6
7                   Debugging      7-13
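
The two Syslog Format layouts and the Table 9-3 severity mapping, written as a parser that a syslog collector could use to normalize both formats into one record. This is an added example, not Cisco code: the function name parse_event, the record keys and the CONSTRUCTED_IOS line are assumptions made for illustration, and separators are matched leniently because the page's Cisco IOS field template and its sample line place colons differently.

```python
import re
from datetime import datetime

# Table 9-3: Cisco IOS severity -> Original severities that map onto it.
IOS_TO_ORIGINAL = {0: (1,), 1: (), 2: (2,), 3: (), 4: (3,), 5: (4,),
                   6: (5, 6), 7: tuple(range(7, 14))}
ORIGINAL_TO_IOS = {o: i for i, origs in IOS_TO_ORIGINAL.items() for o in origs}
MONTHS = {m: n for n, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

_IP = r"(?: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"   # only present for some events
_TIME = r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})"    # hh:mm:ss.ttt

# Original: Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String
ORIGINAL_RE = re.compile(
    r"^(?P<seq>\d+) (?P<mon>\d{2})/(?P<day>\d{2})/(?P<year>\d{4}) " + _TIME +
    r" SEV=(?P<sev>\d{1,2}) (?P<cls>\w+)/(?P<num>\d+) RPT=(?P<rpt>\d+)" + _IP +
    r" (?P<text>.*)$")

# Cisco IOS Compatible:
# Sequence: Date Time TimeZone TimeZoneOffset %Class-Severity-Number: RPT=RepeatCount: String
IOS_RE = re.compile(
    r"^(?P<seq>\d+):? (?P<year>\d{4}) (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) " +
    _TIME + r" (?P<tz>\S+) (?P<off>[+-]?\d{1,2}:\d{2}) "
    r"%(?P<cls>\w+)-(?P<sev>[0-7])-(?P<num>\d+): ?RPT=(?P<rpt>\d+)" + _IP +
    r":? ?(?P<text>.*)$")


def parse_event(line):
    """Parse one event line in either format; raise ValueError if it fits neither."""
    line = line.strip()
    m, fmt = ORIGINAL_RE.match(line), "original"
    if m is None:
        m, fmt = IOS_RE.match(line), "ios"
    if m is None:
        raise ValueError("not a recognised VPN 3002 event line")
    g = m.groupdict()
    sev = int(g["sev"])
    if fmt == "original":
        if sev not in ORIGINAL_TO_IOS:
            raise ValueError("Original severity must be 1-13")
        month, ios_sev, orig = int(g["mon"]), ORIGINAL_TO_IOS[sev], (sev,)
    else:
        if g["mon"] not in MONTHS:
            raise ValueError("unknown month name")
        # IOS 6 and 7 are lossy: several Original levels collapse into each.
        month, ios_sev, orig = MONTHS[g["mon"]], sev, IOS_TO_ORIGINAL[sev]
    hh, mm, rest = g["time"].split(":")
    ss, ms = rest.split(".")
    # datetime() itself rejects impossible dates and times with ValueError.
    ts = datetime(int(g["year"]), month, int(g["day"]),
                  int(hh), int(mm), int(ss), int(ms) * 1000)
    return {
        "format": fmt, "sequence": int(g["seq"]), "timestamp": ts,
        "utc_offset": g.get("off"),          # None for the Original format
        "event_class": g["cls"], "event_number": int(g["num"]),
        "ios_severity": ios_sev, "original_severities": orig,
        "repeat_count": int(g["rpt"]), "ip": g.get("ip"), "text": g["text"],
    }


# The two sample lines printed on the page, plus one constructed line that
# follows the IOS field template literally (colons after Sequence and RPT).
PAGE_ORIGINAL = ("3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 "
                 "10.10.1.35 New administrator login: admin.")
PAGE_IOS = ("3 1999 Dec 06 14:37:06.680 EDT -4:00 %HTTP-5-47:RPT=17 "
            "10.10.1.35: New administrator login: admin.")
CONSTRUCTED_IOS = ("9: 2005 Apr 19 08:00:01.250 EDT -4:00 %IKEDBG-7-1: "
                   "RPT=2: constructed sample text")

if __name__ == "__main__":
    for sample in (PAGE_ORIGINAL, PAGE_IOS, CONSTRUCTED_IOS):
        e = parse_event(sample)
        print(e["format"], e["event_class"], e["event_number"], e["ios_severity"],
              e["original_severities"], e["ip"], e["text"])
```

A line that matches neither layout raises ValueError, so a collector can quarantine it instead of indexing a partially parsed record.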


Severity to Log

Click the drop-down menu button and select the range of event severity levels to enter in the event log by default. The choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-5; if you choose this range, all events of severity level 1 through severity level 5 are entered in the event log.

Severity to Console

Click the drop-down menu button and select the range of event severity levels to display on the console by default. The choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-3; if you choose this range, all events of severity level 1 through severity level 3 are displayed on the console.

Severity to Syslog

Click the drop-down menu button and select the range of event severity levels to send to a UNIX syslog server by default. The choices are: None, 1, 1-2, 1-3, ..., 1-6. The default is None; if you choose this range, no events are sent to a syslog server.

If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens.

Severity to Trap

Click the drop-down menu button and select the range of event severity levels to send to an SNMP network management system (NMS) by default. Event messages sent to SNMP systems are called "traps." The choices are: None, 1, 1-2, 1-3. The default is None; if you choose this range, no events are sent as SNMP traps.

If you select any severity levels to send, you must also configure SNMP destination system parameters on the Configuration | System | Events | Trap Destinations screens.

The VPN 3002 can send the standard, or "well-known," SNMP traps listed in Table 9-4. To have an SNMP NMS receive them, you must configure the events as in the table, and configure a trap destination.

Table 9-4 Configuring "Well-Known" SNMP Traps

To send this "well-known" SNMP trap  Configure either General event handling or this Event Class  With this Severity to Trap
-----------------------------------  -----------------------------------------------------------  --------------------------
coldStart                            EVENT                                                        1 or higher
linkDown                             IP                                                           1-3 or higher
linkUp                               IP                                                           1-3 or higher
authFailure (1)                      SNMP                                                         1-3 or higher

(1) This trap is SNMP authentication failure, not tunnel authentication failure.


Apply/Cancel

To include your settings for default event handling in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events screen.

Configuration | System | Events | Classes

This section of the Manager lets you add, configure, modify, and delete specific event classes for special handling. You can thus override the general, or default, handling of event classes. For example, you might want to send email for HARDWAREMON events of severity 1-2, whereas default event handling does not send any email.

Event classes denote the source of an event and refer to a specific hardware or software subsystem within the VPN 3002. Table 8-1 describes the event classes.

Figure 9-3 Configuration | System | Events | Classes Screen

To configure default event handling, click the highlighted link that says "Click here to configure general event parameters."

Configured Event Classes

The Configured Event Classes list shows the event classes that have been configured for special handling. The initial default entry is MIB2TRAP, which covers SNMP MIB-II events, or "traps," that you might want to monitor with an SNMP network management system. Other configured event classes are listed in order by class number and name. If no classes have been configured for special handling, the list shows --Empty--.

Add/Modify/Delete

To configure and add a new event class for special handling, click Add. See Configuration | System | Events | Classes | Add.

To modify an event class that has been configured for special handling, select the event class from the list and click Modify. See Configuration | System | Events | Classes | Modify.

To remove an event class that has been configured for special handling, select the event class from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Events | Classes | Add or Modify

These screens let you:

Add: Configure and add the special handling of a specific event class.

Modify: Modify the special handling of a specific event class.

Figure 9-4 Configuration | System | Events | Classes | Add Screen

Class Name

Add screen:

Click the drop-down menu button and select the event class you want to add and configure for special handling. (Please note that Select Class is an instruction reminder, not a class.) Table 8-1 describes the event classes.

Modify screen:

The field shows the configured event class you are modifying. You cannot change this field.

All subsequent parameters on this screen apply to this event class only.

Enable

Check this box to enable the special handling of this event class. (The box is checked by default.)

Clearing this box lets you set up the parameters for the event class but activate it later, or temporarily disable special handling without deleting the entry. The Configured Event Classes list on the Configuration | System | Events | Classes screen indicates disabled event classes. Disabled event classes are handled according to the default parameters for all event classes.

Severity to Log

Click the drop-down menu button and select the range of event severity levels to enter in the event log. The choices are: None, 1, 1-2, 1-3,..., 1-13. The default is 1-5; if you choose this range, events of severity level 1 through severity level 5 are entered in the event log.

Severity to Console

Click the drop-down menu button and select the range of event severity levels to display on the console. The choices are: None, 1, 1-2, 1-3,..., 1-13. The default is 1-3; if you choose this range, events of severity level 1 through severity level 3 are displayed on the console.

Severity to Syslog

Click the drop-down menu button and select the range of event severity levels to send to a UNIX syslog server. The choices are: None, 1, 1-2, 1-3,..., 1-13. The default is None; if you choose this range, no events are sent to a syslog server.


Note: Sending events to a syslog server generates IP packets, which can generate new events if this setting is above level 9. We strongly recommend that you keep this setting at or below level 6. Avoid setting this parameter above level 9.


If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens, and you should configure the Syslog Format on the Configuration | System | Events | General screen.

Severity to Trap

Click the drop-down menu button and select the range of event severity levels to send to an SNMP network management system. Event messages sent to SNMP systems are called "traps." The choices are: None, 1, 1-2, 1-3, 1-4, 1-5. The default is None; if you choose this range, no events are sent as SNMP traps.

If you select any severity levels to send, you must also configure SNMP destination system parameters on the Configuration | System | Events | Trap Destinations screens.

To configure "well-known" SNMP traps, see Table 9-4 under Severity to Trap for Configuration | System | Events | General.

Add or Apply/Cancel

To add this event class to the list of those with special handling, click Add. Or to apply your changes to this configured event class, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Classes screen. Any new event class appears in the Configured Event Classes list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Classes screen.

Configuration | System | Events | Trap Destinations

This section of the Manager lets you configure SNMP network management systems as destinations of event traps. Event messages sent to SNMP systems are called "traps." If you configure any event handling, default or special, with values in Severity to Trap fields, you must configure trap destinations in this section.

To configure default event handling, click the highlighted link that says "Click here to configure general event parameters." To configure special event handling, see the Configuration | System | Events | Classes screens.

To configure "well-known" SNMP traps, see Table 9-4 under Severity to Trap for Configuration | System | Events | General.

To have an SNMP-based network management system (NMS) receive any events, you must also configure the NMS to "see" the VPN 3002 as a managed device or "agent" in the NMS domain.

Figure 9-5 Configuration | System | Events | Trap Destinations Screen

Trap Destinations

The Trap Destinations list shows the SNMP network management systems that have been configured as destinations for event trap messages, and the SNMP protocol version associated with each destination. If no trap destinations have been configured, the list shows --Empty--.

Add/Modify/Delete

To configure a new SNMP trap destination, click Add. See Configuration | System | Events | Trap Destinations | Add.

To modify an SNMP trap destination that has been configured, select the destination from the list and click Modify. See Configuration | System | Events | Trap Destinations | Modify.

To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Events | Trap Destinations | Add or Modify

These screens let you:

Add: Configure and add an SNMP destination system for event trap messages.

Modify: Modify a configured SNMP destination system for event trap messages.

Figure 9-6 Configuration | System | Events | Trap Destinations | Add Screen

Destination

Enter the IP address or hostname of the SNMP network management system that is a destination for event trap messages. (If you have configured a DNS server, you can enter a hostname; otherwise enter an IP address.)

SNMP Version

Click the drop-down menu button and select the SNMP protocol version to use when formatting traps to this destination. Choices are SNMPv1 (version 1; the default) and SNMPv2 (version 2).

Community

Enter the community string to use in identifying traps from the VPN 3002 to this destination. The community string is like a password: it validates messages between the VPN 3002 and this NMS destination. If you leave this field blank, the default community string is public.

Port

Enter the UDP port number by which you access the destination SNMP server. Use a decimal number from 0 to 65535. The default is 162, which is the well-known port number for SNMP traps.

Add or Apply/Cancel

To add this system to the list of SNMP trap destinations, click Add. Or to apply your changes to this trap destination, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Trap Destinations screen. Any new destination system appears in the Trap Destinations list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Trap Destinations screen, and the Trap Destinations list is unchanged.

Configuration | System | Events | Syslog Servers

This section of the Manager lets you configure UNIX syslog servers as recipients of event messages. Syslog is a UNIX daemon, or background process, that records events. The VPN 3002 can send event messages in two syslog formats to configured syslog systems. If you configure any event handling, default or special, with values in Severity to Syslog fields, you must configure syslog servers in this section.

To configure default event handling and syslog formats, click the highlighted link that says "Click here to configure general event parameters." To configure special event handling, see the Configuration | System | Events | Classes screens.

Figure 9-7 Configuration | System | Events | Syslog Servers Screen

Syslog Servers

The Syslog Servers list shows the UNIX syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been configured, the list shows --Empty--.

Add/Modify/Delete

To configure a new syslog server, click Add. See Configuration | System | Events | Syslog Servers | Add.

To modify a syslog server that has been configured, select the server from the list and click Modify. See Configuration | System | Events | Syslog Servers | Modify.

To remove a syslog server that has been configured, select the server from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Events | Syslog Servers | Add or Modify

These Manager screens let you:

Add: Configure and add a UNIX syslog server as a recipient of event messages. You can configure a maximum of five syslog servers.

Modify: Modify a configured UNIX syslog server that is a recipient of event messages.

Figure 9-8 Configuration | System | Events | Syslog Servers | Add Screen

Syslog Server

Enter the IP address or hostname of the UNIX syslog server to receive event messages. (If you have configured a DNS server, you can enter a hostname; otherwise, enter an IP address.)

Port

Enter the UDP port number by which you access the syslog server. Use a decimal number from 0 to 65535. The default is 514, which is the well-known port number.

Facility

Click the drop-down menu button and select the syslog facility tag for events sent to this server. The facility tag lets the syslog server sort messages into different files or destinations. The choices are:

User = Random user-process messages.

Mail = Mail system.

Daemon = System daemons.

Auth = Security or authorization messages.

Syslog = Internal syslogd-generated messages.

LPR = Line printer subsystem.

News = Network news subsystem.

UUCP = UUCP (UNIX-to-UNIX Copy Program) subsystem.

Reserved (9) through Reserved (14) = Outside the Local range, with no name or assignment yet, but usable.

CRON = Clock daemon.

Local 0 through Local 7 (default) = User defined.

Add or Apply/Cancel

To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Events | Syslog Servers screen, and the Syslog Servers list is unchanged.



Posted: Tue Apr 19 12:43:58 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.