
Event Logging Guide (A10 4.1.4-GR1-P5)


ACOS 4.1.4-GR1-P5
Event Logging Guide
for A10 Thunder® Series
16 August 2021
© 2020 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the
virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America
Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and
patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees
to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA),
provided later in this document or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All
information is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be available upon
initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’
products and services are subject to A10 Networks’ standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper
disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest
A10 Networks location, which can be found by visiting www.a10networks.com.
Table of Contents

Syslog
Common Event Format (CEF)
Log Event Extended Format (LEEF)
Unique Log Identifier
View Event Logs


EVENT LOGGING SYSTEM

Event logging is a flexible and extensible mechanism for logging events that occur in the
ACOS system. Currently, the following log formats are supported:

• Syslog

• Common Event Format (CEF)

• Log Event Extended Format (LEEF)

Syslog
The Syslog format specifies a message format as well as a message transport mechanism. The
message format consists of a small header followed by the log message body. The log message
is unstructured (that is, unformatted) text.

Header format

Example: Aug 30 11:47:00 vThunder a10logd: [ACOS]<6> Server s1 is created

• <facility|severity> helps the receiver filter the message

• Aug 30 11:47:00 is the timestamp

• vThunder is the Thunder hostname

• a10logd is the name of the process

• [ACOS] is the name of the module

• <6> is the severity of the generated log with values from 0 to 7 with 0 being most critical

• Remaining text is the body of the message

Common Event Format (CEF)


The CEF format is a class of structured log message specifications, which uses syslog as a
transport. In syslog, the message is just plain text. However, CEF specifies the encoding of the
commonly-used fields in a key-value format. It also provides an extension mechanism for
specifying additional fields.

Header format

Example: Aug 30 11:58:36 vThunder CEF:0|A10|ADC|4.1.4-GR1-P2|486758195662946306|SLB Server creation or deletion|2|cs1=s1 cs1Label=Server Name cs2=created cs2Label=Action

• Aug 30 11:58:36 is the timestamp

• vThunder is the Thunder hostname

• CEF:0 is the CEF version string

• A10 is the Device Vendor

• ADC is the Device Product

• 4.1.4-GR1-P2 is the Device Version

• 486758195662946306 is the Log ID (Unique Log Identifier)

• SLB Server creation or deletion is the descriptive name of the log

• 2 is the CEF specific severity (importance)

• Other text is the extension portion of the message, which is a placeholder for additional
fields in key-value pairs. Extensions are optional.
  • If an extension is unavailable, the CEF log portion will be empty in the documentation
    and only the CEF header will be logged. A CEF log can have headers with the descriptive-name
    or documentation providing the details of the event.
  • If an extension is available, the keys can be of three types:
    • Predefined keywords (as supported by the ArcSight CEF logger)
    • Custom keys (cs*, cn*, c6a1*, etc.), each with its respective Label
    • Custom predefined keywords (a list of commonly used A10 specific custom keys; search
      for 'CEF: A10 specific custom pre-defined keywords' in Eventlogs)
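
The header and extension layout described above can be parsed as follows. This is an added example, not code from A10 or from the original guide; the name parse_acos_cef and the rule that the trailing digit run of the Device Event Class ID is the Log ID are assumptions drawn from the sample lines in this guide, including the before/after pair in the Unique Log Identifier section.

```python
import re

_PIPE = re.compile(r"(?<!\\)\|")                # header separator; skips escaped "\|"
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value; values may hold spaces
_HEADER = ("cef_version", "vendor", "product", "device_version",
           "event_class_id", "name", "severity")

def parse_acos_cef(line):
    """Parse a syslog-carried CEF line into header fields and labelled extensions."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _PIPE.split(line[start + 4:].strip(), maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(_HEADER, parts[:7]))
    # Assumption: the Device Event Class ID is "<signature> <log id>" or just
    # "<log id>", so the trailing digit run is the Log ID in both forms.
    m = re.search(r"(\d+)$", event["event_class_id"])
    event["log_id"] = m.group(1) if m else None
    # Extensions are optional: a header-only message gives an empty dict.
    raw = dict(_EXT.findall(parts[7])) if len(parts) == 8 else {}
    # Fold custom keys into their labels: cs1=s1 + cs1Label=Server Name
    # becomes {"Server Name": "s1"}; keys without a label keep their own name.
    event["extensions"] = {raw.get(k + "Label", k): v
                           for k, v in raw.items() if not k.endswith("Label")}
    return event

# Sample lines copied from the examples in this guide.
CREATED = ("Aug 30 11:58:36 vThunder CEF:0|A10|ADC|4.1.4-GR1-P2|"
           "486758195662946306|SLB Server creation or deletion|2|"
           "cs1=s1 cs1Label=Server Name cs2=created cs2Label=Action")
_TAIL = ("|SLB Server exceeded Conn Limit or Conn Rate Limit|4|cs1=server "
         "cs1Label=Server Name cs2=Too many connections cs2Label=Reason "
         "cn1=293 cn1Label=Limit")
LIMIT_BEFORE = "vThunder CEF:0|A10|CFW|4.1.4-GR1-P2|SLB 486758195662946308" + _TAIL
LIMIT_AFTER = "vThunder CEF:0|A10|CFW|4.1.4-GR1-P2|486758195662946308" + _TAIL

if __name__ == "__main__":
    for sample in (CREATED, LIMIT_BEFORE, LIMIT_AFTER):
        ev = parse_acos_cef(sample)
        print(ev["log_id"], ev["severity"], ev["name"], ev["extensions"])
```

Keying on log_id rather than the whole Device Event Class ID keeps a collector's rules stable whether or not add-msgid-in-header is configured on the device.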

Log Event Extended Format (LEEF)


The LEEF format comprises key-value pairs similar to CEF, but with different headers and
different separators between contents.


Unique Log Identifier

A unique log identifier (64 bit ID) can be used to identify each log in each release. By default,
the syslog format does not display the Log ID. To enable the unique log identifier in syslog format,
use the following command in the configuration:

acos-events log-properties add-msgid-in-header

The following changes take place in the syslog message:

• Unique message ID is added in the syslog header:

  • Before: Aug 28 10:05:38 vThunder a10logd: [ACOS]<6> Server s1 is created

  • After: Aug 28 10:05:38 vThunder a10logd: [ACOS]<6> 486758195662946306 Server s1 is created

• Device Event Class ID in CEF changes from custom signature string + unique
message ID to unique message ID:

  • Before: vThunder CEF:0|A10|CFW|4.1.4-GR1-P2|SLB 486758195662946308|SLB Server exceeded Conn Limit or Conn Rate Limit|4|cs1=server cs1Label=Server Name cs2=Too many connections cs2Label=Reason cn1=293 cn1Label=Limit

  • After: vThunder CEF:0|A10|CFW|4.1.4-GR1-P2|486758195662946308|SLB Server exceeded Conn Limit or Conn Rate Limit|4|cs1=server cs1Label=Server Name cs2=Too many connections cs2Label=Reason cn1=293 cn1Label=Limit

Below is a comprehensive list of all the different fields in the documentation:

Logname         LogID               Description                 Severity  ObjectLineage
config_failure  243194379878006795  Failed to add a class list  Warning   class-list

• Logname: The name of the log. This is not part of the log but used in the configuration if
that level of granularity is needed.
• LogID: The unique log identifier to identify each log in each release.

• Description: The description of the event (this is added in the descriptive-name field of
the CEF/LEEF headers)
• Severity: The default severity of the event. The other severity values are emergency,
alert, critical, error, warning, notification, information and debugging. This can be changed
using the acos-events message-id configuration in the shared partition.


• ObjectLineage: The internal hierarchy of the event. Object Lineage + Log Name can be
used to uniquely identify an event across releases. This can be used in the message-
selector configuration to enable or disable a log. For more information, see acos-events
message-selector.

Click the Logname to view more details about a particular event. For more details, see the
example below.

Example 1: This configuration enables all the logs except the class-list.config_failure log

acos-events message-selector sel1
  rule 1
    drop
    message-id class-list.config_failure log-field-only
  rule 2
    message-id cmroot all
!

Example 2: This configuration disables all the logs, except the logs under the class-list object

acos-events message-selector sel1
  rule 1
    message-id class-list all
  rule 2
    drop
    message-id cmroot all
!

Logname         LogID               Description                 Severity  ObjectLineage
Config_failure  243194379878006795  Failed to add a class list  Warning   Class-list

CEF
Format:  cs1=$name:%s: cs1Label=List Name cs2=$config_type:%s: cs2Label=Config Type cs3=$str:%s: cs3Label=String
Example: cs1=clist_name cs1Label=List Name cs2=string cs2Label=Config Type cs3=a10networks cs3Label=String

Syslog
Format:  Classlist $name:%s:: Fail to config $config_type:%s: $str:%s:.
Example: Classlist clist_name: Fail to config string a10networks.

Variable     Type    Value                               Description
Name         String  {class_list_name}                   Class-list name
config_type  String  string domain                       Type
str          String  {class_list_string_or_domain_name}  Class list string or domain name


• CEF: The CEF log of the event, if available.

• SYSLOG: The syslog of the event, if available.

• Format: The log format with the placeholders for run-time values. For example, $name:%s.

  • Here, name is the variable name and ‘%s’ indicates the data type.
  • The data types are: s – String, u – Unsigned Integer, d – Integer, l – Long, x – Hexadecimal Integer.

• Example: The format string is expanded with variables substituted by an example value.

• Variable: The variable name from each format consolidated in a single list.

• Type: Data type of the variable. More types are provided to give better clarity about the
variable:
IP V4 Address, IP V6 Address as unsigned, IP V6 Address, IP Address, String, Unsigned
Integer, Integer, Long, Hexadecimal Integer, MAC Address.

• Value: Can be one of the following:

  • Range
    Example: 1-127
  • Multi-line possible values that the variable can take
    Example: string domain
  • A name describing a run-time or user-defined value
    Example: {server_name}
• Description: The description of the variable.
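
The Format and Example fields described above can be turned into a parser for a log collector. This is an added example, not code from A10 or from the original guide; the function names are hypothetical, and the reading of the placeholder syntax ($variable:%type: with a closing colon) and the optional 0x prefix on hexadecimal values are assumptions inferred from the config_failure entry.

```python
import re

# Placeholder syntax as shown in the guide: $<variable>:%<type>:
_PLACEHOLDER = re.compile(r"\$(\w+):%([sudlx]):")
# Regex per documented data type. Assumptions: strings are matched lazily and
# hexadecimal values may carry an optional 0x prefix.
_TYPE_RE = {"s": r".+?", "u": r"\d+", "d": r"-?\d+", "l": r"-?\d+",
            "x": r"(?:0[xX])?[0-9A-Fa-f]+"}

def expand(fmt, values):
    """Substitute run-time values into a documented format string."""
    return _PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), fmt)

def compile_format(fmt):
    """Build an anchored regex with one named group per placeholder."""
    out, pos = [], 0
    for m in _PLACEHOLDER.finditer(fmt):
        out.append(re.escape(fmt[pos:m.start()]))  # literal text between placeholders
        out.append("(?P<%s>%s)" % (m.group(1), _TYPE_RE[m.group(2)]))
        pos = m.end()
    out.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(out) + "$")

def extract(fmt, message):
    """Return the variables carried by a message body, or None if it does not fit."""
    m = compile_format(fmt).match(message)
    return m.groupdict() if m else None

# Format strings and example values copied from the config_failure entry above.
SYSLOG_FMT = "Classlist $name:%s:: Fail to config $config_type:%s: $str:%s:."
CEF_FMT = ("cs1=$name:%s: cs1Label=List Name cs2=$config_type:%s: "
           "cs2Label=Config Type cs3=$str:%s: cs3Label=String")
VALUES = {"name": "clist_name", "config_type": "string", "str": "a10networks"}

if __name__ == "__main__":
    body = expand(SYSLOG_FMT, VALUES)
    print(body)
    print(extract(SYSLOG_FMT, body))
    print(expand(CEF_FMT, VALUES))
```

Because the compiled pattern is anchored at both ends, a message body that does not fit the documented format returns None instead of a partial match.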

View Event Logs


For detailed event logging information, refer to Logs [HTML | PDF].
