9.2. Logging format

The Steelhead appliance uses the standard Unix syslog format with a timestamp, a hostname, the process name and the process ID, the facility, the priority and the line to be logged:

Figure 9.1. Example log lines

Dec 12 16:21:59 CSH mgmtd[5082]: [mgmtd.NOTICE]: Configuration changed by user admin
Dec 12 16:26:27 CSH sport[24798]: [splice/client.INFO] 2 {10.0.1.1:60832 192.168.1.1:25} i \
    nit client 10.0.1.1:60832 server 192.168.1.1:25 cfe 10.0.1.6:7801 sfe 192.168.1.6:7800 \
     client connected: yes 
May 30 17:46:09 SSH webasd[6763]: [web.NOTICE]: web: Attempt to Authenticate admin 
May 30 17:46:10 SSH last message repeated 2 times

The timestamp is the English three letter abbreviation for the month, the day of the month and the 24 hour time.

The hostname is the hostname of the machine the line is logged on.

If the process name is sport, that is the optimization service. The list of the process names can be found in the The processes on the Steelhead appliance section in the Riverbed Approach to WAN Optimization chapter. The number behind the process name is the Unix process ID.

The facility is the internal part of the various services. For the process sport that might be:

Some facilities can be further specified, for example:

The priorities are: Debug, Info, Notice, Warning, Error, Critical, Alert, and Emergency. Under normal operation, the logging level should be set to Notice. Under troubleshooting operation with Riverbed TAC, the logging level could be set to Info. Setting it to Warning or higher will reduce the ability of Riverbed TAC to properly analyze what was going on on the Steelhead appliance and should not be used. Do not use Debug.

It is possible to increase the logging level for a single part of the optimization service with the command logging filter, for example to have the HTTP latency optimization service set to Info level logging while the rest is on the default Notice level, use the following command: logging filter http level info.

Figure 9.2. Change the logging level of a single part of the optimization level

SH (config) # logging filter http level info
SH (config) # show logging
Local logging level: notice
Default remote logging level: notice
No remote syslog receivers configured.
Number of archived log files to keep: 10
Log rotation frequency: daily
SH (config) # show logging filter
Local logging level: notice
Process  Description                   Level
-------- ----------------------------- --------
http     HTTP Optimization             info

The rest of the line is the message being logged. For optimized TCP connections they start with the string in the format <splicenumber> {<client IP address>:<client TCP port> <server IP address>:<server TCP port>}. This string can be used to match multiple lines to a single optimized TCP session.