The Steelhead appliance uses the standard Unix syslog format with a timestamp, a hostname, the process name and the process ID, the facility, the priority and the line to be logged:
Figure 9.1. Example log lines
Dec 12 16:21:59 CSH mgmtd[5082]: [mgmtd.NOTICE]: Configuration changed by user admin Dec 12 16:26:27 CSH sport[24798]: [splice/client.INFO] 2 {10.0.1.1:60832 192.168.1.1:25} i \ nit client 10.0.1.1:60832 server 192.168.1.1:25 cfe 10.0.1.6:7801 sfe 192.168.1.6:7800 \ client connected: yes May 30 17:46:09 SSH webasd[6763]: [web.NOTICE]: web: Attempt to Authenticate admin May 30 17:46:10 SSH last message repeated 2 times
The timestamp is the English three letter abbreviation for the month, the day of the month and the 24 hour time.
The hostname is the hostname of the machine the line is logged on.
If the process name is sport, that is the optimization service. The list of the process names can be found in the The processes on the Steelhead appliance section in the Riverbed Approach to WAN Optimization chapter. The number behind the process name is the Unix process ID.
The facility is the internal part of the various services. For the process sport that might be:
splice: The setup and termination of TCP sessions used for optimization.
mapi: MAPI latency optimization.
smbcfe: CIFS latency optimization where this Steelhead appliance is the client-side Steelhead appliance.
smbsfe: CIFS latency optimization where this Steelhead appliance is the server-side Steelhead appliance.
Some facilities can be further specified, for example:
splice/oob: The Out-of-Band Splice related messages.
splice/probe: The auto-discovery part of the setup of optimized TCP sessions.
The priorities are: Debug, Info, Notice, Warning, Error, Critical, Alert, and Emergency. Under normal operation, the logging level should be set to Notice. Under troubleshooting operation with Riverbed TAC, the logging level could be set to Info. Setting it to Warning or higher will reduce the ability of Riverbed TAC to properly analyze what was going on on the Steelhead appliance and should not be used. Do not use Debug.
It is possible to increase the logging level for a single part of the
optimization service with the command
logging filter
,
for example to have the HTTP latency optimization service set to Info
level logging while the rest is on the default Notice level, use the
following command:
logging filter http level info
.
Figure 9.2. Change the logging level of a single part of the optimization level
SH (config) # logging filter http level info SH (config) # show logging Local logging level: notice Default remote logging level: notice No remote syslog receivers configured. Number of archived log files to keep: 10 Log rotation frequency: daily SH (config) # show logging filter Local logging level: notice Process Description Level -------- ----------------------------- -------- http HTTP Optimization info
The rest of the line is the message being logged. For optimized TCP
connections they start with the string in the format
<splicenumber> {<client IP address>:<client TCP port> <server IP address>:<server TCP port>}
.
This string can be used to match multiple lines to a single optimized
TCP session.