VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.7
Filterable Event Log

Monitoring | Filterable Event Log

This screen shows the events in the current event log, lets you filter and display events by various criteria, and lets you manage the event log file. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first.

The VPN Concentrator records events in nonvolatile memory, so the event log persists even if the system is powered off. The event log holds 2048 events on the Model 3015-3080 and 256 events on the Model 3005. The log wraps when it is full; that is, entry 2049 (or 257) overwrites entry 1, and so on. Use the scroll controls (if present) to display more events in the log.

To configure event handling, see the Configuration | System | Events screens.

To Get, Save, or Clear the event log file, you must have Access Rights to Read/Write Files. See the Administration | Access Rights | Administrators | Modify Properties screen.

Figure 15-1 Monitoring | Filterable Event Log Screen

Screen Elements

Select Filter Options — You can select any or all of the options for filtering and displaying the event log. After selecting the option(s), click any one of the four Page buttons. The Manager refreshes the screen and displays the event log in accordance with your selections.

Your filter options remain in effect as long as you continue working within and viewing Monitoring | Filterable Event Log screens. The Manager resets all options to their defaults if you leave and return, or if you click Filterable Event Log in the left frame of the Manager window (the table of contents). You cannot save filter options.

Event Class — To display all the events in a single event class, choose the event class from this list. To choose a contiguous range of event classes, select the first class in the range, hold down the keyboard Shift key, and select the last class in the range. To select multiple event classes, select the first class, hold down the keyboard Ctrl key, and select the other classes. By default, the Manager displays All Classes of events. For a description of event classes, refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration.

Severities — To display all events of a single severity level, choose the severity level from this list. To choose a contiguous range of severity levels, select the first severity level in the range, hold down the keyboard Shift key, and select the last severity level in the range. To select multiple severity levels, select the first severity level, hold down the keyboard Ctrl key, and select the other severity levels. By default, the Manager displays All severity levels. For an explanation of event severity levels, refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration.

Client IP Address — To display all events relating to a single IP address, enter the IP address in this field, for example: 10.10.1.35. By default, the Manager displays all IP addresses. To restore the default, enter 0.0.0.0.

Events/Page — To display a given number of events per Manager screen (page), click this drop-down menu button and choose the number. Choices are 10, 25, 50, 100, 250, and ALL. By default, the Manager displays 100 events per screen.

Group — Choose a group from the menu to monitor events for that group only. The default is --All--, which displays events for all groups.

Direction — To display events in a different chronological order, click the Direction drop-down menu button and choose the order. Choices are:

Oldest to Newest = Display events in actual chronological order, with oldest events at the top of the screen. This is the default selection.

Newest to Oldest = Display events in reverse chronological order, with newest events at the top of the screen.

First Page — To display the first page (screen) of the event log, click this button. By default, the Manager displays the first page of the event log when you first open this screen.

Previous Page — To display the previous page (screen) of the event log, click this button.

Next Page — To display the next page (screen) of the event log, click this button.

Last Page — To display the last page (screen) of the event log, click this button.

All four Page buttons are also present at the bottom of the screen.

Get Log — Click to download the event log from VPN Concentrator memory to your PC and view it or save it as a text file. The Manager opens a new browser window to display the file. The browser address bar shows the VPN Concentrator address and log file default filename; for example, 10.10.4.6/LOG/vpn3000log.txt.

To save a copy of the log file on your PC, click the File menu on the new browser window and choose Save As.... The browser opens a dialog box that lets you save the file. The default filename is vpn3000log.txt.

Alternatively, you can use the secondary mouse button to click Get Log on this Monitoring | Filterable Event Log screen. A pop-up menu presents choices whose exact wording depends on your browser, but among them are:

Open Link, Open Link in New Window, Open in New Window = Open and view the file in a new browser window.

Save Target As..., Save Link As... = Save a copy of the log file on your PC. Your system will prompt for a filename and location. The default filename is vpn3000log.txt.

When you are finished viewing or saving the file, close the new browser window.

Save Log — Click to save a copy of the current event log as a file on the VPN Concentrator. The browser prompts you for a filename, which must conform to the 8.3 naming convention.


Caution: If the filename you enter is the same as an existing file, the browser overwrites the existing file without asking for confirmation.

To list and manage files on the VPN Concentrator, see the Administration | File Management screen.

Clear Log — Click to clear the current event log from memory. The Manager refreshes the screen and shows the empty log.


Caution: The Manager immediately erases the event log from memory without asking for confirmation. There is no undo feature for this action.

Event Log Format

Each entry (record) in the event log consists of eight or nine fields:

Sequence Date Time Severity Class/Number Repeat (IPAddress)
String

(The IPAddress field only appears in certain events.)

For example:

3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35
New administrator login: admin.

Event Sequence — The number of the logged entry. Event sequence numbers are sequential (they proceed from lower to higher) but not consecutive. For example, a series of events could have the following sequence numbers: 1, 2, 4, 7, 8.

Numbering starts or restarts from 1 when the system powers up, when you save the event log, or when you clear the event log. When the log file wraps after 2048 entries (Model 3015-3080; 256 entries on Model 3005), numbering continues with event 2049 (or 257) overwriting event 1. The maximum sequence number is 65536.

Although numbering restarts at 1 when the system powers up, the system does not overwrite existing entries in the event log; it appends new entries after them. Assuming the log doesn't wrap, it could contain several sequences of events starting at 1. Thus you can examine events preceding and following reboot or reset cycles.

Event Date — The date of the event: MM/DD/YYYY. For example, 12/06/1999 identifies an event that occurred on December 6, 1999.

Event Time — The time of the event: hour:minute:second.millisecond. The hour is based on a 24-hour clock. For example, 14:37:06.680 identifies an event that occurred at 2:37:06.680 PM.

Event Severity — The severity level of the event; for example: SEV=4 identifies an event of severity level 4. For an explanation of event severity levels, refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration.

Event Class / Number — The class, or source, of the event, and the internal reference number associated with the specific event within the event class. For example: HTTP/47 identifies that an administrator logged in to the VPN Concentrator using HTTP to connect to the Manager. For a description of event classes, refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration. The internal reference number assists Cisco support personnel if they need to examine a log file.

Event Repeat — The number of times that this specific event has occurred since the VPN Concentrator was last booted or reset. For example, RPT=17 indicates that this is the seventeenth occurrence of this specific event.

Event IP Address — The IP address of the client or host associated with this event. Only certain events have this field. For tunnel-related events, this is typically the "outer" or tunnel endpoint address. In the Event log format example, 10.10.1.35 is the IP address of the host PC from which admin logged in using the Manager.

Event String — The string, or message, that describes the specific event. Each event class comprises many possible events, and the string gives a brief description. Event strings usually do not exceed 80 characters. In the Event log format example, "New administrator login: admin" describes the event.
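For offline review of a saved log, the record layout described above can be parsed and split at each point where sequence numbering restarts. The following Python is an added example, not Cisco code; it assumes the saved file uses the two-line layout shown above in chronological order, and the function names and the EXAMPLE/1 event are constructed for illustration.

```python
import re
from datetime import datetime

# Header line: Sequence Date Time SEV=n Class/Number RPT=n [IPAddress]
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>\w+)/(?P<num>\d+) RPT=(?P<rpt>\d+)"
    r"(?: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?$")

# Constructed sample: the first record is the page's example; the rest are invented.
SAMPLE = """\
3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35
New administrator login: admin.

7 12/06/1999 14:52:10.120 SEV=5 EXAMPLE/1 RPT=2
Constructed event without an IP address field.

1 12/06/1999 15:03:44.010 SEV=4 HTTP/47 RPT=1 10.10.1.35
New administrator login: admin.
"""

def parse_log(text):
    """Parse records; non-header lines are joined into the preceding event's String."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            e = m.groupdict()  # 'ip' is None when the optional field is absent
            e["when"] = datetime.strptime(
                e.pop("date") + " " + e.pop("time"), "%m/%d/%Y %H:%M:%S.%f")
            e.update({k: int(e[k]) for k in ("seq", "sev", "num", "rpt")}, string="")
            events.append(e)
        elif line and events:
            events[-1]["string"] = (events[-1]["string"] + " " + line).strip()
    return events

def split_segments(events):
    """New segment when the number fails to increase (restart at 1); gaps are normal."""
    segments = []
    for e in events:
        if not segments or e["seq"] <= segments[-1][-1]["seq"]:
            segments.append([])
        segments[-1].append(e)
    return segments

def select(events, cls=None, sevs=None, ip=None):
    """Offline counterpart of the Event Class, Severities and Client IP Address filters."""
    return [e for e in events if (cls is None or e["cls"] == cls)
            and (sevs is None or e["sev"] in sevs) and (ip is None or e["ip"] == ip)]
```

A segment boundary marks a power-up, Save Log, or Clear Log, so the events on either side of it are worth correlating with administrator logins from the same address.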

Monitoring | Live Event Log


Note: The live event log requires Netscape versions 4.5-4.7 or 6.0. It does not run on other versions of Netscape.


This screen shows events in the current event log and automatically updates the display every 5 seconds. The events might take a few seconds to load when you first open the screen.

The screen always displays the most recent event at the bottom. Use the scroll bar to view earlier events. To filter and display events by various criteria, see the Monitoring | Filterable Event Log section.


Note: If you keep this VPN Concentrator Manager screen open, your administrative session does not time out. Each automatic screen update resets the inactivity timer. See Session Idle Timeout on the Administration | Access Rights | Access Settings screen.


Figure 15-2 Monitoring | Live Event Log Screen

Screen Elements

Pause Display / Resume Display — To suppress the display of new events, click Pause Display. While paused, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log. Click the Resume Display button to return to displaying new events and restart the timer.

Clear Display — Click to clear the event display. This action does not clear the event log, only the display of events on this screen.

Restart — Click to clear the event display and reload the entire event log in the display. This action does not clear the event log, only the display of events on this screen.

Timer — The timer counts 5 - 4 - 3 - 2 - 1 to show where it is in the 5-second refresh cycle. A momentary Receiving... message indicates receipt of new events. A steady 0 indicates the display has been paused.