Collecting BlueRange Gateway Logs

Overview

While you can log into the WebUI of a BlueRange Gateway to view its logs, you might need to collect the logs of multiple gateways in a central place, or you might want to access them remotely. Follow this guide to set up the necessary configuration.

Using the System Logging setting, you can centralize the log output of your BlueRange Gateways by providing a suitable rsyslog configuration. After you have created this configuration, you can assign it to one or more gateways.

ElasticSearch Example

To write the syslog to an ELK installation, for example one reachable at exampleserver.eu-west-1.es.amazonaws.com, the following configuration can be used. You can either use a commercially hosted solution or install the stack yourself.

# Provides UDP syslog reception
module(load="imudp")
input(type="imudp"
  port="514")
# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp"
  port="514")

module(load="mmutf8fix")
action(type="mmutf8fix" replacementChar="?")

# JSON conversion
reset $.msg = $msg;
set $.msg = replace($.msg, "\\", "\\\\");
set $.msg = replace($.msg, "\"", "\\\"");
set $.msg = replace($.msg, "#011", "\\t");
set $.msg = replace($.msg, "#012", "\\n");

# ElasticSearch output
module(load="omelasticsearch")
template(name="meshgw-syslog" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")        property(name="hostname")
    constant(value="\",\"severity-num\":")  property(name="syslogseverity")
    constant(value=",\"facility-num\":")    property(name="syslogfacility")
    constant(value=",\"severity\":\"")      property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
    constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
    constant(value="\",\"message\":\"")     property(name="$.msg")
    constant(value="\"}")
}
template(name="meshgw-index" type="string" string="meshgw-%$YEAR%.%$MONTH%.%$DAY%")
action(type="omelasticsearch"
  server="exampleserver.eu-west-1.es.amazonaws.com"
  serverport="443"
  #uid="some-username"
  #pwd="some-password"
  usehttps="on"
  #allowunsignedcerts="on"
  template="meshgw-syslog"
  searchIndex="meshgw-index"
  dynSearchIndex="on"
  bulkmode="on"
  errorOnly="on"
  errorfile="/var/log/omelasticsearch.log")

Depending on your needs, ElasticSearch logon credentials can be given via the uid and pwd settings above, replacing some-username and some-password as appropriate. Note that allowunsignedcerts is required when the server uses a self-signed certificate; it turns off verification of the server certificate, so leave it commented out for servers with a certificate from a trusted CA.
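
To see what the JSON conversion block and the meshgw-syslog template above actually produce, here is an added Python model of them (not part of the gateway or of rsyslog): it applies the four replace() steps in the same order, renders one document with the template's fields, and checks that the result is valid JSON. The timestamp, hostname and message values are constructed sample input.

```python
import json
from datetime import datetime

# Mirror of the "JSON conversion" block: the same four replace() steps in the
# same order. Backslashes must be doubled FIRST; otherwise the backslash that
# the quote step inserts would be doubled again and the JSON would not parse.
def escape_msg(msg: str) -> str:
    msg = msg.replace("\\", "\\\\")
    msg = msg.replace('"', '\\"')
    # rsyslog stores received control characters as octal escapes
    # (#011 = TAB, #012 = LF); turn them into JSON escape sequences.
    msg = msg.replace("#011", "\\t")
    msg = msg.replace("#012", "\\n")
    return msg

# Mirror of the "meshgw-syslog" list template: same keys, same order.
def render_document(timereported: str, hostname: str, severity: int,
                    facility: int, severity_text: str, facility_text: str,
                    syslogtag: str, msg: str) -> str:
    return ('{"@timestamp":"' + timereported
            + '","host":"' + hostname
            + '","severity-num":' + str(severity)
            + ',"facility-num":' + str(facility)
            + ',"severity":"' + severity_text
            + '","facility":"' + facility_text
            + '","syslogtag":"' + syslogtag
            + '","message":"' + escape_msg(msg)
            + '"}')

# Mirror of the "meshgw-index" template (meshgw-%$YEAR%.%$MONTH%.%$DAY%).
def index_name(ts: datetime) -> str:
    return ts.strftime("meshgw-%Y.%m.%d")

# Constructed sample message containing a backslash, double quotes and the
# octal escapes rsyslog emits for a TAB and a line feed.
SAMPLE_MSG = 'path C:\\tmp "quoted"#011tab#012second line'

def demo() -> dict:
    doc = render_document("2024-01-31T12:00:00+01:00", "gw-0001", 6, 1,
                          "info", "user", "meshgw:", SAMPLE_MSG)
    # json.loads raises ValueError if the template output is not valid JSON
    return json.loads(doc)

if __name__ == "__main__":
    print(index_name(datetime(2024, 1, 31)))
    print(demo()["message"])
```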

Client certificates are supported through the Global TLS settings section, which configures the netstream driver. Its input fields let you specify the PEM certificate file and the RSA key file, respectively. These settings automatically add the required global(..) statements to the top of the configuration file.

Rapid7/LogEntries Example

It is also possible to send the syslog to the commercial Rapid7 online service (formerly LogEntries) like this:

# Additional SSL/TLS settings like $DefaultNetstreamDriverCAFile
# are set outside of config file as part of a configuration
$ActionSendStreamDriverPermittedPeer *.logentries.com
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# Must replace 12345678-1234-5678-ABCD-EF0123456789 by token below
$MaxMessageSize 64k
$template LogentriesFormat,"12345678-1234-5678-ABCD-EF0123456789 %HOSTNAME% %syslogtag%%msg%\n"

*.* @@api.logentries.com:20000;LogentriesFormat

The access token 12345678-1234-5678-ABCD-EF0123456789 above must be replaced by the actual value the online service provider issued for your service account.
The API endpoint may differ from api.logentries.com:20000 in some cases. When changing it, $ActionSendStreamDriverPermittedPeer must be adjusted to match the new host.

Collecting Diagnostic Logs

Apart from this configuration, current BlueRange Gateway versions also upload diagnostic logs to the BlueRange server whenever they can reach it. These logs can be used to analyze hardware or connectivity issues.

See Gateway Troubleshooting for more information.