SunScreen 3.2 Administrator's Overview

Log Inspection and Browsing

Log mechanisms, using user-defined or ad hoc filters, provide the ability to inspect logs that were previously retrieved and stored. The results are either stored as logs or converted to displayable text. Using the administration GUI, you can browse a Screen's active log file in either historical or live mode. You must enter the name of the Screen's Admin Interface as listed in the naming service or in the hosts file.

Log Filters and the logdump Command

Screen log filtering employs a common mechanism and language, regardless of the context in which it is used. This mechanism and language are embodied in the logdump command. The logdump command is based on, and is a superset of, the snoop program, which is provided with the standard Solaris operating environment.

logdump can be used on an Administration Station to filter and inspect logs during active retrieval or on logs previously retrieved and stored. In conjunction with the logmacro facility, predefined filters can be employed to simplify and regularize routine log processing tasks.

The general usage for logdump is as a subcommand of ssadm. ssadm provides character-set translation between strings embedded in log events and the local character set of the Solaris system on which it runs.


Note -

Although logdump is used directly as an ssadm subcommand, all other places in SunScreen where log filtering is allowed employ the same filter specification language. The examples in this section are prototypical of these other usage contexts.


logdump input is either a stream of log records coming directly from a (possibly remote) Screen, or captured log records read from a file. The source of input is specified by the -i option.

Examples: logdump Command

To process (piped-in) records from the standard input:


admin% ssadm -r Screen log get | ssadm logdump -i - [output args] [filter args]

To process local file log record input:


admin% ssadm logdump -i local_log_file [output args] [filter args]

logdump fundamentally outputs either a stream of log records or readable text in various formats (after applying specified filters).

The presence of the -o option causes (binary) log records to be produced:


admin% ssadm logdump -i input_arg -o local_log_file [filter args]

Omit the -o option to output readable text.

The formatting options for readable text are common to snoop; these are -v, -V, -t [r|a|d], and -x offset[,length]. For more information, see the snoop(1M) man page.
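The filter arguments shown in the examples above use the filter specification language that logdump shares with snoop. The following is an added example, not SunScreen or Solaris code: a small Python evaluator for snoop-style filter expressions (host, net, port, tcp/udp/icmp, the from/src and to/dst qualifiers, and/or/not, parentheses) applied to a constructed set of log records. The record fields (proto, src, sport, dst, dport) and the sample records are assumptions made for the example; they are not logdump's record layout, and none of the SunScreen-specific extensions are modelled.

```python
"""Minimal evaluator for snoop-style filter expressions.

Added example, not SunScreen or Solaris code. It shows the shape of the
filter language that snoop and logdump have in common: primitives such as
'host 10.1.1.5', 'net 10.1', 'port 22', 'tcp', 'udp', 'icmp', optionally
qualified with 'from'/'src' or 'to'/'dst', combined with 'not' (binds
tightest), 'and', 'or' (binds loosest) and parentheses.
"""
import re
from typing import Callable, Dict, List

# Constructed sample records for the example; this is NOT logdump's record
# layout, just a flat dict per log event.
SAMPLE_RECORDS = [
    {"proto": "tcp",  "src": "10.1.1.5",   "sport": 40211, "dst": "192.168.2.9", "dport": 22},
    {"proto": "udp",  "src": "10.1.1.5",   "sport": 5353,  "dst": "224.0.0.251", "dport": 5353},
    {"proto": "icmp", "src": "172.16.0.7", "sport": 0,     "dst": "10.1.1.5",    "dport": 0},
    {"proto": "tcp",  "src": "172.16.0.7", "sport": 51002, "dst": "10.1.1.5",    "dport": 80},
]

Pred = Callable[[Dict], bool]
TOKEN = re.compile(r"\(|\)|[^\s()]+")
PORT_KEY = {"src": "sport", "dst": "dport"}


def tokenize(expr: str) -> List[str]:
    return TOKEN.findall(expr)


def compile_filter(expr: str) -> Pred:
    """Parse a snoop-style expression into a predicate over one record."""
    toks = tokenize(expr)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of filter expression")
        tok = toks[pos]
        pos += 1
        return tok

    def parse_or() -> Pred:
        left = parse_and()
        while peek() == "or":
            take()
            right = parse_and()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, right)
        return left

    def parse_and() -> Pred:
        left = parse_not()
        while peek() == "and":
            take()
            right = parse_not()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, right)
        return left

    def parse_not() -> Pred:
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda rec: not inner(rec)
        return parse_primary()

    def parse_primary() -> Pred:
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        # Direction qualifier: from/src restricts to source fields, to/dst to
        # destination fields; with no qualifier either side may match.
        sides = ("src", "dst")
        if tok in ("from", "src"):
            sides, tok = ("src",), take()
        elif tok in ("to", "dst"):
            sides, tok = ("dst",), take()
        if tok in ("tcp", "udp", "icmp"):
            return lambda rec, p=tok: rec["proto"] == p
        if tok == "host":
            addr = take()
            return lambda rec, a=addr, s=sides: any(rec[side] == a for side in s)
        if tok == "net":
            # Dotted-prefix match, e.g. 'net 10.1' matches 10.1.x.x.
            prefix = take().rstrip(".") + "."
            return lambda rec, p=prefix, s=sides: any((rec[side] + ".").startswith(p) for side in s)
        if tok == "port":
            port = int(take())
            return lambda rec, n=port, s=sides: any(rec[PORT_KEY[side]] == n for side in s)
        raise ValueError(f"unknown primitive: {tok}")

    pred = parse_or()
    if pos != len(toks):
        raise ValueError(f"trailing tokens: {toks[pos:]}")
    return pred


def apply_filter(expr: str, records=SAMPLE_RECORDS) -> List[Dict]:
    """Return the records selected by expr (the post-processing step logdump performs)."""
    pred = compile_filter(expr)
    return [r for r in records if pred(r)]


if __name__ == "__main__":
    for expr in ("from host 10.1.1.5", "tcp and to port 22", "not (tcp or udp)"):
        print(expr, "->", apply_filter(expr))
```

The evaluator deliberately rejects a malformed expression (a dangling operator or unbalanced parenthesis) rather than silently matching nothing, which is the behaviour you want from a filter that decides what reaches an analyst.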

logdump Extensions

logdump is an extension of the standard snoop packet monitoring tool provided with the Solaris operating environment. Any expertise in the use of snoop is directly applicable to use of logdump.

The facilities of logdump that are common to snoop are detailed in the ssadm-logdump(1m) man page.

logdump has been extended to provide for the special additional needs of SunScreen. These extensions are summarized as:

logdump is also fundamentally different from snoop in that it plays no part in deciding what SunScreen logs; the rules and variables described earlier provide that control. snoop is often used to filter network traffic as it is captured or displayed, whereas logdump only postprocesses log content that has already been recorded.

SunScreen logs and snoop-captured files are not interoperable.