Event Logging & Syslog Integration (Live)

Objective

Demonstrate that the z40 Gateway Router and Director:

  • Generate live event logs for security and system activities.
  • Display those logs in Director in near real-time.
  • Forward syslog messages to an external syslog server (via RSYSLOG) using TCP or UDP.
  • Validate that events are received on the external server.

Prerequisites

  • z40 onboarded to the Director tenant, tunnels up to the cloud vGR.
  • LAN client connected on LAN00.
  • Admin access to Director.
  • External syslog server reachable (IP/hostname, port, protocol).
  • Ability to generate benign test events (DNS block/allow, Geo-fence trigger, WAN link toggle).

Test 1 — Live Event Logs in Director

Setup

  1. In Director, go to Edge Controllers → [z40] → System → Logs.
  2. Confirm access to:
    • DNS ALERT (blocked/allowed DNS lookups)
    • SYSLOG → GEO-FENCE (Geo-fence policy events)
    • SYSLOG → All Logs (aggregate stream)

Steps

  1. From LAN client, browse to a domain that is blocked by DNS filtering.
  2. Add an allow-override for the same domain and retry.
  3. Trigger a Geo-fence event (e.g., using test GPS location).

Validation

  • DNS ALERT shows the blocked attempt, then the allowed attempt.
  • SYSLOG → GEO-FENCE shows a new entry when the condition is triggered.
  • All Logs reflects both events in the same window.

Evidence

  • DNS ALERT entries with block/allow states.
  • GEO-FENCE entries for the test trigger.
  • All Logs showing both events.

Test 2 — Time Window & Auto-Refresh Controls

Setup

  1. On any Logs page, set time range to Last 15 minutes.
  2. Enable auto-refresh interval if available.

Steps

  • Trigger DNS block/allow again while the Logs page is open.

Validation

  • Entry appears within the current live window.
  • Auto-refresh updates the page without reload.

Test 3 — Device Analytics Correlation

Setup

  1. In Director, go to Edge Controllers → [z40] → Analytics → Statistics → Logs and Events.

Steps

  • Trigger DNS block/allow or Geo-fence alert while viewing this page.

Validation

  • The same event shows in Logs and Events with matching timestamp.
  • This confirms that System → Logs and Analytics → Logs and Events are aligned.

Test 4 — Configure Remote Syslog Forwarding

Setup

  1. Navigate to Edge Controllers → [z40] → System → Monitoring → RSYSLOG.
  2. Click ADD REMOTE SERVER.

Steps

  1. Enter the following in Remote Server Configuration:
    • Remote Server IP: <syslog_server_IP>
    • Port: <port> (default 514 or as required; example: 5000)
    • Protocol: select TCP or UDP
    • Status: set to Enabled
  2. Save configuration.
  3. Verify the entry appears in the RSYSLOG list with the configured IP, port, protocol, and Status = Enabled.

Validation

  • The syslog server receives log messages from the z40.
  • Director RSYSLOG page shows the remote server entry active.

Evidence

  • RSYSLOG table lists remote server with correct IP/Port/Protocol/Status.
  • Syslog server shows corresponding entries arriving in real time.

Negative / Edge Tests

  • Invalid server: Configure a wrong IP or port; the RSYSLOG entry still shows Enabled, but the server receives nothing.
  • Disable forwarding: Toggle Status to Disabled, generate an event, and confirm that no new messages arrive on the syslog server.
  • Protocol mismatch: Configure the server for UDP while the z40 sends TCP (or vice versa) → no events are received.
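The following is an added example, not code from the z40, Director or RSYSLOG, to support Test 4 and the negative tests above: a throwaway loopback syslog listener that runs in TCP or UDP mode, a parser for RFC 3164-style lines that decodes PRI (facility/severity), hostname, tag and key=value fields, and a check that reproduces the protocol-mismatch case (listener UDP while the sender uses TCP, or vice versa) returning nothing. The sample message and the device hostname "z40-edge" are constructed for the example; the z40's actual line format is assumed to be RFC 3164 style and is not documented on this page.

```python
import re
import socket
import threading

# Constructed sample in RFC 3164 style (not captured from a z40; its real format is assumed).
SAMPLE_MESSAGE = ("<14>Jan 12 10:15:22 z40-edge dnsfilter: "
                  "DNS ALERT action=block domain=example.invalid client=192.0.2.10")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
HEADER_RE = re.compile(
    r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\s]+): ?(.*)$", re.DOTALL)


def parse_syslog(raw):
    """Decode PRI (facility/severity), the RFC 3164 header and key=value fields.
    Returns None when the line does not carry a valid <PRI> prefix."""
    m = PRI_RE.match(raw.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                 # facility 23 * 8 + severity 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    parsed = {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
              "timestamp": None, "host": None, "tag": None, "msg": m.group(2), "fields": {}}
    h = HEADER_RE.match(m.group(2))
    if h:
        parsed.update(timestamp=h.group(1), host=h.group(2), tag=h.group(3), msg=h.group(4))
    parsed["fields"] = dict(re.findall(r"(\w+)=(\S+)", parsed["msg"]))
    return parsed


def messages_from(parsed_messages, host):
    """Keep only messages whose header hostname matches the device under test."""
    return [p for p in parsed_messages if p and p["host"] == host]


def loopback_check(listener_proto, sender_proto, timeout=1.0):
    """Bind a throwaway listener on 127.0.0.1, send SAMPLE_MESSAGE over sender_proto,
    and return the parsed message, or None if nothing arrived before the timeout.
    A protocol mismatch (UDP listener with a TCP sender, or the reverse) yields None."""
    sock_type = socket.SOCK_STREAM if listener_proto == "tcp" else socket.SOCK_DGRAM
    srv = socket.socket(socket.AF_INET, sock_type)
    srv.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
    port = srv.getsockname()[1]
    srv.settimeout(timeout)
    if listener_proto == "tcp":
        srv.listen(1)
    received = []

    def serve():
        try:
            if listener_proto == "tcp":
                conn, _ = srv.accept()
                with conn:
                    conn.settimeout(timeout)
                    received.append(conn.recv(4096))
            else:
                received.append(srv.recvfrom(4096)[0])
        except OSError:           # timeout or reset: treat as "nothing arrived"
            pass
        finally:
            srv.close()

    worker = threading.Thread(target=serve)
    worker.start()
    payload = SAMPLE_MESSAGE.encode()
    try:
        if sender_proto == "tcp":
            with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
                c.sendall(payload + b"\n")   # newline-delimited framing (RFC 6587 non-transparent)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
                c.sendto(payload, ("127.0.0.1", port))
    except OSError:
        pass                      # e.g. connection refused when the listener is UDP
    worker.join()
    if not received or not received[0]:
        return None
    return parse_syslog(received[0].decode(errors="replace"))


if __name__ == "__main__":
    for lp, sp in [("udp", "udp"), ("tcp", "tcp"), ("udp", "tcp"), ("tcp", "udp")]:
        result = loopback_check(lp, sp)
        outcome = f"received tag={result['tag']} fields={result['fields']}" if result else "nothing received"
        print(f"listener={lp} sender={sp}: {outcome}")
```

Running the block stand-alone prints one line per listener/sender combination: the two matching pairs return the parsed DNS ALERT with action=block, the two mismatched pairs return nothing, which is the behaviour the negative tests expect to see on the real syslog server. Pointing the listener at 0.0.0.0 and the port configured in RSYSLOG, and filtering with messages_from() on the z40's hostname, turns the same code into a quick receive check before the production syslog server or ELK/Kibana pipeline is wired up.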

Acceptance Criteria

  • Live DNS and Geo-fence events appear immediately in Director logs.
  • Events correlate between System → Logs and Analytics → Logs and Events.
  • Remote syslog forwarding can be configured under System → Monitoring → RSYSLOG.
  • Syslog server receives forwarded events with correct IP, port, and protocol.
  • Disabling forwarding stops events at the remote server without impacting local Director logs.

Notes & Tips

  • Use deterministic events (DNS block/allow, Geo-fence) so you know exactly when a log should be created.
  • Short windows (Last 15 minutes) make it easy to confirm new entries.
  • If integrating with ELK/Kibana, confirm logs appear in the dashboard with correct device identifiers.
  • For troubleshooting, confirm network connectivity from z40 to syslog server (ping/telnet to port).