How to enable debugging for "tonicd" in Security Analytics ?

Article ID: 169118

Products

Security Analytics

Issue/Introduction

How to enable debugging for "tonicd" in Security Analytics ?

Resolution

Enable ‘debug’ in syslog-ng, and change “log_threshold” to 10 in /etc/tonic.d/tonic.conf

Detailed instructions

  1. Edit /etc/syslog-ng/syslog-ng.conf.tmpl (make sure it is the .tmpl version, not syslog-ng.conf itself: the generator run in step 4 rewrites syslog-ng.conf from the template, so edits made directly to syslog-ng.conf are lost).
  2. Search for ‘emerg’ and change
     filter f_filter2   { level(info..emerg) and not facility(mail,authpriv,cron); };
     to
     filter f_filter2   { level(debug..emerg) and not facility(mail,authpriv,cron); };
  3. Save and exit the text editor.
  4. Run /etc/syslog-ng/generate_syslog_ng_conf to regenerate syslog-ng.conf from the template and restart syslog-ng.
  5. Change “log_threshold” to 10 in /etc/tonic.d/tonic.conf. Debug logging is verbose, so set it back to 6 (INFO and higher) once troubleshooting is finished.
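The following script is an added example, not part of the KB article or of the Security Analytics product: it applies the procedure above with backups and a verification of each edit, and can be dry-run offline against constructed sample files. The file paths, the f_filter2 line and the generate_syslog_ng_conf command are taken from the article; the `log_threshold = N` key format in tonic.conf, the `--apply` switch and the function names are assumptions, so compare them with your own files before running it as root.

```shell
#!/bin/sh
# Added example (not from the KB article): enable tonicd debug logging as
# described above. Paths and the f_filter2 filter line come from the article;
# the "log_threshold = N" line format is an ASSUMPTION about tonic.conf.
set -u

SYSLOG_TMPL="${SYSLOG_TMPL:-/etc/syslog-ng/syslog-ng.conf.tmpl}"
TONIC_CONF="${TONIC_CONF:-/etc/tonic.d/tonic.conf}"
GEN_CONF="${GEN_CONF:-/etc/syslog-ng/generate_syslog_ng_conf}"

# Print the level range currently set on filter f_filter2 (e.g. "info..emerg").
syslog_filter_level() {
    sed -n 's/^[[:space:]]*filter f_filter2[[:space:]]*{[[:space:]]*level(\([^)]*\)).*/\1/p' "$1" | head -n 1
}

# Change the f_filter2 range from info..emerg to debug..emerg in the template.
# Keeps a timestamped backup and writes via a temp file so a failed sed never
# truncates the template. Idempotent: returns 0 if debug is already enabled.
enable_syslog_debug() {
    f="$1"
    case "$(syslog_filter_level "$f")" in
        debug..emerg) return 0 ;;
    esac
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed 's/^\([[:space:]]*filter f_filter2[[:space:]]*{[[:space:]]*level(\)info\.\.emerg)/\1debug..emerg)/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f" || return 1
    [ "$(syslog_filter_level "$f")" = "debug..emerg" ]
}

# Print the current log_threshold value from tonic.conf (empty if not set).
tonic_log_threshold() {
    sed -n 's/^[[:space:]]*log_threshold[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Set log_threshold to $2 (10 for DEBUG, 6 to restore INFO and higher).
# Rewrites an existing key in place, or appends one if the key is absent.
set_tonic_log_threshold() {
    f="$1"; level="$2"
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if [ -n "$(tonic_log_threshold "$f")" ]; then
        sed "s/^\([[:space:]]*log_threshold[[:space:]]*=[[:space:]]*\)[0-9]*/\1$level/" "$f" > "$f.tmp"
    else
        { cat "$f"; echo "log_threshold = $level"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f" || return 1
    [ "$(tonic_log_threshold "$f")" = "$level" ]
}

# The full procedure from the article: syslog-ng debug filter, regenerate the
# config and restart syslog-ng, then raise the tonic threshold to 10.
main() {
    enable_syslog_debug "$SYSLOG_TMPL" || { echo "failed to edit $SYSLOG_TMPL" >&2; exit 1; }
    "$GEN_CONF" || { echo "generate_syslog_ng_conf failed" >&2; exit 1; }
    set_tonic_log_threshold "$TONIC_CONF" 10 || { echo "failed to edit $TONIC_CONF" >&2; exit 1; }
    echo "f_filter2 level: $(syslog_filter_level "$SYSLOG_TMPL"); tonic log_threshold: $(tonic_log_threshold "$TONIC_CONF")"
}

# Offline dry run on CONSTRUCTED sample files (not real appliance output):
# prints "<filter level> <threshold>" after the edits, i.e. "debug..emerg 10".
demo() {
    d="$(mktemp -d)"
    printf '%s\n' 'source s_sys { internal(); };' \
        'filter f_filter2   { level(info..emerg) and not facility(mail,authpriv,cron); };' \
        > "$d/syslog-ng.conf.tmpl"
    printf '%s\n' '# tonic global settings (constructed sample)' 'log_threshold = 6' > "$d/tonic.conf"
    enable_syslog_debug "$d/syslog-ng.conf.tmpl" && set_tonic_log_threshold "$d/tonic.conf" 10 || return 1
    echo "$(syslog_filter_level "$d/syslog-ng.conf.tmpl") $(tonic_log_threshold "$d/tonic.conf")"
    rm -rf "$d"
}

# The real edit is opt-in: `sh enable_tonic_debug.sh --apply` as root.
if [ "${1:-}" = "--apply" ]; then
    main "$@"
fi
```

Run it without arguments (or call `demo`) to check the sed expressions against the sample lines before touching the appliance; `set_tonic_log_threshold "$TONIC_CONF" 6` reverses the tonic change once the noisy debug output is no longer needed.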

 

Additional Information

The logging in tonic is much more fine-grained than a simple ‘be quiet’ / ‘be super noisy’ switch: there are several levels that can be set. The “log_threshold” setting in /etc/tonic.d/tonic.conf is the global setting for tonic logging. A log_threshold of 6 logs all messages of priority INFO and higher (warning, error, critical). A log_threshold of 10 also includes DEBUG level messages. All tonic logging goes to syslog, which is why the syslog-ng filter must also be changed to pass debug-level messages; raising log_threshold alone is not enough.

The file /var/run/tonic/info/dmesg contains startup messages that never reach syslog, because the logging plugin has not yet been loaded at that point. If a tonic component or connection is unexpectedly missing, check this dmesg file first to see whether something failed to load or connect.

The /var/run/tonic/info directory also holds various runtime statistics that can be used for troubleshooting.