SFlow Events

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-8214/Content/fir-int.htm

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-8214.pdf

SFlow Events

Base Rule

sFlow Virtual Information

Information

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

Event ID

<vmid>

Number

Event ID 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032

Severity

<severity>

Text/String

For 1023-1032: Information
For 1001-1022: Error

Message

<subject>
<action>
<result>

Text/String

Event ID 1001:
Log a failure when trying to start/stop/restart host sFlow daemon.

<subject>
<action>
<result>
<object>

Text/String

Event ID 1002:
Log a failure when trying to read/write to host sFlow configuration file.

<subject>
<action>
<result>
<object>

Text/String

Event ID 1003:
Log a failure when trying to configure sFlow on SIM OVS.

<subject>
<result>

Text/String

Event ID 1004:
Log a failure when trying to delete all iptable rules added for sFlow.

<subject>
<action>
<result>
<object>
<dport>

Text/String/Number

Event ID 1005:
Log a failure when trying to add/delete an iptable rule for sFlow.

<subject>

Text/String

Event ID 1006:
Logs an error if sFlow initialization fails.

<subject>

Text/String

Event ID 1007:
Logs an error for an invalid packet in sFlow callback.

<subject>
<dinterface>

Text/String

Event ID 1008:
Logs an error if an interface does not have a netdev class.

<subject>

Text/String

Event ID 1009:
Logs an error if the description to create a filter is blank.

<subject>
<object>

Text/String

Event ID 1010:
Logs an error if sFlow KNET filter creation fails.

<subject>

Text/String

Event ID 1011:
Logs an error if sampled packet is null.

<subject>

Text/String

Event ID 1012:
Logs an error if sFlow agent is not initialized.

<subject>

Text/String

Event ID 1013:
Logs an error if sFlow sampler is not initialized.

<subject>
<dport>

Text/String/Number

Event ID 1014:
Logs an error if sFlow is enabled/disabled on an invalid port.

<subject>
<dport>

Text/String/Number

Event ID 1015:
Logs an error if sFlow sampler is missing on a port.

<subject>

Text/String

Event ID 1016:
Logs an error if sFlow receiver is not available.

<subject>
<result>

Text/String

Event ID 1017:
Logs an error if port configuration is not available.

<subject>
<result>
<dport>

Text/String/Number

Event ID 1018:
Logs an error if setting a sampling rate on a port fails.

<subject>
<result>
<dport>

Text/String/Number

Event ID 1019:
Logs an error if unable to retrieve sampling rate on a port.

<subject>
<dip>

Text/String/IP Address

Event ID 1020:
Logs an error in case of invalid agent interface IP address configuration.

<subject>
<dip>

Text/String/IP Address

Event ID 1021:
Logs an error in case of invalid collector IP address configuration.

<subject>
<result>
<dport>

Text/String/Number

Event ID 1022:
Logs an error if unable to retrieve interface statistics.

<subject>

Text/String

Event ID 1023:
Logs creation of sFlow agent.

<subject>

Text/String

Event ID 1024:
Logs deletion of sFlow agent.

<subject>
<amount>

Text/String/Number

Event ID 1025:
Logs a change in sFlow sampling rate.

<subject>
<size>

Text/String/Number

Event ID 1026:
Logs sFlow agents header length event.

<subject>
<dip>

Text/String/IP Address

Event ID 1027:
Logs setting IP address to sFlow agent.

<subject>
<size>

Text/String/Number

Event ID 1028:
Log setting max datagram size on sFlow agent.

<subject>
<dport>
<object>

Text/String/Number

Event ID 1029:
Add sFlow poller on a port.

<subject>
<object>

Text/String

Event ID 1030:
Delete sFlow poller on a port.

<subject>

Text/String

Event ID 1031:
Set polling interval for sFlow agent.

<subject>
<action>

Text/String

Event ID 1032:
Logs change in sFlow mode.