Log Management
Log Management provides real-time syslog monitoring and analysis for all network devices sending syslog messages to WhiteOwl. The page combines summary statistics, a log activity timeline, top event type breakdown, and a searchable log table — giving you a single view into device-level events across your entire infrastructure.
The header displays the total event count for the selected time window (e.g., "Real-time syslog monitoring • 211 events").
Global Controls
| Control | Description |
|---|---|
| Time Range | Select the time window for log data. Defaults to Last 24 Hours. |
| Refresh | Re-fetch the latest log data. |
| Filter | Open additional filter controls. |
Summary Tiles
Five color-coded tiles across the top provide an at-a-glance severity breakdown:
| Tile | Color | Description |
|---|---|---|
| Total Logs | Blue | Total number of syslog messages received in the selected time window. |
| Critical | Red | Count of messages with Critical severity — events requiring immediate attention (e.g., hardware failures, process crashes). |
| Errors | Blue | Count of Error severity messages — significant issues that may affect service (e.g., configuration parse failures, authentication errors). |
| Warnings | Yellow | Count of Warning severity messages — potential issues that should be monitored (e.g., interface flaps, config resolve failures, high resource usage). |
| Info | Light Blue | Count of Informational messages — routine operational events (e.g., interface up/down transitions, login events, configuration changes). |
Log Activity Timeline
The time series chart below the summary tiles visualizes log volume over time, with separate lines for each severity level. This makes it easy to spot spikes in log activity that correlate with network events.
Use the timeline to identify:
- Log storms — Sudden spikes in log volume often indicate a cascading failure or flapping condition.
- Recurring patterns — Regular spikes at specific times may indicate scheduled jobs, backups, or maintenance windows.
- Severity shifts — A shift from Info-dominated logs to Warning or Error-dominated logs signals developing issues.
Top Event Types
The panel to the right of the timeline ranks the most common syslog event types by count with color-coded horizontal bars. Examples include:
| Event Type | Description |
|---|---|
| CONFIG_RESOLVE_FAILURE | Device failed to parse or resolve a configuration file. |
| UPDOWN | Interface or line protocol state change (up/down transition). |
| INTERFACE_STATE | Interface operational state change notification. |
| LOGGINGHOST_STARTSTOP | Syslog logging host connection started or stopped. |
This ranking helps you quickly identify the dominant event types driving log volume. A high count of UPDOWN events, for example, may indicate interface flapping that needs investigation.
Log Table
The main log table displays individual syslog messages with full details.
Filters
Four filter controls above the table allow you to narrow the displayed logs:
| Filter | Description |
|---|---|
| Search | Free-text search across all log message content. |
| All Severities | Filter by severity level: Critical, Error, Warning, Info, or All. |
| All Event Types | Filter by specific event type (e.g., SYS-CONFIG_RESOLVE_FAILURE, UPDOWN). |
| All Devices | Filter to logs from a specific device. |
Filters can be combined — for example, showing only Warning-level UPDOWN events from a specific router.
Table Columns
| Column | Description |
|---|---|
| Time | Timestamp of the syslog message, including date (e.g., "5:43:33 PM, 2/8/2026"). |
| Severity | Color-coded severity badge: critical (red), warning (orange/yellow), error (blue), info (light blue). |
| Device | The device hostname and IP address that sent the syslog message (e.g., "cisco-router1.eve-ng / 192.168.100.65"). |
| Event Type | The classified event type with an icon badge (e.g., "⚡ SYS-CONFIG_RESOLVE_FAILURE"). WhiteOwl parses syslog messages and extracts the Cisco mnemonic or equivalent event classifier. |
| Message | The full syslog message text (e.g., "System config parse from (tftp://255.255.255.255/cisco-ro.cfg) failed"). |
| Actions | View (👁️) — Opens the full log detail view with the complete raw syslog message and parsed fields. |
Syslog Configuration
For devices to appear in Log Management, they must be configured to send syslog messages to the WhiteOwl server. Typical device-side configuration:
Cisco IOS / IOS-XE:
```text
logging host <whiteowl-server-ip>
logging trap warnings
logging facility local0
```
Arista EOS:
```text
logging host <whiteowl-server-ip>
logging trap warnings
logging facility local0
```
Note that logging trap sets the highest severity number (least severe level) the device will forward. With logging trap warnings (level 4) only emergencies through warnings leave the device, so the routine events the Info tile describes, such as configuration changes, successful logins, and line-protocol up/down transitions (level 5 or 6), never reach WhiteOwl. If you want those events, and in particular the login and configuration-change records the Security monitoring use case depends on, use logging trap informational (level 6) instead; logging trap debugging (level 7) forwards everything and can generate very high volume.
WhiteOwl listens for syslog on UDP port 514 by default. Ensure this port is open on the WhiteOwl server's firewall and that network routing allows syslog traffic from your devices to reach the server. Two caveats apply: UDP gives no delivery confirmation, so a device will not report a dropped datagram and the only reliable check is to see the device appear in the Log Table after you configure it; and syslog over UDP is unencrypted and unauthenticated, so anyone who can reach the port can inject forged messages with any hostname or spoofed source address. Restrict the firewall rule to the source addresses of your managed devices rather than opening the port broadly.
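To check the firewall and routing path before rolling the configuration out to production devices, the following added example (not WhiteOwl's own tooling) sends a single test syslog datagram from any host with Python. It builds the same PRI value (facility local0, severity warning) that a device configured as above would emit, so the message lands in the same severity bucket as real traffic. The server address is an assumption; substitute your WhiteOwl server. The hostname and message text are whatever the sender chooses, which is exactly why the port should be restricted to known device addresses.

```python
"""Send a test syslog datagram to the WhiteOwl collector on UDP 514.

Added example, not WhiteOwl code. It builds a BSD-syslog (RFC 3164) message
with the same PRI a device configured with "logging facility local0" and a
warning-level event would emit. SERVER is an assumption: replace it with the
address of your WhiteOwl server.
"""
import socket
import time

SERVER = "192.168.100.10"  # assumed WhiteOwl address; substitute your own
PORT = 514                 # WhiteOwl's default syslog port

# RFC 3164 facility and severity codes (section 4.1.1).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local0 with warning gives 132."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def bsd_timestamp(t: time.struct_time = None) -> str:
    """'Mmm dd hh:mm:ss' with the day space-padded, as RFC 3164 requires."""
    if t is None:
        t = time.localtime()
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, timestamp: str = None) -> bytes:
    """Return '<PRI>TIMESTAMP HOSTNAME TAG: TEXT' encoded for the wire."""
    if timestamp is None:
        timestamp = bsd_timestamp()
    line = f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}"
    return line.encode("ascii", "replace")


def send_test_message(server: str = SERVER, port: int = PORT,
                      hostname: str = "syslog-test", facility: str = "local0",
                      severity: str = "warning") -> bytes:
    """Fire one datagram and return the bytes that were sent.

    UDP has no acknowledgement: sendto() succeeding only means the local
    stack accepted the packet. Confirm receipt in WhiteOwl's Log Table.
    """
    msg = build_message(facility, severity, hostname, "whiteowl-test",
                        "WhiteOwl syslog reachability test")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(msg, (server, port))
    return msg


if __name__ == "__main__":
    print(send_test_message().decode())
```

After running it, press Refresh in Log Management and filter the Device control for the test host; if nothing appears, the problem is the firewall or routing between the sending host and the server, not the device configuration.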
You can deploy syslog configuration to multiple devices simultaneously using Config Management. Create a Jinja2 template with the logging commands and push it to all target devices in a single job.
Use Cases
- Troubleshooting — Search for error messages related to a specific device or timeframe to diagnose issues reported by users.
- Interface flap detection — Filter for UPDOWN events to identify interfaces that are flapping, then correlate with SNMP interface metrics and flow data.
- Configuration audit — Monitor CONFIG_RESOLVE_FAILURE and configuration change events to detect unauthorized or failed configuration changes.
- Security monitoring — Search for authentication failure messages, unauthorized access attempts, or ACL deny events.
- Compliance — Centralized log collection satisfies logging requirements for security frameworks and audit standards.
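The Event Type column above says WhiteOwl extracts the Cisco mnemonic from each message, and the Top Event Types panel and the use cases (flap detection, configuration audit, security monitoring) all come down to counting and filtering on that field. The following added example (not WhiteOwl's parser) shows that classification end to end over a handful of constructed payloads modelled on IOS message formats. The mapping of the eight syslog levels onto the four summary tiles and the flap threshold are assumptions; the device address stands in for the UDP source address a collector sees, since IOS does not put the hostname in the payload unless logging origin-id is configured.

```python
"""Classify Cisco-style syslog payloads and run the page's use-case checks.

Added example, not WhiteOwl's parser. It pulls the %FACILITY-LEVEL-MNEMONIC
header out of each payload (the field the Event Type column shows), buckets
the numeric level into the four summary tiles (assumed mapping: 0-2 Critical,
3 Error, 4 Warning, 5-7 Info), then counts event types, flags flapping
interfaces and pulls out authentication failures and ACL denies.
"""
import re
from collections import Counter

# %FACILITY-LEVEL-MNEMONIC: text, as IOS/IOS-XE and EOS format their messages.
EVENT_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<level>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# Interface name in UPDOWN messages: "... Interface GigabitEthernet0/1, changed state to down"
IFACE_RE = re.compile(r"Interface (?P<iface>\S+?),")

# Assumed mapping of the eight syslog levels onto the four summary tiles.
TILES = {0: "Critical", 1: "Critical", 2: "Critical", 3: "Error",
         4: "Warning", 5: "Info", 6: "Info", 7: "Info"}

# Constructed samples modelled on IOS wire payloads (<PRI>seq: timestamp: %FAC-LEVEL-MNEMONIC: text).
# The first element stands in for the UDP source address the collector sees.
SAMPLE = [
    ("192.168.100.65", "<189>14: *Feb  8 17:43:33.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)"),
    ("192.168.100.65", "<188>15: *Feb  8 17:43:40.212: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisco-ro.cfg) failed"),
    ("192.168.100.65", "<187>16: *Feb  8 17:44:01.005: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("192.168.100.65", "<189>17: *Feb  8 17:44:03.118: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"),
    ("192.168.100.65", "<187>18: *Feb  8 17:44:09.441: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up"),
    ("192.168.100.65", "<187>19: *Feb  8 17:44:15.772: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("192.168.100.66", "<188>201: *Feb  8 17:45:02.900: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed] at 17:45:02 UTC Sun Feb 8 2026"),
    ("192.168.100.66", "<190>202: *Feb  8 17:45:10.020: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(40112) -> 192.168.100.66(23), 1 packet"),
    ("192.168.100.66", "<190>203: *Feb  8 17:45:12.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.100.10 port 514 started - CLI initiated"),
    ("192.168.100.67", "not a cisco style line"),
]


def parse_line(device, raw):
    """Return the fields the Log Table shows, or None for a payload without a Cisco-style header."""
    m = EVENT_RE.search(raw)
    if not m:
        return None
    level = int(m["level"])
    return {"device": device, "level": level, "severity": TILES[level],
            "facility": m["facility"], "mnemonic": m["mnemonic"],
            "event_type": f"{m['facility']}-{m['mnemonic']}",  # e.g. SYS-CONFIG_RESOLVE_FAILURE
            "message": m["text"]}


def parse_all(lines):
    return [e for e in (parse_line(d, r) for d, r in lines) if e is not None]


def severity_counts(events):
    """Per-tile counts, as the summary tiles show them."""
    return Counter(e["severity"] for e in events)


def top_event_types(events, n=3):
    """Most common event types, as the Top Event Types panel ranks them."""
    return Counter(e["event_type"] for e in events).most_common(n)


def flapping_interfaces(events, threshold=3):
    """(device, interface) pairs with at least `threshold` UPDOWN transitions; the threshold is an assumption."""
    counts = Counter()
    for e in events:
        if e["mnemonic"] != "UPDOWN":
            continue
        m = IFACE_RE.search(e["message"])
        if m:
            counts[(e["device"], m["iface"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def security_events(events):
    """Login failures and ACL denies, the events the Security monitoring use case searches for."""
    return [e for e in events
            if e["mnemonic"] == "LOGIN_FAILED"
            or (e["mnemonic"].startswith("IPACCESSLOG") and "denied" in e["message"])]


if __name__ == "__main__":
    events = parse_all(SAMPLE)
    print(severity_counts(events))
    print(top_event_types(events))
    print(flapping_interfaces(events))
    for e in security_events(events):
        print(e["device"], e["event_type"], e["message"])
```

Run against the samples, the Error count comes entirely from LINK-3-UPDOWN on one interface, which is the "high count of UPDOWN events" signal the Top Event Types section describes; the flap check narrows it to the single (device, interface) pair rather than leaving you to scroll the table. Note that the severity digit comes from the device, so the tile a message lands in is decided by the vendor's choice of level, not by how serious the text reads.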