Forwarding logs to a remote server

Learn how to configure sending system log events from IBM® Cloud Pak for Data System control nodes to a remote log server with the apsyslog utility.

apsyslog changes the rsyslog configuration file on the rsyslog server and on all connected control nodes. As a result, all configured messages are passed to rsyslogd, which then redirects the messages that match the forwarding rules to the log servers.

Before you begin

  • The feature can be configured only on IBM Cloud Pak for Data System control nodes that have an external IP address configured.
  • You must configure the remote logging server to accept the forwarded messages from the control nodes.
  • You must enable the control nodes (apsyslog enable) before you configure any forwarding rule.
  • For audit log redirection, the utility configures the file /etc/audisp/plugins.d/syslog.conf and defines the audit forwarding rule in rsyslog.conf.
    The valid audit log facility options are LOG_LOCAL0 through LOG_LOCAL7. In file /etc/audisp/plugins.d/syslog.conf:
    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL7       #default value as per scripts
    format = string
    Corresponding entry in rsyslog.conf:
    Local7.* @@<RemoteServerIP:Port>

About this task

Command syntax:
apsyslog <operation> --server <RemoteServerIP:port> --nodes <all | e1n1,e2n1> --mode <append|overwrite>
The following operations are available:
apsyslog enable --server <RemoteServerIP:port> --nodes <all | e1n1,e2n1>
Enables the feature on the selected control nodes.
apsyslog show --nodes <all | e1n1,e2n1>
Shows the list of configured forwarding rules for the selected control nodes.
apsyslog unset --fwdRule <facility.priority> --nodes <all | e1n1,e2n1>
Deletes the existing forwarding rules on the selected nodes.
apsyslog set --diskSpace <2g> --nodes <all | e1n1,e2n1>
Sets the disk space limit on the selected control nodes.
apsyslog set --retryCount <5> --nodes <all | e1n1,e2n1>
Sets the retry count if remote logging server is unreachable.
apsyslog disable --nodes <all | e1n1,e2n1>
Restores the original rsyslog and syslog configuration files on the enabled control nodes.
Optional arguments:
-h, --help
Shows this help message and exits.
--server <RemoteServerIP:Port>
Remote server logging details.
--fwdRule <facility.priority>
Specify the unique forwarding rule that you want to define for the nodes. Each forwarding rule consists of a pair of the following parameters:
Facility
The facility is used to specify what type of program is generating the message. The Syslog daemon can then be configured to handle messages from different sources differently. Examples:
auth/authpriv, cron, daemon, kern, local0 - local7, lpr, mail, news, syslog, user, uucp
Priority
The priority, or level, of a message is intended to determine the importance of a message. Examples:
emerg, alert, crit, err, warning, notice, info, debug
For example: auth.alert, cron.err.
--nodes <all | e1n1,e2n1>
List of control nodes to be configured. Use a comma (,) to separate the nodes.
--diskSpace <1g>
Disk space limit for the queue. The default value is 1g.
--retryCount <n>
Number of retries if the remote logging server is unreachable. The default value is 1.
--mode <append|overwrite>
Specifies whether the newly configured rule is appended to the existing forwarding rules or overwrites them. The default value is append.
  • In the append mode, the utility adds the new rule to the existing forwarding rules.
  • In the overwrite mode, the utility overwrites the existing forwarding rules with the new rule.

Procedure

  • To configure the feature, enable the control nodes to forward messages to the remote logging server by running the following command from any of the nodes:
    apsyslog enable --server <RemoteServerIP:port> --nodes <all | e1n1,e2n1>

    After enabling, you can perform the other operations (set | unset | show | disable) on the enabled nodes.

    Note:

    As part of the enabling operation, the utility configures a forwarding rule for audit log facility on all listed control nodes by default.

  • On the enabled nodes, display the list of configured forwarding rules:
    apsyslog show --nodes <all | e1n1,e2n1>
  • To set a new rule on the enabled nodes, run the following command. You must use a unique forwarding rule that is not already set on the specified nodes.
    apsyslog set --fwdRule <facility.priority> --nodes <all | e1n1,e2n1> --mode <append|overwrite>
    For example, for the audit log facility you only need to specify local7 as the forwarding rule. Sample command for setting the audit forwarding rule:
    apsyslog set --fwdRule local7 --nodes <all | e1n1,e2n1>
  • To unset a forwarding rule, run the following command. You must use a forwarding rule that is already set on the specified nodes. To check the configured forwarding rules, use the show operation.
    apsyslog unset --fwdRule <facility.priority> --nodes <all | e1n1,e2n1>
  • To restore the nodes to the default logging settings (restore the original rsyslog and syslog configuration files), use the following command.
    apsyslog disable --nodes <all | e1n1,e2n1>
    After the disable operation, if you want to configure any forwarding rule on the selected nodes, you must enable them again.
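The two things a practitioner most wants to verify after running the procedure are that the audit facility named in /etc/audisp/plugins.d/syslog.conf (LOG_LOCAL7 by default) really has a matching local7.* forwarding rule in rsyslog.conf, as described under Before you begin, and that a rule passed to --fwdRule is a valid facility.priority pair. The following shell script is an added example, not part of apsyslog or the IBM documentation. It assumes that the configuration file contents are passed in as strings (constructed samples below, with 192.0.2.10:514 as a placeholder address), that a bare facility such as local7 in the audit example above means local7.*, and that forwarding rules take the form shown on this page (facility.* @@host:port for TCP, @host:port for UDP).

```shell
#!/bin/sh
# Added example: offline check that the audit log facility named in the
# audispd syslog plugin config has a matching rsyslog forwarding rule, plus a
# validator for facility.priority rules before they are passed to
# "apsyslog set --fwdRule". Not part of apsyslog or the IBM documentation.
# Assumptions: config contents are passed in as strings (constructed samples
# below); a bare facility such as "local7" is treated as "local7.*";
# 192.0.2.10:514 is a documentation placeholder address.

VALID_FACILITIES="auth authpriv cron daemon kern local0 local1 local2 local3 local4 local5 local6 local7 lpr mail news syslog user uucp"
VALID_PRIORITIES="emerg alert crit err warning notice info debug"

# validate_fwd_rule RULE: return 0 if RULE is a known facility with a known
# priority (or a bare facility), 1 otherwise.
validate_fwd_rule() {
    rule="$1"
    case "$rule" in
        *.*) fac="${rule%%.*}"; pri="${rule#*.}" ;;
        *)   fac="$rule"; pri='*' ;;   # bare facility = all priorities (assumed)
    esac
    fac_ok=no; pri_ok=no
    for f in $VALID_FACILITIES; do
        if [ "$f" = "$fac" ]; then fac_ok=yes; fi
    done
    if [ "$pri" = '*' ]; then pri_ok=yes; fi
    for p in $VALID_PRIORITIES; do
        if [ "$p" = "$pri" ]; then pri_ok=yes; fi
    done
    if [ "$fac_ok" = yes ] && [ "$pri_ok" = yes ]; then return 0; fi
    return 1
}

# audisp_facility: read an audispd syslog.conf on stdin and print the rsyslog
# facility named by its "args = LOG_xxx" line in lower case (e.g. local7).
audisp_facility() {
    sed -n 's/^[[:space:]]*args[[:space:]]*=[[:space:]]*LOG_\([A-Za-z0-9]*\).*/\1/p' \
        | tr '[:upper:]' '[:lower:]' | head -n 1
}

# forward_target SELECTOR: read rsyslog.conf on stdin and print "tcp host:port"
# (@@) or "udp host:port" (@) for the first rule whose selector matches, e.g.
# "local7.*" or "cron.err"; prints nothing if there is no such rule. Comment
# lines are skipped and the match is case-insensitive, as in rsyslog itself.
forward_target() {
    awk -v sel="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == sel && $2 ~ /^@@?[^@]/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            sub(/^@@?/, "", $2)
            print proto " " $2
            exit
        }'
}

# check_audit_forwarding AUDISP_CONF RSYSLOG_CONF: 0 if the audit facility is
# forwarded, 1 otherwise; prints a one-line finding either way.
check_audit_forwarding() {
    fac=$(printf '%s\n' "$1" | audisp_facility)
    if [ -z "$fac" ]; then
        echo "FAIL: no audit facility (args = LOG_...) in audisp syslog.conf"
        return 1
    fi
    target=$(printf '%s\n' "$2" | forward_target "$fac.*")
    if [ -z "$target" ]; then
        echo "FAIL: audit facility $fac has no forwarding rule in rsyslog.conf"
        return 1
    fi
    echo "OK: audit facility $fac forwarded via $target"
    return 0
}

# Constructed sample inputs (values mirror the documentation; the address is a placeholder).
SAMPLE_AUDISP='active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL7       #default value as per scripts
format = string'

SAMPLE_RSYSLOG='# forwarding rules managed by apsyslog
auth.alert @@192.0.2.10:514
Local7.* @@192.0.2.10:514'

SAMPLE_RSYSLOG_NO_AUDIT='auth.alert @@192.0.2.10:514
cron.err @192.0.2.10:514'

# Stand-alone demonstration; on a control node replace the samples with
# "$(cat /etc/audisp/plugins.d/syslog.conf)" and "$(cat /etc/rsyslog.conf)".
check_audit_forwarding "$SAMPLE_AUDISP" "$SAMPLE_RSYSLOG"
check_audit_forwarding "$SAMPLE_AUDISP" "$SAMPLE_RSYSLOG_NO_AUDIT" || true
```

The script only reads configuration; it never edits the files that apsyslog manages. Running it after apsyslog enable (or after comparing with apsyslog show) confirms that audit events will actually leave the node, which matters because a forwarding rule that names the wrong facility fails silently: rsyslogd still accepts the messages, it just never sends them on.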