Configuring platform system log forwarding
You can configure forwarding of local syslog events in RFC5424 format from your IBM Cloud Private Cloud Foundry platform to a remote syslog endpoint.
Platform log forwarding in Cloud Foundry Enterprise Environment
As part of the Cloud Foundry Enterprise Environment fix pack, by default, platform logs are automatically forwarded to IBM Cloud Private logging. The logging function is provided by the logging Helm release of the ibm-icplogging Elastic Stack Helm chart. Modify these parameters if you want to forward logs to other destinations or if you are using a different release of ibm-icplogging with custom configuration.
Logging can be configured during an installation or upgrade of Cloud Foundry Enterprise Environment. For more information, see Connecting to Elastic Stack in IBM Cloud Private.
Platform log forwarding in IBM Cloud Private Cloud Foundry
The cfp-ext-syslog-forwarder extension enables this functionality, and it supports a number of different configuration options, including secure communications using TLS and mutual certificate-based authentication. If you want to forward syslog events to the built-in Elastic Stack in IBM Cloud Private, the ibm-cflogging Helm chart can automatically configure this extension during installation of the chart. See Connecting to Elastic Stack in IBM Cloud Private for more information.
To send syslog events to a remote syslog endpoint of your choice, enable the cfp-ext-syslog-forwarder extension. You can enable extensions by using a CLI or user interface. To use the CLI, prepare your configuration file according to Configuration Values. Next, follow the instructions for Running the extension, skipping the registration step since this is an embedded extension included with the product.
If you prefer to use the user interface, the cfp-ext-syslog-forwarder offers guided editing of the configuration values. Select a configuration type of Insecure, Server TLS, or Mutual TLS. The user interface displays the required and optional configuration values for the selected scenario. The user interface provides descriptions, sample values, and validation of the configuration values. For information about extensions, see Managing extensions and Configurations.
Configuration values for IBM Cloud Private Cloud Foundry
Provide the following required configuration values to configure syslog forwarding.
- syslog_address
IP address or domain of the server to receive syslogs.
- syslog_port
Port on which the syslog server is listening.
These optional configuration values are also available.
- configuration_name
Configuration name for UI-assisted entry of the configuration values. Valid values are insecure, server_tls, or mutual_tls.
- syslog_transport
Default: tcp
Transport for syslog forwarding. Valid values are tcp, udp, or relp.
- syslog_fallback_servers
A list of fallback servers to use should the main syslog server be unavailable. Each list item has three keys (address, port, and transport) that define the fallback server. This is supported only when transport for primary and fallback servers is specified as tcp or relp.
- syslog_custom_rule
Custom rules for rsyslog are written in RainerScript. For example: if ($msg contains "DEBUG") then stop
- syslog_tls_enabled
Default: false
Forwards syslogs over a secure connection (syslog_transport must be tcp when TLS is enabled).
- syslog_permitted_peer
Host name of the syslog server to be verified when using TLS (wildcard * permitted).
- syslog_ca_cert
Certificate Authority to trust when TLS is enabled, if server certificate is self-signed or signed by a CA that is not available in the default certificate store.
- syslog_cert
Client certificate for rsyslog; when both client certificate and client key are provided, mutual TLS is enabled.
- syslog_key
Client key (without passphrase) for rsyslog; when both client certificate and client key are provided, mutual TLS is enabled.
Example configuration for IBM Cloud Private Cloud Foundry
The configuration values must be specified as children of a uiconfig key as in the following example.
uiconfig:
  configuration_name: mutual_tls
  syslog_address: log1.logstash.example.com
  syslog_port: 5000
  syslog_transport: tcp          # must be tcp when syslog_tls_enabled is true
  syslog_fallback_servers:
  - address: log2.logstash.example.com
    port: 5001
    transport: tcp
  - address: log3.logstash.example.com
    port: 5001
    transport: tcp
  syslog_tls_enabled: true
  # Quoted because a bare leading * starts a YAML alias and fails to parse.
  syslog_permitted_peer: "*.logstash.example.com"
  syslog_ca_cert: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  # Client certificate and key together enable mutual TLS.
  syslog_cert: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  syslog_key: |
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
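
The constraints listed under the configuration values (TLS only over tcp, fallback servers only with tcp or relp, mutual TLS only when both client certificate and key are present) can be checked before the extension is run. The following Python check is an added example, not code from the product or from IBM's documentation; the name lint_uiconfig and both sample mappings are constructed here, it takes the already-parsed configuration as a dict, and its last two checks are hygiene assumptions rather than documented rules.

```python
# Added example, not IBM code: lint a parsed uiconfig mapping before applying it.
TRANSPORTS = {"tcp", "udp", "relp"}
CONFIG_NAMES = {"insecure", "server_tls", "mutual_tls"}

def lint_uiconfig(doc):
    """Return a list of findings; an empty list means no rule was violated."""
    cfg = doc.get("uiconfig")
    if not isinstance(cfg, dict):
        return ["values must be children of a uiconfig key"]
    out = [f"{k} is required" for k in ("syslog_address", "syslog_port") if not cfg.get(k)]
    transport = cfg.get("syslog_transport", "tcp")  # documented default
    if transport not in TRANSPORTS:
        out.append(f"syslog_transport {transport!r} is not tcp, udp or relp")
    name = cfg.get("configuration_name")
    if name is not None and name not in CONFIG_NAMES:
        out.append(f"configuration_name {name!r} is not valid")
    tls = bool(cfg.get("syslog_tls_enabled", False))  # documented default
    if tls and transport != "tcp":
        out.append("syslog_tls_enabled requires syslog_transport tcp")
    for i, fb in enumerate(cfg.get("syslog_fallback_servers") or []):
        missing = {"address", "port", "transport"} - set(fb)
        if missing:
            out.append(f"fallback {i} lacks {sorted(missing)}")
        if {transport, fb.get("transport")} - {"tcp", "relp"}:
            out.append(f"fallback {i}: primary and fallback must both be tcp or relp")
    has_cert, has_key = bool(cfg.get("syslog_cert")), bool(cfg.get("syslog_key"))
    if has_cert != has_key:
        out.append("mutual TLS needs both syslog_cert and syslog_key")
    # Hygiene checks assumed for this example; the page does not state them as rules.
    if name == "mutual_tls" and not (tls and has_cert and has_key):
        out.append("configuration_name is mutual_tls but TLS, cert or key is missing")
    if tls and not cfg.get("syslog_permitted_peer"):
        out.append("TLS is on but syslog_permitted_peer is unset")
    return out

# Constructed sample inputs (PEM bodies replaced by placeholders).
GOOD = {"uiconfig": {
    "configuration_name": "mutual_tls", "syslog_address": "log1.logstash.example.com",
    "syslog_port": 5000, "syslog_tls_enabled": True,
    "syslog_permitted_peer": "*.logstash.example.com",
    "syslog_cert": "<client cert PEM>", "syslog_key": "<client key PEM>",
    "syslog_fallback_servers": [
        {"address": "log2.logstash.example.com", "port": 5001, "transport": "tcp"}]}}
BAD = {"uiconfig": {
    "syslog_address": "log1.logstash.example.com", "syslog_port": 5000,
    "syslog_transport": "udp", "syslog_tls_enabled": True, "syslog_cert": "<client cert PEM>",
    "syslog_fallback_servers": [
        {"address": "log2.logstash.example.com", "port": 5001, "transport": "tcp"}]}}
if __name__ == "__main__": print(*lint_uiconfig(BAD), sep="\n")
```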