Forwarding logs to a remote server

Learn how to configure sending system log events from Integrated Analytics System to a remote log server with the apsyslog utility.

apsyslog changes the rsyslog configuration file on the rsyslog server and on all the connected nodes. As a result, all configured messages are passed to rsyslogd, which then redirects the required messages to the remote log servers.
Note: Ports that do not use SSL/TLS connections will not support encrypted communication.

Before you begin

  • The feature can only be configured on the nodes which have the external IP configured.
  • You must enable the remote logging server to accept the forwarding messages from nodes.
  • You must enable the nodes before configuring any forwarding rule.
  • For audit log redirection, the utility configures the file /etc/audisp/plugins.d/syslog.conf and defines the audit forwarding rule in rsyslog.conf.
    The valid audit log facility options are LOG_LOCAL0 through LOG_LOCAL7. In file /etc/audisp/plugins.d/syslog.conf:
    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL7       # default value as set by the apsyslog scripts
    format = string
    Corresponding entry in rsyslog.conf (@@ forwards over TCP to the configured server and port):
    Local7.* @@<ServerIP:Port>

About this task

Command syntax:
apsyslog <operation> --server <RemoteServerIP:Port> --nodes <all | node0101,node0102> --mode <append|overwrite>
The following operations are available:
apsyslog enable --server <RemoteServerIP:Port> --nodes <all | node0101,node0102>
Enables the feature on the selected nodes.
apsyslog show --nodes <all | node0101,node0102>
Shows the list of configured forwarding rules for the selected nodes.
apsyslog unset --fwdRule <facility.priority> --nodes <all | node0101,node0102>
Deletes the specified existing forwarding rule on the selected nodes.
apsyslog set --diskSpace <2g> --nodes <all | node0101,node0102>
Sets the disk space limit for the forwarding queue on the selected nodes.
apsyslog set --retryCount <5> --nodes <all | node0101,node0102>
Sets the number of retries if the remote logging server is unreachable.
apsyslog disable --nodes <all | node0101,node0102>
Restores the original rsyslog.conf and audisp syslog.conf files on the enabled nodes.
Optional arguments:
-h, --help
Shows this help message and exits.
--server <RemoteServerIP:Port>
IP address and port of the remote logging server.
--fwdRule <facility.priority>
Facility and priority of the log messages to forward.
--nodes <all | node0101,node0102>
List of nodes to be configured. Use a comma (,) to separate the nodes.
--diskSpace <1g>
Disk space limit for the queue. The default is 1g.
--retryCount <n>
Number of retries if the remote logging server is unreachable. The default is 1.
--mode <append|overwrite>
Specifies whether the newly configured rule is appended to or overwrites the existing configuration. The default is append. In append mode, the utility adds the new rule alongside the existing forwarding rules. In overwrite mode, the utility replaces the existing forwarding rule with the new rule.
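The following is an added example, not part of the product documentation or of the apsyslog utility itself. It models, in Python, the two pieces of configuration described above: the audisp syslog.conf plugin settings that decide which facility audit events reach rsyslog on, and the legacy rsyslog forwarding selectors (facility.priority followed by @ for UDP or @@ for TCP) that apsyslog adds, overwrites and removes. The append/overwrite behaviour mirrors the --mode description, and the duplicate and missing-rule checks mirror the rules stated in the procedure. Both configuration fragments are constructed samples; the function names and the ForwardRule type are this example's own, not apsyslog's.

```python
"""Model of the rsyslog forwarding rules and audisp plugin settings that
apsyslog manages. All sample configuration text here is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /etc/audisp/plugins.d/syslog.conf (matches the page's defaults).
AUDISP_SYSLOG_CONF = """\
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL7
format = string
"""

# Constructed rsyslog.conf fragment: one TCP (@@) and one UDP (@) forwarding rule.
RSYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
local7.* @@192.0.2.10:514
authpriv.* @192.0.2.10:514
"""

# Legacy selector line: facility.priority, then @ (UDP) or @@ (TCP), then host[:port].
FWD_RE = re.compile(
    r"^\s*(?P<facility>[a-z0-9]+)\.(?P<priority>[a-z*]+)\s+(?P<proto>@@?)(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ForwardRule:
    facility: str
    priority: str
    tcp: bool
    host: str
    port: int

    @property
    def selector(self) -> str:
        return f"{self.facility}.{self.priority}"

    def render(self) -> str:
        """Render back to the legacy rsyslog.conf line form."""
        return f"{self.selector} {'@@' if self.tcp else '@'}{self.host}:{self.port}"


def parse_forward_rules(conf: str) -> List[ForwardRule]:
    """Extract forwarding selectors; file outputs, comments and directives are skipped."""
    rules = []
    for line in conf.splitlines():
        m = FWD_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("target").rpartition(":")
        if not host:  # no explicit port: rsyslog defaults to 514
            host, port = m.group("target"), "514"
        rules.append(ForwardRule(m.group("facility").lower(), m.group("priority").lower(),
                                 m.group("proto") == "@@", host, int(port)))
    return rules


def audit_facility(audisp_conf: str) -> Optional[str]:
    """Return the facility ('local0'..'local7') the audisp syslog plugin logs to,
    or None when the plugin is inactive or the args value is not LOG_LOCAL0..7."""
    kv = {}
    for line in audisp_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()
    if kv.get("active") != "yes":
        return None
    m = re.fullmatch(r"LOG_(LOCAL[0-7])", kv.get("args", ""))
    return m.group(1).lower() if m else None


def audit_forwarding_present(rules: List[ForwardRule], facility: str) -> bool:
    """True when all messages of the audit facility are forwarded (a facility.* rule exists)."""
    return any(r.facility == facility and r.priority == "*" for r in rules)


def apply_rule(rules: List[ForwardRule], new: ForwardRule, mode: str = "append") -> List[ForwardRule]:
    """Mimic --mode: append refuses a selector that is already configured,
    overwrite replaces the rule with that selector (or adds it if absent)."""
    exists = any(r.selector == new.selector for r in rules)
    if mode == "append":
        if exists:
            raise ValueError(f"{new.selector} already configured; use --mode overwrite")
        return rules + [new]
    if mode == "overwrite":
        return [new if r.selector == new.selector else r for r in rules] if exists else rules + [new]
    raise ValueError(f"unknown mode {mode!r}")


def unset_rule(rules: List[ForwardRule], selector: str) -> List[ForwardRule]:
    """Remove a rule that must already exist, as the unset operation requires."""
    if not any(r.selector == selector for r in rules):
        raise ValueError(f"{selector} is not configured; check with 'show' first")
    return [r for r in rules if r.selector != selector]


def uses_tls(conf: str) -> bool:
    """Check for the legacy rsyslog TLS directives; without them @@ forwards in clear text."""
    return ("$DefaultNetstreamDriver gtls" in conf
            and re.search(r"^\s*\$ActionSendStreamDriverMode\s+1\b", conf, re.M) is not None)
```

Running `uses_tls` over a node's rsyslog.conf is a quick way to confirm the caveat in the note above: a rule that forwards to a plain TCP or UDP port carries log and audit data unencrypted unless the TLS stream driver directives are also present.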

Procedure

  • To configure the feature, enable the nodes to forward messages to the remote logging server by running the following command from any of the nodes:
    apsyslog enable --server <RemoteServerIP:Port> --nodes <all | node0101,node0102>

    After enabling, you can perform the other operations (set | unset | show | disable) on the enabled nodes.

    Note:

    As part of the enabling operation, the utility configures a forwarding rule for the audit log facility on all listed nodes by default.

  • On the enabled nodes, display the list of configured forwarding rules:
    apsyslog show --nodes <all | node0101,node0102>
  • To set a new rule on the enabled nodes, run the following command. The forwarding rule must not already exist on the specified nodes.
    apsyslog set --fwdRule <facility.priority> --nodes <all | node0101,node0102> --mode <append|overwrite>
    For example, for the audit log facility you only need to use local7 as the forwarding rule. Sample command for setting the audit forwarding rule:
    apsyslog set --fwdRule local7 --nodes <all | node0101,node0102>
  • To unset a forwarding rule, run the following command. The forwarding rule must already exist on the specified nodes. To check the configured forwarding rules, use the show operation.
    apsyslog unset --fwdRule <facility.priority> --nodes <all | node0101,node0102>
  • To restore the nodes to the default logging settings (restore the original rsyslog.conf and audisp syslog.conf files), use the following command.
    apsyslog disable --nodes <all | node0101,node0102>
    After the disable operation, if you want to configure any forwarding rule on the selected nodes, you must enable them again.