Parameters for remote syslog agents
You can define the following parameters for remote syslog agents:
- error_retry
-
If a message sent to a remote syslog service fails, the system tries again. Before trying again, the system waits for the error_retry timeout in seconds. If the next attempt fails, the agent saves the current event and future events in the local cache file until the remote service is available again.
The default value is 2 seconds.
- flush_interval
-
Events can sit in memory for a long time if there is only a small amount of logging activity.
The flush_interval parameter limits the time a process waits to fill a consolidation buffer.
The default value is 20 seconds. You cannot use a flush interval of 0 seconds. If you specify a value of 0, the agent flushes the buffer every 600 seconds.
- hi_water
-
Processing of the event queue is scheduled regularly at the configured flush interval. It is also triggered asynchronously when the queue size reaches a high water mark on the event queue.
Use the hi_water parameter to define this high water mark. The default value is two-thirds of the maximum configured queue size. If the maximum queue size is zero, the high water mark is set to a default of 100.
The transaction rates and the values of these options determine the maximum amount of memory that the agent uses for logging events to file.
If the event queue high water mark is set to 1, WebSEAL relays every queued event to the log agent as soon as possible. This setting is not optimal. A setting of 1 ensures that events get to disk as fast as possible, but this configuration adversely impacts overall performance.
- log_id
-
The log_id parameter defines the name of the application that the syslog agent includes in the messages sent to the remote syslog server. This field is mandatory.
- max_event_len
-
The max_event_len parameter specifies the maximum length of an event that the syslog agent transmits to the remote syslog server.
If the event text is longer than the configured length, the agent truncates the message to the maximum event length. If the maximum event length is zero, the agent does not truncate the event text.
If you are using clear text communication to transmit the event, set the max_event_len parameter to a value less than the maximum transmission unit (MTU). That is, use a value less than the MTU for the network path to the server to avoid fragmentation of the event.
- port
-
Configure the port parameter to specify the port that the remote syslog server listens on for remote logging requests.
The default port value is 514 for clear text communication and 6514 for SSL communication.
- queue_size
There is a delay between placing events on the queue and their removal by the file log agent. The queue_size parameter specifies the maximum size of the queue. Consider that a new event is ready to be placed on the queue. If the queue reaches the maximum size, the requesting thread is blocked until space is available in the queue.
This process causes the performance of the event propagation thread to slow down to the speed of the file logging thread.
You must use the queue_size parameter to limit the central event propagation queue size. If not, memory usage by the log agent can grow without bounds.
[aznapi-configuration]
logcfg = audit.azn:rsyslog ... queue_size=number_events, ...
The default value is 0. Specifying a value of 0 indicates that there is no limit to the growth of the unprocessed event queue. In this case, the speed of the logging thread does not constrain the event propagation thread. The unrecorded event queue can grow to an unmanageable size if:
  - You are using the default value.
  - Events are being generated faster than they can be recorded to file.
- rebind_retry
- If the remote syslog server is unavailable, the log agent attempts to rebind to this server at this frequency in number of seconds.
rebind_retry=number_seconds
The default rebind_retry timeout value is 300 seconds.
- server
- The remote logging services are offered by the remote syslog server. The server parameter nominates the host to which the agent is bound for event recording.
server=hostname
- ssl_keyfile
-
The name of the GSKit key database file that contains the CA certificate. The logging agent uses the CA certificate to establish a secure connection with the remote syslog server over SSL.
The path of this file is relative to the config file. You do not need to manually specify a path.
If you do not configure this value, the logging agent uses clear text that is not encrypted to communicate with the remote syslog server.
- ssl_label
-
The name of the certificate that the logging agent presents to the remote syslog server to establish a secure connection.
If you do not configure this field, the agent uses the default certificate from the key database.
- ssl_stashfile
-
The name of the GSKit stash file that contains the password for the ssl_keyfile database. This field is mandatory if you specify a value for the ssl_keyfile field.
The path of this file is relative to the config file. You do not need to manually specify a path.
- ssl_protocols
-
A colon-separated list of SSL protocols to be enabled. Valid protocols include: sslv3, tlsv10, tlsv11, and tlsv12.
Note: This entry will be ignored if the NSA Suite B SSL compliance support has been enabled.
- severity
- An integer in the range 0 to 7 inclusive as defined in RFC 5424, The Syslog Protocol.
- facility
- An integer in the range 0 to 23 inclusive as defined in RFC 5424, The Syslog Protocol.
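The parameter rules above can be checked before a configuration is deployed. The following linter is an added example, not part of the product or its documentation. It assumes the logcfg value has the layout "category:rsyslog key=value,key=value,..."; the host name, file names and sizes in the samples are constructed placeholders, and treating sslv3, tlsv10 and tlsv11 as weak is this example's policy rather than a rule stated on this page.

```python
# Added example: lint one rsyslog logcfg value against the rules on this page.
# Assumed layout: "<category>:rsyslog key=value,key=value,..." (values without commas).
WEAK_PROTOCOLS = {"sslv3", "tlsv10", "tlsv11"}  # deprecated protocol versions

def parse_logcfg(value):
    """Split a logcfg value into (category, agent, params dict)."""
    head, _, rest = value.strip().partition(" ")
    category, _, agent = head.partition(":")
    params = {}
    for item in filter(None, (p.strip() for p in rest.split(","))):
        key, _, val = item.partition("=")
        params[key.strip()] = val.strip()
    return category, agent, params

def lint_rsyslog(value, path_mtu=1500):
    """Return a list of findings; path_mtu is the caller's estimate of the path MTU."""
    _, agent, p = parse_logcfg(value)
    if agent != "rsyslog":
        return ["not an rsyslog agent"]
    findings = []
    if not p.get("log_id"):
        findings.append("log_id is mandatory")
    if not p.get("ssl_keyfile"):
        findings.append("no ssl_keyfile: events are sent in clear text")
        max_len = p.get("max_event_len")
        if max_len is not None and not 0 < int(max_len) < path_mtu:
            findings.append("clear text: set max_event_len below the path MTU")
    elif not p.get("ssl_stashfile"):
        findings.append("ssl_stashfile is mandatory when ssl_keyfile is set")
    weak = WEAK_PROTOCOLS & set(p.get("ssl_protocols", "").lower().split(":"))
    if weak:
        findings.append("weak protocols enabled: " + ",".join(sorted(weak)))
    if int(p.get("queue_size", "0")) == 0:
        findings.append("queue_size=0: event queue can grow without bounds")
    if p.get("hi_water") == "1":
        findings.append("hi_water=1 adversely impacts overall performance")
    if p.get("flush_interval") == "0":
        findings.append("flush_interval=0 is treated as 600 seconds")
    for key, hi in (("severity", 7), ("facility", 23)):
        v = p.get(key)
        if v is not None and not (v.isdigit() and int(v) <= hi):
            findings.append(f"{key} must be in the range 0 to {hi}")
    return findings

# Constructed sample values (placeholders, not taken from a real deployment).
WEAK = "audit.azn:rsyslog server=logs.example.com,port=514,queue_size=0,ssl_protocols=sslv3:tlsv12"
HARDENED = ("audit.azn:rsyslog server=logs.example.com,port=6514,log_id=webseal-default,queue_size=1000,"
            "ssl_keyfile=rsyslog.kdb,ssl_stashfile=rsyslog.sth,ssl_protocols=tlsv12,severity=5,facility=13")
```

Calling lint_rsyslog(WEAK) reports the missing log_id, the clear text transport, the sslv3 entry and the unbounded queue; lint_rsyslog(HARDENED) returns an empty list.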