Sending events to a remote syslog server

Edit online

You can configure Verify Identity Access to send event records to a remote syslog server.

Before you begin

Before you begin this task, review the information in Configuring remote syslog agents.

Procedure

  1. Edit the appropriate server configuration file. Each server provides its own stanza entry values in its configuration file.
  2. Locate the stanza that contains the logcfg entries.
  3. Specify that the category is to send event records to a remote server by using the format category:rsyslog.

    For example, a category that audits authorization events (audit):

    logcfg=audit:rsyslog
  4. Specify the frequency for flushing log file buffers: 
    flush_interval={0|number_seconds}

    The flush_interval parameter limits the time a process waits to fill a consolidation buffer.

    By default, the flush interval value is 20 seconds. You cannot use a flush interval of 0 seconds. If you specify a value of 0, the agent flushes the buffer every 600 seconds.

  5. Specify the maximum number of events to queue: 
    queue_size={0|number_events}
    By default, the queue size is 0. A zero queue size means that the agent does not limit the growth of the unprocessed event queue. The requesting thread is blocked until space is available in the queue if:
    • The maximum value for number_events is specified.
    • The maximum value for number_events is reached.
    • A new event is ready to be placed on the queue.
  6. Specify the event queue high water mark: 
    hi_water={0|1|number}

    By default, the event queue high water mark value is a number that represents two-thirds of the maximum configured queue size.

    If the maximum queue size is 0, the high water mark is set to a default of 100. The transaction rates and the values of these options determine the maximum amount of memory that the agent uses for logging events to file.

    If the event queue high water mark is set to 1, WebSEAL relays every queued event to the log agent as soon as possible. This setting is not optimal.

  7. Specify the time to wait whenever a send to a remote service fails and an error occurs: 
    error_retry=seconds

    By default, the error_retry timeout is 2 seconds.

  8. Specify the cache file location: 
    path=fully_qualified_path

    The default cache file name is ./log_id.cache. For example: rsyslog.cache

    Note: The directory portion of this path must exist. If the log file does not exist, the agent creates the file.
  9. Specify the time between attempts to rebind (sign on): 
    rebind_retry=number_seconds

    By default, the rebind_retry timeout value is 300 seconds.

  10. Specify the host name of the remote syslog server: 
    server=hostname
  11. Specify the remote server port number: 
    port=rsyslog_port

    The default port number is 514 for clear text communication and 6514 for SSL communication.

  12. Specify the application name that the syslog agent includes in the messages sent to the remote server: 
    log_id=name
  13. Specify the maximum length of an event that the agent transmits to the remote syslog server. If the event text is longer than this configured value, the agent truncates the message to the maximum event length. If the maximum event length is 0, the agent does not truncate the event text. 
    max_event_len=length
    Note: If you are using clear text communication to transmit the event, set the max_event_len parameter to a value less than the maximum transmission unit (MTU). Use a value less than the MTU for the network path to the server to avoid fragmentation of the event.
  14. Optional: If you require SSL communication with the remote server, you must specify the SSL keyfile: 
    ssl_keyfile=key_file
  15. Optional: If you are using SSL communication, you can use ssl_label to specify the certificate name:
    Note: If you do not configure a value for this field, the agent uses the default certificate from the key database.
    ssl_label=my_label
  16. Optional: If you require SSL communication with the remote server, you must specify the SSL stash file: 
    ssl_stashfile=stash_file

Example

This example sends event records to the remote timelord server: 
[aznapi-configuration]
logcfg = audit:rsyslog error_retry=2,path=rsyslog.cache,
rebind_retry=600,server=timelord,port=514,log_id=webseal-instance