Defining logcfg entries
When we define the logcfg entry in a configuration file, use the following general format (on a single line) to specify audit event logging:
logcfg = category:{stdout|stderr|file|remote}[[parameter[=value]], [parameter[=value]]], ..., [parameter[=value]]]
To enable the recording of audit events, associate an event category with a log agent (file or remote) or associate an event category with a console destination (stdout or stderr). When we define the parameters for any logcfg entry, be aware of the following conditions:
- Parameters can be specified in any sequence
- Parameter names are not case-sensitive
- Parameter names can be shortened to any unambiguous name
- Parameters differ by log agent
- Parameters are optional
Events for a category are inclusive of all subcomponents in the hierarchy. That is, a foo.bar.fred event is captured when the foo.bar category is defined.
We can attach multiple log agents to the same category. For example, the following configuration:
- Captures authorization audit events (category audit.azn) and uses a file agent to copy these events to the audit.azn file.
- Uses a pipe agent to relay these same events to the analyse.exe program.
[ivacld]
logcfg = audit.azn:file path=audit.azn
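The rules above (case-insensitive, shortenable parameter names and hierarchical categories) can be checked mechanically when reviewing a configuration for audit coverage gaps. The following Python sketch is an added example, not code from the product or its documentation. The per-agent parameter names other than path, the second sample entry and the event names are assumptions made for illustration.

```python
import re

# Assumed parameter names per agent, for illustration; only "path" is on this page.
AGENT_PARAMS = {
    "stdout": [], "stderr": [],
    "file": ["path", "flush_interval", "rollover_size", "queue_size", "hi_water"],
    "remote": ["path", "server", "port", "flush_interval", "queue_size"],
}

def resolve_param(name, candidates):
    """Expand a case-insensitive, possibly shortened parameter name."""
    name = name.lower()
    if name in candidates:
        return name
    hits = [c for c in candidates if c.startswith(name)]
    if len(hits) != 1:  # zero hits: unknown name; several hits: ambiguous prefix
        raise ValueError(f"unknown or ambiguous parameter: {name!r}")
    return hits[0]

def parse_logcfg(line):
    """Parse one logcfg entry into (category, agent, {parameter: value})."""
    m = re.fullmatch(r"\s*logcfg\s*=\s*([\w.]+):(\w+)\s*(.*)", line)
    if not m:
        raise ValueError(f"not a logcfg entry: {line!r}")
    category, agent, rest = m.group(1), m.group(2).lower(), m.group(3)
    if agent not in AGENT_PARAMS:
        raise ValueError(f"unsupported log agent: {agent!r}")
    params = {}
    for item in filter(None, (p.strip() for p in rest.split(","))):
        key, _, value = item.partition("=")
        params[resolve_param(key.strip(), AGENT_PARAMS[agent])] = value.strip()
    return category, agent, params

def uncovered(events, entries):
    """Return the event categories that no logcfg entry would capture."""
    def covered(ev):
        # An entry captures its own category and every subcomponent below it.
        return any(ev == cat or ev.startswith(cat + ".") for cat, _, _ in entries)
    return [ev for ev in events if not covered(ev)]

# Constructed sample: the first entry is the page's example, the second is made up.
SAMPLE = [
    "logcfg = audit.azn:file path=audit.azn",
    "logcfg = audit.authn:FILE Path=authn.log, ROLL=2000000, flush=20",
]
ENTRIES = [parse_logcfg(line) for line in SAMPLE]

if __name__ == "__main__":
    print(ENTRIES)
    print(uncovered(["audit.azn.check", "audit.aznx", "audit.mgmt"], ENTRIES))
```

The uncovered() result is the part worth reviewing: a category such as audit.aznx is not a subcomponent of audit.azn, so its events are not recorded by either entry.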
- Parameters for the logcfg entry
The available parameters for the logcfg stanza entry differ by log agent.
- Configure the event pool
- Sending events to the console
- Configure file log agents
- Configure remote log agents
- Configure remote syslog agents
Use the logcfg entry to configure the remote syslog agent to send events to a remote syslog server for recording.