Parameters for remote syslog agents
We can define the following parameters for remote syslog agents:
- error_retry
If a message sent to a remote syslog service fails, the system tries again. Before trying again, the system waits for the error_retry timeout in seconds. If the next attempt fails, the agent saves the current event and future events in the local cache file until the remote service is available again.
Default is 2 seconds.
- flush_interval
Events can sit in memory for a long time if there is only a small amount of logging activity.
The flush_interval parameter limits the time a process waits to fill a consolidation buffer.
The default value is 20 seconds. We cannot use a flush interval of 0 seconds. If we specify a value of 0, the agent flushes the buffer every 600 seconds.
- hi_water
Processing of the event queue is scheduled regularly at the configured flush interval. It is also triggered asynchronously when the queue size reaches a high water mark on the event queue.
Use the hi_water parameter to define this high water mark. Default is two-thirds of the maximum configured queue size. If the maximum queue size is zero, the high water mark is set to a default of 100.
The transaction rates and the values of these options determine the maximum amount of memory the agent uses for logging events to file.
If the event queue high water mark is set to 1, WebSEAL relays every queued event to the log agent as soon as possible. This setting is not optimal. A setting of 1 ensures that events get to disk as fast as possible, but this configuration adversely impacts overall performance.
- log_id
The log_id parameter defines the name of the application the syslog agent includes in the messages sent to the remote syslog server. This field is mandatory.
- max_event_len
The max_event_len parameter specifies the maximum length of an event the syslog agent transmits to the remote syslog server.
If the event text is longer than the configured length, the agent truncates the message to the maximum event length. If the maximum event length is zero, the agent does not truncate the event text.
If we are using clear text communication to transmit the event, set the max_event_len parameter to a value less than the maximum transmission unit (MTU). That is, use a value less than the MTU for the network path to the server to avoid fragmentation of the event.
- port
Configure the port parameter to specify the port the remote syslog server listens on for remote logging requests.
The default port value is 514 for clear text communication and 6514 for SSL communication.
- queue_size
There is a delay between placing events on the queue and their removal by the file log agent. The queue_size parameter specifies the maximum size of the queue. If the queue has reached its maximum size when a new event is ready to be placed on it, the requesting thread is blocked until space is available in the queue.
This process causes the performance of the event propagation thread to slow down to the speed of the file logging thread.
You must use the queue_size parameter to limit the central event propagation queue size. If not, memory usage by the log agent can grow without bounds.
[aznapi-configuration]
logcfg = audit.azn:rsyslog ... queue_size=number_events, ...
Default is 0. Specifying a value of 0 indicates there is no limit to the growth of the unprocessed event queue. In this case, the speed of the logging thread does not constrain the event propagation thread. The unrecorded event queue can grow to an unmanageable size if:
- You are using the default value.
- Events are being generated faster than they can be recorded to file.
- rebind_retry
If the remote syslog server is unavailable, the log agent attempts to rebind to this server at this frequency in number of seconds.
rebind_retry=number_seconds
The default rebind_retry timeout value is 300 seconds.
- server
The remote logging services are offered by the remote syslog server. The server parameter nominates the host to which the agent is bound for event recording.
server=hostname
- ssl_keyfile
The name of the GSKit key database file containing the CA certificate. The logging agent uses the CA certificate to establish a secure connection with the remote syslog server over SSL.
The path of this file is relative to the config file. We do not need to manually specify a path.
If we do not configure this value, the logging agent uses clear text that is not encrypted to communicate with the remote syslog server.
- ssl_label
The name of the certificate the logging agent presents to the remote syslog server to establish a secure connection.
If we do not configure this field, the agent uses the default certificate from the key database.
- ssl_stashfile
The name of the GSKit stash file containing the password for the ssl-keyfile database. This field is mandatory if we specify a value for the ssl-keyfile field.
The path of this file is relative to the config file. We do not need to manually specify a path.
- ssl_protocols
A colon separated list of SSL protocols to be enabled. Valid protocols include: sslv3, tlsv10, tlsv11, and tlsv12. This entry will be ignored if the NSA suite-b SSL compliance support has been enabled.
- severity
An integer in the range 0 to 7 inclusive as defined in RFC 5424, The Syslog Protocol.
- facility
An integer in the range 0 to 23 inclusive as defined in RFC 5424, The Syslog Protocol.
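As an added example (not IBM's code), the following Python lint applies the rules above to a logcfg entry and reports the security-relevant ones: clear-text transport, a missing stash file, legacy protocols, and an unbounded queue. The comma-separated key=value layout after rsyslog, the 1500-byte path MTU, the treatment of sslv3, tlsv10 and tlsv11 as legacy, and the sample host and file names are assumptions.

```python
VALID_PROTOCOLS = {"sslv3", "tlsv10", "tlsv11", "tlsv12"}  # list from the page
LEGACY_PROTOCOLS = {"sslv3", "tlsv10", "tlsv11"}           # reviewer policy (assumption)

def parse_logcfg(line):
    """Parse 'logcfg = category:rsyslog k=v,k=v' (assumed layout) into a dict."""
    value = line.partition("=")[2].strip()
    target, _, rest = value.partition(" ")
    if target.partition(":")[2] != "rsyslog":
        raise ValueError("not a remote syslog agent entry")
    pairs = (item.partition("=") for item in rest.split(",") if item.strip())
    return {key.strip(): val.strip() for key, _, val in pairs}

def lint(params, path_mtu=1500):
    """Return (code, message) findings; path_mtu is an assumed value."""
    def num(key):
        return int(params.get(key, 0))  # an absent parameter is read as 0 here
    out = []
    if not params.get("log_id"):
        out.append(("log_id", "log_id is mandatory"))
    if "ssl_keyfile" not in params:
        out.append(("cleartext", "no ssl_keyfile: events are sent unencrypted"))
        if not 0 < num("max_event_len") < path_mtu:
            out.append(("mtu", "clear text: set max_event_len below the path MTU"))
    else:
        if "ssl_stashfile" not in params:
            out.append(("stash", "ssl_stashfile is mandatory with ssl_keyfile"))
        protos = set(filter(None, params.get("ssl_protocols", "").split(":")))
        if protos - VALID_PROTOCOLS:
            out.append(("proto_invalid", "unknown ssl_protocols value"))
        if protos & LEGACY_PROTOCOLS:
            out.append(("proto_legacy", "legacy protocol enabled; keep tlsv12 only"))
    if num("queue_size") == 0:
        out.append(("queue", "queue_size=0: unprocessed event queue is unbounded"))
    if num("hi_water") == 1:
        out.append(("hi_water", "hi_water=1 relays every event, hurting performance"))
    if params.get("flush_interval") == "0":
        out.append(("flush", "flush_interval=0 is treated as 600 seconds"))
    for key, top in (("severity", 7), ("facility", 23)):
        if not 0 <= num(key) <= top:
            out.append((key, f"{key} must be 0 to {top} (RFC 5424)"))
    return out

# Constructed sample entries; host and file names are placeholders.
WEAK = "logcfg = audit.azn:rsyslog server=syslog.example.com,port=514,flush_interval=0"
HARDENED = ("logcfg = audit.azn:rsyslog server=syslog.example.com,port=6514,"
            "log_id=webseal01,ssl_keyfile=rsyslog.kdb,ssl_stashfile=rsyslog.sth,"
            "ssl_protocols=tlsv12,queue_size=2000,hi_water=1000,max_event_len=1024")

if __name__ == "__main__":
    print(*(f"{c}: {m}" for c, m in lint(parse_logcfg(WEAK))), sep="\n")
```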