Sending events to a remote syslog server

You can configure IBM Security Verify Access to send event records to a remote syslog server.

Before you begin this task, review the information in Configure remote syslog agents.

Steps

  1. Edit the appropriate server configuration file. Each server provides its own stanza entry values in its configuration file.
  2. Locate the stanza containing the logcfg entries.

  3. Specify that the category is to send event records to a remote server, using the format category:rsyslog.

    For example, a category that audits authorization events (audit):

  4. Specify the frequency for flushing log file buffers:

      flush_interval={0|number_seconds}

    The flush_interval parameter limits the time a process waits to fill a consolidation buffer.

    By default, the flush interval value is 20 seconds. A flush interval of 0 seconds is not supported: if we specify a value of 0, the agent flushes the buffer every 600 seconds.

  5. Specify the maximum number of events to queue:

      queue_size={0|number_events}

    By default, the queue size is 0. A zero queue size means the agent does not limit the growth of the unprocessed event queue. The requesting thread is blocked until space is available in the queue when all of the following apply:

    • The maximum value for number_events is specified.
    • The maximum value for number_events is reached.
    • A new event is ready to be placed on the queue.

  6. Specify the event queue high water mark:
    hi_water={0|1|number}

    By default, the event queue high water mark value is a number representing two-thirds of the maximum configured queue size.

    If the maximum queue size is 0, the high water mark is set to a default of 100. The transaction rates and the values of these options determine the maximum amount of memory the agent uses for logging events to file.

    If the event queue high water mark is set to 1, WebSEAL relays every queued event to the log agent as soon as possible. This setting is not optimal.

  7. Specify the time to wait after a send to the remote service fails with an error:

      error_retry=seconds

    By default, the error_retry timeout is 2 seconds.

  8. Specify the cache file location:

      path=fully_qualified_path

    The default cache file name is ./log_id.cache, for example rsyslog.cache. The directory portion of this path must exist. If the cache file does not exist, the agent creates it.

  9. Specify the time between attempts to rebind (sign on):
    rebind_retry=number_seconds

    By default, the rebind_retry timeout value is 300 seconds.

  10. Specify the host name of the remote syslog server:

      server=hostname

  11. Specify the remote server port number:

      port=rsyslog_port

    The default port number is 514 for clear text communication and 6514 for SSL communication.

  12. Specify the application name that the syslog agent includes in the messages sent to the remote server:

      log_id=name

  13. Specify the maximum length of an event the agent transmits to the remote syslog server. If the event text is longer than this configured value, the agent truncates the message to the maximum event length. If the maximum event length is 0, the agent does not truncate the event text.

      max_event_len=length

    If we are using clear text communication to transmit the event, set the max_event_len parameter to a value less than the maximum transmission unit (MTU) of the network path to the server, so that the event is not fragmented.

  14. Optional: If we require SSL communication with the remote server, specify the SSL keyfile:

      ssl_keyfile=key_file

  15. Optional: If we are using SSL communication, we can use ssl_label to specify the certificate name. If we do not configure a value for this field, the agent uses the default certificate from the key database.

      ssl_label=my_label

  16. Optional: If we require SSL communication with the remote server, specify the SSL stash file:

      ssl_stashfile=stash_file
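A complete logcfg entry that applies the steps above, as an added example rather than the page's own example. The stanza name [aznapi-configuration], the audit.azn category, the host name syslog.example.com, the log_id, the cache file path, the key database and stash file paths, and the certificate label are all assumptions; substitute our own values. The first entry uses SSL on the default SSL port; the second, commented-out entry shows the clear text alternative with max_event_len kept below a typical 1500-byte MTU.

```ini
# Added example (not from the IBM page). Stanza name, category, host name,
# paths and label are assumptions; replace them with our own values.
[aznapi-configuration]

# SSL to the remote syslog server (port 6514 is the default for SSL).
# queue_size limits the unprocessed event queue to 2000 events; hi_water is
# left at its default (two-thirds of queue_size), so it is not set here.
# max_event_len=0 disables truncation, which is acceptable over SSL because
# fragmentation is only a concern for clear text transmission.
logcfg = audit.azn:rsyslog server=syslog.example.com,port=6514,log_id=webseald,flush_interval=20,queue_size=2000,error_retry=2,rebind_retry=300,path=/var/pdweb/log/rsyslog.cache,max_event_len=0,ssl_keyfile=/var/pdweb/keytab-default/default-webseald.kdb,ssl_stashfile=/var/pdweb/keytab-default/default-webseald.sth,ssl_label=webseald-cert

# Clear text alternative (port 514 is the default for clear text). With no
# SSL, max_event_len is set below the path MTU (1400 bytes for a 1500-byte
# MTU, leaving room for IP/UDP and syslog headers) so events are not
# fragmented; longer events are truncated to this length.
#logcfg = audit.azn:rsyslog server=syslog.example.com,port=514,log_id=webseald,flush_interval=20,queue_size=2000,error_retry=2,rebind_retry=300,path=/var/pdweb/log/rsyslog.cache,max_event_len=1400
```

Only one of the two entries should be active for a given category; the commented-out entry is shown for comparison. Because the agent buffers events (flush_interval) and queues them while the server is unreachable (error_retry, rebind_retry, and the cache file at path), a remote server outage delays rather than loses events until the queue limit is reached.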

Example

This example sends event records to the remote timelord server:

Parent topic: Configure remote syslog agents