How to Configure and Verify Log Forwarding on vApp
search cancel

How to Configure and Verify Log Forwarding on vApp


Article ID: 138132


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


How to configure syslog/log forwarding on vApp?

Do I need to deploy Central Log service on vApp for log forwarding?

How to verify if log forwarding works?


Release : 14.2, 14.3, 14.4



vApp comes with rsyslog, if you run the following command as 'config' user you will see the version of rsyslog

rsyslogd -version

config@hostname VAPP-14.3.0 (xx.xx.xx.xx):~ > rsyslogd -version

rsyslogd 5.8.10, compiled with:

        FEATURE_REGEXP:                         Yes

        FEATURE_LARGEFILE:                      No

        GSSAPI Kerberos 5 support:              Yes

        FEATURE_DEBUG (debug build, slow code): No

        32bit Atomic operations supported:      Yes

        64bit Atomic operations supported:      Yes

        Runtime Instrumentation (slow code):    No

To configure log forwarding, as 'config' user you can do the configuration in /etc/rsyslog.d/rsyslog-custom.conf file. The /etc/rsyslog.conf loads the contents of /etc/rsyslog.d/rsyslog-custom.conf. For example if I configure below line in /etc/rsyslog.d/rsyslog-custom.conf file

*.* @@

vApp will forward all syslog data to syslog server that listens on tcp/514.

Restart rsyslog after you save configuration in /etc/rsyslog.d/rsyslog-custom.conf

service rsyslog restart

Please refer to below documentation for more details

Monitoring with Log Forwarding (

You don't need to deploy Central Log service on vApp for log forwarding. However, without Central Log service Identity Manager, Identity Governance, Identity Portal, JCS services won't write logs to syslog, so you cannot forward these application logs. Once you have Central Log service these applications write logs to syslog and all application logs (from the entire cluster) will merge into single log file, i.e. /opt/CA/VirtualAppliance/centralLogs/vapp_central.log. You only need to deploy Central Log service on one vApp node to have this merged application log.

Central Log service will run rsyslog as syslog server that listens on udp/514.

So, ideally if you want to forward vApp log to an external monitoring system, you should configure Log Forwarding on the vApp node where you have Central Log service runs.

To test and verify the log forwarding you can stand a Linux box with rsyslog installed. On this Linux box you can configure rsyslog to be the syslog server that will receive forwarded log from vApp. For example, on this Linux box, modify /etc/rsyslog.conf by uncommenting the following 2 lines

$ModLoad imtcp

$InputTCPServerRun 514

And add the following 2 lines at the bottom

$template TmplAuth, "/var/log/%HOSTNAME%.log"

*.* ?TmplAuth

And then restart rsyslog.

On the vApp (preferably on the vApp where Central Log service is running), modify /etc/rsyslog.d/rsyslog-custom.conf adding the following line at the bottom

*.* @@ is the IP address of the configured Linux syslog server above. Double '@' character is used to specified TCP connection.

And then I restarted rsyslog

   service rsyslog restart

On the Linux syslog server box you can verify that /var/log/<vApp node's hostname>.log will be generated and contains all the forwarded log.