How to configure syslog/log forwarding on vApp?
Do I need to deploy Central Log service on vApp for log forwarding?
How to verify if log forwarding works?
Release : 14.2, 14.3, 14.4
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
vApp comes with rsyslog, if you run the following command as 'config' user you will see the version of rsyslog
config@hostname VAPP-14.3.0 (xx.xx.xx.xx):~ > rsyslogd -version
rsyslogd 5.8.10, compiled with:
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
To configure log forwarding, as 'config' user you can do the configuration in /etc/rsyslog.d/rsyslog-custom.conf file. The /etc/rsyslog.conf loads the contents of /etc/rsyslog.d/rsyslog-custom.conf. For example if I configure below line in /etc/rsyslog.d/rsyslog-custom.conf file
vApp will forward all syslog data to 10.10.10.10 syslog server that listens on tcp/514.
Restart rsyslog after you save configuration in /etc/rsyslog.d/rsyslog-custom.conf
service rsyslog restart
Please refer to below documentation for more details
Monitoring with Log Forwarding (http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-3/virtual-appliance/monitoring-virtual-appliance.html#concept.dita_623d8fec621bc878635f3ca9102edc2337ff98c7_MonitoringwithLogForwarding)
You don't need to deploy Central Log service on vApp for log forwarding. However, without Central Log service Identity Manager, Identity Governance, Identity Portal, JCS services won't write logs to syslog, so you cannot forward these application logs. Once you have Central Log service these applications write logs to syslog and all application logs (from the entire cluster) will merge into single log file, i.e. /opt/CA/VirtualAppliance/centralLogs/vapp_central.log. You only need to deploy Central Log service on one vApp node to have this merged application log.
Central Log service will run rsyslog as syslog server that listens on udp/514.
So, ideally if you want to forward vApp log to an external monitoring system, you should configure Log Forwarding on the vApp node where you have Central Log service runs.
To test and verify the log forwarding you can stand a Linux box with rsyslog installed. On this Linux box you can configure rsyslog to be the syslog server that will receive forwarded log from vApp. For example, on this Linux box, modify /etc/rsyslog.conf by uncommenting the following 2 lines
And add the following 2 lines at the bottom
$template TmplAuth, "/var/log/%HOSTNAME%.log"
And then restart rsyslog.
On the vApp (preferably on the vApp where Central Log service is running), modify /etc/rsyslog.d/rsyslog-custom.conf adding the following line at the bottom
10.10.10.10 is the IP address of the configured Linux syslog server above. Double '@' character is used to specified TCP connection.
And then I restarted rsyslog
service rsyslog restart
On the Linux syslog server box you can verify that /var/log/<vApp node's hostname>.log will be generated and contains all the forwarded log.