Sending Access Logs to a Syslog server

book

Article ID: 166529

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

The purpose of this article is to provide the steps required to record and send Access Log entries to a Syslog server.

Resolution

It is possible to configure the ProxySG so that events that are written to an Access Log are additionally sent to a syslog server. This can be useful as the syslog server will be able to display the log entries in real-time (see also Display ProxySG access logs in real time using command line from workstation).

Note that this will only work if the syslog server supports receiving events via TCP (UDP will not work).

  1. Define an Access Log file configured to your requirements (called ‘MyLog’ here)

     
  2. For this Access Log, configure the Upload Client as type “Custom Client” and ‘Save the log file as:’ a 'text file'


     
  3. (Optional) To reduce the transmission time for log uploads, in the 'Send partial buffer after' field, enter a value as low as 5. 
     
  4. Point the Custom Client to your syslog server specifying its appropriate TCP port number.


     
  5. For the log’s upload schedule, specify to upload continuously.


     
  6. Next, load Visual Policy Manager. In a Web Access Layer, set the Action to 'Modify Access Logging'.


     
  7. In the Access Logging object, enable logging to your new access log.


     
  8. Make sure that the log is being written by going to Statistics > Access Logging > Select "MyLog" > Start Tail


Whilst it is possible to transfer access-logs using syslog tcp port and custom client, it is not something we would recommend. FTP continuous is a much better option than syslog for reliability, and the time delay is only an issue when there is very little traffic going through the box. In more detail, there is a buffer that fills with log entries and is flushed when it is full or a timeout happens.

Note: The "Custom client" option in ProxySG is more of a TCP Raw log dump. It will running over a TCP port 514. The format of the log remain as you have set in the format section of log. When it comes to log parsing, we will need to check on the Log analyzer on its capacity to consume the Access-Log (which is normally on ELFF standard). You will have to check on the log parsing tool to see whether it does have the capacity to show "Accesslogs" or does it limit only to "Event Logs"

Note: When a box is busy the full-flush will be happening many times per second.

When we say to configure FTP continuous we mean you should set the access-log to use ftp client and then set the upload type to continuous. You will also need to modify the wait between connection attempts from 60 to 5 seconds. To accomplish this type in the following commands from CLI:

en
conf t
access-log
edit log <name of log file>
connect-wait-time 5

You could change the "rotate the log file to something smaller but do not set it smaller than "hourly 0 3" (three minutes). 

To set the "rotate the log file" setting to 1 hour, type the following CLI commands:

en
conf t
access-log
edit log <name of log file>
continuous rotate-remote hourly 1 0)

Attachments