Sending Access Logs to a Syslog server
Article ID: 166529


Products

ProxySG Software - SGOS

Issue/Introduction

The purpose of this article is to provide the steps required to record and send Access Log entries to a Syslog server.

Resolution

It is possible to configure the Edge SWG (Proxy SG) so that events that are written to an Access Log are additionally sent to a syslog server. This can be useful as the syslog server will be able to display the log entries in real-time (see also Display ProxySG access logs in real time using command line from workstation).

Note that this will only work if the syslog server supports receiving events via TCP (UDP will not work).

  1. Define an Access Log file configured to your requirements (called ‘MyLog’ here). To create the file, specify the log name, click Apply, and then Save before proceeding to the next steps.
  2. While creating the log, configure the Upload Client as type “Custom Client” and set ‘Save the log file as:’ to ‘text file’.
  3. (Optional) To reduce the transmission time for log uploads, in the ‘Send partial buffer after’ field, enter a value as low as 5.
  4. Point the Custom Client to your syslog server, specifying its TCP port number. Optionally, specify the alternate server IP/port and whether to use SSL encryption.
  5. For the log’s upload schedule, specify continuous upload.
  6. Next, load Visual Policy Manager. Add a new Web Access Layer, add a rule, and set the Action to ‘Modify Access Logging’. Note: just adding a rule to an existing Web Access Layer may cause issues, especially if you have a Default Deny policy.
  7. In the Access Logging object, enable logging to your new access log.
  8. Make sure that the log is being written by going to Reports > Access Logging > Select “MyLog” > Show Log Tail.

Though it is possible to transfer access-logs using syslog tcp port and custom client, it is not recommended. FTP continuous is a much better option than syslog for reliability, and the time delay is only an issue when there is very little traffic going through the box. In more detail, there is a buffer that fills with log entries and is flushed when it is full or a timeout happens.

Note: The "Custom client" option in Edge SWG (Proxy SG) is essentially a raw TCP log dump. It runs over TCP port 514. The format of the log remains as you have set it in the log's format section. When it comes to log parsing, you will need to check whether the log analyzer is able to consume the Access Log (which is normally in the ELFF standard). Check whether the log parsing tool can display "Access Logs" or whether it is limited to "Event Logs" only.
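
As an added example (not part of this article or the SGOS product), the following parser shows what a receiving tool has to handle when the Custom Client streams the access log as a raw TCP dump: ELFF directive lines followed by space-separated records, with no syslog PRI header or framing. The sample stream and its shortened field list are constructed for illustration.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample of the ELFF text that arrives over the raw TCP
# connection: '#' directive lines, then one record per line. Quoted
# values (such as the user agent) may contain spaces; '-' means no value.
SAMPLE_STREAM = """#Software: SGOS
#Version: 1.0
#Fields: date time time-taken c-ip sc-status s-action cs-method cs-host cs-uri-path cs-username cs(User-Agent) sc-filter-result
2024-01-15 10:00:01 120 10.1.2.3 200 TCP_HIT GET www.example.com /index.html jdoe "Mozilla/5.0 (X11)" OBSERVED
2024-01-15 10:00:02 45 10.1.2.4 403 TCP_DENIED GET bad.example.net / - "curl/8.0" DENIED
"""


def parse_elff(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse an ELFF text stream into one dict per record.

    A '#Fields:' directive sets the column names for the records that
    follow it; other '#' directives are ignored. A '-' value is returned
    as None. shlex handles the double-quoted fields.
    """
    fields: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line seen before any #Fields: directive")
        values = shlex.split(line, posix=True)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def denied_requests(records: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Return only the records the proxy's policy denied (sc-filter-result)."""
    return [r for r in records if r.get("sc-filter-result") == "DENIED"]


if __name__ == "__main__":
    for r in denied_requests(parse_elff(SAMPLE_STREAM)):
        print(r["c-ip"], r["cs-host"], r["s-action"])
```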

Note: When a box is busy the full-flush will be happening many times per second.

When we say to configure FTP continuous, we mean you should set the access log to use the FTP client and then set the upload type to continuous. You will also need to change the wait between connection attempts from 60 to 5 seconds. To accomplish this, type the following commands from the CLI:

en
conf t
access-log
edit log <name of log file>
connect-wait-time 5

You could change the "rotate the log file" setting to something smaller, but do not set it smaller than "hourly 0 3" (three minutes).

To set the "rotate the log file" setting to 1 hour, type the following CLI commands:

en
conf t
access-log
edit log <name of log file>
continuous-upload rotate-remote hourly 1 0