Adapt the rsyslog.conf system file for sending access log data
Adapt the rsyslog.conf system file to ensure that access log data is successfully sent to a syslog server.
NOTE: Work with the File Editor on the user interface of Web Gateway to adapt the system file. If you use commands from a system console, your changes will be overwritten by future updates.
Task
- Select Configuration | File Editor.
- On the files tree, select rsyslog.conf.
The file content appears on the configuration pane.
- Edit the file to adapt it for sending access log data.
- Look for the following line:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
The line is part of a section on rules.
# Include config files in /etc/rsyslog.d
$IncludeConfig /etc/rsyslog.d/*.conf
####RULES####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
- Replace mail with daemon in this line and insert a - (dash) before the path information.
*.info;daemon.none;authpriv.none;cron.none -/var/log/messages
This modification prevents the syslog daemon from sending data to the /var/log/messages partition on the disk of the Web Gateway appliance system.
NOTE: The info before daemon specifies the severity level of the data.
You can now direct the data to the intended destination.
- To send data to a syslog server under the UDP protocol, insert:
daemon.info @x.x.x.x:514
For x.x.x.x, substitute the IP address of the syslog server.
To send data to a syslog server under TCP, insert:
daemon.info @@x.x.x.x:<port number>
You can send data to more than one syslog server. For every server, insert a line as shown in this substep.
When you send data, the messages that carry the data are entered in a default queue when the target server is not available and processed when it is up again. If you send data to more than one server, we strongly recommend setting up a queue for each of them.
Data messages are processed sequentially in a syslog queue. So, if sending data to a syslog server takes more time than usual, data messages to other servers following in the queue would be delayed if there was only one queue.
- Set up a queue for each server that you send data to.
A queue is set up by creating a rule that forwards data to the queue. The rsyslog.conf system file includes a default forwarding rule in a code block at its end.
To create a forwarding rule, copy and modify the code block, then append it to the end of the file.
- In the code block, activate this line and replace the spool file prefix, for example, with fwdRule2.
#$ActionQueueFileName fwdRule1
- In this line, type the name or IP address and port of the syslog server that the data should be sent to.
*.* @@remote-host:514
Activate other lines of the code block as needed.
# ### begin forwarding rule ###
# The statements between begin ... and ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@remote-host:514
# ### end of the forwarding rule ###
- Click Save Changes.
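Before saving, the edited file can be checked against the steps above. The following is an added example, not part of the Web Gateway product or its documentation: a small Python check that daemon data is excluded from /var/log/messages and that every forwarding line has its own active spool file prefix. The function name check_rsyslog_conf, the 192.0.2.x addresses and port 6514 are constructed for illustration. The check assumes the legacy single-line rsyslog format shown on this page, in which a queue directive applies only to the next action.

```python
import re

# Constructed sample: the edited rules line plus two forwarding rules.
# 192.0.2.10 and 192.0.2.20 are documentation addresses, not values from the page.
SAMPLE_CONF = """\
*.info;daemon.none;authpriv.none;cron.none -/var/log/messages
$ActionQueueFileName fwdRule1
$ActionQueueType LinkedList
daemon.info @@192.0.2.10:514
$ActionQueueFileName fwdRule2
$ActionQueueType LinkedList
daemon.info @@192.0.2.20:6514
"""

# selector, then @ (UDP) or @@ (TCP), then host and optional port
FORWARD = re.compile(r"^(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?$")

def check_rsyslog_conf(text):
    """Return a list of findings for a legacy-format rsyslog.conf."""
    findings, seen, pending = [], set(), None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments and disabled lines
        if not line:
            continue
        if line.startswith("$ActionQueueFileName"):
            parts = line.split()
            pending = parts[1] if len(parts) > 1 else None
            continue
        if line.startswith("$"):  # other directives are not checked here
            continue
        m = FORWARD.match(line)
        if m:
            proto = "TCP" if m.group(2) == "@@" else "UDP"
            target = f"{proto} {m.group(3)}:{m.group(4) or '514'}"
            if pending is None:
                findings.append(f"line {n}: {target} has no $ActionQueueFileName")
            elif pending in seen:
                findings.append(f"line {n}: {target} reuses spool prefix {pending}")
            else:
                seen.add(pending)
        elif line.endswith("/var/log/messages") and "daemon.none" not in line.split()[0]:
            findings.append(f"line {n}: daemon data still goes to /var/log/messages")
        pending = None  # queue directives apply to the next action only
    return findings

if __name__ == "__main__":
    print(check_rsyslog_conf(SAMPLE_CONF) or "no findings")
```

An empty result means every forwarding target has a distinct active queue prefix; a commented-out #$ActionQueueFileName line is reported as missing.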