How to Configure WG to send access Log Data over Syslog to CSR
Version
Web Gateway
Skyhigh Content Security Reporter
Description
It is important to configure Web Gateway correctly when sending access log information to Content Security Reporter over Syslog. Without proper configuration, the performance of Web Gateway can be severely affected.
How to Configure
To configure WG to send Access Log data to the Syslog:
- Navigate to Policy > Rule Sets > Log Handler.
- Expand the appropriate Log Handler and find the logging rule that you want to use to log to Syslog. The default Log Handler is named Access.log and the rule in this Log Handler is named Write access.log.
- Select the rule and select Edit.
- On the Events section of the rule, select Add > Event.
- Select Syslog (Number, String) and then select Parameters.
- For the parameter 1. Level (Number), enter the number 6 for the value. This value indicates an "Informational" level message.
- For parameter 2. Message (String), click Use Property and select User-Defined.logLine.
- Select OK, then OK again. In the Events section of the rule, you now see Syslog (6, User-Defined.logLine).
- Select Finish.
Now that the access log data is being recorded to Syslog, modify the rsyslog.conf file for best performance and also to send access log data using Syslog:
- Navigate to Configuration > File Editor.
- Expand the name of the appropriate Appliance and select rsyslog.conf.
- Search for the following line:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Add daemon.!=info to the line and put a - in front of /var/log/messages so that the line is:
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
These changes are needed for best performance: daemon.!=info keeps the access log entries (which Web Gateway emits at facility daemon, level info) out of /var/log/messages on the appliance disk, and the leading - tells rsyslog not to sync that file after every write.
- To send access log data over Syslog to a remote location, add a new line near the bottom of the file to send the info messages to a particular host or IP address.
In the following example, replace 10.10.94.30 with the IP address of the host that should receive the access log data using UDP over port 514. (UDP is the default protocol and port 514 is the default port in Content Security Reporter.) You can use a host name instead of an IP address.
daemon.info @10.10.94.30
If your log source on Content Security Reporter is configured to use TCP, use two @ symbols to specify TCP instead. Note the addition of :610, which sends over port 610:
daemon.info @@10.10.94.30:610
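The following script is an added example, not part of the original article or the product, that checks a copy of rsyslog.conf for the three settings described above: the daemon.!=info exclusion on the /var/log/messages line, the leading - (no sync after each write), and a forwarding line for daemon.info. It parses legacy rsyslog selector syntax only, which is the syntax the article uses; the sample configuration text embedded in it is constructed for illustration and the host 10.10.94.30 is the article's placeholder.

```python
"""Verify that an rsyslog.conf (legacy selector syntax) carries the settings the
article describes. Added example, not from the original article; the sample
configuration below is constructed."""
import re

# Constructed sample: the /var/log/messages line as edited per the article,
# plus a TCP forwarding line. Replace with the real file contents to check an appliance.
SAMPLE_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
authpriv.* /var/log/secure
daemon.info @@10.10.94.30:610
"""

# A legacy rule is "<selector> <action>"; comments and blank lines are skipped.
SELECTOR_LINE = re.compile(r"^\s*(?P<selector>[^\s#]+)\s+(?P<action>\S+)\s*$")
# Forwarding actions: @host[:port] is UDP, @@host[:port] is TCP.
FORWARD = re.compile(r"^(?P<at>@@?)(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?$")


def parse_rules(text):
    """Return a list of (selectors, action); selectors are (facility, priority) pairs."""
    rules = []
    for line in text.splitlines():
        m = SELECTOR_LINE.match(line)
        if not m:
            continue
        selectors = []
        for part in m.group("selector").split(";"):
            facility, _, priority = part.partition(".")
            selectors.append((facility, priority))  # e.g. ("daemon", "!=info")
        rules.append((selectors, m.group("action")))
    return rules


def check_messages_line(rules):
    """Report whether the /var/log/messages rule excludes daemon.info and uses the '-' prefix.

    Returns None when no rule writes to /var/log/messages at all."""
    for selectors, action in rules:
        if action.lstrip("-") == "/var/log/messages":
            return {
                "excludes_daemon_info": ("daemon", "!=info") in selectors,
                "async_write": action.startswith("-"),
            }
    return None


def find_forwarders(rules):
    """Return every remote target that receives daemon.info, as proto/host/port dicts."""
    targets = []
    for selectors, action in rules:
        if ("daemon", "info") not in selectors:
            continue
        m = FORWARD.match(action)
        if not m:
            continue  # a file or other local action, not a forwarder
        targets.append({
            "proto": "tcp" if m.group("at") == "@@" else "udp",
            "host": m.group("host"),
            "port": int(m.group("port") or 514),  # rsyslog uses 514 when no port is given
        })
    return targets


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONF)
    print("messages line:", check_messages_line(parsed))
    print("daemon.info forwarders:", find_forwarders(parsed))
```

To check a real appliance, read the file contents into parse_rules instead of SAMPLE_CONF; a result of excludes_daemon_info False or async_write False means the edit from the previous step has not been applied, and an empty forwarder list means nothing is being sent to Content Security Reporter.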
To confirm that Web Gateway is sending Syslog data, you can use tcpdump on the appliance. The following command confirms the transmission of Syslog data over port 514 (substitute 610 if you configured the TCP example above):
tcpdump -Xnni any port 514
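Beyond seeing packets on the wire, it helps to confirm that the messages arrive with the facility and severity the forwarding rule selects. The script below is an added example, not part of the original article or the product: it decodes the syslog PRI header (PRI = facility * 8 + severity, per RFC 3164 and RFC 5424) and checks that a message matches daemon.info, which is what the Syslog(6, ...) event combined with the daemon.info rsyslog line should produce (3 * 8 + 6 = 30). The sample message is constructed, not captured from an appliance, and the optional UDP receiver is meant for a test host where nothing else is bound to the port.

```python
"""Decode syslog PRI headers to confirm messages match the daemon.info forwarding rule.
Added example, not from the original article; the sample message is constructed."""
import socket

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(message):
    """Split '<PRI>rest' into (facility_name, severity_name, rest)."""
    if not message.startswith("<") or ">" not in message:
        raise ValueError("no PRI header")
    end = message.index(">")
    pri = int(message[1:end])
    if not 0 <= pri <= 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity], message[end + 1:]


def matches_forwarding_rule(message, facility="daemon", severity="info"):
    """True if rsyslog's 'daemon.info' selector would have forwarded this message."""
    fac, sev, _ = decode_pri(message)
    return fac == facility and sev == severity


# Constructed sample: level 6 (Informational) from the Syslog(6, User-Defined.logLine)
# event, sent under the daemon facility, so PRI is 3 * 8 + 6 = 30.
SAMPLE = "<30>Oct  3 10:15:02 wg01 mwg: 10.10.1.5 GET http://example.test/ 200"


def receive_and_check(port=514, timeout=5.0):
    """Bind a UDP listener on a test host and decode the first datagram received.

    Returns (sender_ip, decoded_header, matches_daemon_info). Binding port 514
    needs root, and the port must not be in use by another syslog receiver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", port))
        data, peer = s.recvfrom(65535)
    text = data.decode("utf-8", errors="replace")
    return peer[0], decode_pri(text), matches_forwarding_rule(text)


if __name__ == "__main__":
    print(decode_pri(SAMPLE))
    print("matches daemon.info:", matches_forwarding_rule(SAMPLE))
```

A message whose PRI decodes to a different facility or severity would be dropped by the daemon.info selector on the appliance, so if the tcpdump capture shows traffic but this check fails on the receiving side, revisit the level value in the Syslog event (step 1. Level must be 6).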