Skyhigh Security

How to Configure WG to send access Log Data over Syslog to CSR

Version

Web Gateway

Skyhigh Content Security Reporter

Description

It is important to configure Web Gateway correctly when sending access log information to Content Security Reporter over Syslog. Without proper configuration, the performance of Web Gateway can be severely affected.

How to Configure

To configure WG to send Access Log data to the Syslog:

  1. Navigate to Policy > Rule Sets > Log Handler.
  2. Expand the appropriate Log Handler and find the logging rule that you want to use to log to Syslog. The default Log Handler is named Access.log and the rule in this Log Handler is named Write access.log.
  3. Select the rule and select Edit.
  4. In the Events section of the rule, select Add > Event.
  5. Select Syslog (Number, String) and then select Parameters
  6. For the parameter 1. Level (Number), enter the number 6 for the value. This value indicates an "Informational" level message.
  7. For parameter 2. Message (String), click Use Property and select User-Defined.logLine.
  8. Select OK, then OK again. In the Events section of the rule, you now see Syslog (6, User-Defined.logLine)
  9. Select Finish.

Now that the access log data is being recorded to Syslog, modify the rsyslog.conf file for best performance and also to send access log data using Syslog:

  1. Navigate to Configuration > File Editor.
  2. Expand the name of the appropriate Appliance and select rsyslog.conf.
  3. Search for the following line:

*.info;mail.none;authpriv.none;cron.none /var/log/messages

Add daemon.!=info to the line and put a - in front of /var/log/messages so that the line is:

*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages

These changes prevent the access log information from being written to the Syslog file on the disk and are needed for best performance.

  4. To send access log data over Syslog to a remote location, add a new line near the bottom of the file to send the info messages to a particular host or IP address.

In the following example, replace 10.10.94.30 with the IP address that should receive the access log data using UDP over port 514. (UDP is the default protocol and port 514 is the default port in Content Security Reporter.) Alternatively, you can use a host name instead of an IP address.

daemon.info @10.10.94.30

If your log source on Content Security Reporter is configured to use TCP, use two @ symbols to specify TCP instead. Note the addition of :610, which sends over port 610:

daemon.info @@10.10.94.30:610

To confirm that Web Gateway is sending Syslog data, you can use tcpdump. The following command confirms the transmission of Syslog data over port 514:

tcpdump -Xnni any port 514
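
The two rsyslog.conf edits above can also be checked before any traffic is sent. The following script is an added example, not Skyhigh code: it reads an rsyslog.conf on standard input and reports whether the /var/log/messages rule excludes daemon.info and carries the - prefix, and which protocol, host and port the daemon.info forwarding rule uses. The function names and sample files are constructed for illustration, and the parser assumes an IPv4 address or host name as the destination.

```shell
#!/bin/sh
# Added example: audit an rsyslog.conf (read from stdin) for the edits in this article.

# Report the state of the first active rule that writes to /var/log/messages.
messages_rule_status() {
  rule=$(grep -E '^[^#]*[[:space:]]-?/var/log/messages[[:space:]]*$' | head -n 1)
  [ -n "$rule" ] || { echo "no-rule"; return; }
  # Without daemon.!=info, every access log line is also written to local disk.
  printf '%s\n' "$rule" | grep -qF 'daemon.!=info' || { echo "daemon.info-on-disk"; return; }
  # The - prefix tells rsyslog not to sync the file after each message.
  printf '%s\n' "$rule" | grep -qE '[[:space:]]-/var/log/messages' || { echo "missing-dash"; return; }
  echo "ok"
}

# Print "protocol host port" for the first active daemon.info forwarding rule.
# One @ means UDP, two mean TCP; with no :port, rsyslog sends to port 514.
forward_target() {
  awk '$1 == "daemon.info" && $2 ~ /^@/ {
         proto = ($2 ~ /^@@/) ? "tcp" : "udp"
         dest = $2; sub(/^@+/, "", dest)
         port = 514
         if (split(dest, parts, ":") == 2) { dest = parts[1]; port = parts[2] }
         print proto, dest, port
         exit
       }'
}

# Constructed sample: the stock line before any edit.
sample_before() {
  printf '%s\n' '*.info;mail.none;authpriv.none;cron.none /var/log/messages'
}

# Constructed sample: the file after the edits, with a commented-out UDP rule
# and an active TCP rule using the article's example address.
sample_after() {
  printf '%s\n' \
    '*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages' \
    '#daemon.info @10.10.94.30' \
    'daemon.info @@10.10.94.30:610'
}

for s in sample_before sample_after; do
  echo "$s: messages rule = $($s | messages_rule_status); forward = $($s | forward_target)"
done
```

To audit a real configuration, redirect a copy of the appliance's rsyslog.conf into each function. Compare the reported protocol and port with the log source settings in Content Security Reporter.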
