The purpose of this article is to provide the steps required to record and send Access Log entries to a Syslog server.
It is possible to configure the ProxySG so that events that are written to an Access Log are additionally sent to a syslog server. This can be useful as the syslog server will be able to display the log entries in real-time (see also 000009021).
Note that this will only work if the syslog server supports receiving events via TCP (UDP will not work).
Define an Access Log file configured to your requirements (called 'MyLog' here).
For this Access Log, configure the Upload Client as type 'Custom Client' and 'Save the log file as:' a 'text file'.
(Optional) To reduce the transmission time for log uploads, in the 'Send partial buffer after' field, enter a value as low as 5.
Point the Custom Client to your syslog server specifying its appropriate TCP port number.
For the log’s upload schedule, specify to upload continuously.
Next, load Visual Policy Manager. In a Web Access Layer, set the Action to 'Modify Access Logging'.
In the Access Logging object, enable logging to your new access log.
Make sure that the log is being written by going to Statistics > Access Logging > Select "MyLog" > Start Tail.
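To confirm that entries are arriving over TCP before pointing the Custom Client at a production syslog server, a small test receiver can help. The Python listener below is an added example, not part of the original article or of the ProxySG product; it assumes the Custom Client sends plain newline-terminated text lines, that log header lines start with '#', and it uses port 5514 as a placeholder.

```python
import socketserver


class LineAssembler:
    """Rebuild complete log lines from arbitrary TCP chunks.

    TCP is a byte stream, so one recv() may end in the middle of a log entry.
    """

    def __init__(self, max_line=65536):
        self._buf = b""
        self._max = max_line

    def feed(self, chunk):
        """Return the complete lines now available; keep any trailing partial line."""
        self._buf += chunk
        *lines, self._buf = self._buf.split(b"\n")
        if len(self._buf) > self._max:
            # Discard an unterminated oversized line so a sender cannot grow memory.
            self._buf = b""
        return [l.rstrip(b"\r").decode("utf-8", "replace") for l in lines if l.strip()]


def is_header(line):
    # Assumption: the log format emits '#'-prefixed header lines (ELFF style).
    return line.startswith("#")


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        asm = LineAssembler()
        while True:
            chunk = self.request.recv(4096)
            if not chunk:  # sender closed the connection
                break
            for line in asm.feed(chunk):
                if not is_header(line):
                    print(self.client_address[0], line, flush=True)


def serve(host="0.0.0.0", port=5514):  # placeholder port, not from the article
    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

If lines appear here but not on the real syslog server, the problem lies with that server's TCP input rather than with the ProxySG configuration.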
Whilst it is possible to transfer access logs using a syslog TCP port and the Custom Client, it is not something we would recommend. FTP continuous is a much better option than syslog for reliability, and the time delay is only an issue when there is very little traffic going through the box. In more detail, there is a buffer that fills with log entries and is flushed either when it is full or when a timeout occurs.
Note: When a box is busy the full-flush will be happening many times per second.
When we say to configure FTP continuous, we mean you should set the access log to use the FTP client and then set the upload type to continuous. You will also need to modify the wait between connection attempts from 60 to 5 seconds. To accomplish this, type the following commands from the CLI:
en
conf t
access-log
edit log <name of log file>
connect-wait-time 5
You could change the "rotate the log file" setting to something smaller, but do not set it smaller than "hourly 0 3" (three minutes).
To set the "rotate the log file" setting to 1 hour, type the following CLI commands:
en
conf t
access-log
edit log <name of log file>
continuous rotate-remote hourly 1 0