
Skyhigh Security

Adapt the rsyslog.conf system file for sending access log data

Adapt the rsyslog.conf system file to ensure that access log data is successfully sent to a syslog server.

NOTE: Work with the File Editor on the user interface of Web Gateway to adapt the system file. If you use commands from a system console, your changes will be overwritten by future updates.

Task

  1. Select Configuration | File Editor.
  2. On the files tree, select rsyslog.conf.
    The file content appears on the configuration pane.
  3. Edit the file to adapt it for sending access log data.
    1. Look for the following line:
*.info;mail.none;authpriv.none;cron.none                                          /var/log/messages

The line is part of a section on rules.

# Include config files in /etc/rsyslog.d
$IncludeConfig /etc/rsyslog.d/*.conf

####RULES####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                                          /var/log/messages
    2. Replace mail with daemon in this line and insert a - (dash) before the path information.
*.info;daemon.none;authpriv.none;cron.none                                       -/var/log/messages

This modification prevents the syslog daemon from writing the data to /var/log/messages on the disk of the Web Gateway appliance system.

NOTE: The info in *.info, before daemon, specifies the severity level of the data (messages of this level or higher are covered by the rule).

You can now direct the data to the intended destination.

    3. To send data to a syslog server under the UDP protocol, insert:
daemon.info @x.x.x.x:514

For x.x.x.x, substitute the IP address of the syslog server.

To send data to a syslog server under TCP, insert:

daemon.info @@x.x.x.x:<port number>

You can send data to more than one syslog server. For every server, insert a line as shown in this substep.

When you send data, the messages that carry the data are entered in a default queue when the target server is not available and processed when it is up again. If you send data to more than one server, we strongly recommend setting up a queue for each of them.

Data messages in a syslog queue are processed sequentially. So, if sending data to one syslog server takes more time than usual, the data messages for other servers that follow it in the queue would be delayed if there were only one queue.

    4. Set up a queue for each server that you send data to.
      A queue is set up by creating a rule that forwards data to the queue. The rsyslog.conf system file includes a default forwarding rule in a code block at its end.
      To create a forwarding rule, copy and modify the code block, then append it to the end of the file.
  • In the code block, activate (uncomment) this line and replace the spool file prefix with a unique name, for example, fwdRule2.
#$ActionQueueFileName fwdRule1
  • In this line, type the name or IP address and port of the syslog server that the data should be sent to.
*.* @@remote-host:514

Activate other lines of the code block as needed.

# ### begin forwarding rule ###
# The statements between begin ... and ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@remote-host:514
# ### end of the forwarding rule ###
  4. Click Save Changes.
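To check an edited rsyslog.conf before saving it, the following added example (not Skyhigh Security code, and not part of this article) parses the legacy rule syntax shown above and verifies the two points the procedure depends on: that the /var/log/messages rule now carries daemon.none, and that every forwarding rule has its own, unique $ActionQueueFileName prefix instead of sharing the default queue. The configuration text, the IP addresses (192.0.2.x) and the queue names inside the script are constructed sample values.

```python
"""Check an rsyslog.conf fragment edited as described in the task above.

Added example, not Skyhigh Security code. It parses legacy rsyslog rule
lines (selector + action) and the $ActionQueueFileName directive that
precedes a forwarding action, then reports:
  - whether the /var/log/messages rule excludes the daemon facility,
  - each forwarding action with its transport (UDP '@' or TCP '@@'),
  - forwarding actions that lack a spool-file prefix or share one.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the page's edited rule, a UDP forward without its own
# queue, and two TCP forwards that wrongly reuse the same spool-file prefix.
SAMPLE_CONF = """
*.info;daemon.none;authpriv.none;cron.none                 -/var/log/messages
daemon.info @192.0.2.10:514
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
*.* @@192.0.2.20:514
$ActionQueueFileName fwdRule1
$ActionQueueType LinkedList
*.* @@192.0.2.30:6514
"""

RULE_RE = re.compile(r"^(\S+)\s+(\S+)$")


@dataclass
class Rule:
    selectors: List[Tuple[str, str]]   # [(facility, priority), ...]
    action: str                        # raw action text, e.g. "@@host:514"
    queue_name: Optional[str]          # $ActionQueueFileName in effect, if any

    @property
    def is_forward(self) -> bool:
        return self.action.startswith("@")

    @property
    def transport(self) -> str:
        if self.action.startswith("@@"):
            return "tcp"
        if self.action.startswith("@"):
            return "udp"
        return "file"

    @property
    def target(self) -> str:
        # "@@host:port" -> "host:port"; "-/var/log/messages" -> "/var/log/messages"
        return self.action.lstrip("@").lstrip("-")


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    queue_name: Optional[str] = None   # applies to the next action only
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        if line.startswith("$"):
            parts = line.split(None, 1)
            if parts[0] == "$ActionQueueFileName" and len(parts) == 2:
                queue_name = parts[1].strip()
            continue   # other $Action* directives are not needed for these checks
        m = RULE_RE.match(line)
        if not m:
            continue
        selector_text, action = m.groups()
        selectors = []
        for part in selector_text.split(";"):
            facility, _, priority = part.partition(".")
            selectors.append((facility, priority))
        # Queue directives only matter for forwarding actions; they are consumed
        # by the first action that follows them, as in rsyslog itself.
        rules.append(Rule(selectors, action, queue_name if action.startswith("@") else None))
        queue_name = None
    return rules


def check_messages_rule(rules: List[Rule]) -> bool:
    """True if the /var/log/messages rule contains daemon.none."""
    for r in rules:
        if r.target == "/var/log/messages":
            return ("daemon", "none") in r.selectors
    return False


def forwarding_targets(rules: List[Rule]) -> List[Tuple[str, str]]:
    return [(r.transport, r.target) for r in rules if r.is_forward]


def queue_problems(rules: List[Rule]) -> List[str]:
    """Forwarding actions without a spool-file prefix, or sharing one."""
    problems: List[str] = []
    seen = {}
    for r in rules:
        if not r.is_forward:
            continue
        if r.queue_name is None:
            problems.append(f"{r.target}: no $ActionQueueFileName (uses the default queue)")
        elif r.queue_name in seen:
            problems.append(f"{r.target}: $ActionQueueFileName {r.queue_name} already used by {seen[r.queue_name]}")
        else:
            seen[r.queue_name] = r.target
    return problems


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONF)
    print("daemon excluded from /var/log/messages:", check_messages_rule(parsed))
    for transport, target in forwarding_targets(parsed):
        print(f"forward via {transport}: {target}")
    for problem in queue_problems(parsed):
        print("queue problem:", problem)
```

Run against the sample, the script confirms the daemon.none change, lists one UDP and two TCP destinations, and flags two queue problems: the UDP forward that falls back to the default queue and the second TCP forward that reuses fwdRule1. Paste the content of the File Editor pane into SAMPLE_CONF (or read it from a file) to check a real edit the same way.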