22.2 Important Points to Consider When Using Syslog

The syslog server configurations are automatically synced with Identity Server and Access Gateway when you select syslog for auditing.

To configure syslog, see Setting Up Logging Server and Console Events. For more information, see Syslog Configuration White Paper.

22.2.1 Limitations of Syslog

  • On Identity Server and ESP, events are cached to a local file during a local audit failure. The file location is as follows:


  • The log forwarding of cached logs is not supported for Identity Server and ESP events.

  • The failover mechanism communication does not work in Access Gateway.

IMPORTANT: By default, syslog agents are configured without SSL communication with the remote audit server. You can manually configure SSL communication between a local syslog agent and the remote syslog audit server. For more information, see Enabling SSL Communication.

22.2.2 Caching Audit Events

By default, the local syslog agents do not cache or queue audit events when the remote syslog audit server is unreachable, so those audit events are lost. It is recommended to enable caching for audit events in the local syslog agent. You can use the queuing feature of rsyslog for caching audit events.

A sample configuration for caching audit events is as follows:

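# Directory where rsyslog writes the queue (spool) files
$WorkDirectory /rsyslog/work
# Use an in-memory linked-list queue for the forwarding action
$ActionQueueType LinkedList
# File name prefix for spool files; setting it enables disk-assisted queuing
$ActionQueueFileName example_fwd
# Retry indefinitely while the remote server is unreachable
$ActionResumeRetryCount -1
# Write queued events to disk when rsyslog shuts down
$ActionQueueSaveOnShutdown on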

You need to create the /rsyslog/work directory manually. Add this sample configuration to the nam.conf file. For information about how to modify a file, see Modifying Configurations.

Make the changes on each component: Administration Console, Identity Server, and Access Gateway.
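
One way to check the caching configuration on each component after editing nam.conf, given here as an added example and not as part of the product documentation. The function names directive_value and check_audit_cache are hypothetical, and the check assumes the file uses the legacy rsyslog directive format of the sample above and that the forwarding rule, if present, is in the same file.

```shell
#!/bin/sh
# Added example: lint an rsyslog legacy-format file (for instance nam.conf)
# for the audit-caching directives shown in the sample configuration.

# Print the value of the first uncommented occurrence of directive $1 in file $2.
directive_value() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Print one line per problem; return 0 only if caching is fully configured.
check_audit_cache() {
    conf=$1 rc=0
    for d in '$WorkDirectory' '$ActionQueueType' '$ActionQueueFileName' \
             '$ActionResumeRetryCount' '$ActionQueueSaveOnShutdown'; do
        [ -n "$(directive_value "$d" "$conf")" ] || { echo "missing $d"; rc=1; }
    done
    # The work directory has to be created manually, so confirm it exists.
    wd=$(directive_value '$WorkDirectory' "$conf")
    if [ -n "$wd" ] && [ ! -d "$wd" ]; then
        echo "work directory $wd does not exist"; rc=1
    fi
    # -1 means retry forever; a finite count lets rsyslog stop retrying.
    retry=$(directive_value '$ActionResumeRetryCount' "$conf")
    if [ -n "$retry" ] && [ "$retry" != "-1" ]; then
        echo "retry count is $retry, expected -1"; rc=1
    fi
    # Legacy $Action* directives apply to the NEXT action only, so they must
    # come before the forwarding rule ("selector @host" or "selector @@host").
    awk '/^[^#$].*[ \t]@/ && !fwd { fwd = NR }
         $1 ~ /^\$Action/ { last = NR }
         END { if (fwd && last > fwd) exit 1 }' "$conf" ||
        { echo "queue directives appear after the forwarding rule"; rc=1; }
    return $rc
}

# Lint the file given on the command line, if any.
[ $# -eq 0 ] || check_audit_cache "$1"
```

A non-zero exit status means at least one condition would still allow audit events to be lost while the remote audit server is unreachable.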

22.2.3 Debugging Syslog

When messages are not being sent or received, add the following macros in /etc/rsyslog.conf to debug rsyslog:

  • $DebugLevel <level> #1,2,3 can be used

  • $DebugFile <debug log file path>

To access debug logs, navigate to the file path mentioned in $DebugFile. Debug logs are also available in /var/log/messages.