22.2.2 Caching Audit Events

By default, the local syslog agents do not cache or queue audit events when the remote syslog audit server is unreachable, so those audit events are lost. It is recommended to enable caching for audit events in the local syslog agent. You can use the queuing feature of rsyslog for caching audit events.

A sample configuration for caching audit events is as follows:

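# Directory where rsyslog writes the queue spool files
$WorkDirectory /rsyslog/work
# Use a linked-list queue for the forwarding action
$ActionQueueType LinkedList
# Spool file name prefix; setting it makes the queue disk-assisted
$ActionQueueFileName example_fwd
# -1 = keep retrying while the remote server is unreachable
$ActionResumeRetryCount -1
# Save queued events to disk when rsyslog shuts down
$ActionQueueSaveOnShutdown on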

You need to create the /rsyslog/work directory manually. Add this sample configuration to the nam.conf file. For information about how to modify a file, see Modifying Configurations.

Make the changes on each component: Administration Console, Identity Server, and Access Gateway.
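
As an added example (not part of the product documentation), the following shell function checks a component's rsyslog configuration for the caching settings above, so the same check can be repeated on each component. It assumes legacy-format directives and a forwarding action written as `selector @host` or `@@host`; the function names are hypothetical, and the world-writable test on the work directory is an extra hardening check.

```shell
#!/bin/sh
# Added example, not product code. check_audit_cache is a hypothetical name.
# Usage: check_audit_cache /path/to/nam.conf   (the caller supplies the path)
# Print "line value" for the last occurrence of directive $2 in file $1.
last_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { n = NR; v = $2 }
                   END { if (n) print n, v }' "$1"
}

check_audit_cache() {
    conf=$1; fails=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    # Assumption: forwarding uses a legacy "selector @host" or "@@host" line.
    fwd=$(awk '$1 !~ /^[#$]/ && $2 ~ /^@/ { print NR; exit }' "$conf")

    # Expected values come from the sample above; "-" means any value.
    while read -r name want; do
        set -- $(last_directive "$conf" "$name")
        if [ -z "$1" ]; then
            echo "FAIL: $name is not set"; fails=$((fails + 1))
        elif [ "$want" != "-" ] &&
             [ "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL: $name is '$2', expected '$want'"; fails=$((fails + 1))
        elif [ -n "$fwd" ] && [ "$name" != '$WorkDirectory' ] &&
             [ "$1" -gt "$fwd" ]; then
            # Legacy $Action* directives apply to the action that follows them.
            echo "FAIL: $name (line $1) is after the forwarding action (line $fwd)"
            fails=$((fails + 1))
        fi
    done <<'EOF'
$WorkDirectory -
$ActionQueueType linkedlist
$ActionQueueFileName -
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
EOF

    # The spool directory must exist; the world-writable test is an added
    # hardening check because spooled audit events sit there on disk.
    dir=$(last_directive "$conf" '$WorkDirectory' | awk '{ print $2 }')
    if [ -n "$dir" ] && [ ! -d "$dir" ]; then
        echo "FAIL: work directory $dir does not exist"; fails=$((fails + 1))
    elif [ -n "$dir" ]; then
        case $(ls -ld "$dir") in
            ????????w*) echo "FAIL: $dir is world-writable"; fails=$((fails + 1)) ;;
        esac
    fi
    [ "$fails" -eq 0 ]
}
```

The function prints one FAIL line per problem and returns non-zero if any check fails.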