21.3.1 Auditing using UDP

Perform the following steps on Administration Console, Identity Server, and Access Gateway to enable sending audit events to the remote syslog sever by using UDP:

  1. Set the remote syslog server's IP address and port. See Setting Up Logging Server and Console Events.

    The nam.conf file gets automatically updated with the corresponding configuration.

  2. Edit the Auditlogging.cfg file and set both SERVERIP and SERVERPORT macros as empty.

    For information about how to modify a file, see Modifying Configurations.

    Sample Auditlogging.cfg file:

    LOGDEST=syslog
    FORMAT=JSON
    SERVERIP=
    SERVERPORT=
  3. Configure UDP.

    rsyslog provides various options and macros for the syslog agent (client) to send logs to a remote server by using UDP or TLS over TCP.

    1. To load the required module for rsyslog, edit nam.conf and namMultiTarget.conf and add the following entry:

      $ModLoad imudp

      For information about how to modify a file, see Modifying Configurations.

    2. In nam.conf and namMultiTarget.conf, add a single @ character before the remote host to send messages over UDP.

      A sample nam.conf:

      #$ModLoad imtcp # load TCP listener
      $InputTCPServerRun 1290
      $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
      $ModLoad imudp
      local0.* @164.100.150.10:1468;ForwardFormat

      Here, audit logs are being forwarded to the remote server 164.100.150.10 and port 1468 using UDP.