KB Article | Forcepoint Support

Notes & Warnings

Note: By using the "debug" priority, you avoid writing the forwarded transactions to the /var/log/messages file, which by default records every message of a higher priority.

Additional Search Terms:  v7.7, SIEM, QRadar, Splunk, Security Information Event Management, syslog, syslogging

Problem Description

How do you send information being logged to the local filesystem to an external syslog server?

Resolution

You can send data from existing facilities to an external syslog server simply by editing rsyslog.conf. To feed log data into a new (unused) facility, use the logger application.

Note: If using Red Hat 5 or equivalent (including appliances prior to version 7.7), the configuration file to edit is /etc/syslog. All other steps remain the same.

To send data from existing facilities to an external syslog server:
  1. First, confirm that transaction logging is enabled and uses the Netscape Extended format. For example, if logging is enabled for extended.log, you should see the size of extended.log grow in a production environment as proxy traffic is logged.

  2. Next, modify /etc/rsyslog.conf (or /etc/syslog):

     1. For versions 8.1 and later, add these lines:

        # WCG Transaction Logging
        action(type="omfwd"
               Target="192.168.2.11"
               Port="10514"
               Protocol="tcp"
        )

     2. For versions 8.0 and earlier, add these lines. Use one or more <tab> characters to separate the logging facility from the destination address in rsyslog.conf:

        # WCG Transaction Logging
        local<unused_facility_number>.*                        @<IP_Address_of_Syslog_server>

  3. Turn off rate-limiting for rsyslog. Modern Linux distributions ship 'rsyslog', a replacement for 'syslogd' or 'sysklogd'. Starting with rsyslog version 5.7.1, a rate-limiting feature was added to the utility. If a given process ID (PID) sends more than 200 messages to /var/log/messages within a 5 second interval (the rsyslog default), rsyslog starts to drop that process's messages and writes the following warning to /var/log/messages:

     Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting

     The solution is to turn off rate-limiting for rsyslog. To do this, add the following line to /etc/rsyslog.conf:

     $SystemLogRateLimitInterval 0

  4. Restart the syslog service so that the changes take effect:
    # service rsyslog restart
     
  5. Now that you've told syslog where to send messages marked with the local facility number of your choice, you must send the log data to syslog with that facility ID. Use 'tail' to pipe the data to the "logger" command. Note: The & is needed at the end of the logger commands; omitting it may break WshunterDomAgent.

     tail -F <full_path_to_log_file> | logger -p <chosen_facility_number>.<priority> &

     For example: tail -F /opt/WCG/logs/extended.log | logger -p local5.debug &

     Note: Use the capitalized "-F" switch in tail commands. This lets tail keep following the file across transaction log rollover.

  6. To launch the forwarder on each startup, place the above line in the /etc/rc.local file.

  7. To enable off-box syslogging immediately (without a reboot), run the following command:

     nohup tail -F /opt/WCG/logs/extended.log | logger -p local5.debug &
Note: This works for other system logs as well.

Additional examples: 
  • nohup tail -F /opt/WCG/logs/extended2.log | logger -p local5.debug &
  • nohup tail -F /var/log/messages | logger -p local5.debug &
  • nohup tail -F /var/log/hunter/user.log | logger -p local5.debug &
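The two places where the procedure above tends to go silently wrong are the forwarding rule in step 2 (a mistyped facility forwards nothing, and an action() block with no selector in front of it forwards every message, not just the WCG facility) and the rate limiting in step 3 (drops only show up as a warning buried in /var/log/messages). The following shell helpers are an added example written for this article, not Forcepoint's own code or part of the original procedure. They assume standard rsyslog behaviour: in the legacy syntax "@host:port" forwards over UDP and "@@host:port" over TCP, and rsyslog 7 and later accept a "facility.*" selector ahead of an action() block. The log excerpt is constructed for the demonstration; only the warning format comes from step 3.

```shell
#!/bin/sh
# Added example, not part of the Forcepoint article.
#  - rsyslog_forward_rule prints the forwarding rule for ONE local facility
#    in either rsyslog syntax and rejects bad inputs. Assumes legacy syntax
#    "@host:port" is UDP and "@@host:port" is TCP, and that rsyslog 7+
#    accepts a "facility.*" selector before an action() block.
#  - rate_limit_drops reports, per PID, how often the imuxsock rate-limiting
#    warning quoted in step 3 appears in a messages file, so you can confirm
#    that $SystemLogRateLimitInterval 0 took effect.

# Succeed only for local0..local7, the facilities reserved for site use.
valid_local_facility() {
    case "$1" in
        local[0-7]) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage: rsyslog_forward_rule <legacy|rainerscript> <facility> <target> <port> <tcp|udp>
# Prints one rule on stdout; returns 1 (with a message on stderr) on bad input.
rsyslog_forward_rule() {
    style=$1 facility=$2 target=$3 port=$4 proto=$5
    valid_local_facility "$facility" || { echo "bad facility: $facility" >&2; return 1; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    case "$style" in
        legacy)
            # One @ forwards over UDP, two @@ over TCP; a tab separates the
            # selector from the target, as the article requires.
            if [ "$proto" = tcp ]; then prefix='@@'; else prefix='@'; fi
            printf '%s.*\t%s%s:%s\n' "$facility" "$prefix" "$target" "$port"
            ;;
        rainerscript)
            # The leading selector restricts the forward to the chosen
            # facility; an action() with no selector applies to every message.
            printf '%s.* action(type="omfwd" Target="%s" Port="%s" Protocol="%s")\n' \
                "$facility" "$target" "$port" "$proto"
            ;;
        *)
            echo "bad style: $style" >&2; return 1 ;;
    esac
}

# Reads syslog lines on stdin; prints "<pid> <drop_events>" per affected PID,
# sorted by PID. Only the "begins to drop" warning from step 3 is counted.
rate_limit_drops() {
    awk '
        /imuxsock begins to drop messages from pid [0-9]+ due to rate-limiting/ {
            for (i = 1; i <= NF; i++)
                if ($i == "pid") drops[$(i + 1)]++
        }
        END { for (p in drops) print p, drops[p] }
    ' | sort -n
}

# True when the input contains no drop warnings (the state you want after step 3).
no_drops() {
    [ -z "$(rate_limit_drops)" ]
}

# Constructed sample excerpt for the demonstration: the warning format is the
# one quoted in step 3; the PIDs, timestamps and the other lines are made up.
SAMPLE_MESSAGES='Feb 5 13:07:50 plugh WCG[12105]: transaction logged
Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting
Feb 5 13:08:09 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting
Feb 5 13:08:15 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 4410 due to rate-limiting
Feb 5 13:08:20 plugh sshd[9001]: Accepted publickey for admin from 192.168.2.5 port 51022'

# Stand-alone demonstration using the target and port from step 2.
rsyslog_forward_rule rainerscript local5 192.168.2.11 10514 tcp
rsyslog_forward_rule legacy local5 192.168.2.11 10514 tcp
printf '%s\n' "$SAMPLE_MESSAGES" | rate_limit_drops
```

In use, run rate_limit_drops < /var/log/messages once before editing rsyslog.conf to see which PIDs were being throttled, and again after the restart in step 4; if the forwarder is the only high-volume sender, the second run should print nothing. Paste the output of rsyslog_forward_rule into /etc/rsyslog.conf in place of the hand-typed rule so the facility, tab and @/@@ prefix are always consistent.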
