Managing the Syslog-Based Access Log Publishers
The PingDirectory server supports access logging using the syslog protocol that is part of the Berkeley Software Distribution (BSD) operating systems.
Syslog provides a flexible, simple means to generate, store, and transfer log messages that’s supported on most UNIX and Linux operating systems.
The quasi-standard syslog message format cannot exceed 1 KB and has three important parts:
- PRI: Specifies the message priority based on its facility and severity. The message facility is a numeric identifier that specifies the type of log message, such as kernel messages or mail system messages. The severity is a numeric identifier that specifies the severity level of the operation being reported. Together, the facility and the severity determine the priority of the log message, written as a 1-3 digit priority number enclosed in angle brackets. For example, <0>, <13>, and <103> are valid representations of the PRI.
- Timestamp and host name: The timestamp displays the date and time of the log message. The host name or IP address identifies the source of the log message.
- Message: Displays the actual log message.
You can configure syslog to handle log messages using log priorities that are based on the message’s facility and severity. This feature allows users to configure the logging system so that messages with high severities are sent to a centralized repository while lower severity messages are stored locally on a server.
Because the numeric values of the severity and facility are operating system-dependent, the central repository must only include syslog messages from compatible OS types. Otherwise, the meaning of the PRI field is ambiguous.
Before you begin
You must identify the host name and port to which you want to connect.
Because the Syslog Protocol uses user datagram protocol (UDP) packets, you should log to localhost and use additional logging tools, such as syslog-ng, to forward the messages. UDP is an unreliable and insecure means of transferring data packets between hosts.
Logging with syslog
The PingDirectory server can write log messages using the syslog protocol for both access and error logs.
This allows messages to be aggregated at the system level and potentially forwarded to a centralized system. The messages are written to syslog as they are generated, so attackers do not have a chance to alter these log messages.
If you want to use syslog-based logging, configure the server to log to a syslog server running on the local server over the loopback interface. The local syslog server can then forward the messages to a remote server over a secure connection.
Logging over TCP for improved reliability is supported.
UDP-based communication is in the clear, so a network observer can see all of the log messages. You should only use syslog to log to a local syslog server and have it forward messages to a remote server in a secure manner. TLS encryption for TCP-based communication is optionally supported, so you can safely configure the server to log directly to a remote syslog server.
UDP does not provide any feedback about whether messages are successfully delivered, but TCP does provide this feedback. When using TCP-based logging, you can optionally specify information about multiple syslog servers. If the primary syslog server becomes unavailable, the logger can fail over to an alternative syslog server.
Access and error log messages can be written as JSON objects or in the legacy space-delimited text format.
In addition to access and error logging over syslog, loggers that can write JSON-formatted audit and HTTP operation log messages are also provided.
Default access log severity level
All messages are logged at syslog severity level 6, which is Informational: informational messages.
This value is not standard across different types of UNIX or Linux systems. For more information, consult your operating system documentation.
syslog-facility property
When using syslog, specify a facility for the access log messages. As an advanced property, you can select a number that corresponds to the facility you want to use. The default value for the syslog-facility property is 1, for user-level messages.
These values are not standard across different types of UNIX or Linux systems. Consult your particular operating system documentation for properties specific to that system.
Facility | Description
---|---
0 | kernel messages
1 | user-level messages (default)
2 | mail system
3 | system daemons
4 | security/authorization messages
5 | messages generated internally by syslogd
6 | line printer subsystem
7 | network news subsystem
8 | UUCP subsystem
9 | clock daemon
10 | security/authorization messages
11 | FTP daemon
12 | NTP subsystem
13 | log audit
14 | log alert
15 | clock daemon
16 | local use 0
17 | local use 1
18 | local use 2
19 | local use 3
20 | local use 4
21 | local use 5
22 | local use 6
23 | local use 7
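As an added example (not PingDirectory code), the following Python module shows how the PRI described earlier is built and taken apart: PRI = facility * 8 + severity, so the default facility 1 at the server's default severity 6 gives <14>, and the facility names come from the table above. It also splits a BSD syslog line into its three parts and rejects lines that exceed the 1 KB limit or carry a PRI no valid facility/severity pair can produce. The syslog lines used in the checks are constructed samples, not real server output.

```python
import re
from typing import NamedTuple
# Facility codes in the order of the syslog-facility table above (RFC 3164 numbering).
FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem", 8: "UUCP subsystem", 9: "clock daemon",
    10: "security/authorization messages", 11: "FTP daemon", 12: "NTP subsystem",
    13: "log audit", 14: "log alert", 15: "clock daemon",
    **{16 + i: f"local use {i}" for i in range(8)},
}
# Severity codes 0-7; PingDirectory writes its access messages at 6 (informational).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
MAX_MESSAGE_BYTES = 1024  # the 1 KB ceiling of the BSD syslog format
# <PRI>, then "Mmm dd hh:mm:ss", then the host name or IP, then the free-form message.
_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

class SyslogMessage(NamedTuple):
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

    def describe(self) -> str:  # e.g. "user-level messages/notice" for <13>
        return f"{FACILITIES[self.facility]}/{SEVERITIES[self.severity]}"

def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; the default facility 1 at severity 6 gives <14>."""
    if facility not in FACILITIES or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def parse(line: bytes) -> SyslogMessage:  # splits one BSD syslog line, rejecting malformed input
    if len(line) > MAX_MESSAGE_BYTES:
        raise ValueError(f"message is {len(line)} bytes, limit is {MAX_MESSAGE_BYTES}")
    m = _LINE.match(line.decode("ascii"))
    if m is None:
        raise ValueError("not a BSD syslog line")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:  # <191> is the largest PRI a valid facility/severity pair produces
        raise ValueError(f"PRI {pri} is out of range")
    return SyslogMessage(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))

def is_wellformed(line: bytes) -> bool:
    try:
        return parse(line) is not None
    except (ValueError, UnicodeDecodeError):
        return False
```

Feeding a collector's input through is_wellformed before indexing is one way to catch lines whose PRI would be read differently on an incompatible OS, as the note on the PRI field warns.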
queue-size property
The queue-size property determines the maximum number of log records that can be stored in the asynchronous queue.
The default queue size is 10000. The server continuously flushes messages from the queue to the log; it does not wait for the queue to fill up before flushing. Lowering this value impacts performance.
Configuring a Syslog-Based Access Log Publisher
About this task
You can configure a Syslog-based Access Log Publisher using the dsconfig tool. We recommend that you use syslog locally on localhost and use syslog-ng to send the syslog messages to remote syslog servers.
Because syslog implementations differ by vendor, please review your particular vendor’s syslog configuration.
Steps
- Use dsconfig to create a log publisher of type syslog-based-access. If you are using the dsconfig tool in interactive mode, the menu item for Syslog Facility is an advanced property, which can be exposed by typing a (for "show advanced properties") on the Syslog-Based Access Log Publisher menu. Example:

    $ bin/dsconfig create-log-publisher \
        --publisher-name "syslog-access" \
        --type syslog-based-access \
        --set syslog-facility:4 \
        --set enabled:true