It is important to correctly configure Web Gateway when sending access log information to Content Security Reporter over syslog. Without proper configuration, the performance of Web Gateway can be severely affected.
To configure Web Gateway to send access log data to syslog:
- Go to Policy, Rule Sets, Log Handler.
- Expand the appropriate Log Handler and find the logging rule that you want to use to log to syslog. The default Log Handler is named Access.log and the rule in this Log Handler is named Write access.log.
- Select the rule and click Edit.
- On the Events section of the rule, click Add, Event.
- Select Syslog (Number, String) and then click Parameters.
- For the parameter 1. Level (Number), enter the number 6 for the value. This value indicates an "Informational" level message.
- For parameter 2. Message (String), click Use Property and select User-Defined.logLine.
- Click OK, then click OK again. In the Events section of the rule, you now see Syslog (6, User-Defined.logLine).
- Click Finish.
Now that the access log data is being recorded to syslog, modify the rsyslog.conf file for best performance and to send the access log data over syslog:
- Go to Configuration, File Editor.
- Expand the name of the appropriate Appliance and select rsyslog.conf.
- Find the following line:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Add daemon.!=info to the line and put a - in front of /var/log/messages so that the line is:
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
These changes keep the access log entries (daemon.info) out of /var/log/messages so that they are not written to the local disk, and the leading - tells rsyslog not to sync the file after each write; both are needed for best performance.
- To send access log data over syslog to a remote location, add a new line near the bottom of the file to send the info messages to a particular host or IP address.
In the following example, replace 10.10.94.30 with the IP address to which the access log data should be sent; a host name can be used instead of an IP address. A single @ sends the data using UDP over port 514 (UDP is the default protocol and port 514 is the default port in Content Security Reporter):
daemon.info @10.10.94.30
If your log source on Content Security Reporter is configured to use TCP, use two @ symbols to specify TCP instead. Note the addition of :610, which sends over port 610:
daemon.info @@10.10.94.30:610
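The two rsyslog lines above are easy to get subtly wrong (forgetting the daemon.!=info exclusion, for example, sends every access log line to the local disk as well as to Content Security Reporter). The following Python script is an added example for this article, not Web Gateway or rsyslog code: it models the legacy sysklogd-style selector syntax that both lines use (facility.priority filters joined with ;, the none and != modifiers, a leading - for a non-synchronous file write, @ for UDP and @@ for TCP with port 514 as the default), shows where a message with a given facility and severity ends up, and checks a configuration fragment for the edits this article asks for. It assumes, as the daemon.* selectors on this page imply, that the Web Gateway event Syslog(6, User-Defined.logLine) arrives with facility daemon and severity info (6); the configuration fragment and sample messages are constructed for the example.

```python
"""Model rsyslog legacy selectors to see where Web Gateway access-log lines go.

Added example for this article, not Web Gateway or rsyslog code.  It assumes
the Syslog(6, ...) event arrives as facility daemon, severity info (6).
"""
import re

# Severity names in RFC 5424 order: index 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]

# Constructed rsyslog.conf fragment: the two lines this article edits/adds.
RSYSLOG_CONF = """
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
daemon.info @@10.10.94.30:610
"""


def parse_selector(selector):
    """Return {facility: set(severities)} selected by one selector field.

    Each ';'-separated part edits the per-facility severity set built so far:
    'fac.pri' adds pri and everything more severe, 'fac.=pri' adds exactly pri,
    'fac.!pri' / 'fac.!=pri' remove the same severities, 'fac.none' clears fac.
    """
    table = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        fac_spec, pri = part.split(".", 1)
        facs = FACILITIES if fac_spec == "*" else fac_spec.split(",")
        remove = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        if pri in ("none", "*"):
            sevs = set(SEVERITIES)
            remove = remove or pri == "none"
        elif exact:
            sevs = {pri}
        else:
            sevs = set(SEVERITIES[: SEVERITIES.index(pri) + 1])
        for fac in facs:
            table[fac] = table[fac] - sevs if remove else table[fac] | sevs
    return table


def parse_action(action):
    """Decode the action field: '@host[:port]' (UDP), '@@host[:port]' (TCP) or a file."""
    m = re.fullmatch(r"(@@?)([^:\s]+)(?::(\d+))?", action)
    if m:
        return {"type": "forward", "proto": "tcp" if m.group(1) == "@@" else "udp",
                "host": m.group(2), "port": int(m.group(3) or 514)}
    # A leading '-' means rsyslog does not sync the file after every write.
    return {"type": "file", "path": action.lstrip("-"),
            "sync_each_write": not action.startswith("-")}


def parse_conf(text):
    """Parse selector/action lines, skipping comments, blanks and $-directives."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue
        selector, action = line.split(None, 1)
        rules.append((parse_selector(selector), parse_action(action.strip())))
    return rules


def route(rules, facility, severity):
    """Return the actions that fire for a message with this facility/severity."""
    return [action for table, action in rules if severity in table[facility]]


def check_edits(text):
    """Flag deviations from the edits this article asks for."""
    problems = []
    rules = parse_conf(text)
    local = [(t, a) for t, a in rules
             if a["type"] == "file" and a["path"] == "/var/log/messages"]
    if not local:
        problems.append("no /var/log/messages rule found")
    for table, action in local:
        if "info" in table["daemon"]:
            problems.append("/var/log/messages still receives daemon.info (add daemon.!=info)")
        if action["sync_each_write"]:
            problems.append("/var/log/messages is synced on every write (prefix the path with -)")
    if not any(a["type"] == "forward" and "info" in t["daemon"] for t, a in rules):
        problems.append("no rule forwards daemon.info to a remote host")
    return problems


def describe(action):
    if action["type"] == "forward":
        return "forward %s to %s:%d" % (action["proto"], action["host"], action["port"])
    return "write %s%s" % (action["path"], "" if action["sync_each_write"] else " (no sync)")


if __name__ == "__main__":
    rules = parse_conf(RSYSLOG_CONF)
    # Constructed sample messages: a Web Gateway access-log line and system noise.
    for fac, sev in [("daemon", "info"), ("daemon", "warning"), ("kern", "err"), ("mail", "info")]:
        hits = route(rules, fac, sev)
        print("%s.%-7s -> %s" % (fac, sev, "; ".join(describe(a) for a in hits) or "dropped"))
    print("config problems:", check_edits(RSYSLOG_CONF) or "none")
```

Running it shows that a daemon.info access-log line is only forwarded over TCP to 10.10.94.30:610 and never reaches /var/log/messages, whereas other daemon messages of severity notice or higher are both written locally and forwarded, because daemon.info selects info and every more severe priority. Point check_edits at the contents of the appliance's rsyslog.conf to confirm the three required changes are in place.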
To confirm that Web Gateway is sending syslog data, you can use tcpdump. The following command confirms the transmission of syslog data over port 514 (substitute port 610 if you used the TCP example above):
tcpdump -Xnni any port 514