Forwarding Logs to an External System

Syslog Forwarding is a log transport tool that you can use to forward system, command, and event logs to an external monitoring system. You can configure log forwarding per event broker service in the PubSub+ Cloud Console. Syslog Forwarding supports both UDP and TCP protocols, but it is limited to unencrypted communication. Therefore, insecure log traffic must be acceptable for your use case. Syslog Forwarding allows you to:

  • configure and forward system, command, and event logs to an external target server of your choice; for this reason, the host and port of the target server must be reachable from the cloud hosts for the event broker service

  • manage and monitor your event broker service logs using a monitoring system that you maintain and service

  • host the log monitoring system anywhere that permits you to manage and monitor event broker service logs easily

Syslog Forwarding can only be used to forward logs to up to three target servers; it does not generate any alerts or notifications. You must configure an external monitoring system to set up notifications. For example, your external log monitoring system could be hosted in an AWS or Splunk instance, where you can set up the syslog event collection, processing, and alerting. For information about using Syslog Forwarding, see the following sections:

Considerations for Syslog Forwarding

Be aware of the following considerations when using Syslog Forwarding:

  • Your user must be assigned the Administrator or Cluster Manager Editor role for the account.

  • External target servers are required where the event broker service logs are forwarded.

  • You can have up to three target servers to which to forward syslogs.

  • The hostname or IP address, and port of the target server must be reachable from the cloud hosts for the event broker service.

  • Syslog Forwarding is limited to insecure syslog communication protocols; therefore, plain-text log traffic should be acceptable for your use case.

  • After Syslog Forwarding is configured, you can set up the syslog event alerts you want in your external monitoring system. For information about syslog events, see the Event Reference guide. For best practices for monitoring using syslogs, see Monitoring Using Syslog.

  • As a complement to Syslog Forwarding, or as a secure and easier alternative for receiving insights and notifications about your event broker services, consider using PubSub+ Insights. Insights is a monitoring service accessible from PubSub+ Cloud. It provides a single entry point for historical and real-time metrics so that you can better manage your event broker services.

Enabling Syslog Forwarding and Adding Target Servers

To enable Syslog Forwarding, you must add a target server. You can add up to three target servers as required. Complete the following steps to enable Syslog Forwarding or to add additional servers:

  1. In the PubSub+ Cloud Console, select Cluster Manager from the navigation bar, then click the card of the event broker service for which you want to enable Syslog Forwarding or for which you want to add a server.

  2. On the page for your service, select the Manage tab, and click Advanced Options. If Syslog Forwarding hasn't been previously configured, an Inactive status is displayed.

  3. On the Syslog Forwarding tile, click Add to add a target server to forward logs to. If there's an existing Syslog target server specified, simply click Add to add another.

  4. In the Add Syslog Forwarding Destination tile, fill in the following fields:

    • Forwarding Destination Name: The name of the user-configured syslog server destination.

    • Logs to Forward: Selection of log facilities you can forward to the target syslog server:

      • Event: All system, VPN, and client level events generated by the event broker service.

      • System: Important system-level events generated by the event broker service.

      • Command: All commands from the CLI and SEMP that are sent to the event broker service.

    • Host Name/IP Address: The target syslog server's hostname or IP address.

    • Port Number: The target syslog server's port number.

    • Protocol Type: Transport mode used for forwarding the logs to the target syslog server. UDP and TCP are supported. UDP is selected by default.

  5. Click the Activate destination button to complete the configuration.

  6. (Optional) Repeat steps 3 to 5 to add another target server.
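To confirm that an activated destination is actually delivering logs, you can run a small listener on the target server. The following is an added example, not Solace code: port 5514 is an assumed value that must match the destination's Port Number, and because this page does not state which TCP framing is used, the listener accepts both framings described in RFC 6587.

```python
import re
import socketserver
import threading

# Severity names indexed by code (RFC 5424 section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(msg: bytes):
    """Return (facility, severity, text), or None when no valid <PRI> header leads."""
    m = re.match(rb"<(\d{1,3})>", msg)
    if not m or (pri := int(m.group(1))) > 191:
        return None
    return pri >> 3, SEVERITIES[pri & 7], msg[m.end():].decode("utf-8", "replace")

def split_tcp_frames(buf: bytes):
    """Split a TCP stream into messages; return (messages, unconsumed tail)."""
    msgs = []
    while buf:
        m = re.match(rb"(\d{1,5}) ", buf)
        if m:  # octet-counted frame: 'LEN SP MSG'
            end = m.end() + int(m.group(1))
            if len(buf) < end:
                break  # frame incomplete, wait for more bytes
            msgs.append(buf[m.end():end])
            buf = buf[end:]
        else:  # newline-terminated frame
            line, sep, rest = buf.partition(b"\n")
            if not sep:
                break
            msgs.append(line.rstrip(b"\r"))
            buf = rest
    return msgs, buf

class UDPHandler(socketserver.BaseRequestHandler):
    def handle(self):  # for UDP servers, self.request is (datagram, socket)
        print("udp", self.client_address[0], parse_pri(self.request[0].strip()))

class TCPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        buf = b""
        while chunk := self.request.recv(4096):
            msgs, buf = split_tcp_frames(buf + chunk)
            for m in msgs:
                print("tcp", self.client_address[0], parse_pri(m))

if __name__ == "__main__":
    addr = ("0.0.0.0", 5514)  # assumed port; use the destination's Port Number
    udp = socketserver.ThreadingUDPServer(addr, UDPHandler)
    threading.Thread(target=udp.serve_forever, daemon=True).start()
    socketserver.ThreadingTCPServer(addr, TCPHandler).serve_forever()
```

Messages that print as `None` arrived without a valid priority header, which usually points to a framing or protocol mismatch with the configured destination.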

Modifying Syslog Forwarding

To modify a pre-existing target server, complete the following steps:

  1. In the PubSub+ Cloud Console, select Cluster Manager from the navigation bar, then click the card for the service you want to configure.

  2. On the page for your service, select the Manage tab and click Advanced Options.

  3. On the Syslog Forwarding tile, click Edit beside the target syslog server that you want to modify.

  4. On the Edit Syslog Forwarding tile, make the changes you want and then click Update.

Deleting Syslog Forwarding

You can delete a target syslog server. If you delete the last entry, Syslog Forwarding becomes inactive. To delete a pre-existing target server, complete the following steps:

  1. In the PubSub+ Cloud Console, select Cluster Manager from the navigation bar, and then click the card of the service from which you want to remove Syslog Forwarding.

  2. On the page for your service, select the Manage tab and click Advanced Options.

  3. On the Syslog Forwarding tile, click Delete beside the target syslog server to delete.

  4. In the Deactivate Syslog Forwarding dialog, click Deactivate to delete the target syslog server.