Forwarding Logs to an External System

Syslog forwarding enables you to forward system, command, and event logs to an external monitoring system. You configure syslog forwarding per event broker service in Cluster Manager. Syslog forwarding supports UDP, TCP, and TLS protocols but does not support HTTP proxies. TLS is the recommended protocol for encrypted communication. UDP and TCP do not provide encryption and should be used only when insecure log traffic is acceptable for your use case. Syslog forwarding allows you to:

  • configure and forward system, command, and event logs to an external target server of your choice. The host and port of the target server must be reachable from the cloud hosts for the event broker service.

  • manage and monitor your event broker service logs using a monitoring system that you maintain and service.

  • host the log monitoring system anywhere that permits you to manage and monitor event broker service logs.

Syslog forwarding can forward logs to a maximum of three target servers. You must configure an external monitoring system to set up notifications; Mission Control does not generate alerts or notifications. For example, you could host your external log monitoring on an AWS or Splunk instance, where you can set up the syslog event collection, processing, and alerting. For information about using syslog forwarding, see the following sections.

Considerations for Using Syslog Forwarding

You should be aware of the following considerations when using syslog forwarding:

  • You must have Administrator or Mission Control Manager access for the account.

  • You require external target servers to forward the event broker service logs to.

  • You can forward the event broker service logs to up to three target servers.

  • The hostname or IP address and port of the target server must be reachable from the cloud hosts for the event broker service.

  • If you use TLS as the protocol for forwarding logs, you must verify that the port you select and the target syslog server both support TLS, and you must add any required server certificates to PubSub+ Cloud as a domain certificate authority (CA). For more information, see Adding Domain CA Certificates.

  • Syslog forwarding does not support HTTP proxies.

  • After you configure syslog forwarding, you can set up the syslog event alerts you want in your external monitoring system. For information about syslog events, see the Event Reference guide. For best practices for monitoring using syslogs, see Monitoring Using Syslog.

  • As a complement to syslog forwarding or as an alternative for a secure and easier way to receive insights and notifications about your event broker services, consider using PubSub+ Insights. Insights is a monitoring service accessible from PubSub+ Cloud. Insights provides a single entry point to see historical and real-time metrics to allow you to better monitor and manage your event broker services.
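
One way to perform the TLS verification called for in the considerations above before you add a TLS destination, shown as an added example that is not part of the PubSub+ Cloud documentation: the Python function below connects to the target, attempts a TLS handshake, and validates the server certificate against the CA file you intend to upload as a domain CA. The function name and result keys are assumptions made for this example. It runs from your own workstation, so it confirms TLS support and certificate trust, not reachability from the cloud hosts.

```python
import socket
import ssl


def check_tls_target(host, port, ca_file=None, timeout=5.0):
    """Pre-flight check for a syslog target that will use the TLS protocol.

    Returns a dict with:
      reachable - the TCP connection to host:port succeeded
      tls_ok    - the TLS handshake and certificate verification succeeded
      detail    - negotiated TLS version, or the reason for the failure
    """
    result = {"reachable": False, "tls_ok": False, "detail": ""}

    # Verify against the same CA file you plan to upload as a domain CA.
    # With ca_file=None the system trust store is used instead.
    ctx = ssl.create_default_context(cafile=ca_file)

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"connect failed: {exc}"
        return result
    result["reachable"] = True

    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result["tls_ok"] = True
            result["detail"] = (
                f"{tls.version()}, certificate expires {cert.get('notAfter')}"
            )
    except ssl.SSLCertVerificationError as exc:
        # The port speaks TLS, but the chain or host name does not validate
        # against the supplied CA.
        result["detail"] = f"certificate not trusted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Typical when the port accepts plain TCP syslog rather than TLS.
        result["detail"] = f"TLS handshake failed: {exc}"
    finally:
        raw.close()
    return result
```

Call it with the same values you plan to enter for Host Name/IP Address and Port Number, plus the path to the CA file. A result with reachable set and tls_ok unset means the port answers but cannot be used with the TLS protocol type as configured.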

Enabling Syslog Forwarding and Adding Target Servers

To enable syslog forwarding you add a target server that the logs are forwarded to. You can add up to three target servers. To enable syslog forwarding or specify additional target servers, perform these steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the PubSub+ Cloud Console.
  2. On the navigation bar, select Cluster Manager.
  3. Select the event broker service that you want to update. If the event broker service is not listed, make sure you have the right environment selected. For more information, see Selecting and Changing Environments.
  4. Select the Manage tab and then click Advanced Options. The Syslog Forwarding tile shows the status as Inactive if you haven't already configured syslog forwarding.

  5. On the Syslog Forwarding tile, click Add to specify a target server to forward the logs to.
  6. In the Add Syslog Forwarding Destination dialog, set the appropriate options:

    • Forwarding Destination Name: The name of the target syslog server.

    • Logs to Forward: Select the logs to forward to the target syslog server:

      • Event: all system, VPN, and client level events generated by the event broker service

      • System: important system-level events generated by the event broker service

      • Command: all commands from the CLI and SEMP sent to the event broker service

    • Host Name/IP Address: The target syslog server's hostname or IP address.

    • Port Number: The target syslog server's port number. If you select TLS as transport protocol, the port must support TLS encryption.

    • Protocol Type: The transport mode used for forwarding the logs to the target syslog server. Syslog forwarding supports UDP, TCP, and TLS. UDP is the default.

  7. Click Activate destination to complete the configuration.
  8. (Optional) Repeat steps 5 and 6 to add another target server.

Modifying Syslog Forwarding

To modify an existing target server, perform the following steps:

  1. On the page for your event broker service, select the Manage tab and click Advanced Options.
  2. On the Syslog Forwarding tile, click Edit next to the target syslog server that you want to modify.

  3. Update the target server as required and click Update.

Disabling Syslog Forwarding

You can remove a target syslog server. If you remove all target servers, syslog forwarding becomes inactive. To remove a target server, perform these steps:

  1. On the page for your event broker service, select the Manage tab and click Advanced Options.
  2. On the Syslog Forwarding tile, click Delete next to the target syslog server that you want to remove.

  3. Click Deactivate to remove the target syslog server.