Forwarding Logs to an External System

Syslog Forwarding is a log transport tool that you can use to forward system, command, and event logs to an external monitoring system. You can configure log forwarding per event broker service in the PubSub+ Cloud Console. Syslog Forwarding supports UDP, TCP, and TLS protocols, but uses unencrypted communication, and does not support HTTP proxies. Therefore, insecure log traffic must be acceptable for your use case. Syslog Forwarding allows you to:

  • configure and forward system, command, and event logs to an external target server of your choice; for this reason, the host and port of the target server must be reachable from the cloud hosts for the event broker service

  • manage and monitor your event broker service logs using a monitoring system that you maintain and service

  • host the log monitoring system anywhere that permits you to manage and monitor event broker service logs easily

Syslog Forwarding can only forward logs to a maximum of three target servers—it does not generate any alerts or notifications. You must configure an external monitoring system to set up notifications. For example, you could host your external log monitoring on an AWS or Splunk instance, where you can set up the syslog event collection, processing, and alerting. For information about using Syslog Forwarding, see the following sections:

Considerations for Syslog Forwarding

Be aware of the following considerations when using Syslog Forwarding:

  • You must have Administrator or Mission Control Manager access for the account.

  • You require external target servers to forward the event broker service logs to.

  • You can have up to three target servers to which to forward syslogs.

  • The hostname or IP address, and port of the target server must be reachable from the cloud hosts for the event broker service.

  • Syslog Forwarding does not support HTTP proxies.

  • After you configure Syslog Forwarding, you can set up the syslog event alerts you want in your external monitoring system. For information about syslog events, see the Event Reference guide. For best practices for monitoring using syslogs, see Monitoring Using Syslog.

  • As a complement to Syslog Forwarding or even as an alternative for a secure and easier way to receive insights and notifications about your event broker services, consider using PubSub+ Insights. Insights is a monitoring service accessible from the PubSub+ Cloud. Insights provides a single entry point to see historical and real-time metrics for monitoring to allow you to better manage your event broker services.

Enabling Syslog Forwarding and Adding Target Servers

To enable Syslog Forwarding, you must add a target server. You can add up to three target servers as required. Complete the following steps to enable Syslog Forwarding or to add additional servers:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager on the navigation bar.
  3. Select the event broker service for which you want to enable Syslog Forwarding, or that you want to add a server to.
  4. On the page for your service, select the Manage tab, and click Advanced Options. The Syslog Forwarding tile shows the status as Inactive if you haven't previously configured Syslog Forwarding.

  5. On the Syslog Forwarding tile, click Add to add a target server to forward the logs to. If there's an existing Syslog target server specified, click Add to add another.

  6. In the Add Syslog Forwarding Destination tile, fill the following fields:

    • Forwarding Destination Name: The name of the user-configured syslog server destination.

    • Logs to Forward: Selection of log facilities you can forward to the target syslog server:

      • Event: All system, VPN, and client level events generated by the event broker service.

      • System: Important system-level events generated by the event broker service.

      • Command: All commands from the CLI and SEMP that are sent to the event broker service.

    • Host Name/IP Address: The target syslog server's hostname or IP address.

    • Port Number: The target syslog server's port number.

    • Protocol Type: Transport mode used for forwarding the logs to the target syslog server. Syslog forwarding supports UDP, TCP, and TLS, with UDP being the default.

  7. Click Activate destination to complete the configuration.

  8. (Optional) Repeat steps 3 to 5 to add another target server.
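
Before activating a destination, it helps to confirm that the collector on the target server splits and parses incoming messages correctly. The following is an added example, not part of the PubSub+ documentation: it assumes TCP transport and handles both RFC 6587 framings, because this page does not state which one the broker uses. The sample messages and the function names are constructed for illustration.

```python
import re
import socket
import threading

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def split_frames(buf):
    """Split a complete TCP byte stream into syslog messages (RFC 6587)."""
    frames = []
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if m:  # octet counting: "LEN SP MSG"
            end = m.end() + int(m.group(1))
            frames.append(buf[m.end():end])
            buf = buf[end:]
        else:  # non-transparent framing: LF terminates the message
            line, _, buf = buf.partition(b"\n")
            if line:
                frames.append(line)
    return frames

def parse_pri(frame):
    """Return (facility, severity_name, remainder) from the <PRI> header."""
    m = re.match(rb"<(\d{1,3})>", frame)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity
        raise ValueError("not a syslog frame: %r" % frame[:20])
    pri = int(m.group(1))
    return pri >> 3, SEVERITIES[pri & 7], frame[m.end():].decode("utf-8", "replace")

def receive_all(listener):
    """Accept one connection, read until the sender closes, parse each frame."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as stream:
        data = stream.read()
    return [parse_pri(f) for f in split_frames(data)]

def loopback_check():
    """Send two constructed messages (one per framing) to a loopback listener."""
    result = []
    with socket.create_server(("127.0.0.1", 0)) as listener:  # ephemeral port
        t = threading.Thread(target=lambda: result.extend(receive_all(listener)))
        t.start()
        with socket.create_connection(listener.getsockname()) as s:
            s.sendall(b"<158>Jan  1 00:00:00 broker-host sample one\n"
                      b"24 <142>sample two, counted")
        t.join(5)
    return result

if __name__ == "__main__":
    print(loopback_check())
```

To test a real collector, bind `receive_all` to the address and port you plan to enter in the Host Name/IP Address and Port Number fields instead of the loopback listener.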

Modifying Syslog Forwarding

To modify a pre-existing target server, complete the following steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager on the navigation bar.
  3. Select the event broker service you want to configure.
  4. On the page for your service, select the Manage tab and click Advanced Options.

  5. On the Syslog Forwarding tile, click Edit beside the target syslog server that you want to modify.

  6. On the Edit Syslog Forwarding tile, make the changes you want and then click Update.

Deleting Syslog Forwarding

You can delete a target syslog server. If you delete the last entry, Syslog Forwarding becomes inactive. To delete a pre-existing target server, complete the following steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager on the navigation bar.
  3. Select the event broker service from which you want to remove Syslog Forwarding.
  4. On the page for your service, select the Manage tab and click Advanced Options.

  5. On the Syslog Forwarding tile, click Delete beside the target syslog server to delete.

  6. In the Deactivate Syslog Forwarding dialog, click Deactivate to delete the target syslog server.