3/3/16, 12:41 PM

How to write Access Logs to a SYSLOG server

<< Back to Knowledge Search

Solution
Overview
How do I write Access Log entries to a SYSLOG server?

Cause

Resolution
It is possible to configure the ProxySG so that events that are written to an Access Log are additionally sent to a SYSLOG server. This can be useful as the SYSLOG server
will be able to display the log entries in real-time (see also 000009021).

Note that this will only work if the SYSLOG server supports receiving events via TCP (UDP will not work).

1. Define an Access Log file configured to your requirements (called MyLog here).

2. For this Access Log, configure the Upload Client as type Custom Client and Save the log file as: a 'text file'.

3. (Optional) To reduce the transmission time for log uploads, in the 'Send partial buffer after' field, enter a value as low as 5.

4. Point the Custom Client to your SYSLOG server, specifying its appropriate TCP port number.

https://bluecoat.my.salesforce.com/kA35000000004Uu?srPos=0&srKp=ka3&lang=en_US# Page 1 of 4
 3/3/16, 12:41 PM

5. For the logs upload schedule, specify to upload continuously.

6. Next, load Visual Policy Manager. In a Web Access Layer, set the Action to 'Modify Access Logging'.

https://bluecoat.my.salesforce.com/kA35000000004Uu?srPos=0&srKp=ka3&lang=en_US# Page 2 of 4
 3/3/16, 12:41 PM

7. In the Access Logging object, enable logging to your new access log.

Workaround

Additional
Information Whilst it is possible to transfer access-logs using syslog tcp port and custom client, it is not something we would recommend. FTP continuous is a much
better option than syslog for reliability, and the time delay is only an issue when there is very little traffic going through the box. In more detail, there is a buffer
that fills with log entries and is flushed when it is full or a timeout happens.

Note: When a box is busy the full-flush will be happening many times per second.

When we say to configure FTP continuous we mean you should set the access-log to use ftp client and then set the upload type to continuous. You will also
need to modify the wait between connection attempts from 60 to 5 seconds. To accomplish this type in the following commands from cli:

en
conf t
access-log
edit log <name of log file>
connect-wait-time 5

You could change the "rotate the log file to something smaller but do not set it smaller than "hourly 0 3" (three minutes).

To set the "rotate the log file" setting to 1 hour type the following cli commands:

en
conf t
access-log
edit log <name of log file>

https://bluecoat.my.salesforce.com/kA35000000004Uu?srPos=0&srKp=ka3&lang=en_US# Page 3 of 4
 3/3/16, 12:41 PM

continuous rotate-remote hourly 1 0)

Partner
Information

Internal
Notes

Bug
Number

InQuira Doc KB4294

Id

Attachment

Article Feedback

Rate This Article (Average Rating: No Rating) Version 2 Hide Properties

First 10/1/2014 5:58 AM Article Audience Article Number 000011524

Published Summary How do I write Access Log entries to a SYSLOG server?
Product ProxySG
Last Modified 12/10/2015 4:26 AM
Topic Access Logging, Log
Last Published 12/10/2015 4:26 AM
Processing
Channels
Internal
App, Customer, Partner, Public
Knowledge Base

Was this helpful? Yes No

Comments:

Submit Feedback

https://bluecoat.my.salesforce.com/kA35000000004Uu?srPos=0&srKp=ka3&lang=en_US# Page 4 of 4