How to Audit to a Remote Syslog

The API Gateway is designed to send audits to the internal database by default. For improved performance, you can redirect auditing activity to a centralized syslog server and stop writing to the local database. This change reduces the amount of disk usage and replication traffic. It also provides centralized viewing capability for your Operations team.
It is not currently possible to write to remote syslogs with milliseconds in the time stamp.
Prerequisite:
This topic assumes familiarity with syslogs and audit sinks.
Auditing to Syslog
Workflow:
Step 1: Disable Auditing to the Local Database
  1. Click Manage Audit Sink.
  2. Clear the Save audit records to Gateway database check box.
  3. Select the Output audit records via audit sink policy check box.
  4. Click Configure. The Configure External Audit Store Wizard is displayed.
Step 2: Create a Custom Audit Sink Policy
  1. In Step 1 of the Configure External Audit Store Wizard, select Create Custom Audit Sink and Lookup Policy.
  2. Click Finish. This creates an Internal Audit Sink Policy in the services palette of the Policy Manager.
Step 3: Edit the Audit Sink Policy
  1. Double-click Internal Audit Sink Policy to load it into the policy window.
  2. Disable all the assertions in the template policy. Disabled assertions have a red 'X' over their icons.
  3. Add a Continue Processing assertion at the end. Your policy window should look like the following:
     [Image: Disabled assertions in Audit Sink Policy]
  4. Click Save and Activate in the policy tool bar. This activates the policy. Audits are no longer written to the local database.
Step 4: Create a New Log Sink
In this final step, you create a new log sink to route audit and logging traffic to a centralized syslog server.
  1. Click Create. The Log Sink Properties are displayed.
  2. In the [Base Settings] tab, enter the following:
     • Name: Enter a name, with no spaces (for example, "Operations").
     • Enabled: Select this check box.
     • Type: Select Syslog.
  3. Click Add.
  4. Configure the Add Filters dialog as follows:
     • Filter Type: Category
     • Filter Details: Select Audits and Gateway Log (hold down the Ctrl key to select both).
  5. Click Add to close the dialog.
  6. In the [Syslog Settings] tab, do the following:
     1. Click Add and enter the Syslog host and port. For example:
        [Image: Syslog host and port]
        The default port for syslog is 514. This should work in most instances, but check with your Infrastructure or Operations team if unsure.
     2. Complete the Format, Character Set, and Timezone settings as appropriate. For more information, see "Configuring the [Syslog Settings] tab" in Log Sink Properties.
     3. If you have SSL enabled (Protocol=SSL), select the Use Client Authentication check box as necessary and then select the Keystore.
Your Gateway is now configured to audit to an external syslog only.
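A quick way to confirm on the syslog host that audit and Gateway Log records are actually arriving after Step 4 is to parse a sample of the received lines. The script below is an added example, not part of this topic or of the Gateway product; it assumes the log sink's Format setting produces BSD/RFC 3164-style lines (PRI, timestamp, host, tag, message), and the sample lines are constructed, not captured from a real Gateway. It also reflects the caveat above: the parsed timestamp has second precision only.

```python
import re
from datetime import datetime

# Constructed sample lines in BSD/RFC 3164 layout (not captured from a real Gateway).
SAMPLE_LINES = [
    "<134>Mar  5 14:02:11 gateway01 SSG: Audit: service policy completed",
    "<131>Mar  5 14:02:12 gateway01 SSG: Error: backend connection refused",
    "garbage line without a PRI header",
]

# PRI = facility * 8 + severity, followed by "Mmm dd hh:mm:ss host tag: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog_line(line, year=2024):
    """Return the decoded header fields, or None when the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7: anything above is malformed
        return None
    # RFC 3164 timestamps carry no year and no sub-second part; the year is assumed.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": ts,  # second precision only, as the Gateway cannot emit milliseconds
        "host": m.group("host"),
        "tag": m.group("tag"),
        "message": m.group("msg"),
    }


def summarize(lines, year=2024):
    """Count parsed lines per severity and collect the lines that did not parse."""
    counts, rejected = {}, []
    for line in lines:
        rec = parse_syslog_line(line, year)
        if rec is None:
            rejected.append(line)
            continue
        counts[rec["severity"]] = counts.get(rec["severity"], 0) + 1
    return counts, rejected


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Feed it the lines your syslog server wrote for the new sink; a non-empty rejected list usually means the sink's Format or Character Set setting does not match what the receiver expects.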