Syslog Forwarding

Destination Host

Specifies the hostname (resolved to an IPv4 address only) or the IP address of the remote loghost that will receive the Airlock Gateway messages selected under "Logged Information" below. This is useful for centralized log management and monitoring systems.

By default, the messages are sent to port 514 (6514 when using SSL) of the loghost. An alternative port can be specified with a colon after the IP address or hostname (e.g. 192.168.1.10:10514).

Log Format

Specifies the format of the messages that are sent to the loghost. Valid options are Raw (no processing, so some messages are plain text and others JSON), CEF (for SIEM systems) or JSON.

CEF format is only available for request summaries and blocked requests.

Transport

Specifies the transport used for remote logging. Valid options are UDP (classic syslog), TCP (syslog-ng and other newer syslog implementations) or SSL.

For details on using SSL with client certificates please see the article on Techzone.

Logged Information

Specifies which information should be logged using syslog.

  • System Errors: System related events and system errors are sent to the configured loghosts.
  • Request Summaries: The summary line of each request handled by Airlock Gateway is sent to the loghosts specified above.
  • Blocked Requests: Blocked request information is sent to the configured loghosts.
  • Events: Events related to web requests are sent to the configured loghosts.
  • Specific Messages: Specifies a PCRE regular expression that is applied to the text body of log messages. Headers are not considered. All matching messages are sent to the configured loghosts. The following characters must be escaped with a preceding backslash if they are to be matched as literal characters:
    "()[].*?+^$|\.
    Example:
    \"log_id\":\"WR-SG-(?:BACK-50[02]|REJECT-[0-9]+|SESS-004)\"

A weak filter causes a large number of messages to be forwarded and affects performance. Choose as strict a filter as possible.
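The following added example (not part of the Airlock documentation) applies the "Specific Messages" filter from above to constructed sample log lines with Python's re module, strips an assumed RFC 3164-style syslog header so only the body is matched, and contrasts the strict filter with a weak one to show how many more messages the weak one would forward. The sample messages, the header layout and the escape_literal helper are assumptions for illustration.

```python
import re

# Filter taken from the documentation above (PCRE syntax; Python's re module
# accepts this subset: escaped quotes, non-capturing group, class, quantifier).
STRICT_FILTER = r'\"log_id\":\"WR-SG-(?:BACK-50[02]|REJECT-[0-9]+|SESS-004)\"'

# A deliberately weak filter: it matches every Airlock log_id, so everything is forwarded.
WEAK_FILTER = r'WR-SG-'

# Assumption: each message carries an RFC 3164-style header "<PRI>Mmm dd hh:mm:ss host tag: "
# in front of the body. Only the body is matched, mirroring "Headers are not considered".
_HEADER = re.compile(r'^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+: ')

# Characters the documentation lists as needing a backslash to be matched literally.
_SPECIAL = set('"()[].*?+^$|\\')


def body_of(message: str) -> str:
    """Strip the syslog header so the filter is applied to the text body only."""
    return _HEADER.sub('', message, count=1)


def select_for_forwarding(messages, pattern):
    """Return the bodies of all messages whose body matches the given filter."""
    rx = re.compile(pattern)
    return [b for b in (body_of(m) for m in messages) if rx.search(b)]


def escape_literal(text: str) -> str:
    """Escape the listed special characters so that text is matched verbatim."""
    return ''.join('\\' + c if c in _SPECIAL else c for c in text)


# Constructed sample messages (not real Airlock output), one per branch of the filter
# plus two that must not match: an unlisted log_id and a plain-text body without quotes.
SAMPLE_MESSAGES = [
    '<134>Mar 12 10:15:01 gw01 airlock: {"log_id":"WR-SG-BACK-500","msg":"backend error"}',
    '<134>Mar 12 10:15:02 gw01 airlock: {"log_id":"WR-SG-BACK-501","msg":"backend slow"}',
    '<134>Mar 12 10:15:03 gw01 airlock: {"log_id":"WR-SG-BACK-502","msg":"backend down"}',
    '<132>Mar 12 10:15:04 gw01 airlock: {"log_id":"WR-SG-REJECT-117","msg":"request rejected"}',
    '<134>Mar 12 10:15:05 gw01 airlock: {"log_id":"WR-SG-SESS-004","msg":"session issue"}',
    '<134>Mar 12 10:15:06 gw01 airlock: {"log_id":"WR-SG-SUMMARY-001","msg":"request summary"}',
    '<134>Mar 12 10:15:07 gw01 airlock: plain text mentioning WR-SG-SESS-004 without quotes',
]

if __name__ == '__main__':
    for name, pattern in (('strict', STRICT_FILTER), ('weak', WEAK_FILTER)):
        hits = select_for_forwarding(SAMPLE_MESSAGES, pattern)
        print(f'{name} filter forwards {len(hits)} of {len(SAMPLE_MESSAGES)} messages')
```

The strict filter forwards 4 of the 7 sample messages, the weak one all 7, which is the performance effect the note above warns about.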