
Syslog Forwarding

Destination Host

Specifies the hostname or IPv4 address of the remote log host that receives the Airlock Gateway messages selected in the Log Level section (a hostname must resolve to an IPv4 address; IPv6 destinations are not supported). Use this to feed a central log management or monitoring system.

Destination Port

Specifies the destination port on the log host. The default is 514 (the standard syslog port for UDP and TCP); 6514 is the registered port for syslog over TLS and is the usual choice for the SSL transport. Any other port can be specified, provided the log host listens on it.

Log Format

Specifies the format of the messages sent to the log host. Valid options are Raw (no processing: some messages are plain text, others JSON), CEF (Common Event Format, for SIEM systems) or JSON.

CEF format is only available for request summaries and blocked requests.

Transport

Specifies the transport used for remote logging. Valid options are UDP (classic syslog), TCP (syslog-ng and other newer syslog daemons) or SSL (syslog over a TLS-encrypted TCP connection). UDP gives no delivery feedback and no protection of the log data in transit: messages sent to an unreachable log host are lost silently. Where the log host supports it, prefer SSL so that forwarded logs cannot be read or altered on the wire; use TCP at minimum so that a failed connection is at least noticed.

For details on using SSL with client certificates, see Syslog forwarding with SSL.
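The practical difference between the UDP and TCP transports, shown as an added example that is not part of the Airlock Gateway documentation: a loopback sender and collector in Python. The host, ports and log lines are constructed for the demonstration; the collector splits the TCP stream on newlines (the framing syslog-ng and rsyslog use by default, an assumption here), and the SSL transport is not shown because it is the same TCP stream wrapped in TLS.

```python
import socket
import threading

HOST = '127.0.0.1'   # loopback stand-in for the configured Destination Host

# Constructed sample messages (not real Airlock Gateway output) in the classic
# <PRI>TIMESTAMP HOST TAG: BODY form.
MESSAGES = [
    '<134>Jan 12 10:15:01 gw01 airlock: {"log_id":"WR-SG-BACK-502","msg":"backend unavailable"}',
    '<134>Jan 12 10:15:02 gw01 airlock: {"log_id":"WR-SG-REJECT-117","msg":"request blocked"}',
]


def closed_port(kind):
    """Reserve an ephemeral port and release it so that nothing is listening there."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def send_udp(port, messages):
    """UDP: one datagram per message, no framing needed, but no delivery feedback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for m in messages:
            s.sendto(m.encode(), (HOST, port))
    return True  # the kernel accepted the datagrams; nothing says a collector got them


def send_tcp(port, messages):
    """TCP: a byte stream, so messages are newline-framed; connect failures are visible."""
    try:
        with socket.create_connection((HOST, port), timeout=5) as s:
            s.sendall(''.join(m + '\n' for m in messages).encode())
    except OSError:
        return False
    return True


def udp_roundtrip(messages):
    """Run a loopback UDP collector and return the datagrams it received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind((HOST, 0))
        srv.settimeout(5)
        send_udp(srv.getsockname()[1], messages)
        return [srv.recvfrom(65535)[0].decode() for _ in messages]


def tcp_roundtrip(messages):
    """Run a loopback TCP collector that re-splits the byte stream on newlines."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((HOST, 0))
        srv.listen(1)
        srv.settimeout(5)

        def collect():
            conn, _ = srv.accept()
            with conn:
                data = b''
                while chunk := conn.recv(4096):
                    data += chunk
            received.extend(data.decode().splitlines())

        t = threading.Thread(target=collect)
        t.start()
        ok = send_tcp(srv.getsockname()[1], messages)
        t.join(5)
    return ok, received


def delivery_feedback():
    """Send to ports with no listener: UDP reports success anyway, TCP reports failure."""
    return (send_udp(closed_port(socket.SOCK_DGRAM), MESSAGES),
            send_tcp(closed_port(socket.SOCK_STREAM), MESSAGES))


if __name__ == '__main__':
    print('UDP received:', udp_roundtrip(MESSAGES))
    print('TCP received:', tcp_roundtrip(MESSAGES))
    print('(udp_ok, tcp_ok) with nothing listening:', delivery_feedback())
```

`delivery_feedback()` is the point of the exercise: with no collector on the port, the UDP sender still reports success, while the TCP sender gets a connection error. A forwarding setup that uses UDP therefore needs an independent check (for example a heartbeat message the SIEM alerts on when it stops) to notice that logs are being lost.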

Log Level

Specifies which categories of messages are forwarded to the log host via syslog.

  • System Errors: System-related events and system errors are sent to the configured loghosts.
  • Request Summaries: The summary line of each request handled by Airlock Gateway is sent to the loghosts specified above.
  • Blocked Requests: Information about blocked requests is sent to the configured loghosts.
  • Events: Events related to web requests are sent to the configured loghosts.
  • Specific Messages: Specifies a PCRE regular expression that is applied to the text body of each log message; syslog headers are not considered. Every matching message is sent to the configured loghosts. The following characters must be escaped with a preceding backslash to match them literally:
    "()[].*?+^$|\.
    Example:
    \"log_id\":\"WR-SG-(?:BACK-50[02]|REJECT-[0-9]+|SESS-004)\"

A permissive filter causes a large number of messages to be forwarded and affects performance. Make the filter as strict as possible.
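How the Specific Messages filter behaves, as an added example that is not part of the Airlock Gateway documentation: the page's own PCRE example is applied to constructed log lines (header stripped, body matched), a deliberately weak filter is run beside it to show the difference in volume, and a helper escapes a literal string using the character list above. The syslog header layout and the sample lines are assumptions made for the demonstration; Python's `re` module handles this subset of PCRE syntax identically.

```python
import json
import re

# The Specific Messages filter from the page, as a raw string so the backslashes
# reach the regex engine unchanged.
SPECIFIC_MESSAGES_FILTER = r'\"log_id\":\"WR-SG-(?:BACK-50[02]|REJECT-[0-9]+|SESS-004)\"'

# A deliberately loose alternative, to show why the page warns against weak filters.
WEAK_FILTER = r'WR-SG-[A-Z]+'

# Characters the page says must be backslash-escaped to be matched literally.
ESCAPE_CHARS = set('"()[].*?+^$|\\')

# Constructed sample lines (not real Airlock Gateway output): a classic syslog
# header followed by the message body, JSON for most and plain text for the last
# (the Raw format mixes both).
SAMPLE_LOG_LINES = [
    '<134>Jan 12 10:15:01 gw01 airlock: {"log_id":"WR-SG-BACK-502","msg":"backend unavailable"}',
    '<134>Jan 12 10:15:02 gw01 airlock: {"log_id":"WR-SG-REJECT-117","msg":"request blocked"}',
    '<134>Jan 12 10:15:03 gw01 airlock: {"log_id":"WR-SG-SESS-004","msg":"session terminated"}',
    '<134>Jan 12 10:15:04 gw01 airlock: {"log_id":"WR-SG-BACK-503","msg":"gateway timeout"}',
    '<134>Jan 12 10:15:05 gw01 airlock: {"log_id":"WR-SG-SUMMARY-000","msg":"request summary"}',
    '<131>Jan 12 10:15:06 gw01 airlock: disk usage on /var/log at 91%',
]

# Assumed header layout: <PRI>TIMESTAMP HOST TAG: BODY; the body is what the filter sees.
HEADER_RE = re.compile(r'^<\d{1,3}>\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ [^:]+: (?P<body>.*)$')


def message_body(line):
    """Return the text body of a syslog line; the filter is applied only to this part."""
    m = HEADER_RE.match(line)
    return m.group('body') if m else line


def escape_literal(text):
    """Escape a literal string so it can be pasted into the Specific Messages field."""
    return ''.join('\\' + ch if ch in ESCAPE_CHARS else ch for ch in text)


def forwarded_bodies(lines, pattern):
    """Simulate the forwarder: bodies of all lines whose body matches the PCRE filter."""
    rx = re.compile(pattern)
    return [body for body in map(message_body, lines) if rx.search(body)]


def forwarded_log_ids(lines, pattern):
    """log_id values of the forwarded JSON messages (plain-text bodies yield None)."""
    ids = []
    for body in forwarded_bodies(lines, pattern):
        try:
            ids.append(json.loads(body).get('log_id'))
        except ValueError:
            ids.append(None)
    return ids


if __name__ == '__main__':
    print('strict filter forwards:', forwarded_log_ids(SAMPLE_LOG_LINES, SPECIFIC_MESSAGES_FILTER))
    print('weak filter forwards:  ', forwarded_log_ids(SAMPLE_LOG_LINES, WEAK_FILTER))
    print('filter for one log_id: ', escape_literal('"log_id":"WR-SG-BACK-502"'))
```

The strict filter forwards only the three log_ids it names; the weak one forwards every JSON message on the gateway, which on a busy system is the request-summary stream in full. `escape_literal` produces exactly the quoting style of the page's example, so a filter for a single log_id can be generated rather than hand-escaped.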