Export logs to remote logging server
java log4j appenders. Starting from version SSMC 3.7 onwards, exporting application and audit logs is supported from both the application layer and from the appliance using the rsyslog facility, which is available in the appliance.
By default, the rsyslog facility writes logs to the local file system only. The logging follows the standard syslog facility rules to serialize logs under the various /var/log/.* log files.
The remote logging feature in SSMC uses the omfwd module of rsyslog to forward syslog events to the configured remote logging server. This module can stream log events over UDP or over TCP, optionally wrapped in TLS.
To enable log exports in SSMC:
1. Set the various configuration parameters in /ssmc/conf/config_security.sh
2. Execute the config_security.sh script, which applies the values and starts the export service.
3. If you choose to set up secure transport using TLS over TCP, generate the machine certificates as described in https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_machine.html. Secure the certificate PEM files with file permissions no more permissive than 600, with ssmcadmin as the owner.
The following table describes the rsyslog-related properties in security_config.properties, which must be configured before executing the config_security.sh script:
Property | Description | Required? |
ssmc.rsyslog.server.host | IPv4/IPv6 address or FQDN of a single remote logging server. When | Yes |
ssmc.rsyslog.server.port | Port number of the remote logging server. The default port number is 514 for UDP and 6514 for TCP/TLS. | Yes |
ssmc.rsyslog.server.protocol | TCP or UDP | Yes |
ssmc.rsyslog.server.tls-enabled | 1 for enabled; 0 for disabled | Yes, if protocol is TCP; ignored otherwise. |
ssmc.rsyslog.cert.caroot | Path to the CA root certificate that signs the certificates of both connected peers (the SSMC host and the remote logging server). | Yes, if protocol=TCP and TLS enabled=1; ignored otherwise. |
ssmc.rsyslog.cert.clientcert | Path to the SSMC host client certificate generated for the secure remote syslog connection. The certificate must be a valid PEM-encoded X.509 certificate that identifies the client (SSMC). | Yes, if protocol=TCP and TLS enabled=1; ignored otherwise. |
ssmc.rsyslog.cert.clientkey | Path to the SSMC host private key. Must be in valid PEM-encoded X.509 format. | Yes, if protocol=TCP and TLS enabled=1; ignored otherwise. |
ssmc.rsyslog.server.authMode | Specifies the authentication mode with the remote logging server: | Yes, if protocol=TCP and TLS enabled=1; ignored otherwise. |
ssmc.rsyslog.server.permittedPeers | Specifies the value to compare during fingerprint authentication (SHA1 fingerprint) or name authentication (hostname, which must match the CN of the server certificate). For example: | Yes, if protocol=TCP and TLS enabled=1 and authMode is x509/fingerprint or x509/name; ignored otherwise. |
ssmc.rsyslog.server.device | Specifies the network Ethernet device name through which the remote logging server connection is made. ESXi: the device name is ens160 (or ens192 for the second NIC). Hyper-V: the device name is eth0 (or eth1 for the second NIC). | Yes |
ssmc.rsyslog.queue.maxdiskspace | Specifies the buffer queue file size on disk in GB. Valid values are 1 through 50, both inclusive. Hewlett Packard Enterprise recommends setting the value to 10 GB, which retains at least a week's worth of logs during a temporary outage of the remote logging server. | Yes |
ssmc.rsyslog.smtp.alert | Set to true to be notified whenever the remote logging server connection goes down; otherwise, set to false. | Yes |
ssmc.rsyslog.smtp.server | IPv4/IPv6 address of the SMTP server. When | Yes, if alert property is set to true. |
ssmc.rsyslog.smtp.port | Port number of the SMTP server. | Yes, if alert property is set to true. |
ssmc.rsyslog.smtp.recipient | Comma-separated list of email addresses to which the alert notification is sent. For example: ssmc.rsyslog.smtp.recipient="ca@domain.com","isso@domain.com" | Yes, if alert property is set to true. |
ssmc.rsyslog.smtp.notify-interval | Time in seconds between alerts while the outage persists. | Yes, if alert property is set to true. |
ssmc.rsyslog.smtp.mailFrom | From email address to use for the alert notifications. | Yes, if alert property is set to true. |
Enable or disable export of SSMC logs
To complete the configuration and enable exporting of SSMC logs, execute the following command:
sudo /ssmc/bin/config_security.sh -o remote_syslog_appliance -a set -f
To stop and disable log exports anytime, execute the following command:
sudo /ssmc/bin/config_security.sh -o remote_syslog_appliance -a reset -f
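As an added illustration, not SSMC's own config_security.sh code, the following Python reads a constructed fragment of the ssmc.rsyslog.* properties from the table above, enforces the TLS-conditional "Required?" rules, and renders the rsyslog omfwd action they describe. The mapping of each property onto rsyslog parameter names (StreamDriver, StreamDriverAuthMode, StreamDriverPermittedPeers, queue.maxDiskSpace and the DefaultNetstreamDriver* globals) is an assumption about how such a forwarder would be configured; all paths and host names are constructed.

```python
# Added example, not SSMC's own config_security.sh: map the documented
# ssmc.rsyslog.* properties onto an rsyslog omfwd action (mapping is assumed).
# Constructed sample fragment of security_config.properties, TCP with TLS:
SAMPLE_PROPERTIES = """
ssmc.rsyslog.server.host=logs.example.internal
ssmc.rsyslog.server.port=6514
ssmc.rsyslog.server.protocol=TCP
ssmc.rsyslog.server.tls-enabled=1
ssmc.rsyslog.cert.caroot=/ssmc/conf/certs/ca.pem
ssmc.rsyslog.cert.clientcert=/ssmc/conf/certs/ssmc-cert.pem
ssmc.rsyslog.cert.clientkey=/ssmc/conf/certs/ssmc-key.pem
ssmc.rsyslog.server.authMode=x509/name
ssmc.rsyslog.server.permittedPeers=logs.example.internal
ssmc.rsyslog.queue.maxdiskspace=10
"""

def parse_properties(text):
    props = {}  # key=value lines; quotes around a value are dropped
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip().strip('"')
    return props

def render_omfwd(p):
    """Return [global() line if TLS, action() line]; ValueError on rule breaches."""
    proto = p["ssmc.rsyslog.server.protocol"].lower()
    size = int(p["ssmc.rsyslog.queue.maxdiskspace"])
    if proto not in ("tcp", "udp") or not 1 <= size <= 50:
        raise ValueError("protocol must be TCP/UDP and maxdiskspace 1..50 GB")
    params = [f'target="{p["ssmc.rsyslog.server.host"]}"',
              f'port="{p["ssmc.rsyslog.server.port"]}"', f'protocol="{proto}"',
              'queue.type="LinkedList"', f'queue.maxDiskSpace="{size}g"',
              'queue.filename="ssmc_fwd"', 'action.resumeRetryCount="-1"']
    lines = []
    if proto == "tcp" and p.get("ssmc.rsyslog.server.tls-enabled") == "1":
        g = p.get
        ca, cert, key = (g("ssmc.rsyslog.cert." + k) for k in ("caroot", "clientcert", "clientkey"))
        mode, peers = g("ssmc.rsyslog.server.authMode"), g("ssmc.rsyslog.server.permittedPeers")
        if not (ca and cert and key and mode) or (
                mode in ("x509/name", "x509/fingerprint") and not peers):
            raise ValueError("TLS needs caroot/clientcert/clientkey/authMode, and permittedPeers for x509 modes")
        lines.append(f'global(DefaultNetstreamDriverCAFile="{ca}" '
                     f'DefaultNetstreamDriverCertFile="{cert}" '
                     f'DefaultNetstreamDriverKeyFile="{key}")')
        params += ['StreamDriver="gtls"', 'StreamDriverMode="1"',
                   f'StreamDriverAuthMode="{mode}"',
                   f'StreamDriverPermittedPeers="{peers or ""}"']
    lines.append('action(type="omfwd" ' + " ".join(params) + ")")
    return lines
```

With the TLS properties present the function emits a global() line carrying the three PEM paths and an action() line with the gtls stream driver; with protocol=UDP, or TCP without tls-enabled=1, only the plain action() line is produced.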
Facilities and log levels of exported logs
For all system log files, such as syslog, auth.log, messages, user.log, cron.log, kern.log and mail.log, the standard facilities and details are preserved during export to the remote logging server.
Facility | Log level | Tag | Description |
local5 | debug | HTTP_ACCESS | SSMC HTTP access logs (/opt/hpe/ssmc/ssmcbase/data/logs/HTTP*.log) |
local7 | info | SSMC | SSMC web application transaction logs (/opt/hpe/ssmc/ssmcbase/data/logs/ssmc.log) |
local7 | info | APPLIANCE | SSMC appliance transaction logs (/var/log/appliance.log) |
local6 | info | SYSAUDIT | SSMC appliance session audit logs (/var/log/audit/audit.log) |
local6 | info | SSMCAUDIT | SSMC application auth and audit logs (/opt/hpe/ssmc/ssmcbase/data/logs/audit.log) |
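An added example for the receiving side, not part of the SSMC documentation: it decodes the PRI of each forwarded line and verifies that SSMC tags arrive with the facility and level listed in the table above, which flags a misconfigured forwarder or lines carrying an audit tag on the wrong facility. It assumes RFC 3164 framing and uses the constructed sample lines shown (host name and message bodies are made up).

```python
# Added example, not part of SSMC: on the receiving syslog server, decode the
# PRI of each forwarded line and check that SSMC tags arrive with the facility
# and level listed in the table above. RFC 3164 framing is assumed.
import re

# facility*8 + severity, as encoded in the <PRI> prefix
FACILITY = {"local5": 21, "local6": 22, "local7": 23}
LEVEL = {"debug": 7, "info": 6}
# tag -> (facility, level) from the table above
EXPECTED = {"HTTP_ACCESS": ("local5", "debug"), "SSMC": ("local7", "info"),
            "APPLIANCE": ("local7", "info"), "SYSAUDIT": ("local6", "info"),
            "SSMCAUDIT": ("local6", "info")}
LINE_RE = re.compile(r"^<(\d{1,3})>(\S+ +\d+ \d\d:\d\d:\d\d) (\S+) ([A-Za-z_]+)(?:\[\d+\])?: (.*)$")

def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name)."""
    fac, sev = divmod(int(pri), 8)
    fac_name = {v: k for k, v in FACILITY.items()}.get(fac, f"facility{fac}")
    sev_name = {v: k for k, v in LEVEL.items()}.get(sev, f"severity{sev}")
    return fac_name, sev_name

def check_line(line):
    """Return (tag, status); status is 'ok', 'mismatch', 'unknown' or 'unparsed'."""
    m = LINE_RE.match(line)
    if not m:
        return None, "unparsed"
    pri, _ts, _host, tag, _msg = m.groups()
    fac, sev = decode_pri(pri)
    if tag not in EXPECTED:
        return tag, "unknown"
    return tag, "ok" if EXPECTED[tag] == (fac, sev) else "mismatch"

# Constructed sample lines: an audit event, an HTTP access line, and a line that
# carries the SSMCAUDIT tag but arrives on local7 (PRI 190) instead of local6.
SAMPLE_LINES = [
    "<182>Mar  3 10:15:02 ssmc-appl SSMCAUDIT: user=admin action=login result=success",
    "<175>Mar  3 10:15:03 ssmc-appl HTTP_ACCESS: 10.0.0.5 GET /login 200",
    "<190>Mar  3 10:15:04 ssmc-appl SSMCAUDIT: user=admin action=delete result=success",
]

def summarize(lines):
    """Count lines per status so an analyst can alert on any mismatch."""
    counts = {}
    for line in lines:
        _tag, status = check_line(line)
        counts[status] = counts.get(status, 0) + 1
    return counts
```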