Configure log forwarders

Access Gateway supports log forwarders (for example, Graylog).

Available since Access Gateway version 2020.04.4

Before you begin

You need the following:

  • A syslog server configured to receive syslog events.
  • Connection information for the remote logging consumer. For example:
    Parameter: Example

    Fully qualified IP address or DNS resolvable name of logger: 192.168.1.1, my.graylog.server

    Logger protocol: TCP or UDP

    Logger listen port: 5514

    The port used to communicate between Access Gateway and the logging server must be open.

    Access Gateway validates the logging server connection.

Define a log forwarder receiver

The following example demonstrates how to configure Graylog as a log forwarder receiver. To configure a different type of system to receive forwarded logs, see that system's documentation.

To create a log forwarder in Graylog:

  1. Sign in to the Graylog console as admin.
  2. Select System > Inputs.
  3. Search for Syslog UDP in the Select Input dropdown list.
  4. Click Launch new input.
  5. Select the Global checkbox.
  6. Enter a name for the forwarder in the Title field.

  7. Enter a port number to use for communication between Access Gateway and the logging server in the Port field. To avoid operating system restrictions when configuring syslog input receivers, use port 2048 or above. The port must be accessible from the Access Gateway admin instance.

  8. Click Save.
  9. Return to the Access Gateway Admin UI console.

Add a log forwarder

To add a remote logger:

  1. Go to your Access Gateway instance.
  2. Select Logs and Backups.
  3. Select Log Forwarder.
  4. Click (+) > Syslog remote.
  5. Enter the following:

    Field: Value

    Name: The name of the forwarder.

    Feed: One of:

    • AUDIT
    • ACCESS
    • MONITOR

    See Feed examples for details of each feed.

    Protocol: Select UDP or TCP. This protocol must match that of the log listener.

    Host: The DNS resolvable hostname or IP address of the remote Syslog listener.

    Port: The port of the remote syslog listener.

  6. Click Validate Forwarder. Access Gateway attempts to validate the remote logger connection information. If required, correct any input errors. On successful validation, the Validate Forwarder button changes to Forwarder Validated.
  7. Click Okay.
  8. The log forwarder definition appears in the list of log forwarders. Its initial status is Testing, which changes to Valid when it passes testing.

Test log forwarders

To test log forwarding, you need the following:

  • A configured log receiver. Follow the steps outlined in the Define a log forwarder receiver section.
  • A log forwarder defined in your Access Gateway node. Access loggers are the simplest to test, as they generate events when you sign in to the Access Gateway Admin UI console.
  • The ability to generate one or more events.

To test a log forwarder:

  1. Configure a system logger in your log server.
  2. Configure a log forwarder in Access Gateway, preferably an access logger.
  3. Ensure your system logger is started and ready to receive events.
  4. Sign out and then back into the Access Gateway Admin Console.
  5. Examine the log server. Multiple events should be generated resembling:

Feed examples

Type: Description

AUDIT: Audit log events include log entries representing user authentication.

See Access Gateway audit log for details and examples of audit events.

Sample events:

2020-06-24T10:05:56.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.
2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.

ACCESS: Access log events include log entries representing user authorization and application accesses. For example, a particular user accessed a particular application from a given IP address. See Access Gateway Access log for details and examples of access events.

Sample event:

2020-06-24T09:41:08.000-05:00 example.myaccessgateway.com auth header.myexample.com 10.0.0.110 - - "GET /assets/images/image.png HTTP/2.0" 200 1229 "https://gw-admin.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" "-" 0.029 0.028 .

MONITOR: Monitor log events include log entries representing application configuration (add, delete, modify), certificate configuration, and auth module configuration. See Access Gateway monitor log.

Sample event:

2020-06-25T07:00:02.119-05:00 example.myaccessgateway.com OAG_MONITOR MONITOR DISK_USAGE INFO DISK_USAGE [FILESYSTEM="/dev/mapper/centos-root" MOUNT="/" USAGE="12%"] Mount / is 12% full
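
On the receiving side, the sample events above can be split into fields before they are indexed or alerted on. The following parser is an added example, not Okta or Graylog code: the field names, the positions used for ACCESS events, and the needs_attention rule are assumptions inferred only from the samples on this page, and any syslog header the receiver prepends is assumed to have been stripped already.

```python
import re

# Sample input: three of the events shown on this page, one per line.
SAMPLES = [
    '2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.',
    '2020-06-24T09:41:08.000-05:00 example.myaccessgateway.com auth header.myexample.com 10.0.0.110 - - "GET /assets/images/image.png HTTP/2.0" 200 1229 "https://gw-admin.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" "-" 0.029 0.028 .',
    '2020-06-25T07:00:02.119-05:00 example.myaccessgateway.com OAG_MONITOR MONITOR DISK_USAGE INFO DISK_USAGE [FILESYSTEM="/dev/mapper/centos-root" MOUNT="/" USAGE="12%"] Mount / is 12% full',
]

# AUDIT and MONITOR samples: header tokens, [KEY="value" ...], free-text message.
STRUCTURED = re.compile(r'^(?P<head>[^\[\]"]+) \[(?P<data>[^\]]*)\] (?P<msg>.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')
# ACCESS sample: whitespace-separated tokens, some wrapped in double quotes.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_event(line):
    """Return the fields of one forwarded line, or None if the shape is unknown."""
    line = line.strip()
    m = STRUCTURED.match(line)
    if m:
        head = m.group("head").split()
        if len(head) < 4:
            return None
        return {"format": "structured", "timestamp": head[0], "host": head[1],
                "source": head[2:-2],  # component tokens; their count varies by feed
                "level": head[-2], "event": head[-1],
                "data": dict(PAIR.findall(m.group("data"))),
                "message": m.group("msg")}
    tokens = [bare or quoted for quoted, bare in TOKEN.findall(line)]
    # Positions below are assumptions read off the single ACCESS sample.
    if len(tokens) >= 12 and tokens[8].isdigit():
        return {"format": "access", "timestamp": tokens[0], "host": tokens[1],
                "app": tokens[3], "client_ip": tokens[4], "request": tokens[7],
                "status": int(tokens[8]), "referer": tokens[10],
                "user_agent": tokens[11]}
    return None


def needs_attention(event):
    """Assumed triage rule: a structured event whose RESULT is present and not PASS."""
    return (event["format"] == "structured"
            and event["data"].get("RESULT", "PASS") != "PASS")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_event(sample))
```

Lines that match neither shape return None, so a receiver can count them separately instead of dropping them silently.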