Perform the following steps on Administration Console, Identity Server, and Access Gateway to enable sending audit events to the remote syslog server by using UDP:
Set the remote syslog server's IP address and port. See Setting Up Logging Server and Console Events.
The nam.conf file gets automatically updated with the corresponding configuration.
Edit the Auditlogging.cfg file and set both the SERVERIP and SERVERPORT macros to empty.
For information about how to modify a file, see Modifying Configurations.
Sample Auditlogging.cfg file:
LOGDEST=syslog
FORMAT=JSON
SERVERIP=
SERVERPORT=
Configure UDP.
rsyslog provides various options and macros for the syslog agent (client) to send logs to a remote server by using UDP or TLS over TCP.
To load the required module for rsyslog, edit nam.conf and namMultiTarget.conf and add the following entry:
$ModLoad imudp
For information about how to modify a file, see Modifying Configurations.
In nam.conf and namMultiTarget.conf, add a single @ character before the remote host to send messages over UDP.
A sample nam.conf:
#$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
$ModLoad imudp
local0.* @164.100.150.10:1468;ForwardFormat
Here, audit logs are being forwarded to the remote server 164.100.150.10 on port 1468 over UDP.
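To confirm the result of this procedure on each component, the following added example (not part of the product or its documentation) parses the two files and reports whether SERVERIP and SERVERPORT are empty and which transport each forwarding rule uses. The function names are hypothetical, and the script assumes legacy rsyslog syntax, where a single @ selects UDP, @@ selects TCP, and the port defaults to 514 when omitted.

```python
import re

# Legacy rsyslog forwarding action: selector, "@host" (UDP) or "@@host" (TCP),
# optional ":port" and optional ";TemplateName".
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@{1,2})(?P<host>[^@:;\s]+)"
    r"(?::(?P<port>\d+))?(?:;(?P<template>\S+))?\s*$")

def forwarding_rules(conf_text):
    """Return one dict per active forwarding action in an rsyslog config."""
    rules = []
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#$":   # skip comments and $ directives
            continue
        m = FORWARD_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["transport"] = "udp" if rule.pop("at") == "@" else "tcp"
            rule["port"] = int(rule["port"]) if rule["port"] else 514  # rsyslog default
            rules.append(rule)
    return rules

def audit_cfg_problems(cfg_text):
    """List macros that this procedure says must be empty but are not."""
    cfg = dict(l.strip().split("=", 1) for l in cfg_text.splitlines() if "=" in l)
    return [f"{k} must be empty, found {cfg[k]!r}"
            for k in ("SERVERIP", "SERVERPORT") if cfg.get(k, "").strip()]

# Sample files as shown on this page.
SAMPLE_AUDIT_CFG = "LOGDEST=syslog\nFORMAT=JSON\nSERVERIP=\nSERVERPORT=\n"
SAMPLE_NAM_CONF = r'''#$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
$ModLoad imudp
local0.* @164.100.150.10:1468;ForwardFormat
'''

if __name__ == "__main__":
    print(audit_cfg_problems(SAMPLE_AUDIT_CFG) or "Auditlogging.cfg OK")
    for r in forwarding_rules(SAMPLE_NAM_CONF):
        print(f"{r['selector']} -> {r['host']}:{r['port']} over {r['transport'].upper()}")
```

Run it against the contents of nam.conf and namMultiTarget.conf on each component; a rule reported as TCP means a second @ was left before the remote host.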