Syslog auditing and your cloud

Syslog is a widely used standard for message logging. You can use syslog for system management and security auditing as well as for general informational, analysis, and debugging messages. Devices such as printers and routers, and message receivers across many platforms, rely on the RFC 5424 syslog standard to consolidate logging data from different types of systems in a central repository.

Retrieving audit events with Syslog

To programmatically support the retrieval of audit events from the management node, the API Connect management node emits audit events as syslog messages. This allows a syslog collector to accept the messages and write them to an external datastore for further processing and/or archiving. The implementation supports both UDP and TCP-based transports, and you can protect the audit event data with SSL encryption. Note that audit events continue to be recorded in the analytics engine as well and are available to view on the Notification tab in the API Connect user interfaces.

The message format conforms to the syslog specification detailed in RFC 5424. It contains the following elements:

  • Priority – Value will always be 110 to indicate a facility of 13 (audit) and a severity of 6 (informational).
  • Version – The syslog specification version. Always set to a value of 1.
  • Timestamp – Specifies when the event took place, in ISO 8601 format (as in the example below). The time is accurate to a millisecond and indicates the completion of the activity being logged.
  • Hostname – Hostname or IP address of the management node.
  • App Name – This will always be “ibmapimanagement”.
  • ProcId – Contains the dash character ('-') to indicate a nil value.
  • MsgId – Contains up to 32 characters of the provider or developer organization name for messages that originate from a provider or developer organization, and contains the constant string cmc for messages that originate from the Cloud Manager. Any spaces in the organization name are replaced by the underscore character ("_"). If the origin cannot be determined, the value of the MsgId is the dash character ('-') to indicate a nil value.
  • Structured Data – The structured data field is not used and the value is always the dash character ('-') to indicate a nil value.
  • Message Text – Describes the event that took place and includes information relevant to the event, for example the API name, user name, and so on.
The following example shows a message representing the creation of an API:
<110>1 2017-10-21T10:44:20.529Z apimsampledev.ibm.com ibmapimanagement - macsshack - API myDemoApi version 1.0.0 was created from a Swagger document by username@example.com.
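The following parser is an added example (not IBM's code, and not part of the API Connect product) that splits a message of the shape shown above into its RFC 5424 header fields, derives the facility and severity from the priority, and checks the invariants the field list states (priority 110, version 1, app name "ibmapimanagement", nil ProcId and Structured Data, MsgId of at most 32 characters with no spaces). A collector can run such a check on each line it receives so that messages that do not match the expected shape are noticed rather than silently archived. The sample message is constructed from the documented example; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample, modelled on the message shown in the documentation.
SAMPLE = ('<110>1 2017-10-21T10:44:20.529Z apimsampledev.ibm.com ibmapimanagement '
          '- macsshack - API myDemoApi version 1.0.0 was created from a Swagger '
          'document by username@example.com.')

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# SD is either "-" (nil) or one or more [...] elements; the management node
# always sends "-", but the pattern accepts both so other senders still parse.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)'
    r'(?: (?P<msg>.*))?$'
)


@dataclass
class AuditEvent:
    facility: int
    severity: int
    version: int
    timestamp: datetime
    hostname: str
    appname: str
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: Optional[str]
    message: str


def nil(value: str) -> Optional[str]:
    """Map the RFC 5424 nil value '-' to None, leave anything else as-is."""
    return None if value == '-' else value


def parse_audit_event(line: str) -> AuditEvent:
    """Parse one RFC 5424 line into an AuditEvent; raise ValueError if it does not fit."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message: %r' % line)
    pri = int(m.group('pri'))
    ts = m.group('timestamp')
    # datetime.fromisoformat on Python < 3.11 rejects a trailing 'Z'; normalise it.
    if ts.endswith('Z'):
        ts = ts[:-1] + '+00:00'
    return AuditEvent(
        facility=pri // 8,          # PRI = facility * 8 + severity
        severity=pri % 8,
        version=int(m.group('version')),
        timestamp=datetime.fromisoformat(ts),
        hostname=m.group('hostname'),
        appname=m.group('appname'),
        procid=nil(m.group('procid')),
        msgid=nil(m.group('msgid')),
        structured_data=nil(m.group('sd')),
        message=m.group('msg') or '',
    )


def check_invariants(event: AuditEvent) -> list:
    """Return the ways an event deviates from the documented management-node format.

    An empty list means the message looks like a genuine audit event; anything
    else is worth investigating on the collector side before it is archived."""
    problems = []
    if event.facility != 13 or event.severity != 6:
        problems.append('priority is not 110 (facility 13, severity 6)')
    if event.version != 1:
        problems.append('syslog version is not 1')
    if event.appname != 'ibmapimanagement':
        problems.append('app name is not ibmapimanagement')
    if event.procid is not None:
        problems.append('procid is not nil')
    if event.structured_data is not None:
        problems.append('structured data present')
    if event.msgid is not None and (len(event.msgid) > 32 or ' ' in event.msgid):
        problems.append('msgid longer than 32 chars or contains spaces')
    return problems


if __name__ == '__main__':
    ev = parse_audit_event(SAMPLE)
    print(ev)
    print(check_invariants(ev) or 'OK')
```

The `msgid` field tells you where the event originated: `cmc` for the Cloud Manager, otherwise the provider or developer organization name with spaces replaced by underscores, so a collector can route or index events per organization without parsing the free-text message.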

The syslog configuration is performed on the Settings page of the Cloud Manager. To configure a connection to a syslog collector, select the type of connection (UDP or TCP) and enter the hostname or IP address of the syslog collector. The default ports are 514 for UDP and 601 for TCP; you can specify a different port if your collector listens elsewhere.

Only one syslog collector can be specified per cluster. All management nodes on the cluster connect to the same syslog collector.

The connection to the syslog collector is dynamic. To change the syslog collector, simply change the hostname or IP address of the collector, then save the settings. You can also switch between a UDP transport and a TCP transport dynamically using the same mechanism.

If syslog messages are not being received by the collector after configuration is complete, download the logs for the servers and examine the file /var/log/cmc.out for messages related to the connection state. The file records a successful connection and contains messages for connection failures, so it can be used to confirm that the connection succeeded or to diagnose why it did not.

For details on configuring IBM® API Connect to log Syslog auditing messages, see Syslog configuration.