Configuring platform system log forwarding

An embedded extension included with IBM® Cloud Private Cloud Foundry allows you to configure forwarding of local syslog events in RFC5424 format from your IBM Cloud Private Cloud Foundry platform to a remote syslog endpoint.

The cfp-ext-syslog-forwarder extension enables this functionality, and it supports a number of different configuration options, including secure communications using TLS and mutual-certificate based authentication. If you want to forward syslog events to the built-in ElasticStack in IBM Cloud Private, the ibm-cflogging Helm chart can automatically configure this extension during installation of the chart. See Connecting to Elasticstack in IBM Cloud Private for more information.

To send syslog events to a remote syslog endpoint of your choice, enable the cfp-ext-syslog-forwarder extension. You can enable extensions by using a CLI or user interface. To use the CLI, prepare your configuration file according to Configuration Values. Next, follow the instructions for Running the extension, skipping the registration step since this is an embedded extension included with the product.

If you prefer to use the user interface, the cfp-ext-syslog-forwarder offers guided editing of the configuration values. Select a configuration type of Insecure, Server TLS, or Mutual TLS. The user interface displays the required and optional configuration values for the selected scenario. The user interface provides descriptions, sample values, and validation of the configuration values. For information about extensions, see Managing extensions and Configurations.

Configuration Values

Provide the following required configuration values to configure syslog forwarding.

syslog_address
IP address or domain of the server to receive syslogs
syslog_port
port on which the syslog server is listening

These optional configuration values are also available.

configuration_name Configuration name for UI-assisted entry of the configuration values. Valid values are insecure, server_tls, or mutual_tls.
syslog_transport
Default: tcp
Transport for syslog forwarding. Valid values are tcp, udp, or relp.
syslog_fallback_servers:
A list of fallback servers to use should the main syslog server be unavailable. Each list item has three keys (address, port, and transport) that define the fallback server. This is supported only when transport for primary and fallback servers is specified as tcp or relp.
syslog_custom_rule
Custom rules for rsyslog are written in RainerScript. For example:
if ($msg contains "DEBUG") then stop
syslog_tls_enabled
Default: false
Forwards syslogs over a secure connection (syslog_transport must be tcp when TLS is enabled).
syslog_permitted_peer
Host name of the syslog server to be verified when using TLS (wildcard * permitted).
syslog_ca_cert
Certificate Authority to trust when TLS is enabled, if server certificate is self-signed or signed by a CA that is not available in the default certificate store.
syslog_cert
Client certificate for rsyslog; when both client certificate and client key are provided, mutual TLS is enabled.
syslog_key
Client key (without passphrase) for rsyslog; when both client certificate and client key are provided, mutual TLS is enabled.

Example Configuration

The configuration values must be specified as children of a uiconfig key as in the following example.

uiconfig:
  configuration_name: mutual_tls
  syslog_address: log1.logstash.example.com
  syslog_port: 5000
  syslog_transport: tcp
  syslog_fallback_servers:
    - address: log2.logstash.example.com
      port: 5001
      transport: tcp
    - address: log3.logstash.example.com
      port: 5001
      transport: tcp
  syslog_tls_enabled: true
  syslog_permitted_peer: *.logstash.example.com
  syslog_ca_cert: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  syslog_cert: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  syslog_key: |
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----