Perform the following steps on Administration Console, Identity Server, and Access Gateway to enable sending audit events to the remote syslog server by using UDP:
Set the remote syslog server's IP address and port. See Section 21.1, Setting Up Logging Server and Console Events.
The /etc/rsyslog.d/nam.conf file gets automatically updated with the corresponding configuration.
Edit the /etc/Auditlogging.cfg file and set both the SERVERIP and SERVERPORT macros to empty values.
Sample Auditlogging.cfg file:
LOGDEST=syslog
FORMAT=JSON
SERVERIP=
SERVERPORT=
Configure UDP.
rsyslog provides various options and macros for the syslog agent (client) to send logs to a remote server by using UDP or TLS over TCP.
To load the required module for rsyslog, edit nam.conf and add the following entry:
$ModLoad imudp
In nam.conf, add a single @ character before the remote host to send messages over UDP.
A sample nam.conf:
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
$ModLoad imudp
local0.* @164.100.150.10:1468;ForwardFormat
Here, audit logs are forwarded over UDP to the remote server 164.100.150.10 on port 1468.
Restart the syslog service.
SLES 11 SP4: rcrsyslog restart
SLES 12 SP4: rcsyslog restart OR systemctl restart rsyslog
RHEL 6.9: service rsyslog restart
RHEL 7.6: systemctl restart rsyslog.service
Run the following commands to restart services:
Administration Console: /etc/init.d/novell-ac restart
Access Gateway: /etc/init.d/novell-mag restart
Identity Server: /etc/init.d/novell-idp restart
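The check below is an added example, not part of the product documentation: it confirms that the local0.* action in nam.conf uses a single @ (UDP; rsyslog uses @@ for TCP) and that SERVERIP and SERVERPORT are empty in Auditlogging.cfg. The function names and the sample file contents, including the 192.0.2.10 address, are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the UDP forwarding setup described above.
# Function names are hypothetical; sample file contents are constructed.

# Print the transport of the local0.* forwarding action in an rsyslog config:
# "udp" for a single @, "tcp" for @@, "none" if no forwarding action exists.
forward_transport() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        $1 == "local0.*" {
            if ($2 ~ /^@@/)     { print "tcp"; found = 1; exit }
            else if ($2 ~ /^@/) { print "udp"; found = 1; exit }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Succeed only if SERVERIP and SERVERPORT are both present and empty.
# Entries may be one per line or separated by spaces on a single line.
auditcfg_remote_unset() {
    tr -s ' \t' '\n\n' < "$1" | grep -qx 'SERVERIP=' &&
    tr -s ' \t' '\n\n' < "$1" | grep -qx 'SERVERPORT='
}

# Demo on constructed files shaped like the samples in this procedure.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'LOGDEST=syslog' 'FORMAT=JSON' 'SERVERIP=' 'SERVERPORT=' \
    > "$demo_dir/Auditlogging.cfg"
printf '%s\n' '$ModLoad imudp' 'local0.* @192.0.2.10:1468;ForwardFormat' \
    > "$demo_dir/nam.conf"

echo "nam.conf forwarding transport: $(forward_transport "$demo_dir/nam.conf")"
if auditcfg_remote_unset "$demo_dir/Auditlogging.cfg"; then
    echo "Auditlogging.cfg: SERVERIP and SERVERPORT are empty"
else
    echo "Auditlogging.cfg: SERVERIP or SERVERPORT is still set or missing"
fi
```

On a configured host, call the two functions with /etc/rsyslog.d/nam.conf and /etc/Auditlogging.cfg instead of the demo files.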