KB Article #181601

SERVER LOGS: Redirecting SecureTransport logs to a SysLog server in Log4j2

Problem

This is a continuation of KB71783 for SecureTransport version 5.5-20201218 and above.


In the December 2020 update for ST 5.5, the LOG4J version was updated to LOG4J2, which introduced some syntax changes. As a result, using the previous SyslogAppender class from the LOG4J configuration may produce the following error message when the SecureTransport services start:


ERROR Error processing element SyslogAppender ([Appenders: null]): CLASS_NOT_FOUND


This article explains how to send log records generated by SecureTransport to a Syslog server in LOG4J2.


Resolution

This article assumes that you have the Syslog server up and running.


To find out what is needed from the Syslog server, and for additional information about the LOG4J files and their usage, you may refer to KB71783.


To send log messages to Syslog using LOG4J2, additional changes must be made in the respective log4j2.xml files. Since the SyslogAppender class does not work the same way in LOG4J2 configurations as it did in LOG4J, it can be replaced by SocketAppender, which can use PatternLayout to produce the same format as the SyslogAppender class.


The SocketAppender is an OutputStreamAppender that writes its output to a remote destination specified by a host and a port. The data can be sent over either TCP or UDP and can be sent in any format.


Configuring ST for Syslog in LOG4J2

If you have an existing configuration for Syslog in LOG4J, remove or comment out the SyslogAppender class from the respective log4j files (step 1 in KB71783).


Add the new SocketAppender class that will replace the previous SyslogAppender.


<Socket name="SysLog" host="SyslogHostnameOrIP" port="SyslogPort" protocol="UDP"> 
    <PatternLayout> 
        <pattern>${hostName} java %d{yyyy-MM-dd HH:mm:ss,SSS}{GMT} %p %t %c %M - %m%n</pattern> 
    </PatternLayout> 
</Socket>


Where you replace:


SyslogHostnameOrIP with the host or IP where the Syslog server runs.

SyslogPort with the port on which the Syslog server listens.


This also assumes that the UDP protocol is used for the output. It is also possible to use TCP.


If you had an existing configuration in LOG4J, the existing loggers need to be updated as well. For LOG4J, this was the example logger configuration:


<logger name="com.tumbleweed" additivity="false">
    <level value="info" />
    <appender-ref ref="ServerLog" />
    <appender-ref ref="SysLog" />
</logger>


For LOG4J2, the logger needs a slightly different syntax:


<Logger name="com.tumbleweed" additivity="false" level="info">
    <AppenderRef ref="ServerLog" />
    <AppenderRef ref="SysLog" />
</Logger>


If this is a new LOG4J2 configuration, you need to update each of the existing default ST loggers, which send the records to the "ServerLog" appender, and add the following line:


<AppenderRef ref="SysLog"/>


below the "ServerLog" line inside the logger block. For example, the default logger


<Logger additivity="false" level="INFO" name="com.tumbleweed">
    <AppenderRef ref="ServerLog"/>
</Logger>


should become:


<Logger additivity="false" level="INFO" name="com.tumbleweed">
    <AppenderRef ref="ServerLog"/>
    <AppenderRef ref="SysLog"/>
</Logger>


Restart the ST services.
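
A check that can be run against the edited log4j2.xml before the restart, as an added example that is not part of the original article or of SecureTransport: it flags a leftover SyslogAppender element, a SysLog Socket appender with unreplaced placeholders or no PatternLayout, and any logger that writes to "ServerLog" but not to "SysLog". The function name, the sample host and the second logger name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (host and second logger are made up): one logger updated, one missed.
SAMPLE = """<Configuration>
  <Appenders>
    <Socket name="SysLog" host="syslog.example.internal" port="514" protocol="UDP">
      <PatternLayout>
        <pattern>${hostName} java %d{yyyy-MM-dd HH:mm:ss,SSS}{GMT} %p %t %c %M - %m%n</pattern>
      </PatternLayout>
    </Socket>
  </Appenders>
  <Loggers>
    <Logger additivity="false" level="INFO" name="com.tumbleweed">
      <AppenderRef ref="ServerLog"/>
      <AppenderRef ref="SysLog"/>
    </Logger>
    <Logger additivity="false" level="INFO" name="com.example.missed">
      <AppenderRef ref="ServerLog"/>
    </Logger>
  </Loggers>
</Configuration>"""

def check_syslog_config(xml_text, appender="SysLog"):
    """Return a list of problems found in a log4j2.xml document (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    problems = []
    # A leftover SyslogAppender is what the article ties to the CLASS_NOT_FOUND error.
    for el in root.iter():
        if "SyslogAppender" in el.tag or "SyslogAppender" in el.get("class", ""):
            problems.append("leftover SyslogAppender element: <%s>" % el.tag)
    sockets = [s for s in root.iter("Socket") if s.get("name") == appender]
    if not sockets:
        problems.append("no <Socket name=%r> appender defined" % appender)
    for s in sockets:
        for attr in ("host", "port", "protocol"):
            value = s.get(attr, "")
            if not value or value in ("SyslogHostnameOrIP", "SyslogPort"):
                problems.append("Socket %s not set: %r" % (attr, value))
        if s.find("PatternLayout") is None:
            problems.append("Socket appender has no PatternLayout")
    # Every logger that writes to ServerLog should also reference the syslog appender.
    for lg in root.iter("Logger"):
        refs = {r.get("ref") for r in lg.findall("AppenderRef")}
        if "ServerLog" in refs and appender not in refs:
            problems.append("logger %s does not reference %s" % (lg.get("name"), appender))
    return problems

if __name__ == "__main__":
    print("\n".join(check_syslog_config(SAMPLE)))
```

An empty result means every logger that feeds "ServerLog" will also forward to the Syslog server; element names are matched with the capitalization used in this article.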