Every time an issue or bug is reported on a customer's staging or production environment, the first thing any developer or support engineer asks for is the application log. In Access Gateway (AG), logging is managed through the Advanced Options. According to the AG documentation, the severity of the logs is configured with the option:
LogLevel <loglevel>
Possible loglevel values are emerg, alert, crit, error, warn, notice, info or debug
Most developers favor "debug", but the recommended (and default) level is "warn", for the obvious reason that verbose logging hurts performance. Running AG in debug mode not only grows the log files quickly; on a heavily loaded system it can also slow down response times and lead to request or connection timeouts.
The biggest drawback of changing an AG Advanced Option is that doing so automatically restarts the AG process/services.
This cool solution lets you change the severity of the logs that are actually written on the fly, without restarting AG. A developer can debug an intermittent issue by turning on debug-level output only when it is needed, without restarting the Access Gateway process/services and without the adverse impact of leaving debug logging on all the time. It also helps in the situation where the issue disappears as soon as the services are restarted.
On SLES/RHEL, Access Gateway sends its logs to syslog, and this cool solution uses syslog's filter mechanism: AG is left at debug level permanently, and syslog decides which severities reach the log file. Note that AG still generates every debug message and hands it to syslog; the filter only controls what is written, so the saving is in disk I/O and log volume, not in the work AG does to produce the messages. The steps differ depending on which syslog implementation is in use: Access Gateway on SLES 11 uses syslog-ng, whereas on SLES 12 and RHEL it uses rsyslog.
First and foremost, make sure the AG Advanced Option for logging is set to the following (this is the one change that still restarts AG; from here on only the syslog configuration is touched):
LogLevel debug
For syslog-ng (SLES 11), edit the syslog-ng configuration:
vim /etc/syslog-ng/syslog-ng.conf
Comment out the existing log statement that writes every user-facility message to error_log, and add a second filter that also tests the severity, so that the section reads:
#MAG
filter f_user { facility(user); };
destination agsmessages { file("/var/log/novell-apache2/error_log"); };
#log { source(src); filter(f_user); destination(agsmessages); flags(final); };
#cool-solution-start
filter f_user_defined { level(warn, error, crit, alert, emerg) and facility(user); };
log { source(src); filter(f_user_defined); destination(agsmessages); flags(final); };
#cool-solution-end
filter f_local6 { facility(local6); };
destination httpheaders { file("/var/log/novell-apache2/httpheaders"); };
log { source(src); filter(f_local6); destination(httpheaders); flags(final); };
filter f_local5 { facility(local5); };
destination soapmessages { file("/var/log/novell-apache2/soapmessages"); };
log { source(src); filter(f_local5); destination(soapmessages); flags(final); };
With this filter in place only warn and above reach error_log, which matches the default AG behaviour. To raise or lower the threshold later, edit only the f_user_defined filter line. For example:
notice and above:
filter f_user_defined { level(notice, warn, error, crit, alert, emerg) and facility(user); };
info and above:
filter f_user_defined { level(info, notice, warn, error, crit, alert, emerg) and facility(user); };
everything, including debug:
filter f_user_defined { level(debug, info, notice, warn, error, crit, alert, emerg) and facility(user); };
crit and above only:
filter f_user_defined { level(crit, alert, emerg) and facility(user); };
Then restart syslog. This restarts only the syslog daemon; Access Gateway keeps running:
service syslog restart
Another useful filter blocks redundant messages by string matching. match() takes a regular expression; this variant passes every level but drops any message containing the string 'CFilter':
filter f_user_defined { level(debug, info, notice, warn, error, crit, alert, emerg) and facility(user) and not match('CFilter'); };
For rsyslog (SLES 12 and RHEL), first edit the NAM rule file:
vim /etc/rsyslog.d/nam.conf
Comment out the user.* rule and the "& ~" discard line that follows it, so that AG's user-facility messages are no longer written and then discarded here but fall through to the rule in /etc/rsyslog.conf:
local0.* @@164.99.162.16:1290;ForwardFormat
& ~
#user.* -/var/log/novell-apache2/error_log
#& ~
local6.* -/var/log/novell-apache2/httpheaders
Then edit the main configuration:
vim /etc/rsyslog.conf
Where a plain rule would write every user-facility message to error_log:
if $syslogfacility-text == 'user' then /var/log/novell-apache2/error_log
use a conditional that also tests the numeric severity (4 is warn, so this keeps warn and above):
if (\
($syslogfacility-text == 'user') and \
($syslogseverity <= 4) \
) \
then /var/log/novell-apache2/error_log
rsyslog compares $syslogseverity numerically. The level-to-number mapping is:
Level   Value
emerg   0
alert   1
crit    2
error   3
warn    4
notice  5
info    6
debug   7
So "<= 4" keeps warn and above, "<= 6" adds notice and info, and "<= 7" passes everything including debug.
Restart syslog (again, not Access Gateway). On RHEL the service is named rsyslog, so use service rsyslog restart there:
service syslog restart
Similar to syslog-ng, rsyslog can drop messages by string matching. To drop messages containing the string "a.com:8181/IDPUpdate" while still keeping warn and above:
if (($syslogfacility-text == 'user') and ($syslogseverity <= 4) and not ($msg contains 'a.com:8181/IDPUpdate')) then /var/log/novell-apache2/error_log
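Both procedures above (syslog-ng on SLES 11, rsyslog on SLES 12 and RHEL) come down to rewriting one filter line, checking the syntax and restarting syslog, which is easy to get wrong by hand at 2 a.m. The script below is an added example and is not part of the original cool solution or of Access Gateway. It assumes the #cool-solution-start / #cool-solution-end marker comments from the syslog-ng section are present, that the rsyslog rule is kept on a single line in /etc/rsyslog.conf, that the syntax checkers syslog-ng -s and rsyslogd -N1 are available on the host, and that it runs as root. The function names (severity_num, ng_filter, rsyslog_rule, set_ng_level, set_rsyslog_level, apply_ng, apply_rsyslog) are this example's own.

```shell
#!/bin/bash
# Added example (not from the original cool solution): change the severity
# threshold that syslog writes to /var/log/novell-apache2/error_log without
# touching Access Gateway. AG itself stays at "LogLevel debug"; only the
# syslog filter changes. Assumes the #cool-solution-start/#cool-solution-end
# markers exist in syslog-ng.conf and that the rsyslog rule is one line.
set -u

# Severity names in syslog numeric order: emerg=0 ... debug=7.
LEVELS="emerg alert crit error warn notice info debug"

# Print the numeric severity of a level name; return 1 on an unknown name.
severity_num() {
    local i=0 l
    for l in $LEVELS; do
        [ "$l" = "$1" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# syslog-ng filter passing every level at or above the threshold, in the same
# form the article uses. Optional EXCLUDE drops messages matching that regex.
ng_filter() {   # ng_filter LEVEL [EXCLUDE]
    local n i=0 l list="" extra=""
    n=$(severity_num "$1") || return 1
    for l in $LEVELS; do
        [ "$i" -le "$n" ] && list="$l${list:+, $list}"
        i=$((i + 1))
    done
    [ -n "${2:-}" ] && extra=" and not match('$2')"
    printf 'filter f_user_defined { level(%s) and facility(user)%s; };\n' "$list" "$extra"
}

# rsyslog (RainerScript) equivalent; severity is compared numerically.
rsyslog_rule() {   # rsyslog_rule LEVEL [EXCLUDE]
    local n extra=""
    n=$(severity_num "$1") || return 1
    [ -n "${2:-}" ] && extra=" and not (\$msg contains '$2')"
    printf "if ((\$syslogfacility-text == 'user') and (\$syslogseverity <= %s)%s) then /var/log/novell-apache2/error_log\n" "$n" "$extra"
}

# Rewrite the filter line between the marker comments in a syslog-ng.conf;
# the log {} statement inside the markers is left alone.
set_ng_level() {   # set_ng_level LEVEL CONF [EXCLUDE]
    local line
    line=$(ng_filter "$1" "${3:-}") || return 1
    awk -v new="$line" '
        /^#cool-solution-start/ { print; print new; skip = 1; next }
        /^#cool-solution-end/   { skip = 0 }
        skip && /^filter f_user_defined/ { next }
        { print }' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Replace the single-line "if ... then .../error_log" rule in an rsyslog.conf.
set_rsyslog_level() {   # set_rsyslog_level LEVEL CONF [EXCLUDE]
    local line
    line=$(rsyslog_rule "$1" "${3:-}") || return 1
    awk -v new="$line" '
        /^if .*then \/var\/log\/novell-apache2\/error_log$/ { print new; next }
        { print }' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# SLES 11: back up, edit, syntax-check, then restart syslog only (AG keeps running).
apply_ng() {   # apply_ng LEVEL [EXCLUDE]
    local conf=/etc/syslog-ng/syslog-ng.conf
    cp -p "$conf" "$conf.bak" || return 1
    set_ng_level "$1" "$conf" "${2:-}" || return 1
    syslog-ng -s -f "$conf" || { echo "syntax error, restoring $conf" >&2; cp -p "$conf.bak" "$conf"; return 1; }
    service syslog restart
}

# SLES 12 / RHEL: same with rsyslog (on RHEL the service is named rsyslog).
apply_rsyslog() {   # apply_rsyslog LEVEL [EXCLUDE]
    local conf=/etc/rsyslog.conf
    cp -p "$conf" "$conf.bak" || return 1
    set_rsyslog_level "$1" "$conf" "${2:-}" || return 1
    rsyslogd -N1 -f "$conf" || { echo "syntax error, restoring $conf" >&2; cp -p "$conf.bak" "$conf"; return 1; }
    service syslog restart
}

# Usage:  ./agloglevel.sh ng debug       ./agloglevel.sh rsyslog warn 'a.com:8181/IDPUpdate'
case "${1:-}" in
    ng)      apply_ng "${2:?level}" "${3:-}" ;;
    rsyslog) apply_rsyslog "${2:?level}" "${3:-}" ;;
esac
```

The syntax check before the restart is the part worth keeping even if you throw the rest away: a typo in the filter leaves the syslog daemon unable to start, and AG's messages then go nowhere at all, which is worse than too much logging. The backup lets the script roll the file back in that case instead of leaving you with a dead syslog during an incident.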
Note that matching a string against every message has some performance impact, so reserve it for specific noisy messages rather than using it as a general mechanism. Both syslog-ng and rsyslog offer many more filter options; refer to the official documentation of the one in use for details. And remember to restart the syslog service every time its configuration is changed.