vCloud Director audit to syslog (Log Insight)
In this article, I show how to send audit logs from vCloud Director to a syslog server, in my case Log Insight.
vCloud Director shows audit logs for the last 30 days, but the log data remains in the database for 90 days.
Exporting logs to a syslog server is recommended for multiple reasons:
• Database logs are not retained after 90 days, while logs transmitted through syslog can be retained as long as desired.
• It allows audit logs from all cells to be viewed together in a central location at the same time.
In version 10.4, if you did not set up a syslog destination for logging at initial install time, you can configure it later by going to the Primary cell, editing the $VCLOUD_HOME/etc/global.properties file, and restarting the Primary cell.
SSH to the Primary cell (log in as root).
Run vi $VCLOUD_HOME/etc/global.properties
and add the syslog host IP/FQDN in the audit.syslog.host property.
Remember to drain and shut down all the cells in the cluster and change the failover mode for the database before rebooting.
Save the changes and reboot the cell.
The appropriate port (514/UDP) must also be open from vCloud Director to the syslog server.
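As an added example (not part of the original article or VMware's tooling), the global.properties edit above can be scripted so that the file is backed up first and ends up with exactly one audit.syslog.host entry. The function names and the hostname loginsight.example.com are assumptions made for illustration, and the host check assumes an IPv4 address or FQDN.

```shell
#!/bin/sh
# Added example (not VMware's tooling): set audit.syslog.host in a
# global.properties file, keeping a backup and exactly one entry for the key.

# set_audit_syslog_host FILE HOST
set_audit_syslog_host() {
    file=$1
    host=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Assumption: HOST is an IPv4 address or FQDN; reject anything else so a
    # stray space or shell metacharacter never lands in the config.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid syslog host: $host" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Replace the first existing entry, drop duplicates, append if absent.
    awk -v h="$host" '
        /^[ \t]*audit\.syslog\.host[ \t]*[=:]/ {
            if (!done) { print "audit.syslog.host = " h; done = 1 }
            next
        }
        { print }
        END { if (!done) print "audit.syslog.host = " h }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the original inode so owner and mode are unchanged.
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# get_audit_syslog_host FILE -> prints the configured value (empty if unset)
get_audit_syslog_host() {
    sed -n 's/^[[:space:]]*audit\.syslog\.host[[:space:]]*[=:][[:space:]]*//p' "$1" | tail -n 1
}

# Usage on the Primary cell (hostname is a placeholder):
#   set_audit_syslog_host "$VCLOUD_HOME/etc/global.properties" loginsight.example.com
#   get_audit_syslog_host "$VCLOUD_HOME/etc/global.properties"
```

The previous file is kept as global.properties.bak next to the original, so the change can be reverted before the cell is rebooted.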
I hope this article has been informative. Thank you for reading.