Logging with Syslog
You can send logs to an IBM Log Analysis instance via Syslog. TCP and TCP+TLS are both supported.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
To use a custom port to send logs via UDP, you can open an IBM support ticket. For information about opening an IBM support ticket, or about support levels and ticket severities, see Creating support cases.
To configure syslog, you may need to enable a port to send logs via syslog to your logging instance. If you are using (a) the classic syslog protocol, (b) a custom port in syslog-ng, or (c) a custom port in rsyslog, there is no authentication available and anyone with knowledge of the endpoint can submit logs to your instance. As a result, depending on your environment, your use of the classic syslog protocol or custom port configurations with syslog-ng or rsyslog may present a significant security risk. Use these configurations at your organization's own risk. Validate with your compliance and security teams whether this security risk is acceptable to your organization.
Before you begin
Use a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to: Registration.
Your IBMID must have assigned IAM policies for each of the following resources. For example, to work in the US-south region and in the default resource group, you need the following permissions:
Resource | Scope of the access policy | Role | Region | Information |
---|---|---|---|---|
Resource group Default | Resource group | Viewer | us-south | This policy is required to allow the user to see service instances in the Default resource group. |
IBM Log Analysis service | Resource group | Editor | us-south | This policy is required to allow the user to provision and administer the IBM Log Analysis service in the Default resource group. |
Provision an IBM Log Analysis instance
To provision a service instance of IBM Log Analysis through the IBM Cloud console, see Provisioning an instance.
Provision a syslog port in the logging instance
- You launch the web UI within the context of an IBM Log Analysis instance, from the IBM Cloud UI.
- Provision a port. From the logging web UI, complete the following steps:
  - Open the log sources panel on the logging web UI. Select the Install instructions icon.
  - Select Via Syslog > Syslog.
  - Follow the provided instructions.
  A syslog URL for TCP streams and a URL for UDP streams are provisioned for the instance.
- Configure syslog.conf
  Add the following entry to your /etc/syslog.conf file:
  - For TCP ingestion, add the following line:
    *.* @syslog-a.us-south.logging.cloud.ibm.com:<PORT>
  - For UDP ingestion, add the following line:
    *.* @syslog-u.us-south.logging.cloud.ibm.com:<PORT>
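
Because these endpoints accept logs without authentication, it is worth confirming exactly where a host forwards its logs. The following Python script is an added example, not part of IBM's documentation: it lists every remote-forwarding rule in a syslog.conf and flags unfilled `<PORT>` placeholders and destinations outside an expected domain. The function name, the domain-suffix check and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumption: expected destinations share the suffix of the hostnames shown
# on this page; adjust it for your own instance.
EXPECTED_SUFFIX = ".logging.cloud.ibm.com"

# A remote action: one or two '@', a hostname, and an optional ':port'.
TARGET = re.compile(r"^@{1,2}(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\S+))?$")

# Constructed sample input, not a real configuration.
SAMPLE_CONF = """\
# local rules stay on the host
*.info;mail.none    /var/log/messages
*.* @syslog-a.us-south.logging.cloud.ibm.com:<PORT>
*.* @syslog-u.us-south.logging.cloud.ibm.com:12345
auth.* @collector.example.net:514
"""


def audit_forwarding(conf_text, expected_suffix=EXPECTED_SUFFIX):
    """Return one finding per rule that forwards logs to a remote host."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[1].startswith("@"):
            continue  # file, pipe or user action: nothing leaves the host
        selector, action = parts[0], parts[1].strip()
        host, port, issues = None, None, []
        m = TARGET.match(action)
        if m is None:
            # Never drop a remote rule silently just because it is unusual.
            issues.append("destination could not be parsed")
        else:
            host, port = m.group("host").lower(), m.group("port")
            if port is None:
                issues.append("no port given")
            elif not (port.isascii() and port.isdigit()):
                issues.append(f"port is not numeric: {port}")
            elif not 1 <= int(port) <= 65535:
                issues.append(f"port out of range: {port}")
            if not host.endswith(expected_suffix):
                issues.append("destination outside expected domain")
        findings.append({"line": lineno, "selector": selector,
                         "host": host, "port": port, "issues": issues})
    return findings
```

Call `audit_forwarding(open("/etc/syslog.conf").read())` and review any finding whose `issues` list is not empty.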