Checking Execution Logs

You can see the current console logs of the syslog writer container by using the logs command in a Quickstart terminal:

sudo docker logs -f syslog-writer

All execution logs are saved in cisp_syslog_writer/data/logs/ folder on the host machine.

Re-Running Syslog Writer After Cleanup

If there was a failure during the initial interactive configuration, or if you wish to rerun or configure the Syslog Writer with a fresh account:

  1. Delete the earlier container:

    sudo docker rm -f syslog-writer

  2. Remove the local conf file in the cisp_syslog_writer/data folder:

    sudo rm data/config.ini

  3. Run the container again using the same run command from the cisp_syslog_writer folder:

    sudo docker run --name syslog-writer -it --log-driver json-file --log-opt max-size=10m --net=host -v `pwd`/data:/home/centrify-syslog-writer/data syslogwriter_image

Restarting a Stopped Syslog Writer Container

Use the command below to start the container (the Syslog Writer) again if it has stopped, for example after a Docker daemon or machine restart:

sudo docker start syslog-writer

When the Syslog Writer is restarted, it resumes fetching events from the last event fetch time, which the previous run saved on the host machine (in data/last_event_time.dat).

Stopping Syslog Writer Container

To stop the container/Syslog Writer:

sudo docker stop syslog-writer

Important Parameters in data/config.ini

  • rollback (in hours, default value: 24)

    Applies only when the Syslog Writer is started for the first time. It is the number of hours before the current time (in UTC) from which the Syslog Writer starts fetching events. By default, it fetches the 24 hours (one day) before the current time. If required, you can configure this in config.ini by creating a copy from the config.ini.default file before running the Docker run command.

  • batch_size (in minutes, default value: 10)

    The size of each fetch window, in minutes, used when the time range to cover is large. By default, data is fetched in batches of 10 minutes; for example, the 24-hour range of a first-time run is fetched in 10-minute batches.

  • frequency (in minutes, default value: 5)

    The frequency (in minutes) at which the Syslog Writer job runs. By default, it runs every five minutes. A change to this parameter made at runtime takes effect after the pending job run has been triggered.

  • debug (under APP_LOGGER; disabled by default)

    Enables debug-level logs. If the Syslog Writer misbehaves, set this property to yes (debug = yes) and reproduce the problem. You can then share an archive of the data/logs folder with Centrify support for troubleshooting.
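As an added illustration (not part of the Centrify product or its documentation), the POSIX shell script below reads the four parameters described above out of a config.ini and sanity-checks them before the container is started. The sample config file it writes is constructed here, and the [APP] section name used for rollback, batch_size and frequency is an assumption, since this page only names the APP_LOGGER section. It also computes how many fetch batches a first run will issue for a given rollback and batch_size, which is what makes a large rollback slow to catch up.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): read the syslog writer's
# config.ini parameters and check them before starting the container.
# Section name [APP] is an assumption; the page only names [APP_LOGGER].

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[[:space:]]*[[]/ {                       # section header line
            sub(/^[[:space:]]*[[]/, ""); sub(/][[:space:]]*$/, "")
            in_section = ($0 == section); next
        }
        in_section && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, "")         # strip "key ="
            sub(/[[:space:]]+$/, "")               # strip trailing blanks
            print; exit
        }' "$1"
}

# is_posint VALUE -> 0 if VALUE is a positive integer
is_posint() {
    case "$1" in ''|*[!0-9]*|0) return 1 ;; *) return 0 ;; esac
}

# validate_config FILE -> prints one line per problem, returns 1 if any
validate_config() {
    file="$1"; rc=0
    for key in rollback batch_size frequency; do
        val="$(ini_get "$file" APP "$key")"
        if ! is_posint "$val"; then
            echo "$key: expected a positive integer, got '${val:-<missing>}'"; rc=1
        fi
    done
    debug="$(ini_get "$file" APP_LOGGER debug)"
    case "$debug" in
        ''|yes|no) ;;
        *) echo "debug: expected yes or no, got '$debug'"; rc=1 ;;
    esac
    return $rc
}

# batches_for_rollback ROLLBACK_HOURS BATCH_MINUTES -> number of fetch
# batches the first run will issue (rounded up); 24h / 10min = 144 batches.
batches_for_rollback() {
    echo $(( ($1 * 60 + $2 - 1) / $2 ))
}

# make_sample_config FILE: constructed sample mirroring the defaults above.
make_sample_config() {
    cat > "$1" <<'EOF'
[APP]
rollback = 24
batch_size = 10
frequency = 5

[APP_LOGGER]
debug = no
EOF
}

# Demonstration on the constructed sample.
sample="$(mktemp)"
make_sample_config "$sample"
validate_config "$sample" && echo "config.ini looks sane"
echo "first run will issue $(batches_for_rollback \
    "$(ini_get "$sample" APP rollback)" "$(ini_get "$sample" APP batch_size)") fetch batches"
rm -f "$sample"
```

Point validate_config at the real data/config.ini before running the container; a non-numeric rollback or batch_size is the kind of typo that is otherwise only discovered in the execution logs.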

Important note about data load

For a data load of 50 events per second and a rollback of 24 hours, it will take approximately 6.5 hours to catch up with current events after starting Syslog Writer. To avoid this delay, you might want to consider using a smaller rollback value.

To edit the rollback value:

  1. Remove the data/last_event_time.dat file if it exists.
  2. Edit the data/config.ini file and set rollback=48

    Note:   The default rollback is set to 24.

  3. Run the command:
    sudo docker run --name syslog-writer -it --log-driver json-file --log-opt max-size=10m --net=host -v `pwd`/data:/home/centrify-syslog-writer/data syslogwriter_image
  4. Enter the required inputs:
    1. Tenant URL
    2. SIEM user
    3. Password
  5. Syslog Writer will start and fetch the logs for the last 48 hrs.
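The two procedures on this page that re-run the container (re-running with a fresh account, and re-running with a changed rollback value) can be scripted. The script below is an added example, not Centrify's own tooling; it assumes the container name syslog-writer, the image syslogwriter_image and the data folder layout used on this page, and it removes any existing syslog-writer container first, because docker run --name refuses to start when a container with that name already exists. Setting DOCKER=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): re-run the syslog writer
# container after a cleanup, covering both procedures on this page:
#   fresh        - drop the old container and data/config.ini (reconfigure)
#   rollback N   - drop the old container and data/last_event_time.dat,
#                  set rollback=N in data/config.ini, then start the container
# Run it from the cisp_syslog_writer folder. DOCKER=echo gives a dry run.
set -eu

CONTAINER_NAME="syslog-writer"                 # assumed, as on this page
IMAGE_NAME="syslogwriter_image"                # assumed, as on this page
DATA_DIR="${DATA_DIR:-$(pwd)/data}"
DOCKER="${DOCKER:-sudo docker}"

# set_ini_value FILE KEY VALUE: rewrite "KEY = ..." in place (key assumed present).
set_ini_value() {
    tmp="$1.tmp"
    sed "s/^[[:space:]]*$2[[:space:]]*=.*/$2 = $3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Remove any container with our name so "docker run --name" does not collide.
remove_old_container() {
    $DOCKER rm -f "$CONTAINER_NAME" 2>/dev/null || true
}

# The run command from this page, built as one string so it can be inspected.
run_cmd() {
    printf '%s run --name %s -it --log-driver json-file --log-opt max-size=10m --net=host -v %s:/home/centrify-syslog-writer/data %s' \
        "$DOCKER" "$CONTAINER_NAME" "$DATA_DIR" "$IMAGE_NAME"
}

rerun_fresh() {
    remove_old_container
    rm -f "$DATA_DIR/config.ini"     # interactive setup asks for tenant URL, SIEM user and password again
    eval "$(run_cmd)"
}

rerun_with_rollback() {
    remove_old_container
    rm -f "$DATA_DIR/last_event_time.dat"   # otherwise the saved fetch time wins over rollback
    [ -f "$DATA_DIR/config.ini" ] || cp "$DATA_DIR/config.ini.default" "$DATA_DIR/config.ini"
    set_ini_value "$DATA_DIR/config.ini" rollback "$1"
    eval "$(run_cmd)"
}

main() {
    case "${1:-}" in
        fresh)    rerun_fresh ;;
        rollback) rerun_with_rollback "${2:?usage: $0 rollback HOURS}" ;;
        *)        echo "usage: $0 fresh | rollback HOURS" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with an argument, so the functions stay usable when sourced.
[ "$#" -eq 0 ] || main "$@"
```

Usage: `sh rerun-syslog-writer.sh rollback 48` reproduces the numbered steps above, after which the container prompts for the tenant URL, SIEM user and password; `DOCKER=echo sh rerun-syslog-writer.sh fresh` shows what would be run without touching Docker.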