Syslog
Aggregate and stream your Org's audit log data to Syslog using the web console or the command line (RCTL).
Use the web console to configure your audit logs.
Prerequisites¶
- Customize the Values file (YAML). (See below for creating a values.yaml file).
- Create a namespace in your cluster.
Configure Workload¶
Note: Only one audit log workload is needed for an organization.
- In the web console, select Catalog.
- For Filter by Catalog, select default-rafay.
- Select rafay-syslog, then select Create Workload.
- Enter a name for the workload. Example: rafay-audit-logs.
- Select the namespace.
- Click Continue.
- On the Repository tab, for Values yaml:
  - Create a values.yaml file. (See below for creating a values.yaml file)
  - Click Upload Files.
  - Select the values.yaml file.
  - Click Open.
- Click Save and Go to Placement.
- Update the following for Placements:
  - Select the appropriate Drift Action.
  - Select Specified Clusters for the Placement Policy.
  - Select the cluster from the cluster list.
- Click Save and go to Publish.
- Click Publish.
Use the Command Line Interface (RCTL) to automate reproducible workflows without having to use the web console.
Prerequisites¶
- Download RCTL
- Configure RCTL
- Customize the Values file (YAML). (See below for creating a values.yaml file).
- Create a namespace in your cluster.
Note: Set the correct project using RCTL.
Create a Repository¶
Create a repository.yaml file using the following example. Replace demo with the name of the project you are adding this repository to. Optionally, you can change helm-repo to another name; if you change the name, use that name for repository_ref in the workload.yaml file (see Create a Workload).
apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: helm-repo
  project: demo
spec:
  repositoryType: HelmRepository
  endpoint: https://rafaysystems.github.io/rafay-helm-charts/
  credentialType: CredentialTypeNotSet
Run the create repository command and include the repository.yaml file.
./rctl create repository -f repository.yaml
Create a Workload¶
Create a workload.yaml file using the following example. Replace the names used in clusters, namespace, and project to match your environment where you want to publish the workload.
name: audit-logs
namespace: ns-name
type: Helm
project: demo
clusters: demo-cluster
repository_ref: helm-repo
repo_artifact_meta:
  helm:
    chartName: rafay-syslog
values: ./values.yaml
Run the create workload command and include the workload.yaml file.
./rctl create workload workload.yaml
Publish a Workload¶
Run the publish workload command. Replace workload-name with the name used in the workload.yaml file. Example: audit-logs.
./rctl publish workload workload-name
Values YAML File¶
Create a values.yaml file that contains your Syslog information. Use the example below and change the following:
- rafay_api_key – Your Rafay API key. This is used to authenticate with the Rafay console. (Set in the YAML under config.rafay_api_key)
- rafay_api_secret – Your Rafay API secret. Used along with the API key for authentication. (Set in the YAML under config.rafay_api_secret)
- host – The Syslog server hostname where logs will be sent (e.g., rsyslog or syslog-ng). (Set in the YAML under config.host)
- port – The port on the Syslog server for log ingestion. Default is 514. (Set in the YAML under config.port)
- ssl_verify – Set to True to enable SSL verification for secure connections to the Syslog server; set to False to disable. (Set in the YAML under config.ssl_verify)
- filter – Defines how far back logs should be collected initially. Default is 14d (14 days). (Set in the YAML under config.filter)
- interval – Time interval for sending logs to the Syslog server. Default is 1m. (Set in the YAML under config.interval)
- secret_name – (Optional) Name of an existing Kubernetes secret containing your Rafay API key, secret, and Syslog key. Leave empty to create new secrets. (See the example k8s secret below.)
# Default values for rafay syslog audit log integration.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
config:
  ## Rafay console URL
  url: https://console.rafay.dev
  ## Rafay API Key
  rafay_api_key: RAFAY_API_KEY
  ## Rafay API Secret
  rafay_api_secret: RAFAY_API_SECRET
  ## Send initial logs to syslog based on the following value. Defaults to "14d" (14 days)
  filter: 14d
  ## Time Interval to send logs to syslog
  interval: 1m
  ## syslog Server Host
  host: syslogserver.mycompany.com
  ## syslog Server Port
  port: 514
  ## Set to False for insecure connection
  ssl_verify: True
  ## Existing Secret Name or leave it empty
  secret_name: ""
image:
  repository: registry.rafay-edge.net/rafay-logs/rafay-syslog
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: 0.1
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
rbac:
  create: true
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
deploymentAnnotations: {}
podAnnotations: {}
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
Creating a Syslog API Key¶
- In the console, select Settings > Organization Settings, then click API Keys under Access. Or select Integrations > APIs, then click the "API Keys have moved to the Organization Settings page" link.
- Click New Key. If an API key already exists, click the API key name, then Copy the key.
- Enter a name for the API key (example: Rafay-Logs), then click Create Key.
- Copy the API key and paste it for the syslogkey in the values.yaml file.
Example of k8s secret with API Key, Secret and Syslog API key.¶
apiVersion: v1
kind: Secret
data:
  rafaykey: cmFmYXlrZXkK
  rafaysecret: cmFmYXlzZWNyZXQK
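
The sample values above decode to the placeholder strings plus a trailing newline (what `echo value | base64` produces), and a newline copied into a real credential this way becomes part of the key. The following shell helper is an added example, not part of the original documentation: it renders the Secret with newline-free encoding and rejects the placeholders from the sample values.yaml. The Secret name and namespace are assumptions supplied by the caller, and only the two data keys shown above (`rafaykey`, `rafaysecret`) are rendered.

```shell
#!/bin/sh
# Added example (not from the Rafay docs): render the Secret referenced by
# config.secret_name with newline-free base64 values.
# Assumed names: the metadata.name and namespace passed in by the caller.

# b64 VALUE: base64 of VALUE exactly as given (no trailing newline, no wrapping).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# ends_with_newline B64: succeeds if the decoded value ends in a newline byte,
# which is what `echo value | base64` produces.
ends_with_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# render_secret NAME NAMESPACE API_KEY API_SECRET: print the manifest on stdout.
# Refuses empty values and the placeholders from the sample values.yaml.
render_secret() {
    for v in "$3" "$4"; do
        case "$v" in
            ""|RAFAY_API_KEY|RAFAY_API_SECRET)
                echo "render_secret: empty or placeholder credential" >&2
                return 1 ;;
        esac
    done
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  rafaykey: $(b64 "$3")
  rafaysecret: $(b64 "$4")
EOF
}

# Typical use, reading credentials from the environment rather than a file:
#   render_secret rafay-syslog-secret ns-name "$RAFAY_KEY" "$RAFAY_SECRET" \
#     | kubectl apply -f -
```

After applying the manifest, set `secret_name` in values.yaml to the name you chose so the key and secret no longer need to appear in the values file.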