Skip to content

Syslog

To aggregate and stream your Org's audit log data to Syslog using the web console or the command line (RCTL).

Use the web console to configure your audit logs.

Prerequisites

Configure Workload

Note: Only one audit log workload is needed for an organization.

  1. In the web console, select Catalog.
  2. For Filter by Catalog, select default-rafay. Repositories
  3. Select rafay-syslog, then select Create Workload. Create Workload
  4. Enter a name for the workload. Example: rafay-audit-logs.
  5. Select the namespace. New Repository
  6. Click Continue.
  7. On the Repository tab, for Values yaml:
  8. Click Save and Go to Placement.
  9. Update the following for Placements:
    • Select the appropriate Drift Action.
    • Select Specified Clusters for the Placement Policy.
    • Select the cluster from the cluster list.
    • Click Save and go to Publish.
  10. Click Publish.

Use the Command Line Interface (RCTL) to automate reproducible workflows without having to use the web console.

Prerequisites

Note: Set the correct project using RCTL.

Create a Repository

Create a repository.yaml file using the following example. Replace demo with the name of the project you are adding this repository to. Optionally, you can change helm-repo to another name; if you change the name, use that name for repository_ref in the workload.yaml file (see Create a Workload).

apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: helm-repo
  project: demo
spec:
  repositoryType: HelmRepository
  endpoint: https://rafaysystems.github.io/rafay-helm-charts/
  credentialType: CredentialTypeNotSet

Run the create repository command and include the repository.yaml file.

./rctl create repository -f repository.yaml

Create a Workload

Create a workload.yaml file using the following example. Replace the names used in clusters, namespace, and project to match your environment where you want to publish the workload.

name: audit-logs
namespace: ns-name
type: Helm
project: demo
clusters: demo-cluster
repository_ref: helm-repo
repo_artifact_meta:
  helm:
    chartName: rafay-syslog
values: ./values.yaml

Run the create workload command and include the workload.yaml file.

./rctl create workload workload.yaml

Publish a Workload

Run the publish workload command. Replace workload-name with the name used in the workload.yaml file. Example: audit-logs.

./rctl publish workload workload-name


Values YAML File

Create a values.yaml file that contains your Syslog information. Use the example below and change the following:

Sure! Based on the YAML file you provided, here’s the updated description for each field so it matches the actual values and purpose in the YAML:

  • rafay_api_key – Your Rafay API key. This is used to authenticate with the Rafay console. (Set in the YAML under config.rafay_api_key)
  • rafay_api_secret – Your Rafay API secret. Used along with the API key for authentication. (Set in the YAML under config.rafay_api_secret)
  • host – The Syslog server hostname where logs will be sent (e.g., rsyslog or syslog-ng). (Set in the YAML under config.host)
  • port – The port on the Syslog server for log ingestion. Default is 514. (Set in the YAML under config.port)
  • ssl_verify – Set to True to enable SSL verification for secure connections to the Syslog server; set to False to disable. (Set in the YAML under config.ssl_verify)
  • filter – Defines how far back logs should be collected initially. Default is 14d (14 days). (Set in the YAML under config.filter)
  • interval – Time interval for sending logs to the Syslog server. Default is 1m. (Set in the YAML under config.interval)
  • secret_name - (Optional) Name of an existing Kubernetes secret containing your Rafay API key, secret, and Syslog key. Leave empty to create new secrets. (See below is an example of k8s secret)
# Default values for rafay syslog audit log integration.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

config:
  ## Rafay console URL
  url: https://console.rafay.dev
  ## Rafay API Key
  rafay_api_key: RAFAY_API_KEY
  ## Rafay API Secret
  rafay_api_secret: RAFAY_API_SECRET
  ## Send Initial logs to syslog adog based on following value. Defaults to "14d" days
  filter: 14d
  ## Time Interval to send logs to syslog
  interval: 1m
  ## syslog Server Host
  host: syslogserver.mycompany.com
  ## syslog Server Port
  port: 514
  ## Set to False for insecure connection
  ssl_verify: True
  ## Existning Secret Name or leave it empty
  secret_name: ""
image:
  repository: registry.rafay-edge.net/rafay-logs/rafay-syslog
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: 0.1
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
rbac:
  create: true
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
deploymentAnnotations: {}
podAnnotations: {}
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

Creating a Syslog API Key

  1. In the console, select Settings > Organization Settings, then click API Keys under Access. Or select Integrations > APIs, then click API Keys have moved to the Organization Settings page.
  2. Click New Key. If an API key already exists, click the API key name, then Copy the key.
  3. Enter a name for the API key (example: Rafay-Logs), then click Create Key.
  4. Copy the API key and paste it for the syslogkey in the values.yaml file.

Example of k8s secret with API Key, Secret and Syslog API key.

apiVersion: v1
kind: Secret
data:
  rafaykey: cmFmYXlrZXkK
  rafaysecret: cmFmYXlzZWNyZXQK