Syslog Integration

Horizon can push its events (functional logs) to a syslog instance. The integration is straightforward and can be implemented in two ways:

Directly sending logs to your syslog server

1. Access the EverTrust Horizon server through SSH with an account with administrative privileges;

2. Using an editor like vi, open the horizon-logback.xml file located at /opt/horizon/etc/horizon-logback.xml;

3. Edit the appender named "SYSLOG" and set syslogHost to the IP address of your own syslog server. As an example, if your syslog server is on 192.168.1.2 and the Horizon logs must be processed by the LOCAL6 facility, the syslog appender should look like this:

<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>192.168.1.2</syslogHost>
    <facility>LOCAL6</facility>
    <suffixPattern>%msg%n</suffixPattern>
</appender>

4. Still in the horizon-logback.xml file, update the syslog logger and ensure that the log level is set to "INFO":

<logger name="syslog" level="INFO">
    <appender-ref ref="SYSLOG"/>
</logger>

5. Save your modifications and restart the Horizon service:

$ systemctl restart horizon

The functional logs from Horizon should now be received by your remote syslog server:

horizon {"code": "SERVICE-STOP","details":[{"key":"horizonVersion","value":"2.3.4"},{"key":"message","value":"Service successfully stopped"}],"module":"service","node":"horizon","timestamp":1674054152149,"status":"success"}
horizon {"code": "SERVICE-START","details":[{"key":"horizonVersion","value":"2.3.4"},{"key":"message","value":"Service successfully started"}],"module":"service","node":"horizon","timestamp":1674054170567,"status":"success"}

Using the local syslog server for filtering and forwarding

Alternatively, you might want to use a local syslog instance to add grok filtering to your logs before forwarding them to your own syslog server. To do so, ensure that you have a syslog instance running (like rsyslog), then:

1. Access the EverTrust Horizon server through SSH with an account with administrative privileges;

2. With an editor like vi, edit the /etc/rsyslog.d/horizon.conf file (or create it if it does not exist yet) and add this line:

local6.*                                                @REMOTE_SYSLOG_HOSTNAME

Don't forget to replace REMOTE_SYSLOG_HOSTNAME with the IP address or DNS name of your remote syslog server. As an example, if your syslog server is on 192.168.1.2, the line should look like this:

local6.*                                                @192.168.1.2

Note that the single @ in this rule forwards over UDP, so you must set up your syslog host to accept UDP traffic on a specific port (here, we are going to use the default port, which is 514) and to catch the local6 facility logs. The configuration of your own syslog host is out of the scope of this document.

3. Edit the /etc/rsyslog.conf file to uncomment the module and input lines of the UDP section, so that the local rsyslog instance listens for UDP syslog on port 514:

#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

They should look like this after uncommenting:

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

4. Restart your syslog service:

$ systemctl restart rsyslog

The functional logs from Horizon should now be received by your remote syslog server, and you can add filtering in the /etc/rsyslog.d/horizon.conf file before the logs actually get forwarded:

horizon {"code": "SERVICE-STOP","details":[{"key":"horizonVersion","value":"2.3.4"},{"key":"message","value":"Service successfully stopped"}],"module":"service","node":"horizon","timestamp":1674056069695,"status":"success"}
horizon {"code": "SERVICE-START","details":[{"key":"horizonVersion","value":"2.3.4"},{"key":"message","value":"Service successfully started"}],"module":"service","node":"horizon","timestamp":1674056087880,"status":"success"}
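On the receiving side, each event is the horizon tag followed by one JSON object, as in the samples above. The following Python script is an added example, not EverTrust code: it parses received lines, flattens the details list, converts the millisecond timestamp to UTC, and separates non-success events and unparsable lines. The function names, the third and fourth sample lines, and the "failure" status value are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Lines 1-2 are the events shown on this page. Lines 3-4 are constructed:
# a non-success event (made-up code and status) and a payload cut off in transit.
SAMPLE_LINES = [
    'horizon {"code": "SERVICE-STOP","details":[{"key":"horizonVersion","value":"2.3.4"},{"key":"message","value":"Service successfully stopped"}],"module":"service","node":"horizon","timestamp":1674054152149,"status":"success"}',
    'horizon {"code": "SERVICE-START","details":[{"key":"horizonVersion","value":"2.3.4"},{"key":"message","value":"Service successfully started"}],"module":"service","node":"horizon","timestamp":1674054170567,"status":"success"}',
    'horizon {"code": "EXAMPLE-EVENT","details":[{"key":"message","value":"constructed failure"}],"module":"example","node":"horizon","timestamp":1674054180000,"status":"failure"}',
    'horizon {"code": "EXAMPLE-EVENT","details":[{"key":"mess',
]


def parse_event(line):
    """Return one normalised event dict, or None if the line is not a complete event."""
    start = line.find("{")  # skip the "horizon" tag and any syslog header
    if start == -1:
        return None
    try:
        raw = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    ts = raw.get("timestamp") if isinstance(raw, dict) else None
    if not isinstance(ts, int) or "code" not in raw:
        return None
    # "details" is a list of {"key": ..., "value": ...} pairs; flatten it.
    pairs = raw.get("details") if isinstance(raw.get("details"), list) else []
    details = {d["key"]: d.get("value") for d in pairs
               if isinstance(d, dict) and "key" in d}
    # "timestamp" is epoch milliseconds; split it to avoid float rounding.
    when = datetime.fromtimestamp(ts // 1000, tz=timezone.utc)
    when = when.replace(microsecond=(ts % 1000) * 1000)
    return {"time": when.isoformat(), "code": raw["code"],
            "module": raw.get("module"), "node": raw.get("node"),
            "status": raw.get("status"), "details": details}


def triage(lines):
    """Split received lines into parsed events, non-success events and a reject count."""
    events = [e for e in map(parse_event, lines) if e is not None]
    alerts = [e for e in events if e["status"] != "success"]
    return events, alerts, len(lines) - len(events)


if __name__ == "__main__":
    events, alerts, rejected = triage(SAMPLE_LINES)
    for e in events:
        print(e["time"], e["code"], e["status"], e["details"].get("message"))
    print(f"{len(alerts)} non-success event(s), {rejected} unparsable line(s)")
```

A non-zero reject count is worth monitoring on the collector, since it means events are arriving incomplete or in an unexpected format.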