Log Streaming for Appian Cloud

Log Streaming is available only to customers enrolled in Premier Support. The functionality described below is not included in the base Appian platform.

Overview

Appian Cloud instances can be configured to stream supported logs, in real time, to a syslog receiver owned by customers. Once logs are stored in a central repository, customers can index, access, search, and correlate events using their existing Log Management and Security Information and Event Management (SIEM) tools.

This service operates on a push-based model, in which Appian Cloud instances are configured to send a stream of logs to the customer’s syslog receiver. Logs are forwarded in real-time as the messages are written in the Appian Cloud instance(s).

These logs can be further digested and aggregated by tools of your choice, such as Splunk, LogRhythm, and Elasticsearch-Logstash-Kibana (ELK) stack.

Benefits

Customers with this service enabled on their Appian Cloud instances can integrate the information contained in the logs for a consolidated view of their enterprise operations. Some benefits of this service include:

  • Simplified log management. Customers can easily consume their logs from a centralized location.
  • Faster diagnosis and troubleshooting of your enterprise applications. Customers benefit from increased visibility of debugging messages. For example, customers can expose these messages to Appian designers and System Administrators to quickly resolve application-level incidents as soon as they are generated.
  • Improved system visibility. Customers can assess the historic performance by aggregating system metrics over time. This allows customers to visualize, identify, and predict patterns in the demand of their enterprise applications.
  • Integrated security analytics. Customers can continuously monitor login activity on their Appian Cloud instances. By integrating with other enterprise systems, customers can audit and correlate patterns in a unified platform.

Setup

Log Streaming supports the transmission of messages to either an on-premise syslog receiver or Sumo Logic Cloud Syslog Source.

On-premise Syslog Receiver

The figure below shows an example of the message flow between your Appian Cloud instances and an on-premise syslog receiver in the customer network.

[Figure Log_Streaming.png: message flow between Appian Cloud instances and an on-premise syslog receiver in the customer network]

For on-premise syslog receivers, log transmission is performed over an IPsec VPN tunnel established to the customer network. As an additional security layer, syslog messages can be encrypted with TLS, using a certificate provided by the customer and installed on the syslog receiver. TLS encryption is enabled by default but can be disabled upon customer request.

Sumo Logic Cloud Syslog Source

The figure below shows an example of the message flow between your Appian Cloud instance and a Sumo Logic Cloud Syslog Source.

[Figure sumo_logic.png: message flow between an Appian Cloud instance and a Sumo Logic Cloud Syslog Source]

For Sumo Logic Cloud Syslog Source, log transmission is performed over the Internet, and traffic is encrypted with TLS using the trusted public CA provided by the customer's Sumo Logic deployment.

Supported Logs

The table below contains the logs to be forwarded by each Appian Cloud instance with this feature enabled. For details about the contents and frequency of the log messages, refer to the Appian Logging documentation.

Log                          Filename                        Tag
Application Server           tomcat-stdOut.log               tomcat-logs:
Login Audit                  login-audit.csv                 login-audit:
System metrics               system.csv                      system-metrics:
Authorization Audit [1]      authz-audit.log                 authz-audit:
Forgot Password Requests [1] forgot_password_requests.csv    forgot-password-requests:
Password Resets [1]          password_resets.csv             password-resets:
Records Usage [1]            records_usage.csv               records-usage:
Blocked Files [1]            blocked_files.csv               blocked-files:
Unscanned Files [1]          unscanned_files.csv             unscanned-files:

Syslog messages have the following format:

<PRI> <TIMESTAMP> <HOSTNAME> <TAG> <MESSAGE>
  • PRI: Specifies the priority of the syslog message (RFC5424)
  • TIMESTAMP: Date and time of the message. The value will be expressed in the timezone configured in the customer syslog receiver.
  • HOSTNAME: Appian Cloud instance name.
  • TAG: Message tag depending on the log file.
  • MESSAGE: Complete log message generated by the Appian component. Messages also contain timestamps expressed in Greenwich Mean Time (GMT).
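A receiver-side parser for the message format above, using the tag-to-log mapping from the Supported Logs table, is shown below as an added example; it is not Appian's code. It assumes the RFC 5424 `<N>` priority form, an RFC 3164-style receiver timestamp ("Mar  3 09:15:01"), and a tag that ends in a colon, as the table shows. The sample lines are constructed for the example, and the contents of each MESSAGE field are made up rather than copied from real Appian log files. Malformed lines and out-of-range priorities are rejected rather than guessed at, and an unrecognised tag is kept but labelled so it shows up in the summary.

```python
"""Parse syslog lines streamed from Appian Cloud (added example, not Appian's code).

Format from the documentation: <PRI> <TIMESTAMP> <HOSTNAME> <TAG> <MESSAGE>
Assumptions (not stated on the page): PRI uses the RFC 5424 "<N>" form,
TIMESTAMP is the RFC 3164 "Mon dd hh:mm:ss" form written by the receiver,
and TAG is one of the tags in the Supported Logs table, ending in ':'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Tag -> log name, taken from the Supported Logs table in the documentation.
TAG_TO_LOG = {
    "tomcat-logs": "Application Server",
    "login-audit": "Login Audit",
    "system-metrics": "System metrics",
    "authz-audit": "Authorization Audit",
    "forgot-password-requests": "Forgot Password Requests",
    "password-resets": "Password Resets",
    "records-usage": "Records Usage",
    "blocked-files": "Blocked Files",
    "unscanned-files": "Unscanned Files",
}

# RFC 5424 severity names, indexed by PRI % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, optional space, RFC 3164 timestamp, hostname, "tag:", message.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_-]+): ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    hostname: str
    tag: str
    log_name: str
    message: str


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent, or None if the line does not match the format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    # RFC 5424: PRI = facility * 8 + severity, facility 0..23, so PRI <= 191.
    if pri > 191:
        return None
    tag = m.group("tag")
    return SyslogEvent(
        facility=pri // 8,
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        tag=tag,
        log_name=TAG_TO_LOG.get(tag, "unknown"),
        message=m.group("msg"),
    )


def summarize(lines):
    """Count events per log, collect login-audit messages, and count rejects."""
    by_log = Counter()
    login_events = []
    rejected = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            rejected += 1
            continue
        by_log[ev.log_name] += 1
        if ev.tag == "login-audit":
            login_events.append(ev.message)
    return {"events_by_log": dict(by_log), "login_events": login_events, "rejected": rejected}


# Constructed sample input; message bodies are invented, not real Appian output.
SAMPLE = [
    "<14>Mar  3 09:15:01 mysite login-audit: 2024-03-03 09:15:00 GMT,user.one,SUCCESS,10.0.0.5",
    "<14>Mar  3 09:15:02 mysite tomcat-logs: 2024-03-03 09:15:02 GMT INFO  [main] Server startup in 1200 ms",
    "<13>Mar  3 09:15:03 mysite authz-audit: 2024-03-03 09:15:03 GMT,user.two,DENIED,/suite/design",
    "<14>Mar  3 09:15:04 mysite some-other-tag: message with a tag not in the table",
    "this is not a syslog line at all",
    "<200>Mar  3 09:15:05 mysite login-audit: priority out of range",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Routing on the TAG rather than on the message body is what lets a SIEM send login-audit and authz-audit events to a security index while tomcat-logs go to an application index; the rejected counter is worth alerting on, since a sudden rise usually means the receiver's timestamp format or the sender's configuration changed.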

Prerequisite Checklist

Prerequisite: Premier Support Order Form
  Description: This offering is available via Premier Support.
  Organizational Role: Business relationship owner

Prerequisite: Update to a current Appian version
  Description: Appian Cloud site(s) with this feature enabled should be running a supported Appian version per the Support Policy for Prior Versions.
  Organizational Role: Authorized Support Contact

Prerequisite: Set up IPsec VPN Tunnel (only required for on-premise syslog receivers)
  Description: Customers are required to establish a VPN tunnel to their Appian Cloud instance. Refer to the Cloud VPN Integration documentation for detailed steps.
  Organizational Role: Network Administrator / Authorized Support Contact

Prerequisite: Set up syslog receiver
  Description: Set up a syslog receiver either in Sumo Logic or on-premise. Note the following considerations:
    • For Sumo Logic receivers, customers configure a Cloud Syslog Source in their account (refer to the documentation for details).
    • For on-premise syslog receivers, customers configure a syslog receiver accessible in the customer's private network space.
    • The syslog receiver is required to listen for messages over TCP (UDP is not supported).
    • Syslog receivers must be configured with a trusted public CA certificate. Using TLS certificates signed by a private CA is not supported.
    • By default, syslog clients running in your Appian Cloud site will attempt to connect to the syslog receiver using TLS. This setting can be disabled only for on-premise syslog receivers upon customer request.
  Organizational Role: Server/Network Administrator

Steps

Once all prerequisites have been completed, customers can follow these steps to enable log streaming in their Appian Cloud instance(s):

  1. Open a Support Case requesting that this service be enabled in your Appian Cloud instance(s). Provide the following details:
    1. Syslog receiver target
      • If the syslog receiver is on-premise, customer provides a private IP address or hostname that is part of the customer private network space.
      • For Sumo Logic, customer provides the endpoint hostname.
    2. Port
    3. Token (Sumo Logic only). Customers need to provide the token that is generated during the setup process. The customer should provide this information to Support over the phone or in person, consistent with good security practices.
  2. Appian Premier Support will schedule a maintenance window and deploy the necessary configurations.
  3. After the maintenance window, your Appian Cloud instances will start forwarding logs to your syslog receiver.

[1] Logs are only available for Appian Cloud sites running 19.1 or above.
