Log Streaming is available only to customers enrolled in Advanced or Enterprise Support. The functionality described below is not included in the base Appian platform.
Appian Cloud instances can be configured to stream supported logs, in real time, to a syslog receiver owned by customers. Once logs are stored in a central repository, customers can index, access, search, and correlate events using their existing Log Management and Security Information and Event Management (SIEM) tools.
This service operates on a push-based model, in which Appian Cloud instances are configured to send a stream of logs to the customer's syslog receiver. Logs are forwarded in real time as the messages are written in the Appian Cloud instance(s).
These logs can be further digested and aggregated by tools of your choice, such as Splunk, LogRhythm, and the Elasticsearch-Logstash-Kibana (ELK) stack.
Customers with this service enabled on their Appian Cloud instances can integrate the information contained in the logs for a consolidated view of their enterprise operations. Some benefits of this service include:
Log Streaming supports the transmission of messages to either an on-premise syslog receiver or Sumo Logic Cloud Syslog Source.
The figure below shows an example of the message flow between your Appian Cloud instances and an on-premise syslog receiver in the customer network.
For on-premise syslog receivers, log transmission is performed over an IPsec VPN tunnel established to the customer network. As an additional security layer, syslog messages can be encrypted using a TLS certificate that the customer provides and installs in the syslog receiver. TLS encryption is enabled by default but can be disabled upon customer request.
The figure below shows an example of the message flow between your Appian Cloud instance and a Sumo Logic Cloud Syslog Source.
For Sumo Logic Cloud Syslog Source, log transmission is performed over the Internet and traffic is encrypted with TLS using the trusted public CA provided by the customer's Sumo Logic deployment.
The table below contains the logs to be forwarded by each Appian Cloud instance with this feature enabled. For details about the contents and frequency of the log messages, refer to the Appian Logging documentation.
Log | Filename | Tag |
---|---|---|
Application Server | tomcat-stdOut.log | tomcat-logs: |
Cloud Database Audit | RDBMS-audit.log | rdbms-audit: |
Login Audit | login-audit.csv | login-audit: |
System metrics | system.csv | system-metrics: |
Authorization Audit | authz-audit.log | authz-audit: |
Forgot Password Requests | forgot_password_requests.csv | forgot-password-requests: |
Password Resets | password_resets.csv | password-resets: |
Records Usage | records_usage.csv | records-usage: |
Blocked Files | blocked_files.csv | blocked-files: |
Unscanned Files | unscanned_files.csv | unscanned-files: |
Engine Summary | engine_summary.csv | engine-summary: |
Web API Summary | web_api_summary.csv | web-api-summary: |
Web API Details | web_api_details.csv | web-api-details: |
Perf Monitor RDBMS | perf_monitor_rdbms.csv | perf-monitor-rdbms: |
Perf Monitor RDBMS - Slow | perf_monitor_rdbms_slow.csv | perf-monitor-rdbms-slow: |
It is only possible to stream the RDBMS audit logs in a single-node or standard 3-node Appian Cloud HA configuration. Customers with other topologies where Appian and the RDBMS are not running on the same server will be unable to stream this log.
Syslog messages have the following format:
<PRI> <TIMESTAMP> <HOSTNAME> <TAG> <MESSAGE>

- PRI: Specifies the priority of the syslog message (RFC5424).
- TIMESTAMP: Date and time of the message. The value will be expressed in the timezone configured in the customer syslog receiver.
- HOSTNAME: Appian Cloud instance name.
- TAG: Message tag depending on the log file.
- MESSAGE: Complete log message generated by the Appian component. Messages also contain timestamps expressed in Greenwich Mean Time Zone (GMT).

Prerequisite | Description | Organizational Role |
---|---|---|
Advanced or Enterprise Support Order Form | This offering is available via Advanced or Enterprise Support. | Business relationship owner |
Update to a current Appian version | Appian Cloud site(s) with this feature enabled should be running a supported Appian version per the Support Policy for Prior Versions. | Authorized Support Contact |
Set up IPSec VPN Tunnel (Only required for on-premise syslog receivers) | Customers are required to establish a VPN tunnel to their Appian Cloud instance. Refer to the Cloud VPN Integration documentation for detailed steps. | Network Administrator / Authorized support contact |
Set up syslog receiver | Set up a syslog receiver either in Sumo Logic or on-premise. Note the following considerations: | Server/Network Administrator |
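
The syslog message format and tag table described earlier on this page can be checked on the receiver side before lines are indexed. The following Python is an added example, not Appian code: it decodes PRI into facility and severity and sets aside lines that are malformed or carry a tag not listed in the table. It assumes TIMESTAMP is a single whitespace-free token (for example ISO 8601), which this page does not specify, and the sample lines are constructed.

```python
import re
from collections import Counter

# Tags copied from the table of forwarded logs on this page (colon stripped).
KNOWN_TAGS = frozenset("""
tomcat-logs rdbms-audit login-audit system-metrics authz-audit
forgot-password-requests password-resets records-usage blocked-files
unscanned-files engine-summary web-api-summary web-api-details
perf-monitor-rdbms perf-monitor-rdbms-slow
""".split())

# <PRI> TIMESTAMP HOSTNAME TAG: MESSAGE
# Assumption: TIMESTAMP is one whitespace-free token (e.g. ISO 8601).
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+"
    r"(?P<tag>[A-Za-z0-9_-]+):\s?(?P<message>.*)$"
)

def parse_line(line):
    """Parse one forwarded line; return a dict, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None or int(m.group("pri")) > 191:  # PRI = facility*8 + severity
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec.update(facility=pri // 8, severity=pri % 8,
               known_tag=rec["tag"] in KNOWN_TAGS)
    return rec

def triage(lines):
    """Return (per-tag counts, lines needing review) for a batch of lines."""
    counts, review = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["known_tag"]:
            review.append(line)  # malformed, or tag not in the page's table
        else:
            counts[rec["tag"]] += 1
    return counts, review

# Constructed sample lines (not real Appian output). The outer timestamp is in
# the receiver's timezone; the timestamp inside MESSAGE is in GMT.
SAMPLES = [
    "<134>2024-05-01T12:00:00-04:00 example-site login-audit: "
    "2024-05-01 16:00:00 GMT,constructed-row",
    "<134>2024-05-01T12:00:01-04:00 example-site unknown-tag: constructed",
    "<999>2024-05-01T12:00:02-04:00 example-site login-audit: constructed",
]
```

Lines returned in the review list are worth alerting on, since every line forwarded by this service should carry one of the documented tags.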
Once all prerequisites have been completed, customers can follow these steps to enable log streaming in their Appian Cloud instance(s):