Log Streaming for Appian Cloud

Log Streaming is available only to customers enrolled in Advanced or Enterprise Support. The functionality described below is not included in the base Appian platform.


Appian Cloud instances can be configured to stream supported logs, in real time, to a syslog receiver owned by customers. Once logs are stored in a central repository, customers can index, access, search, and correlate events using their existing Log Management and Security Information and Event Management (SIEM) tools.

This service operates on a push-based model, in which Appian Cloud instances are configured to send a stream of logs to the customer’s syslog receiver. Logs are forwarded in real time as the messages are written in the Appian Cloud instance(s).

These logs can be further digested and aggregated by tools of your choice, such as Splunk, LogRhythm, and the Elasticsearch-Logstash-Kibana (ELK) stack.


Customers with this service enabled on their Appian Cloud instances can integrate the information contained in the logs for a consolidated view of their enterprise operations. Some benefits of this service include:

  • Simplified log management. Customers can easily consume their logs from a centralized location.
  • Faster diagnosis and troubleshooting of your enterprise applications. Customers benefit from increased visibility of debugging messages. For example, customers can expose these messages to Appian designers and System Administrators to quickly resolve application-level incidents as soon as they are generated.
  • Improved system visibility. Customers can assess the historic performance by aggregating system metrics over time. This allows customers to visualize, identify, and predict patterns in the demand of their enterprise applications.
  • Integrated security analytics. Customers can continuously monitor login activity on their Appian Cloud instances. By integrating with other enterprise systems, customers can audit and correlate patterns in a unified platform.


Log Streaming supports the transmission of messages to either an on-premise syslog receiver or Sumo Logic Cloud Syslog Source.

On-premise Syslog Receiver

The figure below shows an example of the message flow between your Appian Cloud instances and an on-premise syslog receiver in the customer network.


For on-premise syslog receivers, log transmission is performed over an IPsec VPN tunnel established to the customer network. As an additional security layer, syslog messages can be encrypted using a TLS certificate that the customer provides and installs in the syslog receiver. TLS encryption is enabled by default but can be disabled upon customer request.

Sumo Logic Cloud Syslog Source

The figure below shows an example of the message flow between your Appian Cloud instance and a Sumo Logic Cloud Syslog Source.


For Sumo Logic Cloud Syslog Source, log transmission is performed over the Internet and traffic is encrypted with TLS using the trusted public CA provided by the customer’s Sumo Logic deployment.

Supported Logs

The table below contains the logs to be forwarded by each Appian Cloud instance with this feature enabled. For details about the contents and frequency of the log messages, refer to the Appian Logging documentation.

| Log | Filename | Tag |
|---|---|---|
| Application Server | tomcat-stdOut.log | tomcat-logs: |
| Cloud Database Audit | RDBMS-audit.log | rdbms-audit: |
| Login Audit | login-audit.csv | login-audit: |
| System metrics | system.csv | system-metrics: |
| Authorization Audit | authz-audit.log | authz-audit: |
| Forgot Password Requests | forgot_password_requests.csv | forgot-password-requests: |
| Password Resets | password_resets.csv | password-resets: |
| Records Usage | records_usage.csv | records-usage: |
| Blocked Files | blocked_files.csv | blocked-files: |
| Unscanned Files | unscanned_files.csv | unscanned-files: |
| Engine Summary | engine_summary.csv | engine-summary: |
| Web API Summary | web_api_summary.csv | web-api-summary: |
| Web API Details | web_api_details.csv | web-api-details: |
| Perf Monitor RDBMS | perf_monitor_rdbms.csv | perf-monitor-rdbms: |
| Perf Monitor RDBMS - Slow | perf_monitor_rdbms_slow.csv | perf-monitor-rdbms-slow: |

It is only possible to stream the RDBMS audit logs in a single-node or standard 3-node Appian Cloud HA configuration. Customers with other topologies where Appian and the RDBMS are not running on the same server will be unable to stream this log.

Syslog messages have the following format:

  • PRI: Specifies the priority of the syslog message (RFC5424)
  • TIMESTAMP: Date and time of the message. The value will be expressed in the timezone configured in the customer syslog receiver.
  • HOSTNAME: Appian Cloud instance name.
  • TAG: Message tag depending on the log file.
  • MESSAGE: Complete log message generated by the Appian component. Messages also contain timestamps expressed in Greenwich Mean Time (GMT).
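
The following receiver-side sketch is an added example, not Appian code. It splits a received line into the five fields listed above, checks the TAG against the Supported Logs table, and routes the record. The BSD-style timestamp layout, the security/operations split, the "quarantine" destination, and the sample lines are assumptions made for illustration.

```python
import re

# Tags from the "Supported Logs" table on this page (trailing colon dropped).
SUPPORTED_TAGS = {
    "tomcat-logs", "rdbms-audit", "login-audit", "system-metrics", "authz-audit",
    "forgot-password-requests", "password-resets", "records-usage", "blocked-files",
    "unscanned-files", "engine-summary", "web-api-summary", "web-api-details",
    "perf-monitor-rdbms", "perf-monitor-rdbms-slow",
}
# Assumption: the tags a SOC would send to its security index.
SECURITY_TAGS = {
    "rdbms-audit", "login-audit", "authz-audit", "forgot-password-requests",
    "password-resets", "blocked-files", "unscanned-files",
}
# Assumed wire layout: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE, BSD-style timestamp.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<tag>[A-Za-z0-9_-]+): ?(?P<message>.*)$"
)

def parse_line(line):
    """Split one received line into the five fields, or return None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec

def route(line, expected_hosts):
    """Return (destination, record) for one received line."""
    rec = parse_line(line)
    if rec is None:
        return "quarantine", None  # malformed: keep the raw line for review
    if rec["hostname"] not in expected_hosts or rec["tag"] not in SUPPORTED_TAGS:
        return "quarantine", rec   # unexpected instance name or tag
    return ("security" if rec["tag"] in SECURITY_TAGS else "operations"), rec

# Constructed sample lines (not real Appian output; message bodies are placeholders).
SAMPLES = [
    "<134>Mar 11 16:59:07 example-site login-audit: <login-audit.csv row>",
    "<134>Mar 11 16:59:08 example-site system-metrics: <system.csv row>",
    "<134>Mar 11 16:59:10 example-site made-up-tag: payload",
    "not a syslog line",
]
```

Because the TIMESTAMP header field follows the receiver's timezone while MESSAGE carries GMT timestamps, correlation across sources is more reliable on the timestamp inside MESSAGE.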

Prerequisite Checklist

Prerequisite: Advanced or Enterprise Support Order Form
Description: This offering is available via Advanced or Enterprise Support.
Organizational Role: Business relationship owner

Prerequisite: Update to a current Appian version
Description: Appian Cloud site(s) with this feature enabled should be running a supported Appian version per the Support Policy for Prior Versions.
Organizational Role: Authorized Support Contact

Prerequisite: Set up IPSec VPN Tunnel (Only required for on-premise syslog receivers)
Description: Customers are required to establish a VPN tunnel to their Appian Cloud instance. Refer to the Cloud VPN Integration documentation for detailed steps.
Organizational Role: Network Administrator / Authorized support contact

Prerequisite: Set up syslog receiver
Description: Set up a syslog receiver either in Sumo Logic or on-premise. Note the following considerations:
  • For Sumo Logic receivers, customers configure a Cloud Syslog Source in their account (refer to the documentation for details).
  • For on-premise syslog receivers, customers will configure a syslog receiver accessible in the customer network private space.
  • The syslog receiver is required to listen for messages over TCP (UDP is not supported).
  • By default, the syslog clients running in your Appian Cloud site will attempt to connect to the syslog receiver using TLS. Customers would need to enable TLS on their syslog receiver and install a valid certificate. Customers may use a trusted public CA certificate, a certificate signed by their own CA, or a self-signed certificate.
  • Upon customer request, Appian can disable TLS encryption only for on-premise syslog receivers. This setting is not recommended as logs would travel in clear text in the customer network after the syslog traffic leaves their VPN device.
Organizational Role: Server/Network Administrator


Once all prerequisites have been completed, customers can follow these steps to enable log streaming in their Appian Cloud instance(s):

  1. Open a Support Case requesting that this service be enabled in your Appian Cloud instance(s). Provide the following details:
    1. Syslog receiver target
      • If the syslog receiver is on-premise, customer provides a private IP address or hostname that is part of the customer private network space.
      • For Sumo Logic, customer provides the endpoint hostname.
    2. Port
    3. Token (Sumo Logic only). Customer needs to provide the token that is generated during the setup process. The customer should provide this information to Support over the phone or in person to be consistent with good security practices.
  2. Appian Support will schedule a maintenance window and deploy the necessary configurations.
  3. After the maintenance window, your Appian Cloud instances will start forwarding logs to your syslog receiver.
Built: Fri, Mar 11, 2022 (04:59:07 PM)