Access Logs and Syslog integration for the AirWatch Tunnel

Many enterprise networks today deploy various third party proxies (such as Bluecoat, Squid etc.) in their network for monitoring, traffic filtering, and in some cases for security audits. Often there is a need to keep track of which user accessed the network at any given point of time as well as what resource in the network they were trying to access. For this purpose, sometimes these proxies require user based authentication. This way, anytime a user gets network access, they will be authenticated against a proxy and the information will be logged into a syslog system that the customer might already have.

To assist in this process and reduce the expensive authentication user based flows, AirWatch Tunnel logs this information around client access (Username, App identifier, destination, Device ID) in a log file names "Access logs" and sends this file to the syslog server that is configured with AirWatch Tunnel. This way, the logs are immediately made available for the security services for parsing and auditing without having to ask the users to authenticate against third party proxies. 

Access Logs

AirWatch supports access logs and syslog integration for the AirWatch Tunnel Proxy (Legacy MAG) component and the Per App Tunneling component. Access logs are generated in the standard HTTP Apache logs format and directly transferred to the syslog host you defined. They are not stored locally on the AirWatch Tunnel server.

If you are using the relay-endpoint deployment model, the relay writes the access logs. If you are using the basic endpoint deployment model, the endpoint writes the access logs.

Important: You must enable access logs before you install any of the components. Any changes you make to the access logs configuration on the AirWatch Admin Console require re-installation of the AirWatch Tunnel server.

How to configure Access Logs in the AirWatch Console

Navigate to Groups & Settings > All Settings > System > Enterprise Integration > AirWatch Tunnel > Configuration and select the Advanced tab.

Enable this setting to tell AirWatch Tunnel Proxy component to write access logs to syslog for any of your own purposes. These logs are not stored locally. They are pushed to the syslog host over the port you define. Communication to the syslog server occurs over UDP, so ensure that UDP traffic is allowed over this port.

There is no correlation between this syslog integration and the integration accessed on Groups & Settings > All Settings > System > Enterprise Integration > Syslog.

Using a Linux Server to act as a Syslog Host

Most Linux servers by default have support for syslog. To enable a Linux server to act as syslog host, navigate to rsyslog.conf:

vi /etc/rsyslog.conf

Uncomment the features under UDP syslog reception:

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

To view the logs, enter the following command:

tail –f /var/log/messages | grep <rsyslog_dent>

Make sure UDP port 514 is open routing to the syslog server:

-A INPUT –p udp –m udp –dport 514 –j ACCEPT 


Have more questions? Submit a request


Article is closed for comments.