Airlock as a Service Knowledge Base

Log forwarding

Log forwarding allows you to stream logs in real time to an external endpoint. This enables integration with your own monitoring, analysis, and SIEM tools.

Currently, Airlock SaaS supports syslog over mTLS. Logs are forwarded using the RFC 3164 syslog protocol over a TLS-secured TCP connection with mutual authentication.


Forwarded log sources

The following log sources are forwarded:

  • Airlock IAM: structured logs from IAM application modules

  • Airlock Microgateway Engine: access logs


Enabling log forwarding

Configure the following fields in the Log forwarding section of the Configuration tab:

Field

Required


Endpoint URL

Yes

URL of the syslog endpoint. Format: tcp+tls://<host>:<port> (e.g., tcp+tls://syslog.example.com:6514)

Client certificate

Yes

X.509 client certificate in PEM format used for mTLS authentication

Private key

Yes

Private key corresponding to the client certificate, in PEM format

Server certificate

No

CA certificate in PEM format used to verify the server’s TLS certificate. If not provided, publicly trusted CAs are used.


Syslog message format

Each log entry is forwarded as an RFC 3164 syslog message. The syslog fields are populated as follows:

Syslog field

Content

Example

hostname

Tenant ID

7pvr7m

appname

Module and component, separated by /.Modules: loginapp, adminappComponents: airlock-iam, airlock-microgateway-engine

loginapp/airlock-iam

message

Log payload in JSON format

See example below.


Log body in JSON

{
"time": "2026-03-30T06:57:41.606+0000",
"log_id": "IAM-USERTRAIL",
"target_id": "fxvg3pw20ava",
"provided_id": "fxvg3pw20ava",
"message": "Successfully changed password upon mandatory change",
"host": "iam-loginapp-v1-7tqpq",
"program": "loginapp",
"priority": "info",
"instance": "auth",
"sess_id": "438282395745474485",
"req_id": "167c4685-ac0b-93af-86ac-9a0cc5ea526a",
"corr_id": "00-00eff822bf1e43d70adfb7730f81b238-2c02453d1852af99-01",
"configuration_context": "[DEFAULT]",
"environment": "[COMMON]"
}


Certificate rotation

To rotate the client certificate, replace the configured client certificate and private key, then save the configuration. The new certificate takes effect immediately and does not require downtime.


Disabling log forwarding

To disable log forwarding, click Reset in the Log forwarding section and save the configuration.

Notice

Resetting the configuration clears all configured values. This action cannot be undone.