I have a CSC SSM module, with current version 6.3.1172.3. The issue is csc is not sending all the logs to syslog server even though it is configured to send all logs , and i am using syslog facility as "Local3".
how should i configure CSC SSM module , so that it should send all logs to my syslog server, it should not keep anything in local.
Syslog server ip has been configured, and it is getting the logs of CSC , but not all. Syslog like spyware/Grayware and some more are not sent to syslog server. Because of this the memory is getting filled up. Will there be some thing to do with syslog facility option.
What i wanted is CSC must send all the logs to my syslog server, it should not keep any thing with itself.
I think everything works as expected. You will not get grayware logs unless something is blocked as grayware. The CSC will not log all pages you went, it will log everything that it blocked something for any reason.
Forexample if you go to eicar.com and try a "supposed to be" virus file, and the CSC blocks it, do you see a log for malicious software. Then it should be ok for grayware too if you have the Grayware checkbox checked under HTTP > Scanning.
Now if your CSC module memory is 100% that is something that needs to be investigated. I would suggest you to go to the latest pkg version of your CSC version.
The issue is not , whether CSC is generating proper logs as per the Thread, the issue is if CSC is generating any log for any type of thread,it should send those logs to syslog server, in other way it should not keep any thing with in.
But i can see some type of logs with in CSC, when i go to query tab under logs, because of that memory usage is getting high.
When you set the sysog server that doesn't mean the CSC will no longer keep syslogs locally. You cannot configure it to not keep syslogs locally. It will send logs to the server and also keep some locally.
You might be able to change the space they occupy using the root account by setting a variable, but you would need to work on it with TAC to avoid causing other issues.
I think it makes sense now, so if it does go ahead and mark this question as answered if it is.