How to add syslog in log4j2.properties file to get IIQ syslog in GoogleChronicle

We are using IIQ 8.3p3 and want to get the IIQ syslogs into GoogleChronicle.
I have added the details below to the log4j2.properties file, but the syslogs are not showing up in Chronicle.

appender.syslog1.type = Syslog
appender.syslog1.name = SyslogAppender2
appender.syslog1.host =
appender.syslog1.port =
appender.syslog1.protocol = TCP
appender.syslog1.newLine = true
appender.syslog1.format = RFC5424
appender.syslog1.appName = GoogleChronicle

Hi @sanofip
Check whether you’ve added the syslog appender to the root logger in log4j2.properties, and make sure to reload the log4j2.properties file via Debug > Reload Logging Configuration after updating.

Hi @saiprashanth88
Thanks for the quick response.
I have added only the above entries in the log4j2.properties file.
Can you please let me know which entries I should add to the root logger?

Hi @sanofip
You’ll need to attach the syslog appender to the root logger, like this:

rootLogger.level=warn
rootLogger.appenderRefs=stdout,syslog
rootLogger.appenderRef.stdout.ref=stdout
rootLogger.appenderRef.syslog.ref=SyslogAppender2

Hi @saiprashanth88
I have updated the root logger as above but am still not getting logs.

Reload or restart IIQ to apply changes:
After saving log4j2.properties, go to the IIQ Debug > Logging page and click Reload Logging Configuration. This forces IdentityIQ to re-read the Log4j2 config without restarting the JVM. Verify there are no errors on the Debug page and that the new settings are active. (Alternatively, restart the IIQ application server.)

Verify Chronicle forwarder and network:
Ensure your Google Chronicle forwarder is running and listening on the specified port. Check that the host and port in your appender match the forwarder’s settings. Also check network connectivity – for example, from the IIQ machine run telnet <CHRONICLE_IP> or nc -vz <CHRONICLE_IP> to ensure the port is reachable.
If there are firewalls or ACLs, open the port. Chronicle’s docs suggest that syslog traffic can be forwarded like @@forwarder_host:10514 (TCP) or @forwarder_host:10514 (UDP).

Google Chronicle expects logs in RFC5424 format via syslog (typically via the Forwarder agent). Check:

  • The forwarder config (on the server sending to Chronicle).
  • That it’s forwarding to Chronicle and not blocking your IIQ server.

Hi @saiprashanth88,
I have reloaded the logging configuration from the Debug page and I don’t see any errors. The Chronicle forwarder configuration is all good.

Hi @saiprashanth88,
This worked; I got the result from the Chronicle team today.

Thank you so much for your quick response.


That’s great to hear!
