Exporting Audit Events to Syslogs
In Linux systems rsyslog utility is used to generate external logs and OpenIAM also uses it as an external tool. Rsyslog has a function of working over the network through port 514 using TCP/UDP protocols and this function is used to export OpenIAM audit events.
The user can configure rsyslog to listen to tcp and udp in port 514 and then OpenIAM sends audit logs to the listening port. Rsyslog gets OpenIAM logs on 514 port and adds it to system logs according rsyslog configuration.
Below, one can find detaled guidelines on how to set syslog and use it to export audit events from OpenIAM.
As a first step, user needs to use next properties:
The fields for properties are describe below.
Field | Description | Default Value |
---|---|---|
Actions | AuditLogs actions for add to syslog. | LOGIN, LOGOUT |
Enable syslog | Turns syslogs on/off. | Checked / Unchecked |
Export child rows to syslog | Allows exporting child rows of audit log. | On / Off |
Below one can see an option ofhaving a MODIFY_USER action, which can export to syslog without “Export child rows to syslog” checkbox. But for export PROVISION_MODIFY action – user needs to check checkbox.
Syslog facility | The syslog facility name. | LOCAL0 |
Host name | Host name of server where syslog is placed. | |
Identificator | Identifier in syslog | OpenIAM |
Information for export to syslog | Audit log information which will be added to syslog. |
Example of a string in system log file:
Jan 11 21:34:25 localhost OpenIAM: Action:[LOGIN] ClientIP:[127.0.0.1] Principal:[sysadmin] Result:[SUCCESS] Targets:[[3000:sysadmin]]
Port | Port of server where syslog is placed. | |
Syslog severity | Syslog Priorities | They have sSelectable values: (EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG) |
Example of string in system log file :
Jan 11 21:34:25 localhost OpenIAM: Action: [LOGIN] ClientIP: [127.0.0.1] Principal: [sysadmin] Result:[SUCCESS] Targets: [[3000:sysadmin]]
Settings for Centos' syslog:
- To switch on syslog listener for rsyslog, uncomment:
/etc/rsyslog.conf
Provides UDP syslog reception
$ ModLoad imudp$ UDPServerRun 514
Provides TCP syslog reception
$ ModLoad imtcp$ InputTCPServerRun 514
- For each log facilities different log file can be used, for example:
/etc/rsyslog.confif $ syslogfacility-text == 'local1' then / var / log / local11
Othervise, user can set required output file for exact facility by adding rule to conf file:
/etc/rsyslog.conf →local0.* /var/log/openiam.log
- To redirect to other server:
- over UDP 514, user would add to /etc/rsyslog.conf a line like:
*.* @192.168.10.99
- over TCP 514, user would add to /etc/rsyslog.conf a line like:
*.* @@192.168.10.99
Syslog in Docker
- Detect docker server IP for containers.
- Set properties in env.sh.
host name:
export SYS_LOG_HOST=host.openiam
IP:
export DOCKER_HOST_IP=172.18.0.1
- Set file for logs from OpenIAM in rsyslog:
nano /etc/rsyslog.conf
- Start docker containers and check /etc/hosts:
- Enable system audit log in OpenIAM properties:
After about 5 minutes, the logs will be send to system logs.
- Check system logs on docker server: