Exporting Audit Events to Syslogs

In Linux systems rsyslog utility is used to generate external logs and OpenIAM also uses it as an external tool. Rsyslog has a function of working over the network through port 514 using TCP/UDP protocols and this function is used to export OpenIAM audit events.

The user can configure rsyslog to listen to tcp and udp in port 514 and then OpenIAM sends audit logs to the listening port. Rsyslog gets OpenIAM logs on 514 port and adds it to system logs according rsyslog configuration.

Below, one can find detaled guidelines on how to set syslog and use it to export audit events from OpenIAM.

As a first step, user needs to use next properties:

Syslog properties

The fields for properties are describe below.

FieldDescriptionDefault Value
ActionsAuditLogs actions for add to syslog.LOGIN, LOGOUT
Enable syslogTurns syslogs on/off.Checked / Unchecked
Export child rows to syslogAllows exporting child rows of audit log.On / Off

Below one can see an option ofhaving a MODIFY_USER action, which can export to syslog without “Export child rows to syslog” checkbox. But for export PROVISION_MODIFY action – user needs to check checkbox.

Modify user action

Syslog facilityThe syslog facility name.LOCAL0
Host nameHost name of server where syslog is placed.
IdentificatorIdentifier in syslogOpenIAM
Information for export to syslogAudit log information which will be added to syslog.

Example of a string in system log file:

Jan 11 21:34:25 localhost OpenIAM: Action:[LOGIN] ClientIP:[127.0.0.1] Principal:[sysadmin] Result:[SUCCESS] Targets:[[3000:sysadmin]]

PortPort of server where syslog is placed.
Syslog severitySyslog PrioritiesThey have sSelectable values: (EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG)

Example of string in system log file :

Jan 11 21:34:25 localhost OpenIAM: Action: [LOGIN] ClientIP: [127.0.0.1] Principal: [sysadmin] Result:[SUCCESS] Targets: [[3000:sysadmin]]

Settings for Centos' syslog:

  1. To switch on syslog listener for rsyslog, uncomment:
/etc/rsyslog.conf

Provides UDP syslog reception

$ ModLoad imudp
$ UDPServerRun 514

Provides TCP syslog reception

$ ModLoad imtcp
$ InputTCPServerRun 514
  1. For each log facilities different log file can be used, for example:
/etc/rsyslog.conf
if $ syslogfacility-text == 'local1' then / var / log / local11

Othervise, user can set required output file for exact facility by adding rule to conf file:

/etc/rsyslog.conf
local0.* /var/log/openiam.log
  1. To redirect to other server:
  • over UDP 514, user would add to /etc/rsyslog.conf a line like:
*.* @192.168.10.99
  • over TCP 514, user would add to /etc/rsyslog.conf a line like:
*.* @@192.168.10.99

Syslog in Docker

  1. Detect docker server IP for containers.

Docker syslog

  1. Set properties in env.sh.

Properties

host name:

export SYS_LOG_HOST=host.openiam

IP:

export DOCKER_HOST_IP=172.18.0.1

Properties 2

  1. Set file for logs from OpenIAM in rsyslog:
nano /etc/rsyslog.conf

Setting a file for syslog

  1. Start docker containers and check /etc/hosts:

Starting docker containers

  1. Enable system audit log in OpenIAM properties:

Openain log properties

After about 5 minutes, the logs will be send to system logs.

  1. Check system logs on docker server:

Logs check on server