Syslog Configuration for Auditing



Similar documents
NetIQ Sentinel Quick Start Guide

OnCommand Performance Manager 1.1

SolarWinds Log & Event Manager

Setting Up SSL on IIS6 for MEGA Advisor

Rally Installation Guide

RSA Authentication Manager

Introducing ZENworks 11 SP4. Experience Added Value and Improved Capabilities. Article. Article Reprint. Endpoint Management

vrealize Infrastructure Navigator Installation and Configuration Guide

insync Installation Guide

VMware vcenter Log Insight Getting Started Guide

IBM Security QRadar Version (MR1) WinCollect User Guide

Secure Messaging Server Console... 2

RSA Event Source Configuration Guide. EMC Avamar

Reconfiguration of VMware vcenter Update Manager

IBM Security QRadar Version WinCollect User Guide V7.2.2

Installing and Configuring vcloud Connector

Installing and Configuring vcenter Multi-Hypervisor Manager

SSL VPN Server Guide Access Manager 3.1 SP5 January 2013

2 Downloading Access Manager 3.1 SP4 IR1

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

VMware Identity Manager Connector Installation and Configuration

F-SECURE MESSAGING SECURITY GATEWAY

VMware vcenter Log Insight Security Guide

EventTracker Windows syslog User Guide

Extreme Networks Security WinCollect User Guide

Introducing ZENworks 11 SP4

Integrating EJBCA and OpenSSO

What s New in Propalms VPN 3.5?

Installing and Configuring vcloud Connector

vsphere Upgrade Update 1 ESXi 6.0 vcenter Server 6.0 EN

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide

LogLogic Trend Micro OfficeScan Log Configuration Guide

Reconfiguring VMware vsphere Update Manager

Installation Guide. McAfee VirusScan Enterprise for Linux Software

Management, Logging and Troubleshooting

Setup and configuration for Intelicode. SQL Server Express

How To - Implement Clientless Single Sign On Authentication with Active Directory

Release Notes for McAfee(R) VirusScan(R) Enterprise for Linux Version Copyright (C) 2014 McAfee, Inc. All Rights Reserved.

Syncplicity On-Premise Storage Connector

Dell System Update Version 1.0 Preview Guide

How to Configure an Initial Installation of the VMware ESXi Hypervisor

PRODUCT VERSION: LYNC SERVER 2010, LYNC SERVER 2013, WINDOWS SERVER 2008

Configuring Security Features of Session Recording

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

Linux Squid Proxy Server

Avira Update Manager User Manual

IFS CLOUD UPLINK INSTALLATION GUIDE

VMware vrealize Log Insight Agent Administration Guide

FireEye App for Splunk Enterprise

Configuring Business Monitor for Event Consumption from WebSphere MQ

Setup Guide Access Manager 3.2 SP3

USER GUIDE. Snow Inventory Data Receiver Version 2.1 Release date Installation Configuration Document date

Configuring Spectralink IP-DECT Server 400/6500 and DECT Server 2500/8000 for Cisco Unified Call Manager

Installation & Upgrade Guide

ESET SHARED LOCAL CACHE

Getting Started with ESXi Embedded

Novell Sentinel Log Manager 1.2 Release Notes. 1 What s New. 1.1 Enhancements to Licenses. Novell. February 2011

SAM XFile. Trial Installation Guide Linux. Snell OD is in the process of being rebranded SAM XFile

SSL VPN Server Guide. Access Manager 3.2 SP2. June 2013

Overview... 1 Requirements Installing Roles and Features Creating SQL Server Database... 9 Setting Security Logins...

SAFED AGENT INSTALLATION AND CONFIGURATION GUIDE

The RT module VT6000 (VT6050 / VT6010) can be used to enhance the RT. performance of CANoe by distributing the real-time part of CANoe to a

Log Correlation Engine 4.6 Quick Start Guide. January 25, 2016 (Revision 2)

NetIQ Identity Manager Setup Guide

LT Auditor Windows Assessment SP1 Installation & Configuration Guide

Tivoli Endpoint Manager for Remote Control Version 8 Release 2. User s Guide

Introduction to Mobile Access Gateway Installation

Cisco SSL Encryption Utility

DameWare Server. Administrator Guide

Enterprise Manager. Version 6.2. Installation Guide

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks

COMMANDS 1 Overview... 1 Default Commands... 2 Creating a Script from a Command Document Revision History... 10

vcenter Chargeback User s Guide vcenter Chargeback 1.0 EN

VMware Identity Manager Administration

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

vsphere Upgrade vsphere 6.0 EN

DSView 4 Management Software Transition Technical Bulletin

Quick Note 052. Connecting to Digi Remote Manager SM Through Web Proxy

MultiSite Manager. Setup Guide

NetIQ Advanced Authentication Framework - Administrative Tools. Installation Guide. Version 5.1.0

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Reporting Guide for Novell Sentinel

Monitoring Clearswift Gateways with SCOM

Printing Options. Netgear FR114P Print Server Installation for Windows XP

VCCC Appliance VMware Server Installation Guide

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Novell Access Manager

McAfee SMC Installation Guide 5.7. Security Management Center

Server Installation Procedure - Load Balanced Environment

Using Webmin and Bind9 to Setup DNS Sever on Linux

NovaBACKUP xsp Version 15.0 Upgrade Guide

WhatsUp Gold v16.2 MSP Edition Deployment Guide This guide provides information about installing and configuring WhatsUp Gold MSP Edition to central

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

EVENT LOG MANAGEMENT...

W H I T E P A P E R. Best Practices for Building Virtual Appliances

OnCommand Unified Manager 6.2

Novell Access Manager

Installing and Configuring vcenter Support Assistant

Transcription:

Access Manager Syslog Configuration for Auditing Access Manager 4.2

Contents... 1 1. Introduction... 3 2. How Access Manager auditing works with Syslog... 3 3. Linux: Configuring Access Manager and Syslog... 4 3.1 Linux Configuration Steps... 4 3.2 Advanced RSyslog Configuration... 7 3.2.1 Caching of Audit Events... 8 3.2.2 Configuring SSL Communication... 8 3.3 Troubleshooting... 10 4. Windows: Configuring Syslog... 11 4.1 Configuration Steps Overview... 11 4.2 Syslog Agents... 11 2

1. Introduction Access Manager 4.2 release supports Syslog as the audit channel for forwarding the audit messages to the remote audit server. The traditional NetIQ Platform Agent for auditing is discontinued in the 4.2 release and the customers are encouraged to move to Syslog for auditing. This whitepaper covers: How Access Manager auditing works with Syslog Configuring Syslog for Access Manager Auditing Advanced configurations like caching and SSL Troubleshooting 2. How Access Manager auditing works with Syslog Syslog Agent The Access Manager components can be configured to send the audit messages to syslog. A local syslog agent runs on each device to collect the audit messages and forward them to the centralized syslog server. On Linux, rsyslog is auto-configured as the local syslog agent and communicates with TCP port 1290. Windows does not include a syslog agent. However, many free and paid versions of the syslog client for Windows are available in the market. Administrators should procure one and install it manually on each system. Syslog Server The central auditing server can be Sentinel or any syslog server. The IP and port of this server can be configured on the Administration Console s Auditing UI. 3

Note: NAM Auditing over syslog is supported only on TCP. 3. Linux: Configuring Access Manager and Syslog 3.1 Linux Configuration Steps Perform the following steps to configure Access Manager auditing using syslog: 1. Install RSyslog on each Access Manager server. 2. Configure the centralized audit server Sentinel or third party syslog server. 3. Install or Upgrade Access Manager to 4.2. 4. Configure Access Manager auditing audit server type, IP and port. 5. Configure Syslog on the Administration Console System (cannot be done through UI) 6. Optional: Manually configure caching of messages and/or SSL for syslog (see Advanced RSyslog Configuration). Step 1: Install RSyslog This is a pre-requisite for the install/upgrade of Access Manager. Distributed Access Manager Setup (Non-Appliance) Trying to install/upgrade Access Manager 4.2 without RSyslog will result in the following error: Install the latest rsyslog package from the respective operating system s repository. SLES: zypper in rsyslog-module-gtls Redhat: Use the rpm ivh <rpm name> or the yum command to install the rsyslog module. NAM Appliance and MAG Appliance 4

The rsyslog rpm is available in the update channel in the pattern NetIQ-Access-Manager. The base operating system of the appliance has to be upgraded to SLES11 SP4 and the rsyslog rpm has to be installed before upgrading Access Manager to 4.2. 1. Upgrade the base operating system by following the instructions on the documentation site. 2. Install rsyslog using the command: zypper in -t pattern NetIQ-Access-Manager 3. Confirm that the rpm is available using the command: rpm -qa grep -i syslog Note: Repeat this step on each Access Manager component Administration Console, Identity Server and Access Gateway. Step 2: Install / Upgrade to Access Manager 4.2 Follow the usual steps to install or upgrade to Access Manager 4.2. Step 3: Configure the Centralized Audit Server If you are using Sentinel as the centralized audit server, an updated NAM collector that supports Syslog is available and can be downloaded from the site: https://www.netiq.com/support/sentinel/plugins/ If you plan to use any other Syslog as your centralized audit server, configure it and make sure that it is reachable. Note: To test this feature, the syslog agent running on the Administration Console can also be used as the centralized syslog server. All the audit events will be written to /var/log/nam_audits.log file. This is not recommended for production systems. Step 4: Configure Auditing Access Manager must be configured to use Syslog. 1. Login to the Administration Console. 2. On the dashboard, click Auditing. 5

3. In the Audit Messages Using field: o Select Syslog. o For Sentinel, select Send to Sentinel. o For all other syslog servers, select Send to Third Party. The audit messages are sent in JSON format to the configured Syslog server. 4. Server Listening Address: Specify the IP address or DNS name of the syslog server. When the configuration is saved, the local syslog agents running on each system are automatically updated to point to the configured IP of the remote syslog server. The only exception is that the syslog agent of the Administration Console cannot be modified using the UI for security reasons and hence must be manually updated (see next section). 5. Server Public NAT Address: If the auditing server is in the private network, then you have to enter the Public NAT IP Address of the auditing server using which devices can reach the auditing server. 6. Port: Specify the syslog server port: a. For Sentinel server, the default port is 1468. b. For third party syslog servers, specify the configured port of that server. 7. Save the changes. Step 5: Configuring the Administration Console for auditing with Syslog In the case of a standalone Administration Console (with no other Access manager components installed), the configuration changes done on the Auditing UI are not applied to the local files for security reasons. These files must manually updated by logging into the system. To configure the Administration Console for auditing with syslog, perform the following: Syslog Agent Configuration 6

1. Configure the local syslog agent to communicate with TCP port 1290 by adding the following in the /etc/rsyslog.d/nam.conf file: $InputTCPServerRun 1290 2. Configure the local agent to forward the Audit messages to the remote syslog server at 172.16.50.50 on port 1468. This can be done by adding the following to the nam.conf file: $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n" local0.* @@172.16.50.50:1468;ForwardFormat Now, the /etc/rsyslog.d/nam.conf file should have: $InputTCPServerRun 1290 $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n" local0.* @@172.16.50.50:1468;ForwardFormat Access Manager Auditing Configuration 3. Configure the auditing settings for Access Manager by editing the /etc/auditlogging.cfg file. LOGDEST=syslog # syslog or PA FORMAT=JSON # JSON or CSV SERVERIP=127.0.0.1 # Don t change. SERVERPORT=1290 # Don t change. LOGDEST: Set to syslog to send the audit messages to the local syslog agent. FORMAT: Set to CSV if using Sentinel. Set to JSON for all other remote syslog servers. SERVERIP: Use the default 127.0.0.1 to send the messages to the local syslog agent. SERVERPORT: Use the default 1290 on which the local syslog agent is communicating. 4. Restart the Administration Console using the command: /etc/init.d/novell-ac restart. 3.2 Advanced RSyslog Configuration RSyslog supports additional features that can be beneficial in a production environment. You have to configure them manually if required. 7

3.2.1 Caching of Audit Events RSyslog supports queuing to cache the audit events if the remote syslog server is not reachable. When the remote syslog server is reachable again, the queued events are then relayed to the server. This ensures that there is no loss of any audit events. The complete guide for the RSylog s Queues is available at http://www.rsyslog.com/doc/v8-stable/concepts/queues.html Add the following to /etc/rsyslog.d/nam.conf to cache in-memory: $WorkDirectory /rsyslog/work $ActionQueueType LinkedList # Default location for work (spool) files # Use asynchronous processing $ActionQueueFileName example_fwd # Set file name, also enables disk mode $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on # Infinite retries on insert failure # Save in-memory data if rsyslog shuts down. Note: 1. Making any changes on the Auditing UI will overwrite all manual changes done to the nam.conf file. 2. The changes must be manually done on each component Administration Console, Identity Server and Access Gateway. 3.2.2 Configuring SSL Communication We can configure the secure TLS channel auditing between the Access Manager component and the remote Audit server mechanism. The detail guides on the steps are available at: http://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html http://www.rsyslog.com/doc/v7-stable/tutorials/tls.html Configuration steps: 1. Generate the Certificate Authority (CA) Certificate Create a Private Key certtool --generate-privkey --outfile ca-key.pem Create the self-signed certificate 8

certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem 2. Generate the certificate for local syslog client ( private Key) Create a private key for syslog agent certtool --generate-privkey --outfile rslclient-key.pem --bits 2048 Generate a certificate request for the syslog client. certtool --generate-request --load-privkey rslclient-key.pem --outfile request.pem Generate the certificate and sign it with the CA private key. certtool --generate-certificate --load-request request.pem --outfile rslclientcert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem 3. Generate the certificate for Remote syslog Server ( private Key) Remove the previously generated request.pem. Create a private key for Syslog server. certtool --generate-privkey --outfile rslserver-key.pem --bits 2048 Generate a certificate request for the rsyslog Server certtool --generate-request --load-privkey rslserver-key.pem --outfile request.pem Generate the machine certificate and sign it with the CA private key. Copy certificates from CA to rsyslog server and rsyslog client. certtool --generate-certificate --load-request request.pem --outfile rslservercert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem 9

Configure the Syslog server for TLS. Sample nam.conf file entries for: # Increase the amount of open files rsyslog is allowed, which includes open tcp sockets # This is important if there are many clients. # http://www.rsyslog.com/doc/rsconf1_maxopenfiles.html $MaxOpenFiles 2048 # make gtls driver the default $DefaultNetstreamDriver gtls # certificate files generated on RHEL6 and stored in /root $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rslserver-cert.pem $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rslserver-key.pem Configure the syslog agent for TLS. Sample /etc/rsyslog.d/nam.conf for: # make gtls driver the default $DefaultNetstreamDriver gtls # certificate files $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rslclient-cert.pem $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rslclient-key.pem #### GLOBAL DIRECTIVES #### $ActionSendStreamDriverAuthMode x509/name $ActionSendStreamDriverMode 1 # run driver in TLS-only mode Note: 1. Making any changes on the Auditing UI will overwrite the manual changes done to the nam.conf file. 2. The changes must be manually done on each component Administration Console, Identity Server and Access Gateway. 3.3 Troubleshooting Audit events are not reaching the remote server. Check if the rsyslog package is installed properly in the NAM device 10

Check if the local TCP port 1290 is communicating with the local NAM device Check if the remote syslog server s IP address and port numbers provided in the Administration Console UI is reflecting in /etc/rsyslog.d/nam.conf Check if the remote audit server is reachable from the NAM devices Audit events are not parsed properly from the Sentinel server Check if in the Administration Console, the Send to Sentinel option is selected as the remote audit Server Ensure that you are using the latest NAM Collector for Sentinel available from https://www.netiq.com/support/sentinel/plugins/ Audit events are received in CSV format instead of JSON format in the remote non-sentinel syslog audit server Check if in the Administration Console Send to Third Party option is selected as the remote audit server. 4. Windows: Configuring Syslog 4.1 Configuration Steps Overview To configure Access Manager auditing using syslog, perform the following steps: 1. Configure the centralized audit server Sentinel or third party syslog server. 2. Install a Windows Syslog agent on each Access Manager server. Configure it to send messages to the centralized syslog server. 3. Install or Upgrade Access Manager to 4.2. 4. Configure Access Manager auditing audit server type, IP and port. See the section 4 of the Linux Configuration Steps. 5. Configure the nam.conf file on each Access Manager server to send messages to the local syslog agent. 4.2 Syslog Agents The Access Manager distribution does not include a syslog agent for Windows. However, many free and paid versions of the agents are available in the market. An Administrator can manually procure and install these agents on each Access Manager component Administration Console, Identity Server and Access Gateway. Check the NetIQ Cool Solutions page for an example configuration using Syslog-ng as an agent on Windows. 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information