Analytics Dashboard as Remote syslog server over TLS

7 months ago

Analytics Dashboard receives events from Access Manager components and using them for generating reports. By default these are being transferred in non-encrypted channel since we don't have in-built mechanism to do this with ELK stake which we use.. This solution provides a way to make the communication channel secure.


1. Steps to generate the certificate for TLS and basic configuration are same as documented here - Auditing using TLS over TCP

2. In Admin console UI Configure with <Analytics Server IP> and <port> e.g. 5822. Update the server

Analytics Server configuration:

Open /etc/rsyslog.conf file and add following entries at the end of the file.

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certs/server-key.pem

$ModLoad imtcp

$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerRun 5822
$InputTCPServerStreamDriverPermittedPeer <neeraj>

$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@;ForwardFormat
local0.* -/var/log/vneeraj_log;ForwardFormat  //This is optional for testing purpose.


$InputTCPServerRun 5822 -> this should match the Admin console Port

"InputTCPServerStreamDriverPermittedPeer"  is the name of client (IDP/AG) and should match the same.

local0.* @@;ForwardFormat [Analytics Server IP and Logstash port]
local0.* -/var/log/vneeraj_log;ForwardFormat [Local file to check the audit events, not recommended for production]


On Clients:

In "/etc/rsyslog.d/nam.conf" ensure, you have configure the certificate as mentioned in NetIQ access manager document (above) and port is set from the Admin console (5822 in this case).

Note: Ensure ca certificate are part of /etc/ssl/certs directory


To test:

On the analytics dashboard, validate the audit log over wireshark. Capture the trace and see they are encrypted from client to analytics dashboard server.


How To-Best Practice
Comment List
Related Discussions