Introduction:

This document explains the steps involved in configuring Access Manager for Multi-Target Auditing on Windows Server using Cygwin (Syslog Agent).

Cygwin is:

• A large collection of GNU and Open Source tools which provide functionality similar to a Linux distribution on Windows.
• A DLL (cygwin1.dll) which provides substantial POSIX API functionality.

The following link explained very much about configuring syslog on Linux.

https://www.netiq.com/documentation/access-manager-45/resources/NAM_Auditing_with_Syslog.pdf

Since there is no default syslog agent in windows, the administrator has to install and configure the local syslog agent on the individual NAM components and configure the NAM components manually to use the local syslog agent to forward the audit events to the remote audit server.

The following steps are involved in configuring the NAM Multi Target Auditing using syslog:

• Installing the syslog-ng along with Cygwin on the individual NAM Servers
• Configure the syslog-ng  to forward the audit message to the remote syslog audit server
• Enabling the NAM components to send the audit message to syslog audit server.

[1] Installing the syslog-ng along with Cygwin on the individual NAM Servers:

1. Download and install the Cygwin for Windows from: Cygwin official website
2. For 64 bit Windows servers, download the 64 bit Cygwin from: Cygwin-Installer-64bit
3. Run the setup.exe and select “Install from Internet”
4. Select the directory to install the Cygwin and the users who can access the Cygwin (All users)
5. Select the directory for local packages (optional to change)
6. Select your Internet Connection type                                                 
7. Select any site to download the packages from.
8.  In the “Select Packages” window, search the following packages and select the latest version

• Admin/syslog-ng
• Admin/cygrunsrv
• Editors/vim

9. Review and confirm the changes
10. Click Finish to complete the installation.
11. Now launch the Cygwin terminal with admin privilege by right clicking and selecting “Run as Administrator”
12. For the very first time, run the command /bin/syslog-ng-config from the Cygwin terminal. This will create the basic syslog-ng.conf file under /etc/syslog-ng/ and will install the syslog-ng as system services.

[2] Configure the syslog-ng to forward the audit message to the remote syslog audit server

Syslog-ng configuration has two section:

• Communicate to the local TCP port 1290
• Forward the audit/log message to the remote syslog audit server

1. To make the syslog-ng communicate to the local TCP port 1290

source s_local {

        system();

        internal();

        tcp(ip(127.0.0.1) port(1290));

};

2. To forward the audit message to two audit server (10.71.33.110-1468 and 10.71.33.111-1290).

destination server0 {

       tcp(164.99.185.201 port(1468));

};

destination server1 { 

       tcp(10.71.33.111 port(1290));

};

filter facility0 { facility(local0); };

filter facility1 { facility(local1); };

log {

 source(s_local); filter(facility0); destination(server0);

};

log {

 source(s_local); filter(facility0); destination(server1);

};

Finally, the syslog-ng file should look as below and Add the following entry in the /etc/syslog-ng/syslog-ng.conf file:

#############################################################################

# Default syslog-ng.conf file which collects all local logs into a

# single file called /var/log/messages.

# 

@version: 3.2

@include "scl.conf"

source s_local {

        system();

        internal();

        tcp(ip(127.0.0.1) port(1290));

};

destination server0 {

       tcp(164.99.185.201 port(1468));

};

destination server1 { 

       tcp(10.71.33.111 port(1290));

};

filter facility0 { facility(local0); };

filter facility1 { facility(local1); };

log {

 source(s_local); filter(facility0); destination(server0);

};

log {

 source(s_local); filter(facility0); destination(server1);

};

Now restart the syslog-ng by the command,

STOP: cygrunsrv -E syslog-ng

START: cygrunsrv -S syslog-ng

( For every changes in syslog-ng.conf file,  administrator has to stop and start the Cygwin syslog-ng services)

Testing the Syslog-ng configuration:

We can use the “logger” utility, which is available with the Cygwin installation to test the syslog-ng configuration.

Target1: 164.99.185.201 PORT: 1468

From NAM device, on the Cygwin console, send a logger message with facility local0

Administrator@nam-win2k16-idp ~

$ logger -p local0.info "Test Message from NAM local0"

SLES-NAM-AC:~ # tail -f /var/log/NAM_audits.log

<142>Dec 12 13:56:05 nam-win2k16-idp Administrator: Test Message from NAM local0

Target2: 10.71.33.110 PORT: 1290

From NAM device, on the Cygwin console, send a logger message with facility local1

Administrator@nam-win2k16-idp ~

$ logger -p local1.info "Test Message from NAM local1"

SLES-NAM-IDP:~ # tail -f /var/log/NAM_audits.log

<142>Dec 12 13:55:49 nam-win2k16-idp Administrator: Test Message from NAM local1

How to check the syslog connectivity?

[3] Enabling NAM components to send the Audit message to syslog audit server

After confirming the syslog-ng configuration, we must configure the Access Manager devices to send the Access Manager Audit message to be send to remote syslog audit server.

Enable auditing in AC:

In the Administration Console,

1. Select Syslog for Auditing.
2. Add two audit servers and then select desired audit formats and ports (Analytics dashboard and NetIQ sentinel only supports CSV format and both will use TCP port 1468 for syslog )
3. Select AC events

Then click Apply & OK and update the Access Manager's components(IDP and AG) if any.

Enable auditing in IDP:

In the Administration Console, select the required IDP events and update the servers.

Enable auditing in AG:

In the Administration Console, select the required AG events and update the servers.

Now the Access Manager components IDP and AG are ready to send the audit events to the remote syslog audit servers (164.99.185.201 and 10.71.33.110) via syslog-ng whenever an event is triggered from the server.

Following is an example of an audit event for single protected resource access as seen by the audit server:

Tartget1- Analytics Dashboard (164.99.185.201:1468):

Tartget2- Linux syslog server (10.71.33.111:1290):

NOTES: 

This cool solution explains a very basic local syslog agent configuration and does not explain audit event caching and SSL. It is strongly recommended to use these features in production for security and avoid event loss in case the remote audit server is not reachable. Please follow the syslog agent documentation to enable these additional features.