Introduction:
This document explains how to configure Access Manager (NAM) Multi-Target Auditing on Windows Server, using syslog-ng from Cygwin as the local syslog agent.
Cygwin is a POSIX-compatible environment for Windows that provides a Unix-like shell and a large collection of GNU and open-source tools as installable packages. syslog-ng is one of those packages, and it runs as a Windows service through cygrunsrv.
The following document describes syslog-based auditing for Access Manager on Linux in detail:
https://www.netiq.com/documentation/access-manager-45/resources/NAM_Auditing_with_Syslog.pdf
Because Windows has no built-in syslog agent, the administrator must install and configure a local syslog agent on each NAM component (Identity Server and Access Gateway) and then configure the component to send its audit events to that local agent, which forwards them to the remote audit server(s).
The following steps configure NAM Multi-Target Auditing using syslog.
The syslog-ng configuration has two parts. The source defines where events enter syslog-ng: the local system log, syslog-ng's own internal messages, and a TCP listener on 127.0.0.1:1290 to which the NAM components will be pointed:
source s_local {
system();
internal();
tcp(ip(127.0.0.1) port(1290));
};
The destinations define the remote audit servers. Host names and IP addresses are quoted strings in syslog-ng syntax:
destination server0 {
tcp("164.99.185.201" port(1468));
};
destination server1 {
tcp("10.71.33.111" port(1290));
};
Filters select events by facility, and log statements tie a source, a filter and a destination together. Events with facility local0 go to server0 and events with facility local1 go to server1; each log statement must reference the matching filter, otherwise the second target receives nothing:
filter facility0 { facility(local0); };
filter facility1 { facility(local1); };
log {
source(s_local); filter(facility0); destination(server0);
};
log {
source(s_local); filter(facility1); destination(server1);
};
The complete /etc/syslog-ng/syslog-ng.conf file then looks as follows:
#############################################################################
# syslog-ng.conf for a NAM component on Windows (Cygwin): receives audit
# events on 127.0.0.1:1290 and forwards them to two remote audit servers,
# selected by syslog facility (local0 -> server0, local1 -> server1).
#
@version: 3.2
@include "scl.conf"
source s_local {
system();
internal();
tcp(ip(127.0.0.1) port(1290));
};
destination server0 {
tcp("164.99.185.201" port(1468));
};
destination server1 {
tcp("10.71.33.111" port(1290));
};
filter facility0 { facility(local0); };
filter facility1 { facility(local1); };
log {
source(s_local); filter(facility0); destination(server0);
};
log {
source(s_local); filter(facility1); destination(server1);
};
Now restart syslog-ng with the following cygrunsrv commands (cygrunsrv is the Cygwin service wrapper; -E stops a service and -S starts it):
STOP: cygrunsrv -E syslog-ng
START: cygrunsrv -S syslog-ng
(Every change to syslog-ng.conf requires stopping and starting the Cygwin syslog-ng service; the running service does not reload the file on its own.)
The "logger" utility, which is included with the Cygwin installation, can be used to test the syslog-ng configuration end to end.
Target1: 164.99.185.201 PORT: 1468
From the NAM device, on the Cygwin console, send a logger message with facility local0:
Administrator@nam-win2k16-idp ~
$ logger -p local0.info "Test Message from NAM local0"
On the audit server the message arrives with PRI 134 (facility local0 = 16, severity info = 6; 16 * 8 + 6):
SLES-NAM-AC:~ # tail -f /var/log/NAM_audits.log
<134>Dec 12 13:56:05 nam-win2k16-idp Administrator: Test Message from NAM local0
Target2: 10.71.33.111 PORT: 1290
From the NAM device, on the Cygwin console, send a logger message with facility local1:
Administrator@nam-win2k16-idp ~
$ logger -p local1.info "Test Message from NAM local1"
On the audit server the message arrives with PRI 142 (facility local1 = 17; 17 * 8 + 6):
SLES-NAM-IDP:~ # tail -f /var/log/NAM_audits.log
<142>Dec 12 13:55:49 nam-win2k16-idp Administrator: Test Message from NAM local1
How to check the syslog connectivity?
Use the logger test above: a message sent with the right facility must appear in the audit server's log. If it does not, confirm on the Windows host that syslog-ng is listening on 127.0.0.1:1290 (netstat -an), that the remote audit server ports are reachable through any firewall in between, and that the facility used by the message matches the filter in the log statement for that destination.
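The following script is an added example and is not part of the original article: it computes and decodes the syslog PRI values seen in the audit server's log (local0.info is 134, local1.info is 142), and it probes the two audit targets directly over TCP, bypassing the local syslog-ng, so that a failed logger test can be narrowed to a facility/filter mismatch or to a network problem. The hosts and ports are the article's; the function names, the 3-second timeout, the "probe" argument and the use of bash's /dev/tcp (available in Cygwin bash) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Run on the NAM device's
# Cygwin console as:  bash nam-syslog-check.sh probe
# Without the "probe" argument the script only defines the functions.

# RFC 3164 facility keyword -> code. Returns non-zero on unknown names.
syslog_facility_code() {
  case "$1" in
    kern) echo 0 ;;  user) echo 1 ;;  mail) echo 2 ;;  daemon) echo 3 ;;
    auth) echo 4 ;;  syslog) echo 5 ;; lpr) echo 6 ;;  news) echo 7 ;;
    uucp) echo 8 ;;  cron) echo 9 ;;  authpriv) echo 10 ;; ftp) echo 11 ;;
    local[0-7]) echo $(( 16 + ${1#local} )) ;;
    *) return 1 ;;
  esac
}

# RFC 3164 severity keyword -> code.
syslog_severity_code() {
  case "$1" in
    emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
    warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
    *) return 1 ;;
  esac
}

# PRI = facility * 8 + severity: the number inside "<...>" at the start of
# every line on the audit server. local0.info -> 134, local1.info -> 142.
syslog_pri() {
  local fac sev
  fac=$(syslog_facility_code "$1") || return 1
  sev=$(syslog_severity_code "$2") || return 1
  echo $(( fac * 8 + sev ))
}

# Inverse of syslog_pri: 142 -> local1.info. Apply it to the "<NNN>" prefix
# in /var/log/NAM_audits.log to see which facility filter a line matched.
syslog_decode_pri() {
  local f s fn sn
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 191 ] || return 1
  f=$(( $1 / 8 )); s=$(( $1 % 8 ))
  case "$f" in
    0) fn=kern ;; 1) fn=user ;; 2) fn=mail ;; 3) fn=daemon ;; 4) fn=auth ;;
    5) fn=syslog ;; 6) fn=lpr ;; 7) fn=news ;; 8) fn=uucp ;; 9) fn=cron ;;
    10) fn=authpriv ;; 11) fn=ftp ;; 1[6-9]|2[0-3]) fn="local$(( f - 16 ))" ;;
    *) fn="facility$f" ;;
  esac
  case "$s" in
    0) sn=emerg ;; 1) sn=alert ;; 2) sn=crit ;; 3) sn=err ;;
    4) sn=warning ;; 5) sn=notice ;; 6) sn=info ;; 7) sn=debug ;;
  esac
  echo "$fn.$sn"
}

# Build a BSD-syslog line in the form logger(1) and syslog-ng produce:
# syslog_line FACILITY SEVERITY HOST TAG MESSAGE
syslog_line() {
  local pri
  pri=$(syslog_pri "$1" "$2") || return 1
  printf '<%s>%s %s %s: %s' "$pri" "$(date '+%b %e %H:%M:%S')" "$3" "$4" "$5"
}

# Can the NAM host open a TCP connection to an audit target at all?
syslog_probe() {
  if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
    echo "OK   $1:$2 reachable"
  else
    echo "FAIL $1:$2 not reachable (firewall, wrong port, or syslog-ng not listening)"
    return 1
  fi
}

# Send one line straight to a target, bypassing the local syslog-ng, to tell
# "the relay is misconfigured" apart from "the network path is blocked".
# syslog_send HOST PORT FACILITY SEVERITY MESSAGE
syslog_send() {
  local line
  line=$(syslog_line "$3" "$4" "$(hostname)" "$USER" "$5") || return 1
  timeout 3 bash -c 'printf "%s\n" "$1" >"/dev/tcp/$2/$3"' _ "$line" "$1" "$2"
}

# The article's targets: local0 -> Target1, local1 -> Target2.
if [ "${1:-}" = "probe" ]; then
  syslog_probe 164.99.185.201 1468 && syslog_send 164.99.185.201 1468 local0 info "Test Message from NAM local0"
  syslog_probe 10.71.33.111 1290 && syslog_send 10.71.33.111 1290 local1 info "Test Message from NAM local1"
fi
```

If syslog_probe reports OK and the line sent by syslog_send shows up in the target's log but the logger test does not, the problem is on the local syslog-ng side (wrong facility, a log statement referencing the wrong filter, or the service not restarted after editing syslog-ng.conf); if the probe fails, fix the network path before touching the configuration.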
After confirming the syslog-ng configuration, configure the Access Manager devices to send their audit messages to the remote syslog audit servers through the local syslog-ng agent.
Enable auditing in AC:
In the Administration Console, enable auditing and configure the audit server as the local syslog agent (127.0.0.1, port 1290, the tcp() source defined above).
Then click Apply and OK, and update the Access Manager components (IDP and AG) if an update is required.
Enable auditing in IDP:
In the Administration Console, select the required IDP events and update the servers.
Enable auditing in AG:
In the Administration Console, select the required AG events and update the servers.
The Access Manager components IDP and AG are now ready to send audit events to the remote syslog audit servers (164.99.185.201 and 10.71.33.111) via syslog-ng whenever an event is triggered on the server.
Following is an example of an audit event for a single protected resource access, as seen by each audit server:
Target1 - Analytics Dashboard (164.99.185.201:1468):
Target2 - Linux syslog server (10.71.33.111:1290):
NOTES:
This Cool Solution describes a basic local syslog agent configuration; it does not cover audit event caching (disk buffering) or TLS. Both are strongly recommended in production: TLS protects the audit stream in transit and lets the agent authenticate the audit server, and caching avoids event loss while the remote audit server is unreachable. Refer to the syslog agent documentation to enable these features.
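As an added example (not from the article or the Access Manager documentation), the following syslog-ng fragment replaces the plain-TCP server0 destination with one that uses TLS and a reliable disk buffer, which is what the recommendation above amounts to in practice. It assumes syslog-ng OSE 3.8 or newer on the Cygwin side (the network() driver and disk-buffer() are not available in the @version: 3.2 syntax used above), that the audit server accepts TLS on port 6514, and that the CA certificate that signed the audit server's certificate has been placed in /etc/syslog-ng/ca.d under its hashed file name (openssl x509 -hash). The port, the directory names, the file names and the buffer sizes are assumptions of this example.

```conf
# Added example, not part of the original article.
# Client side (NAM component, Cygwin syslog-ng): TLS to the audit server with
# certificate verification, plus a reliable disk buffer that queues events
# while the server is unreachable and replays them when it returns.
destination server0_tls {
    network("164.99.185.201" port(6514) transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")        # CA that signed the server certificate (assumed path)
            peer-verify(required-trusted)        # refuse to send to an unverified server
            # For mutual TLS, also present a client certificate (assumed paths):
            # key-file("/etc/syslog-ng/key.d/nam-idp.key")
            # cert-file("/etc/syslog-ng/cert.d/nam-idp.crt")
        )
        disk-buffer(
            mem-buf-size(10000000)     # bytes held in memory before spilling to disk
            disk-buf-size(1000000000)  # bytes of on-disk queue (about 1 GB)
            reliable(yes)              # every event is written to disk, not only the overflow
        )
    );
};
log { source(s_local); filter(facility0); destination(server0_tls); };

# Server side (Linux audit server), shown for comparison: listen with TLS on 6514.
source s_tls {
    network(ip(0.0.0.0) port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.d/audit-server.key")    # assumed paths
            cert-file("/etc/syslog-ng/cert.d/audit-server.crt")
            peer-verify(optional-untrusted)   # use required-trusted to demand client certificates
        )
    );
};
```

With peer-verify(required-trusted) the agent refuses to connect if the server's certificate does not chain to a CA in ca-dir, so a misplaced or unhashed CA file shows up as a connection failure in syslog-ng's internal() messages rather than as silently unauthenticated traffic; the disk buffer then holds the audit events until the problem is fixed.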