Access Manager - Syslog for Auditing on Windows using syslog-ng

Introduction



This cool solution explains the steps involved in configuring Access Manager auditing over syslog on Windows Server 2012 R2, using Cygwin, a Unix-like environment and command-line interface for Microsoft Windows.

Need for syslog for auditing in Access Manager



With NAM 4.2 the legacy Platform Agent (PA) for auditing is discontinued, and the widely used syslog protocol is used instead to transport audit messages to the remote audit server.

On most Linux-based Access Manager deployments the NAM components are configured automatically to use the local syslog agent, rsyslog, which ships with most Linux distributions.

The complete document is available at: https://www.netiq.com/documentation/access-manager-42/resources/NAM_Auditing_with_Syslog.pdf

On Windows, the administrator has to install and configure a local syslog agent on each NAM component and configure the NAM components manually to use that agent to forward the audit events to the remote audit server.

This cool solution explains the steps involved in configuring syslog-ng over Cygwin on Windows Server 2012 R2 to enable auditing over syslog for NAM components.

A similar approach can be used with any other Windows syslog agent.

Access Manager auditing through syslog: how it works



Architecture



Syslog Agent


With syslog enabled for auditing, every NAM component writes its audit messages to the local syslog agent. A local syslog agent runs on each device to collect the audit messages and forward them to the centralized syslog server.

Syslog Server


The central auditing server can be Sentinel or any auditing server that accepts syslog.

Note: NAM auditing over syslog is supported only over TCP.

If Sentinel is used as the audit server, the latest NAM Solution Pack for Sentinel must be installed.

Use case: in this cool solution we use a NAM 4.2 Linux Administration Console as the remote syslog audit server; you can use any syslog-enabled audit server. The NAM 4.2 Linux Administration Console is bundled with a syslog server and configured to use it by default. The NAM component to be audited is an Access Manager 4.2 Identity Server (IDP) running on Windows Server 2012 R2.

Following are the steps involved in configuring NAM auditing using syslog:

[1] Install syslog-ng along with Cygwin on the individual NAM servers

[2] Configure syslog-ng to forward the audit messages to the remote syslog audit server

[3] Enable the NAM components to send the audit messages to the syslog audit server

[1] Installing the syslog-ng along with Cygwin on the individual NAM Servers:



[1] Download and install Cygwin for Windows from: http://cygwin.com/

[2] For 64-bit Windows Server 2012 R2, download the 64-bit Cygwin installer from: http://cygwin.com/setup-x86_64.exe

[3] Run the setup executable and select “Install from Internet”

[4] Select the directory in which to install Cygwin and the users who can access it (All Users)

[5] Select the directory for local packages (Default is fine)

[6] Select your Internet connection type

[7] Select any site to download the packages from.

[8] In the “Select Packages” window, type “syslog” in the search box. In the results, expand the Admin section and you will see syslog-ng. Click “Skip” until the version column shows 3.2.5-2 (or whatever the latest supported version is).

[9] Similarly install the following Packages:

  1. Admin/cygrunsrv

  2. Editors/VIM

  3. Gnome/glib



[10] Click Finish to complete the installation.

[11] Now launch the Cygwin Shell with admin privilege by right clicking and selecting “Run as Administrator”

[12] The first time, run the command /bin/syslog-ng-config from the shell. This creates a basic syslog-ng.conf under /etc/syslog-ng/ and installs syslog-ng as a Windows service (managed with cygrunsrv).

[2] Configure syslog-ng to forward the audit messages to the remote syslog audit server



syslog-ng has to be configured to:

  1. Listen on local TCP port 1290, where the NAM components deliver their audit messages

  2. Forward the audit/log messages to the remote syslog audit server



  1. To make syslog-ng listen on local TCP port 1290, add the tcp() line to the s_local source in /etc/syslog-ng/syslog-ng.conf so that it reads:

source s_local {
       system();
       internal();
       tcp(ip(127.0.0.1) port(1290));
};




  2. To forward the audit messages to the remote audit server (164.99.184.91 in this example, also listening on TCP port 1290), add the following destination and log statement to /etc/syslog-ng/syslog-ng.conf:

destination server {
       tcp(164.99.184.91 port(1290));
};

log {
       source(s_local);
       destination(server);
};

Because s_local also includes system() and internal(), this log path forwards all local syslog traffic, not only NAM audit events, to the audit server; the logger test below relies on this. Keep the listener bound to 127.0.0.1 as shown, so that only processes on the NAM server itself can inject messages into the audit stream.


The complete /etc/syslog-ng/syslog-ng.conf should then look like this:

#############################################################################
# Default syslog-ng.conf file which collects all local logs into a
# single file called /var/log/messages.
#
@version: 3.2
@include "scl.conf"

source s_local {
        system();
        internal();
        tcp(ip(127.0.0.1) port(1290));
};

destination server {
       tcp(164.99.184.91 port(1290));
};

log {
       source(s_local);
       destination(server);
};


Start syslog-ng with the command cygrunsrv -S syslog-ng. If the service is already running, stop it first with cygrunsrv -E syslog-ng and then start it again so that the new configuration is read; cygrunsrv -Q syslog-ng shows the service status.

Testing the Syslog-ng configuration


We can use the logger utility, which is available with the Cygwin installation, to test the syslog-ng configuration.

From the NAM device, on the Cygwin console, send a message with facility local0 and severity info:

Administrator@nam-win ~

$ logger -p local0.info "Test Message from NAM"

The message should reach the appropriate log file on the remote syslog audit server (/var/log/NAM_audits.log when the Linux Administration Console is the syslog audit server). The <134> prefix is the syslog priority value, local0 (16) * 8 + info (6):

[root@audit-server ~]# tailf /var/log/NAM_audits.log

<134>Jan 28 12:38:35 nam-win Administrator: Test Message from NAM
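The transport chain above (NAM component to the local syslog-ng on TCP/1290, syslog-ng to the remote collector on TCP/1290) can be exercised without a NAM component or an audit server. The following Python script is an added example, not code from this article, from syslog-ng or from NetIQ: it implements a minimal TCP syslog collector that splits newline-terminated messages (the default framing of the syslog-ng tcp() destination) and a sender that builds the same BSD-syslog line the logger test above produced, including the <134> priority for local0.info. The host name nam-win, the tag Administrator and the message text are taken from the test above; addresses and ports are whatever the caller passes.

```python
"""Stand-in TCP syslog collector and sender for checking the transport used
by NAM auditing over syslog.

Added example for this article; not code from the article, from syslog-ng or
from NetIQ. The host name, tag and message text mirror the logger test above;
the default timestamp is fixed so the output is reproducible.
"""
import socket
import threading
from datetime import datetime

# RFC 3164 facility and severity codes (the subset that matters here).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """Priority value = facility * 8 + severity; local0.info -> 134."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> tuple:
    """Inverse of pri(): the <134> seen in NAM_audits.log is local0.info."""
    fac = {v: k for k, v in FACILITIES.items()}[value >> 3]
    sev = {v: k for k, v in SEVERITIES.items()}[value & 7]
    return fac, sev


def format_message(facility, severity, hostname, tag, text, when=None):
    """Build one BSD-syslog line: <PRI>Mmm dd hh:mm:ss host tag: text."""
    when = when or datetime(2016, 1, 28, 12, 38, 35)      # fixed default for reproducibility
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"      # BSD format space-pads the day
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


class SyslogSink:
    """Minimal TCP collector. Messages arrive newline-terminated on the wire
    (the default framing of the syslog-ng tcp() destination); this splits them."""

    def __init__(self, host="127.0.0.1", port=0):          # port 0 = pick a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(10)
        self.port = self.sock.getsockname()[1]
        self.received = []

    def accept_one(self):
        """Serve a single connection until the sender closes it."""
        conn, _ = self.sock.accept()
        conn.settimeout(10)
        buf = b""
        with conn:
            while chunk := conn.recv(4096):
                buf += chunk
                while b"\n" in buf:                           # one message per newline
                    line, buf = buf.split(b"\n", 1)
                    self.received.append(line.decode("utf-8", "replace"))
        if buf:                                                # unterminated tail still counts
            self.received.append(buf.decode("utf-8", "replace"))
        self.sock.close()


def send_tcp(host, port, lines):
    """Send each line over one TCP connection, newline-terminated. Returns the count."""
    with socket.create_connection((host, port), timeout=5) as s:
        for line in lines:
            s.sendall(line.encode("utf-8") + b"\n")
    return len(lines)


def roundtrip(lines):
    """Start a sink on a free loopback port, send the lines to it, return what arrived."""
    sink = SyslogSink()
    worker = threading.Thread(target=sink.accept_one, daemon=True)
    worker.start()
    send_tcp("127.0.0.1", sink.port, lines)
    worker.join(timeout=10)
    return sink.received


if __name__ == "__main__":
    test_line = format_message("local0", "info", "nam-win", "Administrator",
                               "Test Message from NAM")
    for line in roundtrip([test_line]):
        print(decode_pri(int(line[1:line.index(">")])), line)
```

Run as-is, the two halves talk over a free loopback port. To stand in for the remote audit server during a rollout, run SyslogSink("0.0.0.0", 1290).accept_one() on the collector host and point the syslog-ng destination at it; to check that the local syslog-ng really accepts input on 1290 the way a NAM component would, call send_tcp("127.0.0.1", 1290, [line]) on the Windows server and watch the remote log file.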

[3] Enabling NAM components to send the Audit message to syslog audit server



After confirming the syslog-ng configuration, configure the Access Manager device to send its audit messages to the remote syslog audit server.

Perform the following steps:

  1. In the Administration Console, select Syslog for auditing.

In the Auditing section of the Administration Console, set Audit Messages Using to Syslog and select Send to Third Party from the drop-down list.

NOTE: Server Listening Address and Port are greyed out in this mode. The remote server is the one configured manually in the syslog-ng destination in step [2] above.


Apply the changes and update the servers.




  2. Select the audit events in the Administration Console

Select the Access Manager events to be audited in the Administration Console and apply the changes. In this example the Identity Server (IDP) is audited, so the events are selected in the IDP configuration in the Administration Console.


Apply the changes after selecting the events and update the servers.



The Access Manager IDP now sends audit events to the remote syslog audit server via syslog-ng whenever one of the selected events is triggered on the server.

Following is an example of an audit event in JSON format for a login failure as seen by the audit server:

[root@audit-server ~]# tailf /var/log/NAM_audits.log

<134>Jan 28 12:41:28 nam-win {"appName": "Novell Access Manager","timeStamp":"Thu, 28 Jan 2016 12:41:28 +0530","eventId":"002E000C","subTarget":"TestUser","stringValue1":"8BEDC83BBE9139A39943FC6296EB3001","stringValue2":"Unable to locate user name ","stringValue3":"Name/Password - Form","numericValue1":0,"numericValue2":0,"numericValue3":0,"message":"[Thu, 28 Jan 2016 12:41:28 +0530]  [Novell Access Manager\\\\nidp]: AMDEVICEID#FB6C42375B901FAD: AMAUTHID#8BEDC83BBE9139A39943FC6296EB3001: User session authentication failed. Authentication Contract Name: [Name/Password - Form] Authentication Method Name: [Name/Password - Form] Reason: [Unable to locate user name ] Client IP Address: [10.1.2.3]","target":"Name/Password - Form","data":"MTY0Ljk5LjEzNy42NA==","description":"NIDS: User session authentication failed","originator":"FB6C42375B901FAD","component":"nidp"}
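To consume these events on the audit server side, the following Python script is an added example, not code from the article or from NetIQ. It strips the syslog header, parses the JSON payload, decodes the base64 data field, pulls the client address out of the free-text message field (it is not a separate JSON field) and counts authentication failures per user. The first event line is the article's own sample above; the plain line is the earlier logger test; the remaining lines are constructed for the demo. Treating eventId 002E000C as the authentication-failure event is taken from the sample's own description field, and the threshold of three failures is an arbitrary choice.

```python
"""Parse Access Manager audit events as they land in /var/log/NAM_audits.log
and flag accounts with repeated authentication failures.

Added example for this article; not code from the article or from NetIQ.
SAMPLE is the article's own event; the other event lines are constructed.
The eventId used for "authentication failed" comes from the sample's own
description field and the threshold is an assumption.
"""
import base64
import json
import re
from collections import Counter

# Header written by syslog-ng: <PRI>Mmm dd hh:mm:ss host payload
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>"
                    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                    r"(?P<host>\S+) (?P<payload>.*)$")
# The client address only appears inside the free-text "message" field.
CLIENT_IP = re.compile(r"Client IP Address: \[([^\]]+)\]")
AUTH_FAILED = "002E000C"   # eventId of "NIDS: User session authentication failed" in SAMPLE


def parse_line(line):
    """Return header fields plus either a parsed JSON 'event' or a plain 'text'."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {"facility": pri >> 3, "severity": pri & 7,          # 134 -> 16 (local0), 6 (info)
           "timestamp": m.group("ts"), "host": m.group("host"),
           "event": None, "text": None}
    payload = m.group("payload")
    if payload.startswith("{"):
        ev = json.loads(payload)
        if "data" in ev:                                         # base64 in the sample
            ev["data_decoded"] = base64.b64decode(ev["data"]).decode("utf-8", "replace")
        ip = CLIENT_IP.search(ev.get("message", ""))
        ev["clientIp"] = ip.group(1) if ip else None
        rec["event"] = ev
    else:
        rec["text"] = payload                                    # e.g. the logger test line
    return rec


def failed_logins(lines, threshold=3):
    """Users (subTarget) whose authentication-failure count reaches the threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] and rec["event"].get("eventId") == AUTH_FAILED:
            counts[rec["event"].get("subTarget")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# The article's own event, split across literals only for line length.
SAMPLE = (
    r'<134>Jan 28 12:41:28 nam-win {"appName": "Novell Access Manager",'
    r'"timeStamp":"Thu, 28 Jan 2016 12:41:28 +0530","eventId":"002E000C","subTarget":"TestUser",'
    r'"stringValue1":"8BEDC83BBE9139A39943FC6296EB3001","stringValue2":"Unable to locate user name ",'
    r'"stringValue3":"Name/Password - Form","numericValue1":0,"numericValue2":0,"numericValue3":0,'
    r'"message":"[Thu, 28 Jan 2016 12:41:28 +0530]  [Novell Access Manager\\\\nidp]: '
    r'AMDEVICEID#FB6C42375B901FAD: AMAUTHID#8BEDC83BBE9139A39943FC6296EB3001: '
    r'User session authentication failed. Authentication Contract Name: [Name/Password - Form] '
    r'Authentication Method Name: [Name/Password - Form] Reason: [Unable to locate user name ] '
    r'Client IP Address: [10.1.2.3]","target":"Name/Password - Form","data":"MTY0Ljk5LjEzNy42NA==",'
    r'"description":"NIDS: User session authentication failed","originator":"FB6C42375B901FAD",'
    r'"component":"nidp"}'
)


def constructed_failure(ts, user, ip):
    """Constructed event in the same shape as SAMPLE (demo data, not real NAM output)."""
    ev = {"appName": "Novell Access Manager", "eventId": AUTH_FAILED, "subTarget": user,
          "message": f"User session authentication failed. Client IP Address: [{ip}]",
          "description": "NIDS: User session authentication failed",
          "data": base64.b64encode(ip.encode()).decode(), "component": "nidp"}
    return f"<134>{ts} nam-win {json.dumps(ev)}"


SAMPLE_LINES = [
    "<134>Jan 28 12:38:35 nam-win Administrator: Test Message from NAM",   # logger test line
    SAMPLE,
    constructed_failure("Jan 28 12:41:40", "TestUser", "10.1.2.3"),
    constructed_failure("Jan 28 12:41:52", "TestUser", "10.1.2.3"),
    constructed_failure("Jan 28 12:42:03", "alice", "10.1.2.9"),
]

if __name__ == "__main__":
    ev = parse_line(SAMPLE)["event"]
    print(ev["eventId"], ev["subTarget"], ev["clientIp"], ev["data_decoded"])
    print("repeated failures:", failed_logins(SAMPLE_LINES))
```

Key alerting rules on eventId and subTarget rather than on the text of message: the structured fields are stable keys, while the free text is what is most likely to change between versions (the sample already carries a trailing space in the reason string). The client IP still has to be regex-extracted from message, since the event carries no dedicated field for it.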

NOTES:



  1. If NetIQ Sentinel is used as the remote audit server, install the latest NAM Solution Pack for Sentinel. By default Sentinel listens for syslog on TCP port 1468, so that port, not 1290, has to be used for the remote server in the local syslog agent's destination.

  2. This cool solution describes a very basic local syslog agent configuration and does not cover audit event caching or SSL/TLS. Both are strongly recommended in production: TLS protects the audit events in transit, and caching avoids event loss when the remote audit server is unreachable. Follow the syslog agent documentation to enable these features.


Community Tips & Information page. Last update: 2020-01-31 22:06 (revision 3 of 3)