Configuring the Linux Syslog audit method
  • 07 Jan 2025

For Linux systems, auditing data will be written to the system logger (syslog).

Syslog requires the audit messages to have the following attributes:

  • Priority
  • Facility
  • Time stamp
  • Source hostname
  • Source application name
  • Event payload

The values in the attributes on the audit message determine where the message is written to, and whether it appears in the syslog.

Table: Audit message types and syslog priority shows the mapping of audit message types to the respective syslog priorities. You can use the syslog priority to direct certain audit message types to any log file, pipe, or remote syslog service.

If syslog auditing is used, your organization must ensure GDPR compliance by encrypting the Linux syslog folder (including on remote machines, if remote logging is enabled).

For more information about GDPR, refer to the OneSpan Authentication Server General Data Protection Regulation Compliance Guide.

Table: Audit message types and syslog priority

  Message type   Syslog priority
  Success        LOG_NOTICE
  Fail           LOG_NOTICE
  Info           LOG_INFO
  Warning        LOG_WARNING
  Error          LOG_ERR

In addition to configuring OneSpan Authentication Server to write audit messages to syslog, you must adapt the syslog configuration files to your requirements. The supported Linux distributions use the following syslog configuration files:

  • Red Hat Enterprise Linux: /etc/rsyslog.conf
  • Ubuntu Server: /etc/rsyslog.d/50-default.conf

The individual configuration steps depend on the distribution used. For more information about configuring syslog, refer to the product documentation of the respective Linux distribution.

After configuring syslog accordingly, configure OneSpan Authentication Server to use the syslog audit method.

Configuring OneSpan Authentication Server to write audit messages to the syslog

To configure OneSpan Authentication Server to use the System Log audit method

  1. Start the Configuration Utility.
  2. Click on the Auditing icon.
  3. Click Add.
  4. Select System Log from the list box.
  5. Click OK.

    The Add System Log Audit Method dialog appears.

    1. Enter a name in the Display Name field. This name will only be used for display purposes.

      If this audit method must succeed, select the Reject audit message if this method fails box. An error will be returned by OneSpan Authentication Server if an audit message cannot be written with this method.

    2. If required, select the Record audit message if no other audit method has recorded it box.
    3. Select one or more audit message types to be logged by this plug-in:

      • Error
      • Warning
      • Information
      • Success
      • Failure
  6. Select a log type or enter a new log type to be created in the Log Type list.
  7. Click OK.
  8. Click Apply.

Configuring the syslog audit message format

By default, OneSpan Authentication Server writes audit messages across multiple lines where applicable, for better readability. For instance, if an audit message includes several output details, each output field is written to a new line. This behavior may be undesirable in some circumstances, for instance when you use a SIEM, or when you search for specific information with grep or a similar command and each search result should contain the whole audit message on a single line.

You control the syslog format with the Allow-Newlines option in the OneSpan Authentication Server configuration file, by default /etc/vasco/ias/identikeyconfiguration.xml. If you set this option to false, OneSpan Authentication Server writes each audit message on a single line.

XPath: //VASCO/Audit/Plugins/*/Type[@data="syslog"]/../Plugincfg/Allow-Newlines

By default, this value is not set in the configuration file (audit messages are wrapped across multiple lines).

 

<VASCO>
  <Audit>
    <Plugins>
      <Profile02>
        <Enabled type="bool" data="true"/>
        <Type type="string" data="syslog"/>
        ...
        <Plugincfg>
          <Allow-Newlines type="bool" data="false"/>
        </Plugincfg>
      </Profile02>
      ...
    </Plugins>
    ...
  </Audit>
  ...
</VASCO>
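
To check which syslog audit plug-ins still write multi-line messages before a SIEM or grep consumes them, the XPath above can be applied to the configuration file. This is an added example, not OneSpan code. The sample XML is constructed, the profile names and the non-syslog type value "other" are made up, and comparing the value case-insensitively is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the structure shown above; names and "other" are made up.
SAMPLE_CONFIG = """\
<VASCO>
  <Audit>
    <Plugins>
      <Profile01>
        <Type type="string" data="other"/>
      </Profile01>
      <Profile02>
        <Enabled type="bool" data="true"/>
        <Type type="string" data="syslog"/>
        <Plugincfg>
          <Allow-Newlines type="bool" data="false"/>
        </Plugincfg>
      </Profile02>
      <Profile03>
        <Enabled type="bool" data="true"/>
        <Type type="string" data="syslog"/>
      </Profile03>
    </Plugins>
  </Audit>
</VASCO>
"""


def syslog_newline_settings(xml_text):
    """Map each syslog plug-in profile to True if its messages may span lines."""
    root = ET.fromstring(xml_text)  # the root element is <VASCO>
    result = {}
    # Same selection as the XPath above: Plugins/*/Type[@data="syslog"]/..
    for profile in root.findall("./Audit/Plugins/*"):
        if profile.find("Type[@data='syslog']") is None:
            continue  # not a syslog audit plug-in
        option = profile.find("Plugincfg/Allow-Newlines")
        # Unset means the default (multi-line). Assumption: case-insensitive value.
        value = "true" if option is None else option.get("data", "true")
        result[profile.tag] = value.strip().lower() != "false"
    return result


def multiline_profiles(xml_text):
    """Names of syslog plug-ins that still emit multi-line audit messages."""
    return sorted(p for p, multi in syslog_newline_settings(xml_text).items() if multi)


if __name__ == "__main__":
    print("multi-line syslog plug-ins:", multiline_profiles(SAMPLE_CONFIG))
```

To run it against a real installation, pass the contents of the configuration file named above instead of SAMPLE_CONFIG.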
