
How to send audits to syslog

This page describes a procedure to send audits to a syslog server. This procedure applies to on-prem deployments of the solution. For SaaS deployments, contact OKIOK if you need access to the audit logs.

S-Filer Portal uses Log4J as its logging framework. Log4J is flexible enough to format logs in almost any layout and to send them to a wide variety of destinations, including syslog servers.

Warning

Changing the Log4J configuration is supported by OKIOK, but is not part of the standard installation procedure. It may be necessary to reapply these changes after an upgrade.

Contextual information

The solution attaches contextual information to each audit. These values can be used in the layout:

| Name                 | Layout parameter     | Example                             |
|----------------------|----------------------|-------------------------------------|
| Audit message        | %m                   | MFA validation failed for 'jsmith'. |
| Thread identifier    | %t                   | pool-1-thread-3                     |
| Date and time        | %d                   | See Log4J doc for formats           |
| Other standard Log4J | %p, %c, etc.         | See Log4J for details.              |
| Account name         | %X{MDC_USER}         | jsmith                              |
| IP of the user       | %X{MDC_REMOTE_IP}    | 172.134.23.46                       |
| S-Filer component    | %X{MDC_COMPONENT}    | sfiler-gw-1                         |

Audits to log

See the Audit Reference page for the list of all supported audits in S-Filer Portal.

Configuration

Configuring the layout of the logs

OKIOK recommends using a PatternLayout as it offers the most flexibility.

Configuring the syslog appender

The Log4J syslog appender has many configuration values and can work in UDP, TCP and TLS over TCP. The details of the syslog appender are here: https://logging.apache.org/log4j/2.x/manual/appenders.html#syslogappender

Examples

These examples contain only the logger and appender to write audits. They need to be combined with the regular logging configuration that includes error and debug logs.

Basic QRadar config

This example sends logs to QRadar in LEEF format over UDP.

The pattern layout must be adjusted to the configured facility as follows:

  1. Determine the facility code (see https://en.wikipedia.org/wiki/Syslog) based on the keyword defined in the facility parameter of the syslog appender.

    In this example: 'local1' facility has the code 17.

  2. Compute the facility value by multiplying the facility code by 8.

    In this example: facility_value = 17 * 8 = 136

  3. For each trace level, determine the severity value (see https://en.wikipedia.org/wiki/Syslog) and add it to the facility value.

    In this example:

      TRACE = facility_value + 7 = 136 + 7 = 143
      DEBUG = facility_value + 7 = 136 + 7 = 143
       INFO = facility_value + 6 = 136 + 6 = 142
       WARN = facility_value + 4 = 136 + 4 = 140
      ERROR = facility_value + 3 = 136 + 3 = 139
      FATAL = facility_value + 3 = 136 + 3 = 139
  4. Concatenate all trace levels with their calculated values and put the resulting string in the 'pattern' parameter of the PatternLayout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration monitorinterval="30" status="info" strict="true">
    <Appenders>
        <Syslog name="qradar" host="127.0.0.1" port="514" facility="local1" format="RFC5424" protocol="UDP" >
            <PatternLayout pattern="&lt;%level{TRACE=143,DEBUG=143,INFO=142,WARN=140,ERROR=139,FATAL=139}&gt; %d{MMM dd HH:mm:ss} sfiler_7 LEEF:1.0|%c|\t devTime=%d{MMM dd yyyy HH:mm:ss.SSS z}\tdevTimeFormat=MMM dd yyyy HH:mm:ss.SSS z\tusrName=%X{MDC_USER}\tidentSrc=%X{MDC_REMOTE_IP}\tthread=%t\tmessage=%m%n"/>
        </Syslog>
    </Appenders>
    <Loggers>
        <Logger name="AUDIT" level="INFO">
            <appender-ref ref="qradar"/>
        </Logger>
    </Loggers>
</Configuration>
```
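The four steps above are easy to get wrong by hand when the facility changes, and a wrong PRI value makes the SIEM file the audits under the wrong facility or severity. The following Python script is an added example (not part of the S-Filer Portal documentation or product): it carries the computation through for any facility keyword, emits the `%level{...}` conversion exactly as it appears in the pattern attribute above, and decodes a PRI back into facility and severity so the values received by the syslog server can be checked. The facility table and the Log4J-level-to-severity mapping are the ones the page relies on (RFC 5424 facility codes; TRACE/DEBUG=7, INFO=6, WARN=4, ERROR/FATAL=3); the function names are the example's own.

```python
"""Worked PRI computation for the Log4J syslog PatternLayout.

Added example, not S-Filer Portal code. Reproduces the procedure on the page:
facility_value = facility_code * 8, PRI = facility_value + severity.
"""
from html import escape

# Syslog facility keyword -> facility code (RFC 5424 table, as cited on the page).
SYSLOG_FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

# Log4J level -> syslog severity, exactly as the page maps them.
LEVEL_SEVERITY = {"TRACE": 7, "DEBUG": 7, "INFO": 6, "WARN": 4, "ERROR": 3, "FATAL": 3}


def facility_value(facility):
    """Step 1 and 2: look up the facility code and multiply by 8."""
    return SYSLOG_FACILITIES[facility.lower()] * 8


def pri_values(facility):
    """Step 3: PRI value for every Log4J level, for the given facility keyword."""
    base = facility_value(facility)
    return {level: base + severity for level, severity in LEVEL_SEVERITY.items()}


def level_pattern(facility):
    """Step 4: the %level{...} conversion to put in the PatternLayout pattern."""
    mapping = pri_values(facility)
    inner = ",".join(f"{level}={value}" for level, value in mapping.items())
    return "%level{" + inner + "}"


def pattern_prefix_xml(facility):
    """The PRI tag as it must be written inside the XML attribute: the angle
    brackets are escaped as &lt; and &gt; so the configuration stays well-formed."""
    return escape("<" + level_pattern(facility) + ">", quote=False)


def decode_pri(pri):
    """Inverse check: split a PRI received by the syslog server back into
    (facility keyword, severity). Useful when validating what the SIEM sees."""
    facility_code, severity = divmod(pri, 8)
    keyword = next(k for k, v in SYSLOG_FACILITIES.items() if v == facility_code)
    return keyword, severity


if __name__ == "__main__":
    # Reproduces the page's local1 example (facility code 17, facility value 136).
    for level, value in pri_values("local1").items():
        print(f"{level:>5} = 136 + {LEVEL_SEVERITY[level]} = {value}")
    print(pattern_prefix_xml("local1"))
```

Running the script prints the same six values as the page (143, 143, 142, 140, 139, 139) and the escaped `&lt;%level{...}&gt;` prefix that opens the `pattern` attribute; changing the argument to `local0` or `auth` recomputes the whole block for that facility.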

Filtering QRadar config

This is similar to the QRadar configuration above, but adds filters that drop common events before they are sent.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration monitorinterval="30" status="info" strict="true">
    <Appenders>
        <Syslog name="qradar" host="127.0.0.1" port="514" facility="local1" format="RFC5424" protocol="UDP" >
            <PatternLayout pattern="&lt;%level{TRACE=143,DEBUG=143,INFO=142,WARN=140,ERROR=139,FATAL=139}&gt; %d{MMM dd HH:mm:ss} sfiler_7 LEEF:1.0|%c|\t devTime=%d{MMM dd yyyy HH:mm:ss.SSS z}\tdevTimeFormat=MMM dd yyyy HH:mm:ss.SSS z\tusrName=%X{MDC_USER}\tidentSrc=%X{MDC_REMOTE_IP}\tthread=%t\tmessage=%m%n"/>
            <Filters>
                <StringMatchFilter text="Extension Action" onMatch="DENY" onMismatch="NEUTRAL"/>
                <StringMatchFilter text="Upload" onMatch="DENY" onMismatch="NEUTRAL"/>
                <StringMatchFilter text="uploaded" onMatch="DENY" onMismatch="NEUTRAL"/>
                <StringMatchFilter text="Download" onMatch="DENY" onMismatch="NEUTRAL"/>
                <StringMatchFilter text="downloaded" onMatch="DENY" onMismatch="NEUTRAL"/>
                <StringMatchFilter text="Server" onMatch="DENY" onMismatch="NEUTRAL"/>
                <StringMatchFilter text="Gateway" onMatch="DENY" onMismatch="NEUTRAL"/>
            </Filters>
        </Syslog>
    </Appenders>
    <Loggers>
        <Logger name="AUDIT" level="INFO">
            <appender-ref ref="qradar"/>
        </Logger>
    </Loggers>
</Configuration>
```
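Before deploying a filter list like the one above it is worth checking which audits it silences, since an event that is denied here never reaches the SIEM. The script below is an added example (not S-Filer Portal code): it models the logger's INFO threshold and the chain of `StringMatchFilter` elements from the configuration above, with `onMatch="DENY"` / `onMismatch="NEUTRAL"` semantics (a match stops the chain with DENY; a non-match falls through to the next filter; an event still NEUTRAL after the last filter is accepted). Matching is modelled as a case-sensitive substring test, which is why the page lists `Upload` and `uploaded` separately. The audit messages are constructed samples, not real S-Filer audit texts; the MFA message is the one from the contextual-information table.

```python
"""Model of the filtering QRadar configuration's filter chain.

Added example, not S-Filer Portal code. Runs constructed audit events through
the same DENY/NEUTRAL filters to show which events still reach the appender.
"""

# Filter texts copied from the <Filters> block of the configuration above.
DENY_SUBSTRINGS = [
    "Extension Action", "Upload", "uploaded", "Download", "downloaded",
    "Server", "Gateway",
]

LEVEL_ORDER = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}


def passes_logger_level(level, threshold="INFO"):
    """The AUDIT logger is declared with level="INFO": anything below is dropped
    before the appender and its filters are consulted at all."""
    return LEVEL_ORDER[level] >= LEVEL_ORDER[threshold]


def filter_chain(message):
    """Evaluate the StringMatchFilter chain. Returns (decision, matching_text).

    Each filter: onMatch="DENY" ends the chain; onMismatch="NEUTRAL" hands the
    event to the next filter. Matching is modelled as a case-sensitive
    substring test on the formatted message.
    """
    for text in DENY_SUBSTRINGS:
        if text in message:
            return "DENY", text
    return "NEUTRAL", None


def forwarded(level, message, threshold="INFO"):
    """True if the event would be written to the syslog appender."""
    if not passes_logger_level(level, threshold):
        return False
    decision, _ = filter_chain(message)
    return decision != "DENY"


# Constructed sample audit events (level, message); not real S-Filer messages.
SAMPLE_EVENTS = [
    ("INFO", "MFA validation failed for 'jsmith'."),
    ("INFO", "File 'report.pdf' uploaded by 'jsmith'."),
    ("WARN", "Gateway sfiler-gw-1 reconnected."),
    ("DEBUG", "Session token refreshed for 'jsmith'."),
    ("INFO", "Account 'Serverless-team' created."),
]


def forwarded_messages(events=SAMPLE_EVENTS):
    """Messages from `events` that survive the logger level and the filter chain."""
    return [message for level, message in events if forwarded(level, message)]


if __name__ == "__main__":
    for level, message in SAMPLE_EVENTS:
        decision, text = filter_chain(message)
        verdict = "sent" if forwarded(level, message) else f"dropped ({text or 'below INFO'})"
        print(f"[{level}] {message} -> {verdict}")
```

The last sample illustrates the caveat: a short filter text such as `Server` also matches unrelated audits whose message merely contains that substring (here an account named `Serverless-team`), so the list should be reviewed against the Audit Reference page to make sure no security-relevant audit is suppressed as a side effect.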