Configure Syslog Monitoring

The ActivID Appliance Syslog function can be configured to send audit events and system notifications to an external Syslog server:

  • Audit events – events to log can be filtered using a regular expression on audit EventID (for example, ^.*Authenticate.*$ can be used to send the authentication audit events).
  • System events – same events as sent as SNMP notifications.

Each type of event is managed separately so only one type can be sent to the Syslog server (for example, system events (Enabled) but not the audit events (Disabled)).

<EVENTDATE> <HOSTNAME> <DOMAIN>||<CHANNEL>|<MESSAGE>|<USERID>|<ALSI>|<STATUS>|<TARGETUSERID>|< RESPONSE>|<PALSI>|<AUTHTYPECODE>|<CORRELATIONID>|<EVENTTYPE>|< CORRELATIONTYPE>|<EVENTID>|<ENTITYID>|< ENTITYTYPE>|<HOSTADDRESS>|<TEXT1>|< TEXT2>|<TEXT3>|<TEXT4>|<TEXT5>|<TEXT6>|<TEXT7>|<TEXT8>|<TEXT9>|<TEXT10>|<DIRECTEXTREF>|< INDIRECTEXTREF><PARAMETERS>

For example, an audit event for an authentication:

May 30 10:21:42 cbl.hidps.xyz MYDOMAIN||CH_WEB||8270620930151440364|f470360389015eea377ba254c19ad8da893dd35ef6d4dd65b4dfea1c3842916c|RESPONSE_SUCCESS|8270620930151440364|SUCCESS||AT_CUSTPW||||primaryAuthenticateUP|||e58fc828-c0ba-4450-8ddd-1156f6229a10|||||||||||5048f1a7-cda5-42d2-bffb-b672a6cec47b|5048f1a7-cda5-42d2-bffb-b672a6cec47b|{"ATC":"AT_CUSTPW ","USN":"null","Action":"primaryAuthenticateUP","ANS":"false","ARP":"","AUS":"ENABLED"}

Name Data type (Max length) Description

EVENTDATE

Char(19)

Date and time of event

HOSTNAME

Char(255)

Hostname FQDN that generated the Syslog event

DOMAIN

Char(20)

Security domain on which the action was performed

EVENTID

Char(50)

Identifier of the event that is audited

EVENTTYPE

Char (10)

Type of event that is audited

USERID

NUMBER (28)

Identifier of the direct user who executed the action

DIRECTEXTREF

Char (255)

External Reference ID of the direct user who executed the action

CHANNEL

Char (30)

Channel over which the action was requested.

AUTHTYPECODE

Char (10)

Authentication Type code for authentication and administrative activities that relate directly to a specific authentication type

STATUS

Char (30)

Indicates if the call successfully completed. Note that a failed authentication is still considered to be a successfully completed call.

RESPONSE

Char (50)

Indicates if the authentication request succeeded or failed (this field is only populated for authentication requests).

MESSAGE

Char (100)

Free text field used to store additional information in exceptions

ALSI

Char (100)

Session ID of the direct user who executed the action

HOSTADDRESS

Char (512)

Hostname or IP address of the remote system that performed the action being audited

TARGETUSERID

Num (28)

Id of the user on whom the action was executed (obfuscated)

INDIRECTEXTREF

Char (255)

External Reference ID of the indirect user on whom the action is being executed (obfuscated)

PALSI

Char (100)

Session ID of the indirect user. This field is only populated for indirect user authentications and logouts

PARAMETERS

Char (3000)

Contains additional parameter values specific to the action (some parts are obfuscated)

CORRELATIONID

Char (200)

Identifier of the process from which the action was performed from a remote system

CORRELATIONTYPE

Char (10)

Type of process from which the action was performed from a remote system

ENTITYTYPE

Char (10)

Type of object that is audited from the remote system

ENTITYID

Char (20)

Identifier of the object that is audited from the remote system

TEXT1/TEXT2 …/TEXT10

Char (100)

Additional fields containing information provided from the remote system that is audited.
Note:  
  • The appliance uses Syslog user-level messages (Syslog facility user). You must make sure the Syslog messages traffic is correctly secured.
  • You can only define one Syslog server for the appliance. If required, you must configure a relay Syslog server if you need to send log events to multiple Syslog servers.
  • The Syslog function is disabled by default.
  • The appliance does not check if the CA root certificate of your Syslog server (required for TLS/mTLS connections) has been imported into the appliance truststore.
  • Enabling Syslog might generate significant logging data (especially with audit events) and could impact the performance of the appliance.
Prerequisites: If you want to use the TLS or mTLS protocol to connect to your Syslog server, import the CA root certificate of your Syslog server as a trusted certificate.

  1. Log on to the ActivID Console and, under Monitoring in the left menu, select Syslog.

  2. In the Server section, configure the connection to your Syslog server:

    1. Enter the IP Address.
    2. Select the required Protocol.
    3. Enter the Port number.

      The default protocol ports are:

      • UDP - 514
      • TCP - 601
      • TLS/mTLS - 6514
  3. If you are using the mTLS protocol:

    Upload the client certificate (.p12) and enter the corresponding password.

    Note: If there is an existing certificate configured for the connection, you can View the certificate's details or Change the certificate by uploading a new one.

  4. In the Events section, select the type of appliance event data you want to send to your Syslog server by selecting Enable for Audit Events and/or System Events.

    5. In addition, for Audit Events, you can filter the type of audited event.

    For example, to send only authentication events, add the ^.*Authenticate.*$ filter.

    Note: If you have deployed the ActivID RADIUS Front End (RFE), Syslog will capture many authentication attempts when the RFE creates a pool of connections at startup.

  5. Click Save to apply the configuration.

The following illustration is an example of notifications: