Syslog

Many companies choose to centralize security and network logging to a single Syslog server or appliance to reduce the burden of log collection, investigation and reporting across many devices.

While PAM does include its own logging engine that captures and stores events, it can also be configured to output this information to your centralized syslog server.

Syslog server

To output PAM audit log events to your syslog server, please perform the following steps.

Syslog integration can now also be configured directly in the PAM interface by navigating to Administration > Settings > Syslog.

To understand what types of Audit events are logged at each level, please read this article.

  1. On the host where PAM is installed, open the file $PAM_HOME\web\conf\log4j.pam.properties in a text editor.
  2. Modify the second line of this file

    from this: log4j.rootLogger=INFO, file, stdout

    to this: log4j.rootLogger=INFO, file, stdout, SYSLOG

  3. At the end of the file, copy and paste the following lines:

    # Syslog Messages
    log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
    log4j.appender.SYSLOG.threshold=INFO
    log4j.appender.SYSLOG.syslogHost={add your Syslog Host name or IP address here}
    log4j.appender.SYSLOG.facility=LOCAL4
    log4j.appender.SYSLOG.header=true
    log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
    log4j.appender.SYSLOG.layout.conversionPattern=XTAM [%p] %c{3.}:%L - %m%n

  4. Modify the log4j.appender.SYSLOG.syslogHost= line above to add your Syslog host name or IP address. To use a non-standard port, append it to the host name or IP address in the form host:port.
  5. When finished, save and close this file.
  6. The syslog output is delivered over UDP to port 514 by default, so if necessary ensure that this port is open between the PAM host and the Syslog server.
  7. Restart the service PamManagement (Windows) or pammanager (Linux).

Once the service has completed the restart process, your Syslog server or appliance should immediately begin receiving audit log events from PAM.

Message Filtering

It is possible to filter the messages sent to the syslog server in order to reduce the traffic processed by the SIEM server.

To enable filtering, add the following properties at the end of the SYSLOG configuration.

The example below filters all audit log messages generated by PAM about the record Local Unix.

log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=Class: Record, Name: Local Unix
log4j.appender.SYSLOG.filter.1.acceptOnMatch=true
log4j.appender.SYSLOG.filter.2=org.apache.log4j.varia.DenyAllFilter

These four additional lines in the log4j configuration send to SYSLOG only those events that match the String Match filter: the filter takes the configured value, searches for it in the message text and, if found, accepts the event for output.

The DenyAllFilter class drops all remaining messages from the output.

In our example, the filter searches for “Class: Record, Name: Local Unix”, which sends out any events specific to a record (Class: Record) with the name Local Unix (Name: Local Unix).

To include several String Match filters, use a configuration like the example below.

As above, this configuration forwards Audit Log messages about the Local Unix record.

It also forwards messages about system admin account authentications.

log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=Class: Record, Name: Local Unix
log4j.appender.SYSLOG.filter.1.AcceptOnMatch=true
log4j.appender.SYSLOG.filter.2=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.2.StringToMatch=Event: Login, User: pamadmin
log4j.appender.SYSLOG.filter.2.AcceptOnMatch=true
log4j.appender.SYSLOG.filter.3=org.apache.log4j.varia.DenyAllFilter

Below is another example demonstrating two String Match filters that exclude certain messages from the stream:

log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=HTTP\ tunnel\ request\ failed
log4j.appender.SYSLOG.filter.1.acceptOnMatch=false
log4j.appender.SYSLOG.filter.2=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.2.StringToMatch=i-exWj2vOI6R2
log4j.appender.SYSLOG.filter.2.acceptOnMatch=false

Note that spaces in the string to match must be escaped with a preceding backslash, as in the example above.

Note that filters act only on the message part of the event, not on the logger class or level. To exclude events sent by certain sources (classes) from the stream, or to change the level of the events streamed, use a general log configuration line such as log4j.logger.com.package.package.ClassName=OFF

After adding these lines, restart the PAM service to test the SYSLOG output.
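To check what a filter chain will forward before restarting the service, the following is an added Python model (written for this page, not code from PAM or from log4j) of how a log4j 1.x appender evaluates its filters: it parses the filter.N properties as written above, unescapes backslash-escaped spaces, and applies the rule that the first non-NEUTRAL verdict wins, which is why the include examples end with DenyAllFilter and the exclude example does not.

```python
# Added example (not PAM or log4j code): a model of log4j 1.x filter-chain evaluation.
import re
ACCEPT, DENY, NEUTRAL = "ACCEPT", "DENY", "NEUTRAL"
# The page's first ("include") example and the first filter of its "exclude" example.
INCLUDE_CONFIG = """
log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=Class: Record, Name: Local Unix
log4j.appender.SYSLOG.filter.1.acceptOnMatch=true
log4j.appender.SYSLOG.filter.2=org.apache.log4j.varia.DenyAllFilter
"""
EXCLUDE_CONFIG = r"""
log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=HTTP\ tunnel\ request\ failed
log4j.appender.SYSLOG.filter.1.acceptOnMatch=false
"""

def parse_filters(properties, appender="SYSLOG"):
    prefix = f"log4j.appender.{appender}.filter."
    chain = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        key, _, value = line[len(prefix):].partition("=")
        idx, _, option = key.partition(".")
        # .properties syntax: a backslash escapes the next character, so "\ " is a space
        value = re.sub(r"\\(.)", r"\1", value.strip())
        entry = chain.setdefault(int(idx), {})
        if option:
            entry[option.lower()] = value  # acceptOnMatch and AcceptOnMatch both work
        else:
            entry["class"] = value.rsplit(".", 1)[-1]
    return [chain[i] for i in sorted(chain)]

def decide(flt, message):
    """One filter's verdict. Filters see only the message text, not the logger or level."""
    if flt["class"] == "DenyAllFilter":
        return DENY
    assert flt["class"] == "StringMatchFilter", f"unsupported filter {flt['class']}"
    if flt["stringtomatch"] not in message:
        return NEUTRAL
    return ACCEPT if flt.get("acceptonmatch", "true").lower() == "true" else DENY

def forwarded(chain, message):
    """First non-NEUTRAL verdict wins; if every filter is NEUTRAL the event is logged."""
    for flt in chain:
        verdict = decide(flt, message)
        if verdict != NEUTRAL:
            return verdict == ACCEPT
    return True
```

Call forwarded(parse_filters(INCLUDE_CONFIG), message) with the rendered text of a PAM audit message to see whether that configuration would pass it on to the Syslog server.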

For log4j2, please refer to the section Adding Syslog configuration to log4j2.