Syslog

Many companies choose to centralize security and network logging to a single Syslog server or appliance to reduce the burden of log collection, investigation and reporting across many devices.

While XTAM does include its own logging engine that captures and stores events, it can also be configured to output this information to your centralized syslog server.

Syslog server

To output XTAM audit log events to your syslog server, please perform the following steps.

Syslog integration can also be configured from within the XTAM interface at Administration > Settings > Syslog. The steps below describe the manual, file-based configuration.

To understand what types of events are logged by level, please read this article.

  1. On the host where XTAM is installed, open the file {XTAM_HOME}\web\conf\log4j.pam.properties in a text editor.
  2. Modify the second line of this file

    from this: log4j.rootLogger=INFO, file, stdout

    to this: log4j.rootLogger=INFO, file, stdout, SYSLOG

  3. At the end of the file, append the following lines:

    # Syslog Messages
    log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
    log4j.appender.SYSLOG.threshold=INFO
    log4j.appender.SYSLOG.syslogHost={add your Syslog Host name or IP address here}
    log4j.appender.SYSLOG.facility=LOCAL4
    log4j.appender.SYSLOG.header=true
    log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
    log4j.appender.SYSLOG.layout.conversionPattern=XTAM [%p] %c{3.}:%L - %m%n

  4. Edit the log4j.appender.SYSLOG.syslogHost= line so that it contains the host name or IP address of your Syslog server. To use a non-standard port, append it to the host name or IP address separated by a colon, for example syslog.example.com:1514 (an example value, not a default).
  5. When finished, save and close the file.
  6. The SyslogAppender delivers messages over UDP, port 514 by default, so make sure that port is open between the XTAM host and the Syslog server. This is plain-text UDP with no encryption, authentication or delivery confirmation: treat the network path between the two hosts as trusted (or tunnel it) if audit records must not be readable or droppable in transit, and keep XTAM's own local log as the authoritative record.
  7. Restart the service PamManagement (Windows) or pammanager (Linux).

Once the service has completed the restart process, your Syslog server or appliance should immediately begin receiving audit log events from XTAM.
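To confirm that events are actually arriving, and that they carry the expected facility and format, the following added example (not XTAM or log4j code) is a minimal UDP syslog receiver you can run on the Syslog server, or on a test host named in syslogHost. It assumes the configuration above: facility LOCAL4 and header=true, which makes the log4j 1.x SyslogAppender emit each event as <PRI>MMM dd HH:mm:ss host XTAM [LEVEL] logger:line - message, where PRI is facility times 8 plus severity. The sample datagram in the test is constructed, not captured from an XTAM installation.

```python
"""Minimal UDP syslog receiver for checking the XTAM -> syslog path.

Added example, not XTAM or log4j code. Assumes the page's appender settings:
facility LOCAL4 (numeric 20) and header=true. Run it with a port argument
(binding to 514 requires root on Unix), point syslogHost at this host:port
and restart the XTAM service; each event should print as local4.<severity>.
"""
import socket
import sys
from typing import Dict, Optional

FACILITIES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
# Severities the log4j 1.x appender maps its levels to
# (FATAL->0 emerg, ERROR->3 err, WARN->4 warning, INFO->6 info, DEBUG->7 debug)
SEVERITIES = {0: "emerg", 3: "err", 4: "warning", 6: "info", 7: "debug"}


def decode_pri(pri: int):
    """Split a syslog PRI value into (facility, severity)."""
    return pri >> 3, pri & 7


def parse_datagram(data: bytes) -> Optional[Dict[str, object]]:
    """Decode one datagram; returns None if it does not start with a valid <PRI>."""
    text = data.decode("utf-8", errors="replace")
    if not text.startswith("<"):
        return None
    end = text.find(">", 1, 5)          # PRI is at most three digits
    if end == -1 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:                        # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = decode_pri(pri)
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES.get(severity, str(severity)),
        "message": text[end + 1:].rstrip("\r\n"),
        # The conversionPattern on the page starts every message with "XTAM ["
        "from_xtam": "XTAM [" in text,
    }


def serve(bind_addr: str = "0.0.0.0", port: int = 514,
          max_datagrams: Optional[int] = None) -> int:
    """Receive datagrams, print the decoded fields, return how many arrived."""
    received = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        print(f"listening on udp/{port}", file=sys.stderr)
        while max_datagrams is None or received < max_datagrams:
            data, (src, _) = sock.recvfrom(65535)
            received += 1
            parsed = parse_datagram(data)
            if parsed is None:
                print(f"{src}: malformed datagram {data[:40]!r}")
                continue
            tag = "XTAM" if parsed["from_xtam"] else "other"
            print(f"{src} {parsed['facility']}.{parsed['severity']} "
                  f"[{tag}] {parsed['message']}")
    return received


if __name__ == "__main__":
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 514)
```

If nothing arrives, check the XTAM host's outbound firewall and the Syslog server's inbound rules for the UDP port before revisiting the log4j file; if datagrams arrive but show a facility other than local4, the appender configuration was not picked up after the restart.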

Message Filtering

Messages sent to the syslog server can be filtered to reduce the volume of traffic your SIEM has to process.

To enable filtering, add filter properties at the end of the SYSLOG appender configuration. Filters are evaluated in numeric order, and the first filter that accepts or denies a message decides its fate; a message that no filter decides on is forwarded, which is why the chain ends with a DenyAllFilter.

The example below forwards only the audit log messages that XTAM generates about the record named Local Unix:

log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=Class: Record, Name: Local Unix
log4j.appender.SYSLOG.filter.1.AcceptOnMatch=true
log4j.appender.SYSLOG.filter.2=org.apache.log4j.varia.DenyAllFilter


These four lines make the SYSLOG appender forward only those events that match the StringToMatch value: the StringMatchFilter looks for that text anywhere in the message (a case-sensitive substring match) and, because AcceptOnMatch is true, accepts the message when the text is found; otherwise it passes the message on to the next filter.

The DenyAllFilter then drops every message that was not accepted earlier in the chain.

In our example, the filter searches for "Class: Record, Name: Local Unix", which forwards any event specific to a record (Class: Record) with the name Local Unix (Name: Local Unix). Because this is a substring match, a record whose name merely begins with "Local Unix" would be forwarded as well; make the StringToMatch value as specific as the message format allows.


To combine several StringToMatch filters, number them consecutively and keep the DenyAllFilter last, as in the example below.

As above, this configuration forwards audit log messages about the Local Unix record.

It also forwards messages about authentications by the xtamadmin account:

log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=Class: Record, Name: Local Unix
log4j.appender.SYSLOG.filter.1.AcceptOnMatch=true
log4j.appender.SYSLOG.filter.2=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.2.StringToMatch=Event: Login, User: xtamadmin
log4j.appender.SYSLOG.filter.2.AcceptOnMatch=true
log4j.appender.SYSLOG.filter.3=org.apache.log4j.varia.DenyAllFilter


After adding these lines, restart the XTAM service (PamManagement on Windows, pammanager on Linux) and confirm on the syslog server that only the expected messages arrive.
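Because every change to the filter chain costs a service restart, it helps to work out offline which messages a given chain will forward. The following added example (not XTAM or log4j code) reimplements the decision rules of org.apache.log4j.varia.StringMatchFilter (case-sensitive substring match; ACCEPT or DENY on a match depending on AcceptOnMatch, NEUTRAL otherwise) and DenyAllFilter (always DENY), chained the way log4j evaluates them: in numeric order, first non-NEUTRAL verdict wins, all-NEUTRAL means the appender logs the message. It parses the filter properties exactly as written on this page; the sample audit messages are constructed for illustration and only reuse the two fragments the page shows, so the real XTAM message layout may differ. The appender's threshold (a level check that runs before the filters) is not modelled.

```python
"""Offline model of the log4j 1.x filter chain used for XTAM syslog filtering.

Added example, not XTAM or log4j code. Parses log4j.appender.<name>.filter.N
properties and applies StringMatchFilter / DenyAllFilter semantics to sample
messages so a chain can be checked before restarting the service.
"""
import re
from typing import Dict, Iterable, List

ACCEPT, DENY, NEUTRAL = "ACCEPT", "DENY", "NEUTRAL"
STRING_MATCH = "org.apache.log4j.varia.StringMatchFilter"
DENY_ALL = "org.apache.log4j.varia.DenyAllFilter"

# The second filter example from the page, verbatim.
PAGE_FILTER_CONFIG = """
log4j.appender.SYSLOG.filter.1=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.1.StringToMatch=Class: Record, Name: Local Unix
log4j.appender.SYSLOG.filter.1.AcceptOnMatch=true
log4j.appender.SYSLOG.filter.2=org.apache.log4j.varia.StringMatchFilter
log4j.appender.SYSLOG.filter.2.StringToMatch=Event: Login, User: xtamadmin
log4j.appender.SYSLOG.filter.2.AcceptOnMatch=true
log4j.appender.SYSLOG.filter.3=org.apache.log4j.varia.DenyAllFilter
"""

# Constructed sample messages (assumed layout, built around the page's fragments).
SAMPLE_MESSAGES = [
    "Class: Record, Name: Local Unix, Event: Unlock, User: alice",
    "Class: Record, Name: Local Unix Backup, Event: View, User: bob",   # substring hit
    "Class: Record, Name: Windows DC, Event: Unlock, User: alice",
    "Event: Login, User: xtamadmin, Result: Success",
    "Event: Login, User: xtamadmin2, Result: Failure",                  # substring hit
    "Event: Login, User: alice, Result: Success",
]


def parse_filters(properties: str, appender: str = "SYSLOG") -> List[Dict[str, str]]:
    """Collect log4j.appender.<appender>.filter.N[.option]=value lines, ordered by N."""
    pattern = re.compile(
        rf"^log4j\.appender\.{re.escape(appender)}\.filter\.(\d+)(?:\.(\w+))?\s*=\s*(.*)$")
    found: Dict[int, Dict[str, str]] = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = pattern.match(line)
        if not match:
            continue
        index, option, value = int(match.group(1)), match.group(2), match.group(3)
        entry = found.setdefault(index, {})
        if option is None:
            entry["class"] = value
        else:
            # log4j ignores the case of the first letter of the property name,
            # which is why the page's acceptOnMatch and AcceptOnMatch both work.
            entry[option.lower()] = value
    return [found[i] for i in sorted(found)]


def decide(filter_cfg: Dict[str, str], message: str) -> str:
    """Verdict of one filter for one message, following the log4j classes."""
    cls = filter_cfg.get("class")
    if cls == DENY_ALL:
        return DENY
    if cls == STRING_MATCH:
        needle = filter_cfg.get("stringtomatch")
        if not needle or needle not in message:     # indexOf-style substring test
            return NEUTRAL
        accept = filter_cfg.get("acceptonmatch", "true").lower() == "true"
        return ACCEPT if accept else DENY
    raise ValueError(f"unsupported filter class: {cls}")


def is_forwarded(chain: List[Dict[str, str]], message: str) -> bool:
    """First ACCEPT/DENY in chain order wins; all NEUTRAL means the appender logs it."""
    for filter_cfg in chain:
        verdict = decide(filter_cfg, message)
        if verdict != NEUTRAL:
            return verdict == ACCEPT
    return True


def forwarded(chain: List[Dict[str, str]], messages: Iterable[str]) -> List[str]:
    return [m for m in messages if is_forwarded(chain, m)]


if __name__ == "__main__":
    chain = parse_filters(PAGE_FILTER_CONFIG)
    for msg in SAMPLE_MESSAGES:
        print("FORWARD" if is_forwarded(chain, msg) else "drop   ", msg)
```

Running it shows the two substring side effects in the sample set: "Local Unix Backup" and "xtamadmin2" both get forwarded, and dropping the final DenyAllFilter line turns the chain into a no-op that forwards everything.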