3.13 Configuring Logging and Auditing

SSPR uses Apache Log4j, a Java-based logging utility. Log4j can log to a variety of outputs such as files, syslog, the NT Event Log, databases, and so forth.

The following list includes available log levels in order of severity:

TRACE: Most detailed information. This level is recommended during initial configuration.

DEBUG: Detailed information on the flow through the system.

INFO: Informational messages that highlight the progress of the application at a coarse-grained level. This level is recommended for normal operations. This is the default log level for StdOut. When used with Tomcat, this logs to Tomcat's logs/catalina.out file.

ERROR: Runtime errors or unexpected conditions.

WARN: Potentially harmful situations.

FATAL: Severe errors that cause premature termination.

You can configure SSPR to register a Log4j XML configuration file.

SSPR also allows you to enable and configure event alerts such as intruder alerts and fatal event alerts.

To configure the logging and auditing options, perform the following steps:

  1. In Configuration Editor, click Settings > Logging & Auditing.

  2. Click View > Always Show Advanced Settings to see and configure the advanced settings.

  3. Configure the following settings:

    Field

    Description

    LocalDB Log Level

    Select the log level to log events in LocalDB.

    File Log Level

    Select the log level to log events in the local file log. Log files are written to the servlet's WEB-INF/logs directory.

    Daily Summary Alerts

    Select this check box to enable sending an email once a day (at 0:00 GMT) with a summary of statistics and health for that day.

    System Audit Event Email Alerts

    Specify the email address to which you want to send the system audit event information. You can provide multiple email addresses.

    User Audit Event Email Alerts

    Specify the email address to which you want to send the user audit event information. You can provide multiple email addresses.

    Syslog Audit Servers

    SSPR can send events to the Syslog service.

    Specify Syslog audit servers in the format Protocol,Host,Port number.

    Where,

    Protocol: TCP, UDP or TLS/SSL

    Host: Host name or IP address of the machine running the Syslog service

    Port: Port number on which the Syslog service is listening

    NOTE: To configure TLS/SSL, you must import the certificates into the Java keystore. For more information about importing the certificates, see Section 3.13.1, Setting Up SSL Auditing.

    Health Check Frequency (Advanced)

    Specify the time interval in seconds to perform a self-health check. The default value is two minutes.

    Java StdOut Log Level (Advanced)

    Select a log level for StdOut. Default log level for StdOut is INFO.

    Log4j Configuration File (Advanced)

    Specify the location and name of a Log4j XML configuration file. This file is used to configure the Log4j system.

    If unspecified, a basic log4j configuration is used for logging only to StdOut. The location specified in this setting is relative to the WEB-INF directory. An example log4jconfig.xml file is included in the WEB-INF directory.

    Maximum LocalDB Events

    Specify the maximum number of log events that can be stored in LocalDB. LocalDB retains these events and displays them in the Admin Event log screen.

    This setting does not affect the normal log files configured in log4jconfig.xml or Tomcat's log file settings.

    100,000 log events require approximately 100 MB of disk space.

    Maximum Age LocalDB Events

    Specify the maximum age of events stored in LocalDB in seconds. Default value is 2419200 seconds (four weeks). A value of zero disables this feature.

    This setting does not affect log files configured in log4jconfig.xml or Tomcat's log file settings.

    SSPR periodically purges the events older than the configured value.

    User History Storage Location (Advanced)

    Select the data store location that is used for user-specific audit history.

    User History Attribute (Advanced)

    Specify the LDAP attribute to which the user event history is written. The user event log attribute contains an XML document with the user’s event history. Leave this field blank if you want to disable logging the event history to LDAP.

    User History Maximum Events (Advanced)

    Specify the maximum number of events to retain in the event history attribute for a user.

    Enable LDAP Wire Trace (Advanced)

    Select this check box to log all LDAP events to the TRACE logging level.

    WARNING: Enabling this option may allow user passwords and other sensitive data to be written to the log files.

    Local Alerts Storage Max

    Specify the maximum age in seconds of the local audit event log. The default value is 30 days.

  4. Click Actions > Save.

3.13.1 Setting Up SSL Auditing

SSPR requires an SSL certificate to audit the events. To send the audit events, you require the Syslog certificate to be imported to the Java TrustStore. Perform the following steps to import the certificate and audit the events:

  1. Run the following command to view the certificate:

    openssl s_client -host {ip} -port {port} -showcerts

    Where, ip is the IP address of the machine that is running the syslog service and port is the listening port number for the syslog server.

  2. Copy the certificate to any text file and save it with the .pem extension. For example, <anyname>.pem

  3. Import the certificate to the Java keystore of SSPR by using keytool.

  4. Launch Configuration Editor and then click Settings > Logging and Auditing.

  5. In the Syslog Audit Servers field, specify the value as tls,<ipaddress>,1443

    Where, 1443 is the default port number.
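
The procedure above as a script, added here as an illustration and not taken from the SSPR documentation: it fetches the certificate, prints its SHA-256 fingerprint so that it can be compared with one obtained from the syslog server's administrator, and imports it with keytool. It uses -connect host:port, the equivalent of the -host and -port options in step 1; the helper names, the alias and the host, port and keystore arguments are assumptions, and SAMPLE is constructed data.

```bash
#!/usr/bin/env bash
# Added example, not SSPR's own code; alias, host, port, keystore are placeholders.

# Constructed stand-in for `openssl s_client -showcerts` output (dummy bodies).
SAMPLE='Certificate chain
 0 s:CN = syslog.example.test
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-BODY
-----END CERTIFICATE-----'

# Print only the first PEM block on stdin: chain entry 0, the server's own
# certificate. Later blocks (intermediate or CA certificates) are dropped.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Value for the Syslog Audit Servers field (step 5): tls,<host>,<port>.
tls_syslog_value() {
  valid_port "$2" || return 1
  printf 'tls,%s,%s\n' "$1" "$2"
}

# Steps 1-3. keytool asks for the keystore password and for confirmation, so
# compare the printed fingerprint with one from the syslog administrator first.
import_syslog_cert() {
  local host="$1" port="$2" keystore="$3" pem
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  pem=$(mktemp) || return 1
  openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null |
    first_cert > "$pem"
  grep -q 'END CERTIFICATE' "$pem" || { rm -f "$pem"; return 1; }
  openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
  keytool -importcert -alias "syslog-$host" -file "$pem" -keystore "$keystore" ||
    { rm -f "$pem"; return 1; }
  rm -f "$pem"
  tls_syslog_value "$host" "$port"
}
if [ "$#" -eq 3 ]; then import_syslog_cert "$@"; fi
```

Run it with the syslog host, the port and the path of the keystore that SSPR's Java runtime uses; the last line it prints is the value for the Syslog Audit Servers field.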