20.1.2 Configuring Syslog for Auditing

Access Manager supports syslog for auditing. You can use Analytics Server or Sentinel server to send audit events. To configure syslog, see Specifying the Logging Server and Console Events.

On Linux, if you select syslog for auditing, then the syslog server configurations are automatically pushed to Identity Server and Access Gateway.

On Windows, you need to manually install the preferred syslog service and configure it to communicate to the local TCP port 1290. To configure the syslog agent to communicate with the remote syslog server, you need to manually configure the installed syslog agent on each device.

Prerequisites

See Upgrading Access Manager Appliance.

NOTE: To use syslog for auditing, you need to upgrade the base operating system. After the upgrade, install the syslog RPMs manually.

To install the RPMs, run the following command:

zypper in -t pattern NetIQ-Access-Manager

Limitations

The following are the limitations of syslog:

  • On Identity Server and ESP, the events are cached to a local file during a local audit failure. The file locations are:

    Windows: C:\Program Files\Novell\Syslog\audit_common.log

    Linux: /var/opt/novell/syslog/audit_common.log

  • The log forwarding of cached logs is not supported for Identity Server and ESP events.

  • The failover mechanism communication does not work in Access Gateway.

IMPORTANT: By default, syslog agents are configured without SSL communication with the remote audit server. You need to manually configure SSL between the local syslog agent and the remote syslog audit server.

Caching Audit Events

By default, the local syslog agents do not cache or queue the audit events when the remote syslog audit server is not reachable. This results in the loss of audit events. It is recommended to enable caching for audit events in the local syslog agent. On Linux, you can make use of rsyslog's queuing feature for caching the audit events.

A sample configuration for caching the audit event is as follows:

$WorkDirectory /rsyslog/work
$ActionQueueType LinkedList
$ActionQueueFileName example_fwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

You need to create the /rsyslog/work directory manually. Add this sample configuration into the /etc/rsyslog.d/nam.conf file.

NOTE: You need to manually make the changes on each component: Administration Console, Identity Server, and Access Gateway.
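Because the same edit has to be repeated on every component, a small check that the nam.conf on each host actually carries the queue directives and that the work directory exists saves a silent loss of audit events later. The following script is an added example and is not part of Access Manager or of this page; it parses the legacy "$Directive value" lines that the sample configuration above uses and reports what is missing. It also flags the cleartext forwarding that the IMPORTANT note warns about, assuming the rsyslog TLS directives $DefaultNetstreamDriver gtls and $ActionSendStreamDriverMode 1 are how SSL would be enabled (those directives, the file paths, and the audit server name in the sample inputs are assumptions, not taken from the page).

```python
import os
import re

# Directives that the page's sample caching configuration sets; the values are
# the ones the page shows. None means any non-empty value is acceptable.
REQUIRED_QUEUE_DIRECTIVES = {
    "ActionQueueType": "LinkedList",
    "ActionQueueFileName": None,
    "ActionResumeRetryCount": "-1",
    "ActionQueueSaveOnShutdown": "on",
}

# Matches legacy rsyslog directives such as "$WorkDirectory /rsyslog/work".
_DIRECTIVE_RE = re.compile(r"^\s*\$(\w+)\s+(.*?)\s*$")


def parse_legacy_directives(conf_text):
    """Return {name: value} for every '$Name value' line, ignoring comments and blanks."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = _DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def check_audit_forwarding(conf_text, isdir=os.path.isdir):
    """Return a list of findings; an empty list means caching and TLS look configured.

    isdir is injectable so the check can be run against a config copied from
    another host without needing that host's filesystem.
    """
    d = parse_legacy_directives(conf_text)
    findings = []

    workdir = d.get("WorkDirectory")
    if not workdir:
        findings.append("no $WorkDirectory: the disk-assisted queue has nowhere to spool")
    elif not isdir(workdir):
        findings.append(f"$WorkDirectory {workdir} does not exist; create it manually")

    for name, expected in REQUIRED_QUEUE_DIRECTIVES.items():
        value = d.get(name)
        if not value:
            findings.append(f"missing ${name}: events are dropped while the audit server is unreachable")
        elif expected is not None and value != expected:
            findings.append(f"${name} is {value!r}, expected {expected!r}")

    # Assumed TLS directives (rsyslog gtls driver); absent means cleartext forwarding.
    if d.get("DefaultNetstreamDriver") != "gtls" or d.get("ActionSendStreamDriverMode") != "1":
        findings.append("forwarding is not TLS-protected: audit events travel in cleartext")
    return findings


# Constructed sample: the page's caching fragment plus assumed TLS lines and a forwarding rule.
HARDENED_CONF = """\
$WorkDirectory /rsyslog/work
$ActionQueueType LinkedList
$ActionQueueFileName example_fwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
*.* @@audit.example.com:514
"""

# Constructed sample: plain forwarding with neither queue nor TLS, the default the page warns about.
DEFAULT_CONF = """\
*.* @@audit.example.com:514
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("default", DEFAULT_CONF)):
        print(f"[{label}]")
        for finding in check_audit_forwarding(conf, isdir=lambda p: p == "/rsyslog/work") or ["ok"]:
            print("  -", finding)
```

On a real host, run it with the default isdir against /etc/rsyslog.d/nam.conf so the missing work directory is caught as well; the findings for the default configuration show exactly which of the five directives from the sample above have not been applied.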

For more information about syslog configuration, see Syslog Configuration White Paper.