21.3.3 Configuring Administration Console as a Remote Audit Server

You can configure Administration Console as a remote audit server for syslog. By default, audit logs are sent to /var/log/NAM_Audits.log. rsyslog provides various options and macros for Administration Console to accept logs over UDP and TLS over TCP.

Perform the following steps to use Administration Console as a remote audit server, using either UDP or TLS over TCP:

Communication using UDP

To load the required module for rsyslog for receiving messages using UDP, perform the following steps:

  1. Edit nam.conf of Administration Console working as the remote audit server and add the following entries:

    $ModLoad imudp # load UDP module
    $UDPServerRun <port number> # UDP connection port
  2. Restart the rsyslog service.

Communication using TLS over TCP

  1. Add the following macros to nam.conf of Administration Console working as the remote audit server:

    $DefaultNetstreamDriver gtls
    $DefaultNetstreamDriverCAFile <remote peer's CA certificate filepath>
    $DefaultNetstreamDriverCertFile <public key certificate filepath>
    $DefaultNetstreamDriverKeyFile <private key file>
    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    $InputTCPServerStreamDriverAuthMode <mode>
    $InputTCPServerStreamDriverPermittedPeer <permitted peer ID>

    In $InputTCPServerStreamDriverAuthMode <mode>, you can specify one of the following authentication modes for validating a remote peer:

    • anon: Anonymous authentication. The remote peer is not authenticated.

    • x509/certvalid: Certificate validation only.

    • x509/name: Certificate validation and subject name authentication.

    In $InputTCPServerStreamDriverPermittedPeer <permitted peer ID>, specify the remote peer's identifier. Connections are accepted only from these peers. You can set PermittedPeer to a single peer or to an array of peers, given as IP addresses or names depending on what the TLS certificate contains. For example:

    Single peer: $InputTCPServerStreamDriverPermittedPeer "127.0.0.1"

    Array of peers: $InputTCPServerStreamDriverPermittedPeer ["test1.ex.net","10.1.2.3","*.ex.net"]

    If array syntax does not work, configure each entry individually.

    A sample nam.conf file:

    $DefaultNetstreamDriver gtls # select the GnuTLS stream driver; required for TLS-only mode below
    $DefaultNetstreamDriverCAFile /tmp/client_CA.pem
    $DefaultNetstreamDriverCertFile /tmp/server_Cert.pem
    $DefaultNetstreamDriverKeyFile /tmp/Server_Key.pem
    $ModLoad imtcp # load TCP listener
    $InputTCPServerRun 1290
    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    $InputTCPServerStreamDriverAuthMode x509/name
    $InputTCPServerStreamDriverPermittedPeer 164.100.150.10
    $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
    local0.* -/var/log/NAM_audits.log;ForwardFormat
  2. Restart the rsyslog service.
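As an added example (not part of the product documentation), the following POSIX shell script audits a receiver fragment such as nam.conf for the weak combinations described above: no gtls driver, listener not in TLS-only mode, anonymous authentication, or x509/name without a pinned PermittedPeer. The two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the product documentation: audits an rsyslog
# receiver fragment (such as nam.conf) for the weak settings this section warns
# about. Sample inputs below are constructed, not taken from a real deployment.

# has KEY [VALUE] FILE: true if a legacy "$Key value" line is present.
has() {
    awk -v k="$1" -v v="$2" '$1==k && (v=="" || $2==v){f=1} END{exit !f}' "$3"
}

# check_nam_conf FILE: prints findings; returns 0 if none, 1 otherwise.
check_nam_conf() {
    f="$1"; rc=0
    has '$DefaultNetstreamDriver' gtls "$f" ||
        { echo "FINDING: \$DefaultNetstreamDriver gtls missing, TLS cannot be negotiated"; rc=1; }
    has '$InputTCPServerStreamDriverMode' 1 "$f" ||
        { echo "FINDING: StreamDriverMode is not 1, listener also accepts plaintext"; rc=1; }
    mode=$(awk '$1=="$InputTCPServerStreamDriverAuthMode"{print $2}' "$f")
    case "$mode" in
        anon|"") echo "FINDING: AuthMode '${mode:-unset}' does not authenticate the sender"; rc=1 ;;
        x509/name)
            has '$InputTCPServerStreamDriverPermittedPeer' "" "$f" ||
                { echo "FINDING: x509/name set but no PermittedPeer pins the sender name"; rc=1; } ;;
    esac
    return "$rc"
}

# Constructed sample inputs: one hardened like the page's sample, one weak.
TMP=$(mktemp -d)
HARD_CONF="$TMP/hard.conf"; WEAK_CONF="$TMP/weak.conf"
cat > "$HARD_CONF" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /tmp/client_CA.pem
$ModLoad imtcp
$InputTCPServerRun 1290
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer 164.100.150.10
EOF
cat > "$WEAK_CONF" <<'EOF'
$ModLoad imtcp
$InputTCPServerRun 1290
$InputTCPServerStreamDriverAuthMode anon
EOF

check_nam_conf "$HARD_CONF" && echo "hard.conf: no findings"
check_nam_conf "$WEAK_CONF" || echo "weak.conf: rejected"
```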