7.3 Syslog Settings

Use this page to configure Privileged Account Manager to send syslog messages to a syslog server. The server can be a Sentinel server, a Sentinel Log Manager, or any syslog server that accepts TCP, optionally protected with TLS or SSL. Older syslog servers accept only UDP as the transport protocol, which carries events in clear text and gives no confirmation of delivery.
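The transport choices above (TCP, optional TLS, and one long-lived connection versus a new connection per event) are illustrated by the following added Python example. It is not Privileged Account Manager code and does not show how its emitter is implemented: the SyslogSender class, its parameter names (persistent, use_tls, cafile), and the LocalCollector it talks to are constructed for this example, and the event lines it sends are made up in the shape of the sample output shown later on this page. demo() sends three events over one persistent connection and three more with a fresh connection each, and reports how many connections the collector saw.

```python
import socket
import ssl
import threading
import time


class SyslogSender:
    """TCP emitter; persistent=True keeps one connection open across send()
    calls ('Allow Persistent Connections'), False opens one per event."""

    def __init__(self, host, port, persistent=True, use_tls=False, cafile=None):
        self.host, self.port = host, port
        self.persistent, self.use_tls, self.cafile = persistent, use_tls, cafile
        self._sock, self.connections_opened = None, 0

    def _connect(self):
        sock = socket.create_connection((self.host, self.port), timeout=5)
        if self.use_tls:
            # Default context verifies the server certificate and hostname
            # against cafile; disabling that defeats the point of TLS.
            ctx = ssl.create_default_context(cafile=self.cafile)
            sock = ctx.wrap_socket(sock, server_hostname=self.host)
        self.connections_opened += 1
        return sock

    def send(self, line):
        data = line.encode("utf-8") + b"\n"  # newline framing (RFC 6587)
        if self.persistent:
            self._sock = self._sock or self._connect()
            self._sock.sendall(data)
        else:  # one short-lived connection per event
            with self._connect() as sock:
                sock.sendall(data)

    def close(self):
        if self._sock is not None:
            self._sock.close()
            self._sock = None


class LocalCollector:
    """Constructed stand-in for a syslog server so the demo runs offline: accepts
    TCP connections on 127.0.0.1 in a daemon thread and records each line."""

    def __init__(self):
        self.lines, self.connections = [], 0
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self._srv.accept()
            self.connections += 1  # only this thread writes the counter
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        buf = b""
        with conn:
            while chunk := conn.recv(4096):  # b"" once the sender closes
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    self.lines.append(line.decode("utf-8"))  # append is atomic

    def wait_for(self, count, timeout=5.0):
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if len(self.lines) >= count:
                return True
            time.sleep(0.01)
        return False


def demo():
    """Three events over one persistent connection, then three with a fresh one each."""
    collector = LocalCollector()
    persistent = SyslogSender("127.0.0.1", collector.port, persistent=True)
    for i in range(3):  # constructed events in the page's sample output shape
        persistent.send(f"<86>Jan 1 01:20:4{i} localhost npum: persistent event {i}")
    persistent.close()
    per_event = SyslogSender("127.0.0.1", collector.port, persistent=False)
    for i in range(3):
        per_event.send(f"<86>Jan 1 01:21:0{i} localhost npum: per-event event {i}")
    delivered = collector.wait_for(6)
    return {"delivered": delivered, "lines_received": len(collector.lines),
            "persistent_connections": persistent.connections_opened,
            "per_event_connections": per_event.connections_opened,
            "collector_connections": collector.connections}
```

The collector sees one connection for the persistent sender and three for the per-event sender, which is the difference the Allow Persistent Connections check box controls. With use_tls=True the sender verifies the collector's certificate against cafile; if a Sentinel connector presents a self-signed certificate, supply that certificate as cafile rather than turning verification off, otherwise events can be read or altered on the wire.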

To configure communication with a syslog server:

  1. Click Reporting on the home page of the console.

  2. Click Syslog Settings in the task pane.

  3. Configure the following fields:

    Syslog host: Specify the DNS name or IP address of the syslog server.

    Port: Specify the port the syslog server is listening on for syslog events. The default port is 514. The default port for a Sentinel server or a Sentinel Log Manager is 1468.

    SSL: Select the check box to encrypt communication with a Sentinel server using SSL. For another syslog server, leave this box clear.

    Allow Persistent Connections: Select the check box to keep a single connection open and send many events over it, instead of opening a new connection for every event.

    Use Audit Zones: Select the check box to allow the audit manager in an audit zone to send its audit data to the syslog emitter.

    NOTE: To apply a change to the persistent connection setting, you must restart Privileged Account Manager.

  4. In the Event table, select the events to send and the format for each. All possible events are selected by default:

    Session Failure: Sends an event when a Privileged Account Manager session fails.

    Start Session: Sends an event when a user starts a Privileged Account Manager session on a host.

    Session Terminate: Sends an event when a user logs out of the Privileged Account Manager session.

    Command Audit: If you have enabled auditing on the user’s session or on commands, this option sends all audited events as syslog events.

    Privilege Escalation: Sends an event when a user starts a privileged session.

    1. To delete an event, highlight it, then click Remove.

    2. To configure the format, click the format text box and specify a format string.

      The ${}$ string logs the complete audit record as a JSON string. For a Sentinel server, the format string must be set to ${}$.

      If you are sending the events to a syslog server, you can specify strings from the Privileged Account Manager templates. For example, the format of the Start Session event could use the following string:

      User ${StartSession.user}$ initiated a Command Control session from ${StartSession.host}$

      This format string would produce output similar to the following:

      Jan 1 01:20:45 localhost npum: User ctaylor initiated a Command Control session from citlaptop

  5. Click Finish.
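The format-string expansion described in step 4 is reproduced by the following added Python example. It is not Privileged Account Manager code and does not show how the product's emitter works: it assumes only the placeholder syntax shown above (${}$ for the whole record as JSON, ${Event.field}$ for one field), a Start Session record carrying the two fields the page's example uses (user and host), and the header layout of the page's sample output. Two behaviours are choices for this example rather than documented product behaviour: an unknown placeholder raises instead of expanding to nothing, so a typo in a format string is caught before events go missing, and newline characters in substituted values are escaped, so a value such as a crafted user name cannot split one event into two syslog records.

```python
import json
import re
from datetime import datetime

# ${}$ or ${Event.field}$, the placeholder syntax shown on the page.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}\$")

# Constructed sample audit record for a Start Session event; the field names
# (user, host) are the ones the page's own example uses.
SAMPLE_START_SESSION = {"user": "ctaylor", "host": "citlaptop"}


def render(fmt, event_name, record):
    """Expand a format string against one audit record.

    ${}$ becomes the whole record as compact JSON (the form a Sentinel server
    expects; json.dumps escapes control characters itself). ${Event.field}$
    becomes that field, but only when Event matches the event being rendered.
    An unknown field raises KeyError (a choice for this example, not documented
    product behaviour), and CR/LF in a value are escaped so a hostile value
    cannot inject a second syslog record.
    """
    def expand(match):
        key = match.group(1)
        if key == "":
            return json.dumps(record, sort_keys=True, separators=(",", ":"))
        event, _, field = key.partition(".")
        if event != event_name or field not in record:
            raise KeyError(f"no value for {match.group(0)} in a {event_name} record")
        return str(record[field]).replace("\r", "\\r").replace("\n", "\\n")
    return PLACEHOLDER.sub(expand, fmt)


def check_format(fmt, event_name, record):
    """True when every placeholder in fmt resolves against record; use this to
    validate a format string before saving it."""
    try:
        render(fmt, event_name, record)
        return True
    except KeyError:
        return False


def syslog_line(message, when, hostname="localhost", tag="npum"):
    """Prefix a rendered message with the BSD-style header seen in the page's
    sample output ('Jan 1 01:20:45 localhost npum: ...'). The sample shows the
    day without RFC 3164's space padding, so this reproduces the sample."""
    timestamp = f"{when:%b} {when.day} {when:%H:%M:%S}"
    return f"{timestamp} {hostname} {tag}: {message}"


def demo():
    """Render the page's Start Session example two ways: templated for a plain
    syslog server, and as ${}$ JSON for a Sentinel server."""
    when = datetime(2024, 1, 1, 1, 20, 45)  # constructed timestamp
    templated = render(
        "User ${StartSession.user}$ initiated a Command Control session from "
        "${StartSession.host}$",
        "StartSession", SAMPLE_START_SESSION)
    sentinel = render("${}$", "StartSession", SAMPLE_START_SESSION)
    return {"syslog": syslog_line(templated, when),
            "sentinel": syslog_line(sentinel, when)}
```

demo()["syslog"] reproduces the sample line shown in step 4, and demo()["sentinel"] shows what the same record looks like when the format is ${}$. check_format() is the pre-save check: a format string that references a field the event does not carry fails it, instead of producing half-empty events after the change is applied.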

Sentinel Notes

For Privileged Account Manager to communicate with a Sentinel server, you need to add a Syslog Connector in the Sentinel console. You can download the Syslog Connector from the Sentinel Plug-ins website. This connector must be configured to listen on TCP port 514 using SSL, with the SSL type set to Open. Configure it to listen specifically for the host on which the Syslog Emitter is installed, which is usually the Framework Manager console. Whichever port the connector listens on, it must match the Port value entered on the Syslog Settings page, and the SSL check box there must be selected for the encrypted connection to be established.