Sending SiteProtector audit trail to a Syslog server
How can you send SiteProtector audit trail information to a Syslog server for monitoring?
There are essentially three main steps that are needed for to send the audit trail to a Syslog server. You need to configure the audit options, write the audit logs to the Windows Event Logs, and send the Event Logs to a Syslog server. Here are detailed instructions for each of these three steps.
Step 1: Configuring audit options
Use the Auditing Setup window to select which activities SiteProtector logs for the Audit Detail report.
- In the SiteProtector Console, select Tools > Auditing Setup.
- In the Auditing Setup window, select each of the actions you would log to keep track of. By default, all auditing options are enabled. Be sure to clear the options you do not want to see to avoid unnecessary information from being logged. You can easily enable all options in a particular category by selecting the Select All box at the top of the window.
- When all the wanted options are enabled, click Apply and OK.
Step 2: Writing audit logs to the Window Event Log
This feature cannot be enabled by using the SiteProtector Console interface. You must modify the config.properties file for your Application Server to write audit log entries to the Windows Event Log.
- Locate the config.properties file for your Application Server. The file is located in \Program Files\ISS\SiteProtector\Application Server\config.
- Edit the config.properties file by adding the following two lines:
The conversionPattern specifies the format of the message that is written to the Windows/NT Event Log.
%m is the message that was supplied
%n is a platform-dependent line separator
- Save the file and restart the SiteProtector Application Server service.
Step 3: Send Windows Event Logs to an external Syslog server
Once the previous steps are performed, the audit trail information will be logged to the Windows Event Log. At this point, you need to use some type of program or utility to transfer the Windows Event Logs to your wanted Syslog server. There are many freely available programs that transfer this but none that IBM Security Systems supports. Note that you need to work with the utility's vendor if issues arise with the transfer of the Event Logs to the Syslog server. If the information is being logged to the Event Logs, the SiteProtector configuration is correct.