Sending SiteProtector audit trail to a Syslog Server in SiteProtector 2.9

Technote (FAQ)


Question

How can you send SiteProtector audit trail information to a Syslog Server for monitoring?

Answer

This takes three main steps: configure the audit options, write the audit logs to the Windows® Event Logs, and send the Event Logs to a Syslog server. Detailed instructions for each of these three steps follow.

Step 1: Configuring audit options

Use the Auditing Setup window to select which activities SiteProtector logs for the Audit Detail report.

  1. In the SiteProtector Console, select Tools > Auditing Setup.

  2. In the Auditing Setup window, select each of the actions you want to log. By default, all auditing options are enabled. Deselect the options you do not need so that unnecessary information is not logged. To enable all options in a particular category, select the Select All box at the top of the window.

  3. When all desired options are enabled, click Apply and OK.


Step 2: Writing audit logs to the Windows Event Log

This feature cannot be enabled using the SiteProtector Console interface. You must modify the config.properties file for your Application Server to write audit log entries to the Windows Event Log.

  1. Locate the config.properties file for your Application Server. This is located in \Program Files\ISS\SiteProtector\Application Server\config.

  2. Edit the config.properties file by adding the following two lines:

    iss.audit.NTEventLog.enable=true
    iss.audit.NTEventLog.conversionPattern=%m%n


    The conversionPattern specifies the format of the message written to the Windows/NT Event Log.
    %m is the message that was supplied
    %n is a platform-dependent line separator

  3. Save the file and restart the SiteProtector Application Server service.
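
One way to script the edit in Step 2 so that it can be re-run safely, as an added PowerShell example (not IBM code): it appends the two properties if they are absent, corrects an existing wrong value, and keeps a .bak copy of the file. The function name and the -Path parameter are hypothetical; pass the full path to your config.properties.

```powershell
# Added example, not IBM code. The function name and -Path parameter are hypothetical.
function Set-SiteProtectorAuditEventLog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Full path to config.properties in the Application Server config folder
        [Parameter(Mandatory)][string]$Path
    )

    # The two settings from Step 2 of the procedure
    $wanted = [ordered]@{
        'iss.audit.NTEventLog.enable'            = 'true'
        'iss.audit.NTEventLog.conversionPattern' = '%m%n'
    }

    # .NET file APIs ignore the PowerShell location, so resolve to a full path first
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Java .properties files are read as ISO-8859-1; this also avoids writing a BOM
    $latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')
    $lines  = [System.Collections.Generic.List[string]]::new()
    $lines.AddRange([string[]][System.IO.File]::ReadAllLines($Path, $latin1))

    $changed = $false
    foreach ($key in $wanted.Keys) {
        $line    = "$key=$($wanted[$key])"
        # Active definitions only: a commented-out line (# or !) does not match
        $pattern = '^\s*' + [regex]::Escape($key) + '\s*[=:]'
        $hits = @(for ($i = 0; $i -lt $lines.Count; $i++) {
                if ($lines[$i] -match $pattern) { $i }
            })
        if ($hits.Count -eq 0) {
            $lines.Add($line); $changed = $true
            continue
        }
        # Drop duplicate definitions from the end so earlier indexes stay valid
        for ($j = $hits.Count - 1; $j -ge 1; $j--) {
            $lines.RemoveAt($hits[$j]); $changed = $true
        }
        # Correct a wrong value such as enable=false in place
        if ($lines[$hits[0]] -ne $line) { $lines[$hits[0]] = $line; $changed = $true }
    }

    if ($changed -and $PSCmdlet.ShouldProcess($Path, 'Set audit Event Log properties')) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a backup
        [System.IO.File]::WriteAllLines($Path, $lines.ToArray(), $latin1)
    }
    return $changed
}
```

The function returns $true when the file needed changing; the service restart in item 3 still has to be done afterwards.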


Step 3: Send Windows Event Logs to an external Syslog server

Once the above steps are performed, the audit trail information will be logged to the Windows Event Log. At this point, you will need to use some type of program/utility to transfer the Windows Event Logs to your desired Syslog server. There are many freely available programs that accomplish this but none that IBM Security Systems supports. Please note that you will need to work with the utility's vendor if issues arise with the transfer of the Event Logs to the Syslog server. As long as the information is being logged to the Event Logs, the SiteProtector configuration is correct.



If the above information does not resolve your issue, contact IBM Security Systems Customer Support.


Document information

More support for: IBM Security SiteProtector System
Software version: 2.9
Operating system(s): Windows
Reference #: 1648104
Modified date: 2013-08-28
