Sending SiteProtector audit trail to a Syslog server
How can you send SiteProtector audit trail information to a Syslog server for monitoring?
There are essentially three main steps needed for this to occur. You will need to configure the audit options, write the audit logs to the Windows Event Logs, and send the Event Logs to a Syslog server. Below are detailed instructions for each of these three steps.
Step 1: Configuring audit options
Use the Auditing Setup window to select which activities SiteProtector logs for the Audit Detail report.
1. In the SiteProtector Console, select Tools > Auditing Setup.
2. In the Auditing Setup window, select each of the actions you would log to keep track of. By default, all auditing options will be enabled. Be sure to deselect options you do not wish to see to avoid unnecessary information being logged. You can easily enable all options in a particular category by selecting the Select All box at the top of the window.
3. When all desired options are enabled, click Apply and OK.
Step 2: Writing audit logs to the Window Event Log
This feature cannot be enabled using the SiteProtector Console interface. You must modify the config.properties file for your Application Server to write audit log entries to the Windows Event Log.
1. Locate the config.properties file for your Application Server. This is located in \Program Files\ISS\SiteProtector\Application Server\config.
2. Edit the config.properties file by adding the following two lines:
The conversionPattern specifies the format of the message written to the Windows/NT Event Log.
%m is the message that was supplied
%n is a platform-dependent line separator
3. Save the file and restart the SiteProtector Application Server service.
Step 3: Send Windows Event Logs to an external Syslog server
Once the above steps are performed, the audit trail information will be logged to the Windows Event Log. At this point, you will need to use some type of program/utility to transfer the Windows Event Logs to your desired Syslog server. There are many freely available programs that accomplish this but none that IBM Security Systems supports. Please note that you will need to work with the utility's vendor if issues arise with the transfer of the Event Logs to the Syslog server. As long as the information is being logged to the Event Logs, the SiteProtector configuration is correct.