Remote Syslog for login, logout, session timeout

I would like to know how to configure syslog on my RHEL 7 IdM servers such that login, logout and idle session timeouts get sent via syslog to a central location.

Specifically, I'm using Cisco Stealthwatch and ISE to track user sessions on Cisco gear and my ISE server actually uses Red Hat IdM as its backend LDAP database. When I SSH to my Cisco switches, ISE + IdM is authenticating me. When I SSH to my Linux IPA client, obviously ISE and Stealthwatch have no idea this is taking place.

I was looking at ns-slapd's named pipe log as a possible way to grab just the access logs I require and send them via syslog to the Stealthwatch System Management Console. I also read this RHEL 6-specific article on FreeIPA centralized logging[1]. Any tips would be greatly appreciated.

  1. https://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana

Responses

Hi - I created that page. It's a bit out of date now and was meant more as a means of me configuring all my IPA clients to send their rsyslog content back to Logstash indexers that I ran on the IPA hosts. The ES database cluster then ran on separate hardware.

To push your IPA server logs through Logstash (which is more what you're looking for) look at: http://www.freeipa.org/page/Centralized_Logging

This was created after my write-up and should cover the areas you're looking for. Not sure if it logs session timeouts as I'm not close to an IPA installation these days.

Thanks, Duncan. I'm trying to understand how much of your ipa-log-config script I want to implement if I just want to send user login/logout/timeout syslogs, not every IPA syslog. And I need to determine if a user logs out of an IPA client, does the client send any message to the IPA server that userX logged out? Or do I need to grab logs on all IPA clients as well in order to catch logouts and timeouts?

One way to do it might be to install the Logstash software on the IdM host and read the IPA log files locally. I didn't do it this way because I was looking to implement a remote send of logs on every server/client regardless of what role it had. But Logstash has a file input method. You could then get the Logstash filters to identify only the messages that you're looking for (you might need your own grok filters there) from the mass of IPA logs, before sending only those to your storage system. I always used ElasticSearch, but you could send to another log file if you wanted. Don't know about those timeout events though - you'll have to grep your IdM logs to test for timeout messages, if there are any. All sounds doable though.

So you have a loghost and you want to know how to forward syslog messages from your Red Hat box to that loghost? Edit /etc/rsyslog.conf to forward everything to the loghost:

    auth.info @yourloghost.com
    authpriv.info @yourloghost.com
    local2.info @yourloghost.com
    user.info @yourloghost.com
    *.emerg @pong3.campus.ithaca.lan
    user.info @pong3.campus.ithaca.lan

Then enable and start rsyslog on the host:

    systemctl enable rsyslog.service
    systemctl start rsyslog.service
    systemctl status rsyslog.service    (to see if it's running)

(Seems like my response is missing carriage returns, so put one between the rsyslog.conf entries and the systemctl statements.)
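Brian wants only the login/logout/timeout events, not every IPA syslog. As an added example (not code from this thread or from the IPA project), the script below scans /var/log/secure-style lines from an IPA client, keeps only interactive PAM session open/close events (dropping cron, sudo and other non-interactive sessions), attaches the client IP from sshd's "Accepted" line by correlating on the sshd PID, and forwards each event to the collector as an auth.info syslog datagram. The sample log lines are constructed, and the collector address and the "ipa-session" tag are assumptions.

```python
import re
import socket

# Constructed sample lines in /var/log/secure format (not taken from the thread).
SAMPLE_LINES = [
    "Mar  3 10:15:01 ipaclient1 sshd[2211]: Accepted publickey for brian from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:15:01 ipaclient1 sshd[2211]: pam_unix(sshd:session): session opened for user brian by (uid=0)",
    "Mar  3 10:15:02 ipaclient1 CROND[2300]: pam_unix(crond:session): session opened for user root by (uid=0)",
    "Mar  3 10:45:10 ipaclient1 sshd[2211]: pam_unix(sshd:session): session closed for user brian",
]

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
ACCEPT_RE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION_RE = re.compile(TS + r"(?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: pam_unix\((?P<service>[^:]+):session\): "
                        r"session (?P<action>opened|closed) for user (?P<user>\S+)")
# PAM services that represent a real user session; everything else is filtered out.
INTERACTIVE = {"sshd", "login"}

def extract_session_events(lines, services=INTERACTIVE):
    """Return login/logout events; the client IP comes from the sshd 'Accepted' line
    with the same PID. A session sshd drops on idle timeout still logs 'session closed'."""
    ip_by_pid, events = {}, []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            ip_by_pid[m["pid"]] = m["ip"]
            continue
        m = SESSION_RE.match(line)
        if not m or m["service"] not in services:
            continue
        events.append({"ts": m["ts"], "host": m["host"], "user": m["user"], "service": m["service"],
                       "action": "login" if m["action"] == "opened" else "logout",
                       "client_ip": ip_by_pid.get(m["pid"], "unknown")})
    return events

def format_syslog(ev, facility=4, severity=6):
    """RFC 3164 message; PRI = facility*8 + severity, so auth.info is <38>."""
    pri = facility * 8 + severity
    return (f"<{pri}>{ev['ts']} {ev['host']} ipa-session: action={ev['action']} "
            f"user={ev['user']} service={ev['service']} client_ip={ev['client_ip']}")

def forward(events, collector, port=514):
    """Send one UDP syslog datagram per event to the collector (assumed hostname)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for ev in events:
            s.sendto(format_syslog(ev).encode(), (collector, port))

if __name__ == "__main__":
    for ev in extract_session_events(SAMPLE_LINES):
        print(format_syslog(ev))
```

Feed it the client's /var/log/secure (or journalctl -u sshd output) and point forward() at the SMC to get only user-to-IP login and logout events onto the console.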

Mark, thanks for your update on standard syslog forwarding, but I specifically need just login/logout/timeout syslogs from IPA. The "central" log host is not a generic central log host. It's a security management console (Cisco/Lancope Stealthwatch Management Center) that typically gathers NetFlow, sFlow, and IPFIX data. It correlates the flow data with usernames by linking to Active Directory and/or Cisco ISE (Identity Services Engine). I would like to augment my implementation by linking it with IPA (Red Hat IdM) instead of AD.

Hi Brian,

Were you able to implement secure remote logging from your IdM servers and clients over to a central logging host?

I am interested in your environment - are you able to discuss offline?

Thank you
