Remote Syslog for login, logout, session timeout
I would like to know how to configure syslog on my RHEL 7 IdM servers such that login, logout and idle session timeouts get sent via syslog to a central location.
Specifically, I'm using Cisco Stealthwatch and ISE to track user sessions on Cisco gear and my ISE server actually uses Red Hat IdM as its backend LDAP database. When I SSH to my Cisco switches, ISE + IdM is authenticating me. When I SSH to my Linux IPA client, obviously ISE and Stealthwatch have no idea this is taking place.
I was looking at ns-slapd's named pipe log as a possible way to grab just the access logs I require and send them via syslog to the Stealthwatch System Management Console. I also read this RHEL 6-specific article on FreeIPA centralized logging[1]. Any tips would be greatly appreciated.
- https://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana
Responses
Hi - I created that page. It's a bit out of date now and was meant more as a means of me configuring all my IPA clients to send their rsyslog content back to Logstash indexers that I ran on the IPA hosts. The ES database cluster then ran on separate hardware.
To push your IPA server logs through Logstash (which is more what you're looking for) look at: http://www.freeipa.org/page/Centralized_Logging
This was created after my write-up and should cover the areas you're looking for. Not sure if it logs session timeouts as I'm not close to an IPA installation these days.
One way to do it might be to install the Logstash software on the IdM host and read the IPA log files locally. I didn't do it this way because I was looking to implement a remote send of logs on every server/client regardless of what role it had. But Logstash has a file input method. You could then get the Logstash filters to identify only the messages that you're looking for (you might need your own grok filters there) from the mass of IPA logs, before sending only those to your storage system. I always used ElasticSearch, but you could send to another log file if you wanted. Don't know about those timeout events though - you'll have to grep your IdM logs to test for timeout messages if there are any. All sounds doable though.
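The filtering step described above (pick out only the session messages from the mass of logs before forwarding them) can be prototyped without Logstash. The following is an added example, not code from the original thread or from FreeIPA: it reads sshd/PAM lines in the /var/log/secure format from an IPA client, keeps only login, logout and idle-timeout events, and renders each as a flat key=value message that could be handed to a syslog forwarder. The sample log lines, hostnames, users and addresses are constructed for this example; the regular expressions are this example's own assumptions about the message formats (the exact wording of the sshd idle-timeout message varies between OpenSSH versions), and the "a PAM session closed within 5 seconds of an sshd client-alive timeout was caused by that timeout" rule is a heuristic chosen here, not anything the page states.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of /var/log/secure lines from an IPA client (sshd + PAM).
# Hosts, users, addresses and the key fingerprint are made up for this example.
SAMPLE_SECURE_LOG = """\
Mar  3 10:15:02 ipaclient1 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:EXAMPLEKEY
Mar  3 10:15:02 ipaclient1 sshd[2310]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:22:40 ipaclient1 sshd[2315]: Disconnecting: Timeout, client not responding.
Mar  3 10:22:40 ipaclient1 sshd[2310]: pam_unix(sshd:session): session closed for user alice
Mar  3 10:30:11 ipaclient1 sshd[2402]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar  3 10:31:00 ipaclient1 sshd[2500]: Accepted password for bob from 192.0.2.11 port 50001 ssh2
Mar  3 10:31:00 ipaclient1 sshd[2500]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 10:35:12 ipaclient1 sshd[2500]: pam_unix(sshd:session): session closed for user bob
"""

# Assumed message shapes (this example's own patterns, not from the page).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
CLOSED_RE = re.compile(r"session closed for user (?P<user>\S+)")
TIMEOUT_RE = re.compile(r"Timeout, client not responding")

# Heuristic (assumption): an sshd client-alive timeout followed within this window
# by a PAM "session closed" on the same host is treated as the cause of that logout.
TIMEOUT_WINDOW = timedelta(seconds=5)


@dataclass
class SessionEvent:
    ts: str
    host: str
    user: str
    event: str                  # "login", "logout" or "idle_timeout"
    src: Optional[str] = None   # client address, known only from the Accepted line
    method: Optional[str] = None


def session_events(log_text: str) -> List[SessionEvent]:
    """Return only the session events; failed logins, sudo, etc. are dropped."""
    events: List[SessionEvent] = []
    by_pid: Dict[str, dict] = {}            # sshd pid -> user/src/method from Accepted
    last_timeout: Dict[str, datetime] = {}  # host -> time of the last sshd timeout
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["prog"] != "sshd":
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        host, pid, msg = m["host"], m["pid"], m["msg"]
        accepted = ACCEPTED_RE.match(msg)
        closed = CLOSED_RE.search(msg)
        if accepted:
            by_pid[pid] = {"user": accepted["user"], "src": accepted["src"],
                           "method": accepted["method"]}
            events.append(SessionEvent(m["ts"], host, accepted["user"], "login",
                                       accepted["src"], accepted["method"]))
        elif TIMEOUT_RE.search(msg):
            # Logged by the post-auth child, so its pid differs from the Accepted
            # line; remember it per host and correlate with the next session close.
            last_timeout[host] = ts
        elif closed:
            info = by_pid.pop(pid, {})
            t = last_timeout.get(host)
            kind = "idle_timeout" if t is not None and ts - t <= TIMEOUT_WINDOW else "logout"
            if kind == "idle_timeout":
                last_timeout.pop(host, None)
            events.append(SessionEvent(m["ts"], host, closed["user"], kind,
                                       info.get("src"), info.get("method")))
    return events


def to_syslog_message(ev: SessionEvent) -> str:
    """Flat key=value text usable as the MSG part of a forwarded syslog record."""
    fields = [f"event={ev.event}", f"user={ev.user}", f"host={ev.host}"]
    if ev.src:
        fields.append(f"src={ev.src}")
    if ev.method:
        fields.append(f"method={ev.method}")
    return "ipa-session " + " ".join(fields)


if __name__ == "__main__":
    for ev in session_events(SAMPLE_SECURE_LOG):
        print(to_syslog_message(ev))
```

With two interactive sessions open on the same host at once, the host-level timeout correlation cannot tell which one timed out; a real deployment would want to key on the sshd connection (the "from ... port ..." pair newer OpenSSH versions include in the timeout message) rather than on the host.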
so you have a loghost and you want to know how to forward syslog messages from your redhat box to that loghost? edit /etc/rsyslog.conf to forward everything to the loghost:
auth.info @yourloghost.com
authpriv.info @yourloghost.com
local2.info @yourloghost.com
user.info @yourloghost.com
*.emerg @pong3.campus.ithaca.lan
user.info @pong3.campus.ithaca.lan
then enable and start rsyslog on the host:
systemctl enable rsyslog.service
systemctl start rsyslog.service
systemctl status rsyslog.service (to see if it's running)
(Seems like my response is missing carriage returns, so put one between rsyslog.conf entries and systemctl statements.)
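To see exactly which messages the selectors in that rsyslog.conf snippet would forward, and what the datagrams look like on the wire, here is an added example (not code from the thread, and not rsyslog's own code) that models the classic sysklogd-style selector rules and builds RFC 3164 datagrams for the matching records. The facility and severity numbers are the standard ones from RFC 3164; the rule set is the one from the post, with the single placeholder loghost "yourloghost.com"; the log records are constructed for this example. The model is deliberately limited to one selector per line (no ";" or multi-selector lines) and to the "@host" forwarding action.

```python
import socket
from typing import List, Tuple

# Numeric codes from RFC 3164 (the same values <syslog.h> uses).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Forwarding rules as given in the post, pointed at one placeholder loghost.
RSYSLOG_RULES = """
auth.info      @yourloghost.com
authpriv.info  @yourloghost.com
local2.info    @yourloghost.com
user.info      @yourloghost.com
*.emerg        @yourloghost.com
"""

# Constructed records: (facility, severity, timestamp, host, tag, message).
RECORDS = [
    ("auth", "info", "Mar  3 10:15:02", "ipaclient1", "sshd[2310]",
     "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2"),
    ("authpriv", "notice", "Mar  3 10:31:00", "ipaclient1", "sudo",
     "alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"),
    ("daemon", "info", "Mar  3 10:31:05", "ipaclient1", "systemd",
     "Started Session 12 of user alice."),
    ("auth", "debug", "Mar  3 10:31:06", "ipaclient1", "sshd[2500]", "debug1: do_cleanup"),
    ("kern", "emerg", "Mar  3 10:40:00", "ipaclient1", "kernel", "Kernel panic - not syncing"),
]


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """sysklogd/rsyslog selector semantics: 'fac.sev' matches that facility at
    severity sev *or more urgent* (lower number); '=sev' matches exactly;
    'none' matches nothing; '*' on either side matches everything."""
    fac_part, sev_part = selector.split(".", 1)
    facs = fac_part.split(",")
    if "*" not in facs and facility not in facs:
        return False
    if sev_part == "none":
        return False
    if sev_part == "*":
        return True
    if sev_part.startswith("="):
        return SEVERITIES[severity] == SEVERITIES[sev_part[1:]]
    return SEVERITIES[severity] <= SEVERITIES[sev_part]


def parse_rules(conf: str) -> List[Tuple[str, str]]:
    """(selector, action) pairs from rsyslog.conf-style lines; blanks/comments skipped."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            rules.append((selector, action))
    return rules


def rfc3164_datagram(facility: str, severity: str, timestamp: str,
                     host: str, tag: str, msg: str) -> str:
    """<PRI>TIMESTAMP HOSTNAME TAG: MSG, with PRI = facility * 8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {host} {tag}: {msg}"


def forward(conf: str, records) -> List[Tuple[str, str, str]]:
    """Apply every forwarding rule to every record, as rsyslog does: a record that
    matches several rules is sent once per rule. Returns (proto, target, datagram)."""
    out = []
    rules = parse_rules(conf)
    for fac, sev, ts, host, tag, msg in records:
        for selector, action in rules:
            if not action.startswith("@"):
                continue  # file or other local actions are not forwarding
            proto = "tcp" if action.startswith("@@") else "udp"
            if selector_matches(selector, fac, sev):
                out.append((proto, action.lstrip("@"), rfc3164_datagram(fac, sev, ts, host, tag, msg)))
    return out


def send_udp(datagrams, port: int = 514) -> None:
    """Plain UDP send, which is what a single '@host' action does: unencrypted and
    unacknowledged. Not called here; the target is a placeholder name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for proto, target, payload in datagrams:
            if proto == "udp":
                s.sendto(payload.encode("utf-8"), (target, port))


if __name__ == "__main__":
    for proto, target, dgram in forward(RSYSLOG_RULES, RECORDS):
        print(proto, target, dgram)
```

Of the five constructed records only three leave the host: the sshd login (auth.info, PRI 38), the sudo line (authpriv.notice is more urgent than info, PRI 85) and the kernel emergency (caught by *.emerg, PRI 0); the daemon message has no rule and the auth.debug message is below the info threshold. Note that "@host" is UDP, which drops messages silently under load and carries them in clear text; "@@host" switches rsyslog to TCP, and rsyslog's TLS driver is the usual answer when the session records cross an untrusted network.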