SyslogAuditEventHandler
An audit event handler that responds to events by logging messages to the UNIX system log as governed by RFC 5424, The Syslog Protocol.
Declare the configuration in an audit service, as described in AuditService.
Usage
{
"class": "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler",
"config": {
"name": configuration expression<string>,
"topics": [ configuration expression<string>, ... ],
"protocol": configuration expression<string>,
"host": configuration expression<string>,
"port": configuration expression<number>,
"connectTimeout": configuration expression<number>,
"facility": configuration expression<string>,
"buffering": {
"enabled": configuration expression<boolean>,
"maxSize": configuration expression<number>
},
"severityFieldMappings": [
{
"topic": configuration expression<string>,
"field": configuration expression<string>,
"valueMappings": {
"field-value": object
}
}
]
}
}
The values in this configuration object can use expressions as long as they resolve to the correct types for each field. For details about expressions, see Expressions.
Configuration
"name"
: configuration expression<string>, required-
The name of the event handler.
"topics"
: array of configuration expression<strings>, required-
One or more topics that this event handler intercepts. IG can record the following audit event topics:
-
access
: Log access audit events. Access audit events occur at the system boundary, and include the arrival of the initial request and departure of the final response.To record
access
audit events, configure AuditService inline in a route, or in the heap. -
customTopic: Log custom audit events. To create a topic for a custom audit event, include a JSON schema for the topic in your IG configuration.
To record custom audit events, configure AuditService in the heap, and refer to it from the route or subroutes. For an example of how to set up custom audit events, see Record custom audit events.
-
"protocol"
: configuration expression<string>, required-
The transport protocol used to send event messages to the Syslog daemon.
Set this to
TCP
for Transmission Control Protocol, or toUDP
for User Datagram Protocol. "host"
: configuration expression<string>, required-
The hostname of the Syslog daemon to which to send event messages. The hostname must resolve to an IP address.
"port"
: configuration expression<number>, required-
The port of the Syslog daemon to which to send event messages.
The value must be between 0 and 65535.
"connectTimeout"
: configuration expression<number>, required when using TCP-
The number of milliseconds to wait for a connection before timing out.
"facility"
: configuration expression<enumeration>, required-
The Syslog facility to use for event messages. Set to one of the following values:
-
kern
: Kernel messages -
user
: User-level messages -
mail
: Mail system -
daemon
: System daemons -
auth
: Security/authorization messages -
syslog
: Messages generated internally bysyslogd
-
lpr
: Line printer subsystem -
news
: Network news subsystem -
uucp
: UUCP subsystem -
cron
: Clock daemon -
authpriv
: Security/authorization messages -
ftp
: FTP daemon -
ntp
: NTP subsystem -
logaudit
: Log audit -
logalert
: Log alert -
clockd
: Clock daemon -
local0
: Local use 0 -
local1
: Local use 1 -
local2
: Local use 2 -
local3
: Local use 3 -
local4
: Local use 4 -
local5
: Local use 5 -
local6
: Local use 6 -
local7
: Local use 7
-
"buffering"
: object, optional-
Buffering settings for writing to the system log facility. The default is for messages to be written to the log for each event.
"severityFieldMappings"
: object, optional-
Severity field mappings set the correspondence between audit event fields and Syslog severity values.
The severity field mappings object has the following fields:
"topic"
: configuration expression<string>, required-
The audit event topic to which the mapping applies.
Set this to a value configured in
topics
. "field"
: configuration expression<string>, required-
The audit event field to which the mapping applies.
Audit event fields use JSON pointer notation, and are taken from the JSON schema for the audit event content.
"valueMappings"
: object, required-
The map of audit event values to Syslog severities, where both the keys and the values are strings.
Syslog severities are one of the following values:
-
emergency
: System is unusable. -
alert
: Action must be taken immediately. -
critical
: Critical conditions. -
error
: Error conditions. -
warning
: Warning conditions. -
notice
: Normal but significant condition. -
informational
: Informational messages. -
debug
: Debug-level messages.
-
Example
The following example configures a Syslog audit event handler that writes to
the system log daemon on syslogd.example.com
, port 6514
over TCP with a
timeout of 30 seconds. The facility is the first one for local use, and response
status is mapped to Syslog informational messages:
{
"class": "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler",
"config": {
"name": "MySyslogAuditEventHandler",
"topics": ["access"],
"protocol": "TCP",
"host": "https://syslogd.example.com",
"port": 6514,
"connectTimeout": 30000,
"facility": "local0",
"severityFieldMappings": [
{
"topic": "access",
"field": "response/status",
"valueMappings": {
"FAILED": "INFORMATIONAL",
"SUCCESSFUL": "INFORMATIONAL"
}
}
]
}
}