PingIntelligence

Configure dashboard engine for syslog

The PingIntelligence Dashboard engine can send attack information to a syslog server. Syslog support is disabled by default; enable it by editing the dashboard.properties file. Dashboard uses Log4j version 2.11.2 to publish attack data to syslog.

The following is a snippet of dashboard.properties with syslog enabled.

# Log4j2
# publish attacks to Log4j2. Valid values true or false
# By default it provides syslog support
publish.log4j2.enable=true
# log4j2 config file to log attacks to an external service. For example, Syslog
# use com.pingidentity.abs.publish as logger name in log4j2 configuration
log4j2.config=config/syslog.xml
# log4j2 log level for attack logging
log4j2.log.level=INFO
# directory for any log4j2 config dependency jars.
# useful for third party log4j2 appenders
# it should be a directory
log4j2.dependencies.dir=plugins/

The attack data is published to a Log4j logger named com.pingidentity.abs.publish. Any Log4j2 configuration file used to capture attack data from Dashboard must therefore define at least one logger with that exact name.

PingIntelligence Dashboard ships with a syslog.xml and an attack_log.xml file in the Dashboard config directory. The config file can also be written in any other format Log4j supports, including .properties, .json, or .yml.

syslog.xml

The following is a snippet of the syslog.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn" name="APIIntelligence" packages="">
  <Appenders>
    <!--<Syslog name="bsd" host="localhost" port="514" protocol="TCP"
      ignoreExceptions="false" immediateFlush="true" />-->
    <Syslog name="RFC5424"  host="localhost" port="614" protocol="TCP"
      format="RFC5424"  appName="APIIntelligence" mdcId="mdc"
      facility="LOCAL0" enterpriseNumber="18060" newLine="true"
      messageId="Audit" id="App" ignoreExceptions="false" immediateFlush="true"/>
  </Appenders>
  <Loggers>
    <Logger name="com.pingidentity.abs.publish" level="info" additivity="false">
      <AppenderRef ref="RFC5424"/>
    </Logger>
  </Loggers>
</Configuration>
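As an added example, not part of PingIntelligence's own code or documentation, the Python parser below reads RFC 5424 frames of the shape the appender above produces (facility LOCAL0, appName APIIntelligence, messageId Audit, structured data under the SD-ID mdc@18060) and applies a receiving-side filter a SIEM could use to pick out Dashboard attack events. The sample line and its MDC parameter names (api, attack_type, client_ip) are constructed, not captured Dashboard output.

```python
import re

# Constructed sample (not real Dashboard output): header fields follow the syslog.xml
# settings above (PRI 134 = LOCAL0 16*8 + INFO 6, APP-NAME APIIntelligence, MSGID Audit,
# SD-ID mdc@18060); the MDC keys api/attack_type/client_ip are assumed.
SAMPLE = ('<134>1 2024-05-01T12:00:00.123Z dashboard01 APIIntelligence - Audit '
          '[mdc@18060 api="shop" attack_type="Data Exfiltration" client_ip="198.51.100.7"]'
          ' attack published')

FACILITIES = {0: 'KERN', 1: 'USER', 3: 'DAEMON', 4: 'AUTH', 10: 'AUTHPRIV', 16: 'LOCAL0'}
SEVERITIES = ['EMERG', 'ALERT', 'CRIT', 'ERR', 'WARNING', 'NOTICE', 'INFO', 'DEBUG']

# RFC 5424 HEADER: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(r'^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$', re.DOTALL)
# One SD-ELEMENT: [SD-ID SP NAME="VALUE" ...]; a VALUE escapes ", \ and ] with a backslash
SD_ELEMENT_RE = re.compile(r'\[([^ \]"=]+)((?: [^ \]"=]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^ \]"=]+)="((?:[^"\\]|\\.)*)"')


def parse_rfc5424(line):
    """Parse one RFC 5424 frame into a dict; raise ValueError instead of guessing."""
    m = HEADER_RE.match(line.rstrip('\n'))
    if not m:
        raise ValueError('not an RFC 5424 header')
    pri = int(m.group(1))
    if pri > 191:                        # facility 0-23 * 8 + severity 0-7
        raise ValueError(f'PRI out of range: {pri}')
    facility, severity = divmod(pri, 8)
    rest, sd, pos = m.group(8), {}, 0
    if rest.startswith('-'):             # NILVALUE: no structured data
        pos = 1
    while pos < len(rest) and rest[pos] == '[':
        em = SD_ELEMENT_RE.match(rest, pos)
        if not em:
            raise ValueError('malformed STRUCTURED-DATA')
        sd[em.group(1)] = {k: re.sub(r'\\([\\"\]])', r'\1', v)
                           for k, v in SD_PARAM_RE.findall(em.group(2))}
        pos = em.end()
    if pos == 0:
        raise ValueError('missing STRUCTURED-DATA or NILVALUE')
    tail = rest[pos:]                    # optional " MSG"
    if tail and not tail.startswith(' '):
        raise ValueError('unexpected bytes after STRUCTURED-DATA')
    return {'facility': FACILITIES.get(facility, str(facility)), 'severity': SEVERITIES[severity],
            'timestamp': m.group(3), 'hostname': m.group(4), 'appname': m.group(5),
            'msgid': m.group(7), 'sd': sd, 'message': tail[1:]}

def is_dashboard_attack(rec):
    """Receiving-side filter for events the syslog.xml appender above tags as attack data."""
    return rec['appname'] == 'APIIntelligence' and rec['msgid'] == 'Audit' and 'mdc@18060' in rec['sd']
```

The appender in syslog.xml sends over plain TCP, so the receiver sees exactly these frames; with newLine="true" each frame ends in a line break, which the parser strips.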

Configure the server and port number of the syslog server

Configure the server and port number of the syslog server in the config/syslog.xml file. The following snippet of the syslog.xml file shows the host and port parameters:

    <!-- Syslog RFC5424 format, TCP -->
    <Syslog name="TCP_RFC5424"
      host="localhost" port="614"
      appName="APIIntelligence"
      id="App"
      enterpriseNumber="18060"
      facility="LOCAL0"
      messageId="Audit"
      format="RFC5424"
      newLine="true"
      protocol="TCP"
      ignoreExceptions="false"
      mdcId="mdc" immediateFail="false" immediateFlush="true"
      connectTimeoutMillis="30000" reconnectionDelayMillis="5000"/>