PingIntelligence

Configuring the PingIntelligence Dashboard engine for syslog

The PingIntelligence Dashboard engine supports sending attack information to a syslog server.

About this task

The PingIntelligence Dashboard ships with a syslog.xml file and an attack_log.xml file in the Dashboard config directory. The Log4j configuration file can also be written in any other format Log4j supports, including .properties, .json, or .yml.

The following is a snippet of the syslog.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn" name="APIIntelligence" packages="">
  <Appenders>
    <!--<Syslog name="bsd" host="localhost" port="514" protocol="TCP"
      ignoreExceptions="false" immediateFlush="true" />-->
    <Syslog name="RFC5424"  host="localhost" port="614" protocol="TCP"
      format="RFC5424"  appName="APIIntelligence" mdcId="mdc"
      facility="LOCAL0" enterpriseNumber="18060" newLine="true"
      messageId="Audit" id="App" ignoreExceptions="false" immediateFlush="true"/>
  </Appenders>
  <Loggers>
    <Logger name="com.pingidentity.abs.publish" level="info" additivity="false">
      <AppenderRef ref="RFC5424"/>
    </Logger>
  </Loggers>
</Configuration>

Steps

  1. Enable syslog support by editing the dashboard.properties file.

    By default, syslog is disabled. The Dashboard uses Log4j version 2.11.2 to publish attack data to syslog.

    The following is a snippet of dashboard.properties with syslog enabled.

    # Log4j2
    # publish attacks to Log4j2. Valid values true or false
    # By default it provides syslog support
    publish.log4j2.enable=true
    # log4j2 config file to log attacks to an external service. For example, Syslog
    # use com.pingidentity.abs.publish as logger name in log4j2 configuration
    log4j2.config=config/syslog.xml
    # log4j2 log level for attack logging
    log4j2.log.level=INFO
    # directory for any log4j2 config dependency jars.
    # useful for third party log4j2 appenders
    # it should be a directory
    log4j2.dependencies.dir=plugins/

    Result:

    The attack data is published to a Log4j logger named com.pingidentity.abs.publish. Any Log4j2 configuration file that is to capture attack data from the Dashboard must therefore define at least one logger with the name com.pingidentity.abs.publish, as the syslog.xml snippet above does.

  2. Configure the server and port number of the syslog server in the config/syslog.xml file.

    The following is a snippet of the syslog.xml file displaying the server and port number parameters:

    <!--  # Syslog RFC5424 format, TCP -->
    <Syslog name="TCP_RFC5424"
        host="localhost" port="614"
        appName="APIIntelligence"
        id="App"
        enterpriseNumber="18060"
        facility="LOCAL0"
        messageId="Audit"
        format="RFC5424"
        newLine="true"
        protocol="TCP"
        ignoreExceptions="false"
        mdcId="mdc" immediateFail="false" immediateFlush="true"
        connectTimeoutMillis="30000" reconnectionDelayMillis="5000"/>
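Once both steps are done, the receiving side sees newline-delimited RFC 5424 frames on TCP port 614 whose header fields mirror the appender attributes above (appName, messageId, facility, and a structured-data element named after mdcId and enterpriseNumber). The following added example, which is not part of the PingIntelligence documentation or product, is a small receiver-side parser a practitioner can use to confirm that frames arriving from the Dashboard carry the configured values. The sample frame, the attack_type and api parameter names, and the hostname are constructed for illustration, not captured Dashboard output; the check goes slightly beyond the page by also handling a TCP read that ends in an incomplete frame.

```python
import re
from dataclasses import dataclass

# Conventional facility names for codes 0-23 (RFC 5424 section 6.2.1); the Dashboard
# appender is configured with facility="LOCAL0", which is code 16.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "LOCAL0", "LOCAL1", "LOCAL2", "LOCAL3", "LOCAL4", "LOCAL5", "LOCAL6", "LOCAL7"]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]

# Constructed sample frame, shaped like output of a Log4j2 Syslog appender configured as on this
# page (format="RFC5424", appName="APIIntelligence", messageId="Audit", mdcId="mdc",
# enterpriseNumber="18060", newLine="true"). PRI 134 = LOCAL0 (16) * 8 + Informational (6).
SAMPLE_FRAME = ('<134>1 2020-05-12T10:15:30.123Z dashboard-host APIIntelligence - Audit '
                '[mdc@18060 attack_type="Data Exfiltration" api="shop"] attack detected on API shop\n')

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID, then SD and MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) (?P<rest>.*)$',
    re.DOTALL)
SD_ELEMENT_RE = re.compile(r'\[([^\s\]="]+)((?:\s+[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    app_name: str
    proc_id: str
    msg_id: str
    structured_data: dict
    message: str


def _unescape(value: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside a PARAM-VALUE with a backslash.
    return value.replace('\\"', '"').replace('\\]', ']').replace('\\\\', '\\')


def parse_structured_data(rest: str):
    """Parse the STRUCTURED-DATA part; return ({sd_id: {param: value}}, remaining MSG)."""
    if rest.startswith('-'):  # NILVALUE: no structured data
        return {}, rest[1:].lstrip(' ')
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == '[':
        m = SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError(f'malformed STRUCTURED-DATA at offset {pos}')
        sd[m.group(1)] = {k: _unescape(v) for k, v in SD_PARAM_RE.findall(m.group(2))}
        pos = m.end()
    return sd, rest[pos:].lstrip(' ')


def parse_rfc5424(frame: str) -> SyslogRecord:
    """Parse one RFC 5424 frame (with or without the trailing newline the appender adds)."""
    m = HEADER_RE.match(frame.rstrip('\r\n'))
    if not m:
        raise ValueError('not an RFC 5424 version-1 header')
    pri = int(m.group('pri'))
    if pri > 191:
        raise ValueError(f'PRI {pri} out of range')
    facility, severity = divmod(pri, 8)
    sd, msg = parse_structured_data(m.group('rest'))
    return SyslogRecord(FACILITIES[facility], SEVERITIES[severity], m.group('ts'), m.group('host'),
                        m.group('app'), m.group('proc'), m.group('msgid'), sd, msg)


def split_frames(buffer: bytes):
    """Split a TCP read buffer on '\\n' (newLine="true"); return (complete frames, unfinished tail)."""
    *complete, tail = buffer.split(b'\n')
    return [c.decode('utf-8') for c in complete], tail


def check_dashboard_frame(record: SyslogRecord, app_name='APIIntelligence', msg_id='Audit',
                          facility='LOCAL0', enterprise_number='18060', mdc_id='mdc'):
    """Return the header fields that disagree with the syslog.xml attributes; [] means a match."""
    problems = []
    if record.app_name != app_name:
        problems.append(f'appName {record.app_name!r} != {app_name!r}')
    if record.msg_id != msg_id:
        problems.append(f'messageId {record.msg_id!r} != {msg_id!r}')
    if record.facility != facility:
        problems.append(f'facility {record.facility!r} != {facility!r}')
    if f'{mdc_id}@{enterprise_number}' not in record.structured_data:
        problems.append(f'no [{mdc_id}@{enterprise_number} ...] structured-data element')
    return problems


if __name__ == '__main__':
    # Simulate one TCP read that holds a full frame followed by the start of the next one.
    frames, tail = split_frames(SAMPLE_FRAME.encode('utf-8') + b'<134>1 partial')
    for f in frames:
        rec = parse_rfc5424(f)
        print(rec.facility, rec.severity, rec.app_name, rec.msg_id, rec.structured_data, rec.message)
        print('mismatches:', check_dashboard_frame(rec))
    print('buffered tail:', tail)
```

Keep the tail returned by split_frames and prepend it to the next read; with newLine="true" the appender terminates every frame with a newline, so a buffer that does not end in one always holds an incomplete frame. A non-empty result from check_dashboard_frame usually means the receiver is listening to a different appender than the one wired to the com.pingidentity.abs.publish logger.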