PingIntelligence dashboard engine supports sending attack information to a syslog server. Enable syslog support by editing the dashboard.properties file. By default syslog is disabled. Dashboard uses Log4j version 2.11.2 to publish attack data to syslog.
dashboard.properties with syslog enabled:
### Log4j2
# publish attacks to Log4j2. Valid values true or false
# By default it provides syslog support
publish.log4j2.enable=true
# log4j2 config file to log attacks to an external service. For example, Syslog
# use com.pingidentity.abs.publish as logger name in log4j2 configuration
log4j2.config=config/syslog.xml
# log4j2 log level for attack logging
log4j2.log.level=INFO
# directory for any log4j2 config dependency jar's.
# useful for third party log4j2 appenders
# it should be a directory
log4j2.dependencies.dir=plugins/
The attack data is published to a Log4j logger named com.pingidentity.abs.publish. The Log4j configuration file must have a logger named com.pingidentity.abs.publish. Any Log4j2 config file that wants to capture attack data from Dashboard must have at least one logger with name com.pingidentity.abs.publish.
PingIntelligence Dashboard ships with a syslog.xml and attack_log.xml file in the Dashboard config directory. The config file supports other formats available with Log4j including .properties, .json, or .yml.
syslog.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn" name="APIIntelligence" packages="">
  <Appenders>
    <!--<Syslog name="bsd" host="localhost" port="514" protocol="TCP"
        ignoreExceptions="false" immediateFlush="true" />-->
    <Syslog name="RFC5424" host="localhost" port="614" protocol="TCP"
        format="RFC5424" appName="APIIntelligence" mdcId="mdc"
        facility="LOCAL0" enterpriseNumber="18060" newLine="true"
        messageId="Audit" id="App" ignoreExceptions="false" immediateFlush="true"/>
  </Appenders>
  <Loggers>
    <Logger name="com.pingidentity.abs.publish" level="info" additivity="false">
      <AppenderRef ref="RFC5424"/>
    </Logger>
  </Loggers>
</Configuration>
Configure the server and port number of the syslog server in the config/syslog.xml file. The following is a snippet of the syslog.xml file displaying the server and port number parameters:
<!-- ### Syslog RFC5424 format, TCP -->
<Syslog name="TCP_RFC5424"
    host="localhost"
    port="614"
    appName="APIIntelligence"
    id="App"
    enterpriseNumber="18060"
    facility="LOCAL0"
    messageId="Audit"
    format="RFC5424"
    newLine="true"
    protocol="TCP"
    ignoreExceptions="false"
    mdcId="mdc" immediateFail="false" immediateFlush="true"
    connectTimeoutMillis="30000" reconnectionDelayMillis="5000"/>
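A pre-deployment check for the logger requirement described above, as an added example that is not part of PingIntelligence: it confirms that a Log4j2 XML config has a logger named com.pingidentity.abs.publish whose AppenderRef resolves to an appender that is actually defined (not commented out) and that a Syslog appender has a host and a valid port. The function name `check_syslog_config` and the sample configs are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATTACK_LOGGER = "com.pingidentity.abs.publish"  # logger name the page requires

def check_syslog_config(xml_text):
    """Return a list of problems in a Log4j2 XML config; an empty list means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    # Appenders actually defined; commented-out appenders are skipped by the parser.
    appenders = {a.get("name"): a for a in root.findall("./Appenders/*")}
    loggers = [lg for lg in root.findall("./Loggers/Logger")
               if lg.get("name") == ATTACK_LOGGER]
    if not loggers:
        problems.append(f"no logger named {ATTACK_LOGGER}")
    for lg in loggers:
        refs = [r.get("ref") for r in lg.findall("AppenderRef")]
        if not refs:
            problems.append("attack logger has no AppenderRef")
        for ref in refs:
            appender = appenders.get(ref)
            if appender is None:
                problems.append(f"AppenderRef '{ref}' matches no defined appender")
                continue
            if appender.tag == "Syslog":
                port = appender.get("port", "")
                if not appender.get("host"):
                    problems.append(f"Syslog appender '{ref}' has no host")
                if not (port.isdigit() and 0 < int(port) < 65536):
                    problems.append(f"Syslog appender '{ref}' has invalid port '{port}'")
    return problems

# Constructed sample: same layout as the shipped syslog.xml shown on this page.
GOOD = """<Configuration status="warn" name="APIIntelligence">
  <Appenders>
    <!--<Syslog name="bsd" host="localhost" port="514" protocol="TCP"/>-->
    <Syslog name="RFC5424" host="localhost" port="614" protocol="TCP" format="RFC5424"/>
  </Appenders>
  <Loggers>
    <Logger name="com.pingidentity.abs.publish" level="info" additivity="false">
      <AppenderRef ref="RFC5424"/>
    </Logger>
  </Loggers>
</Configuration>"""

# Constructed variants: appender renamed without updating AppenderRef, and a
# logger that points at the commented-out "bsd" appender.
RENAMED = GOOD.replace('<Syslog name="RFC5424"', '<Syslog name="TCP_RFC5424"')
DISABLED = GOOD.replace('<AppenderRef ref="RFC5424"/>', '<AppenderRef ref="bsd"/>')

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("renamed", RENAMED), ("disabled", DISABLED)):
        print(label, check_syslog_config(cfg) or "OK")
```

Run it against config/syslog.xml after any edit to the appender name, host or port, before restarting Dashboard.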