SyslogAuditEventHandler
An audit event handler that responds to events by logging messages to the UNIX system log as governed by RFC 5424, The Syslog Protocol.
Declare the configuration in an audit service, as described in AuditService.
Usage
{
"class": "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler",
"config": {
"name": configuration expression<string>,
"topics": [ configuration expression<string>, ... ],
"protocol": configuration expression<string>,
"host": configuration expression<string>,
"port": configuration expression<number>,
"connectTimeout": configuration expression<number>,
"facility": configuration expression<string>,
"buffering": {
"enabled": configuration expression<boolean>,
"maxSize": configuration expression<number>
},
"severityFieldMappings": [
{
"topic": configuration expression<string>,
"field": configuration expression<string>,
"valueMappings": {
"field-value": object
}
}
]
}
}
The values in this configuration object can use expressions as long as they resolve to the correct types for each field. For details about expressions, see Expressions.
Configuration
"name"
: configuration expression<string>, required
The name of the event handler.
"topics"
: array of configuration expression<string>, required
An array of one or more topics that this event handler intercepts. IG can record the following audit event topics:
- access: Log access audit events. Access audit events occur at the system boundary, and include the arrival of the initial request and the departure of the final response. To record access audit events, configure AuditService inline in a route, or in the heap.
- customTopic: Log custom audit events. To create a topic for a custom audit event, include a JSON schema for the topic in your IG configuration. To record custom audit events, configure AuditService in the heap, and refer to it from the route or subroutes. For an example of how to set up custom audit events, see Record Custom Audit Events.
"protocol"
: configuration expression<string>, required
The transport protocol used to send event messages to the Syslog daemon. Set this to TCP for Transmission Control Protocol, or to UDP for User Datagram Protocol.
Neither transport encrypts or authenticates the messages: audit events, including the client addresses and user identifiers they carry, cross the network in clear text. Where that matters, send to a Syslog daemon on the local host or a trusted network and let it forward over TLS (RFC 5425). UDP delivery is best effort, so events can be dropped silently under load; prefer TCP when completeness of the audit trail matters.
"host"
: configuration expression<string>, required
The hostname of the Syslog daemon to which to send event messages. Give a bare hostname or IP address, not a URL. The hostname must resolve to an IP address.
"port"
: configuration expression<number>, required
The port of the Syslog daemon to which to send event messages. The value must be between 0 and 65535.
"connectTimeout"
: configuration expression<number>, required when using TCP
The number of milliseconds to wait for a connection before timing out.
"facility"
: configuration expression<string>, required
The Syslog facility to use for event messages. Set this to one of the following values:
- kern: Kernel messages
- user: User-level messages
- mail: Mail system
- daemon: System daemons
- auth: Security/authorization messages
- syslog: Messages generated internally by syslogd
- lpr: Line printer subsystem
- news: Network news subsystem
- uucp: UUCP subsystem
- cron: Clock daemon
- authpriv: Security/authorization messages
- ftp: FTP daemon
- ntp: NTP subsystem
- logaudit: Log audit
- logalert: Log alert
- clockd: Clock daemon
- local0: Local use 0
- local1: Local use 1
- local2: Local use 2
- local3: Local use 3
- local4: Local use 4
- local5: Local use 5
- local6: Local use 6
- local7: Local use 7
"buffering"
: object, optional
Buffering settings for writing to the system log facility. By default, buffering is disabled and each event is written to the log as it occurs.
"enabled"
: configuration expression<boolean>, optional
Whether log buffering is enabled.
Default: false
"maxSize"
: configuration expression<number>, optional
The maximum number of buffered event messages.
Default: 5000
"severityFieldMappings"
: array of objects, optional
Severity field mappings set the correspondence between audit event field values and Syslog severity values. Each object in the array has the following fields:
"topic"
: configuration expression<string>, required
The audit event topic to which the mapping applies. Set this to a value configured in topics.
"field"
: configuration expression<string>, required
The audit event field to which the mapping applies. Audit event fields use JSON pointer notation, and are taken from the JSON schema for the audit event content.
"valueMappings"
: object, required
The map of audit event field values to Syslog severities, where both the keys and the values are strings. Syslog severities are one of the following values:
- emergency: System is unusable.
- alert: Action must be taken immediately.
- critical: Critical conditions.
- error: Error conditions.
- warning: Warning conditions.
- notice: Normal but significant condition.
- informational: Informational messages.
- debug: Debug-level messages.
Example
The following example configures a Syslog audit event handler that writes to the system log daemon on syslogd.example.com, port 6514, over TCP with a connection timeout of 30 seconds. The facility is the first one for local use, and the response status is mapped to Syslog informational messages. Note that host is a bare hostname, not a URL, and that 6514 is the port registered for Syslog over TLS: this handler speaks plain TCP, so the daemon listening there must accept unencrypted connections.
{
"class": "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler",
"config": {
"name": "MySyslogAuditEventHandler",
"topics": ["access"],
"protocol": "TCP",
"host": "syslogd.example.com",
"port": 6514,
"connectTimeout": 30000,
"facility": "local0",
"severityFieldMappings": [
{
"topic": "access",
"field": "response/status",
"valueMappings": {
"FAILED": "INFORMATIONAL",
"SUCCESSFUL": "INFORMATIONAL"
}
}
]
}
}
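The following script is an added example, not code from IG or the ForgeRock audit framework. It checks a handler declaration against the constraints listed under Configuration (required fields, TCP needing connectTimeout, host being a hostname rather than a URL, port range, known facility, mapping topics present in topics, known severities) and then shows what severityFieldMappings and facility produce on the wire: the RFC 5424 PRI value, facility code * 8 + severity code, for a given audit event. The sample declarations are constructed from the example above; the default severity used when no mapping matches is an assumption, since the page does not state one, and severity names are compared case-insensitively because the page lists them in lowercase while its example uses uppercase.

```python
"""Added example, not IG's own code: validate a SyslogAuditEventHandler declaration
and compute the RFC 5424 PRI an event would carry after severityFieldMappings."""
import re

# RFC 5424 facility codes for the names the "facility" field accepts.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clockd": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
# RFC 5424 severity codes for the names "valueMappings" accepts.
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}
# Assumed default when no mapping matches an event; the page does not state one.
DEFAULT_SEVERITY = "informational"
# Dot-separated labels of letters, digits and hyphens: a hostname or dotted-quad, never a URL.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def validate(handler):
    """Return the list of problems in a handler declaration (empty when it is clean)."""
    problems = []
    cfg = handler.get("config", {})
    for key in ("name", "topics", "protocol", "host", "port", "facility"):
        if key not in cfg:
            problems.append(f"missing required field {key!r}")
    protocol = str(cfg.get("protocol", "")).upper()
    if protocol not in ("TCP", "UDP"):
        problems.append(f"protocol must be TCP or UDP, not {cfg.get('protocol')!r}")
    elif protocol == "TCP" and "connectTimeout" not in cfg:
        problems.append("connectTimeout is required when protocol is TCP")
    host = str(cfg.get("host", ""))
    if not HOSTNAME_RE.match(host):  # catches a scheme, port or path written into host
        problems.append(f"host must be a bare hostname, not {host!r}")
    port = cfg.get("port")
    if not isinstance(port, int) or not 0 <= port <= 65535:
        problems.append(f"port must be an integer between 0 and 65535, not {port!r}")
    if cfg.get("facility") not in FACILITIES:
        problems.append(f"unknown facility {cfg.get('facility')!r}")
    topics = cfg.get("topics", [])
    for mapping in cfg.get("severityFieldMappings", []):
        if mapping.get("topic") not in topics:
            problems.append(f"mapping topic {mapping.get('topic')!r} is not in topics")
        for value, severity in mapping.get("valueMappings", {}).items():
            if str(severity).lower() not in SEVERITIES:
                problems.append(f"unknown severity {severity!r} for value {value!r}")
    return problems


def lookup(event, pointer):
    """Resolve a JSON pointer such as "response/status" against an audit event dict."""
    node = event
    for part in pointer.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def severity_for(handler, topic, event):
    """Apply the handler's severityFieldMappings to one event; return a severity name."""
    for mapping in handler["config"].get("severityFieldMappings", []):
        if mapping["topic"] != topic:
            continue
        mapped = mapping["valueMappings"].get(str(lookup(event, mapping["field"])))
        if mapped is not None:
            return mapped.lower()
    return DEFAULT_SEVERITY


def pri(handler, topic, event):
    """RFC 5424 PRI value for the event: facility code * 8 + severity code."""
    facility = FACILITIES[handler["config"]["facility"]]
    return facility * 8 + SEVERITIES[severity_for(handler, topic, event)]


# Constructed sample: the page's example, with failed responses raised to "warning".
GOOD = {
    "class": "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler",
    "config": {
        "name": "MySyslogAuditEventHandler", "topics": ["access"],
        "protocol": "TCP", "host": "syslogd.example.com", "port": 6514,
        "connectTimeout": 30000, "facility": "local0",
        "severityFieldMappings": [{
            "topic": "access", "field": "response/status",
            "valueMappings": {"FAILED": "warning", "SUCCESSFUL": "informational"}}],
    },
}
# Constructed sample: the same handler with a URL in "host" and no connectTimeout.
BAD = {"class": GOOD["class"],
       "config": {**GOOD["config"], "host": "https://syslogd.example.com"}}
del BAD["config"]["connectTimeout"]

if __name__ == "__main__":
    print("GOOD:", validate(GOOD))
    print("BAD:", validate(BAD))
    print("PRI for a failed access event:", pri(GOOD, "access", {"response": {"status": "FAILED"}}))
```

Running it reports no problems for GOOD, two for BAD (the missing connectTimeout and the URL in host), and PRI 132 for a failed access event: local0 is facility 16 and warning is severity 4, so 16 * 8 + 4. A successful event maps to informational and gets 134, which is also what an event with no matching value gets under the assumed default. Checking the PRI on the receiving daemon is the quickest way to confirm that a severity mapping is in effect.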