Configuring remote syslog auditing in SSMC

SSMC can export audit log events to a remote syslog server, such as a Security Information and Event Management (SIEM) system. You can configure this in more than one way.

If you only need to export the audit log events of the web application, which is the simpler setup, follow the instructions in this section. If you want a more comprehensive configuration that covers auditable events from both the web application and SSMC appliance user sessions and follows NIST 800-53 guidelines, skip this section and see the section Export logs to remote logging server.

Prerequisites
  • Create a backup copy of the log4j2.json located in the /opt/hpe/ssmc/ssmcbase/resources/ directory in the SSMC appliance.
    NOTE:

    The SSMC administrator can take a backup copy of the JSON file in the home directory. For example, the administrator can run the command cp -p /opt/hpe/ssmc/ssmcbase/resources/log4j2.json ~/log4j2.json.bak, which creates a backup of the /opt/hpe/ssmc/ssmcbase/resources/log4j2.json file as /home/ssmcadmin/log4j2.json.bak.

  • Use a text editor with JSON-aware syntax checking to avoid any errors. Syntax mistakes in the log4j2.json file, such as missing a bracket or comma, can cause all logging to fail.

    If you do not have a JSON-aware text editor, run the following command instead to check the syntax:

    ssmcadmin@ssmc361:/opt/hpe/ssmc/ssmcbase/resources$ python -m json.tool < log4j2.json > /dev/null
    Expecting property name: line 25 column 1 (char 497)
    ssmcadmin@ssmc361:/opt/hpe/ssmc/ssmcbase/resources$

    If the file is valid JSON, the command produces no output.

    You can also use the SSMC setup menu to avoid the syntax errors.

  • Gather the host IP address, port number, and protocol values from your Syslog host system.

  • If your Syslog host system uses SSL, you must have the password for the truststore that contains the trusted certificate for your Syslog host. To generate a new trusted certificate for your Syslog host, see Generating a new trust store for SSMC remote Syslog appender.

Procedure
  1. On the SSMC host system, locate the /opt/hpe/ssmc/ssmcbase/resources/log4j2.json file.
  2. Create a backup copy of the log4j2.json file before making any changes, so that you can restore it if needed.
  3. Locate the "appenders" block in the file.
  4. Insert an entry similar to the one shown, replacing the host, port, and protocol values with the values from your Syslog host.

    The protocol entry must contain a value of tcp or udp.

    IMPORTANT:

    When you toggle SSMC FIPS mode to ON, the "type" entry changes automatically from "JKS" to "BCFKS". FIPS requires a "type" setting of "BCFKS".

    "appenders" : {
      "Syslog" : {
        "host" : "192.168.1.1",
        "port" : "6514",
        "protocol" : "tcp",
        "newLine" : "false",
        "appName" : "ssmcaudit",
        "includeMDC" : "true",
        "name" : "RemoteSyslog",
        "format" : "RFC5424",
        "mdcID" : "ssmcaudit",
        "messageId" : "Audit",
        "facility" : "AUTH",
        "SSL" : {
          "protocol" : "SSL",
          "TrustStore" : {
            "password" : "password here",
            "location" : "resources/syslog-truststore",
            "type" : "JKS"
          }
        }
      },

  5. Change "newLine" to "true".
  6. Review the SSL information in the file.

    If your Syslog server does not use SSL, then you can omit the SSL block.

    If your Syslog server does use SSL, enter the password for the truststore that contains the trusted certificate of your Syslog server.

  7. Locate the entry with "name":"RemoteAudit" defined under the loggers block in the log4j2.json file and replace it with the following entry:

    {
      "name" : "RemoteAudit",
      "level" : "info",
      "additivity" : "false",
      "appender-ref" : {
        "ref" : "RemoteSyslog"
      }
    }

  8. Save the modified file in the /opt/hpe/ssmc/ssmcbase/resources folder.

    The new logging configuration takes effect immediately. If the change is successful, audit entries similar to the following appear on your remote Syslog server:

    Oct 20 14:26:21 ssmc-host.example.com ssmcaudit "192.168.1.2",
    "unknown","unknown","unknown","CREATE","foundation action","SUCCESS",
    "https://192.168.1.3:8443/foundation/REST/sessionservice/sessions",
    "unknown","unknown","SUCCESS"
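Because a syntax error in log4j2.json silently disables all logging, and a typo in the appender name or a leftover placeholder password disables just the audit export, it is worth checking the edited file before saving it. The following script is an added example, not part of the SSMC documentation or product: it parses a log4j2.json, then applies the checks this procedure describes (valid JSON, Syslog appender with host, numeric port and a tcp/udp protocol, "newLine" set to "true", a truststore password that is not the "password here" placeholder, a truststore type of JKS or BCFKS, and BCFKS only when FIPS mode is on, and a RemoteAudit logger whose appender-ref matches the Syslog appender's name). The embedded sample configuration is constructed from the fragments above; the wrapper key handling ("configuration") and the list-or-object handling of the "logger" entry are assumptions about how the file may be laid out, not something the page states.

```python
"""Check the remote-syslog settings in an SSMC log4j2.json before saving it.

Added example, not part of the SSMC documentation or product.
"""
import json
import sys

PLACEHOLDER_PASSWORD = "password here"  # placeholder value from the documented fragment


def load_config(text):
    """Parse JSON text; return (config, None) on success or (None, error message)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"


def _find_logger(loggers, name):
    """Return the logger entry with the given name; 'logger' may be a list or one object."""
    entries = loggers.get("logger", [])
    if isinstance(entries, dict):
        entries = [entries]
    for entry in entries:
        if entry.get("name") == name:
            return entry
    return None


def check_syslog_config(config, fips_mode=False):
    """Return a list of problems; an empty list means the configuration passes."""
    if not isinstance(config, dict):
        return ["top-level JSON value is not an object"]
    config = config.get("configuration", config)  # assumption: optional wrapper key
    problems = []
    syslog = config.get("appenders", {}).get("Syslog")
    if syslog is None:
        return ["no Syslog entry under appenders"]
    for key in ("host", "port", "name"):
        if not syslog.get(key):
            problems.append(f"Syslog appender is missing '{key}'")
    if not str(syslog.get("port", "")).isdigit():
        problems.append("Syslog port must be numeric")
    if syslog.get("protocol") not in ("tcp", "udp"):
        problems.append("Syslog protocol must be 'tcp' or 'udp'")
    if syslog.get("newLine") != "true":
        problems.append('Syslog newLine should be "true"')
    ssl = syslog.get("SSL")
    if ssl is not None:  # the SSL block is optional; without it nothing TLS-related is checked
        trust = ssl.get("TrustStore", {})
        if trust.get("password") in (None, "", PLACEHOLDER_PASSWORD):
            problems.append("TrustStore password is empty or still the placeholder")
        if not trust.get("location"):
            problems.append("TrustStore location is missing")
        allowed_types = ("BCFKS",) if fips_mode else ("JKS", "BCFKS")
        if trust.get("type") not in allowed_types:
            problems.append(f"TrustStore type must be one of {allowed_types}")
    audit = _find_logger(config.get("loggers", {}), "RemoteAudit")
    if audit is None:
        problems.append("no logger named RemoteAudit under loggers")
    else:
        ref = audit.get("appender-ref", {}).get("ref")
        if ref != syslog.get("name"):
            problems.append(f"RemoteAudit appender-ref '{ref}' does not match "
                            f"Syslog appender name '{syslog.get('name')}'")
    return problems


def validate_text(text, fips_mode=False):
    """Parse and check in one step; a parse failure is reported as the only problem."""
    config, err = load_config(text)
    if err:
        return [err]
    return check_syslog_config(config, fips_mode)


# Constructed sample mirroring the documented fragments, with the two values the
# procedure tells you to change (newLine, truststore password) still at their initial settings.
SAMPLE_BEFORE = """{
  "appenders": {
    "Syslog": {
      "host": "192.168.1.1", "port": "6514", "protocol": "tcp",
      "newLine": "false", "appName": "ssmcaudit", "includeMDC": "true",
      "name": "RemoteSyslog", "format": "RFC5424", "mdcID": "ssmcaudit",
      "messageId": "Audit", "facility": "AUTH",
      "SSL": {
        "protocol": "SSL",
        "TrustStore": {
          "password": "password here",
          "location": "resources/syslog-truststore",
          "type": "JKS"
        }
      }
    }
  },
  "loggers": {
    "logger": [
      {"name": "RemoteAudit", "level": "info", "additivity": "false",
       "appender-ref": {"ref": "RemoteSyslog"}}
    ]
  }
}"""

# The same sample after steps 5 and 6 have been applied (constructed password value).
SAMPLE_AFTER = SAMPLE_BEFORE.replace('"newLine": "false"', '"newLine": "true"') \
                            .replace('"password here"', '"example-truststore-pw"')

if __name__ == "__main__":
    # Usage: python check_ssmc_syslog.py [/opt/hpe/ssmc/ssmcbase/resources/log4j2.json] [--fips]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(args[0]).read() if args else SAMPLE_BEFORE
    for line in validate_text(text, fips_mode="--fips" in sys.argv) or ["OK"]:
        print(line)
```

Run it against the real file after editing and before relying on the export; pass --fips when SSMC FIPS mode is on so that a JKS truststore type is reported. Without arguments it checks the embedded "before" sample and reports the two values the procedure asks you to change.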