26. 10. 2010 Patrick Zambelli Log Auditing, Syslog

Centralized syslog agent configuration for SAFED

Today’s blog article highlights the latest news from the Syslog Server development area. The focus lies on the integration of the distributed syslog agents into the SyslogView module of the NetEye server.

The motivation for this strategic implementation is to accelerate the installation – only a single MSI executable, requiring no user interaction, has to be installed in your infrastructure – and to deploy the agent configuration alongside it.
With this feature it is possible to automatically configure and update a remotely installed SAFED agent in your infrastructure.

The configuration structure

The configuration of a SAFED agent consists of three sections:

  • Microsoft EventLog auditing
  • Log file auditing (text files written by applications, DBMS, etc.)
  • Setup of SAFED – Server communication specific settings

As indicated in the schema below, the EventID and LogFile configuration is abstracted by a template configuration, which allows single objects to be assigned to a template.

Templates: the abstraction layer

Introducing an additional layer for the presentation of the configuration provides additional flexibility.

While a single configuration object (EventID object or LogFile object) defines a specific event ID or log file to monitor behind a filter, the template layer allows such object definitions to be packed into a logical aggregate of objects and filters to include or exclude.
At the same time, this makes it possible to define an object once and reuse it multiple times within templates for the various scenarios.

SAFED configuration profiles

The SAFED syslog agent has been developed for both the Windows and the Unix/Linux world. These two worlds differ in many aspects, and accordingly the SAFED agent allows different configuration settings. For this reason the general settings profile differs slightly, but generally through the central configuration form we define:

  • Activation of EventLog and LogFile read engine
  • Local and domain wide system administrator discovery for authentication auditing
  • Syslog data stream destination, port and protocol
  • Security and access restriction settings

Administrator auditing

The special profile for administrator authentication auditing is realized by an integrated discovery of local and domain-wide administrator accounts within SAFED. On the Windows system, this feature audits the proper EventIDs for the system SAFED is installed on and enables a rule for logging the authentication activities of administrative accounts.

The benefit

The SAFED configuration architectures can be defined by logical host and service groups and assigned to the remote agents via a remote commit. The benefit lies in the flexibility to update and extend configuration settings and to push them to the remote agents with a single action. Every update to the abstracted configuration structures is highlighted on the affected servers, indicating that a configuration update is required.
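To make the template layer and the update flagging described above concrete, here is an added example (not SAFED's or NetEye's own code or configuration format) that models EventID and LogFile objects, templates that include or exclude them, template assignment via host groups, and a fingerprint comparison that tells which agents still need a commit. The object names, filters, host names and the rule that an exclusion in any assigned template wins are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from hashlib import sha256
import json

# Constructed sample objects: one definition each, reused by several templates.
OBJECTS = {
    "logon_success": {"type": "EventID", "id": 4624, "filter": "*"},
    "logon_failure": {"type": "EventID", "id": 4625, "filter": "*"},
    "admin_logon":   {"type": "EventID", "id": 4624, "filter": "user in admins"},
    "iis_access":    {"type": "LogFile", "path": r"C:\inetpub\logs\u_ex*.log", "filter": "*"},
}

@dataclass
class Template:
    name: str
    include: list = field(default_factory=list)  # object names to monitor
    exclude: list = field(default_factory=list)  # object names to suppress

TEMPLATES = {
    "base": Template("base", include=["logon_success", "logon_failure"]),
    "admin-auth": Template("admin-auth", include=["admin_logon"], exclude=["logon_success"]),
    "webserver": Template("webserver", include=["iis_access"]),
}

# Templates are assigned to logical host groups, not to single hosts (hypothetical hosts).
HOST_GROUPS = {"dc01": ["domain-controllers"], "web01": ["web"]}
GROUP_TEMPLATES = {"domain-controllers": ["base", "admin-auth"], "web": ["base", "webserver"]}

def resolve(host):
    """Effective per-host config: union of included objects minus any excluded one.
    Assumption: an exclusion in any assigned template wins over an inclusion elsewhere."""
    included, excluded = set(), set()
    for group in HOST_GROUPS[host]:
        for tname in GROUP_TEMPLATES[group]:
            included.update(TEMPLATES[tname].include)
            excluded.update(TEMPLATES[tname].exclude)
    return {name: OBJECTS[name] for name in sorted(included - excluded)}

def fingerprint(config):
    """Stable digest of a resolved config, stored at the last remote commit."""
    return sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

def hosts_needing_update(committed):
    """committed: host -> fingerprint sent at the last commit; flags hosts whose
    resolved config changed because an object or template was edited."""
    return sorted(h for h in HOST_GROUPS if fingerprint(resolve(h)) != committed.get(h))

if __name__ == "__main__":
    last = {h: fingerprint(resolve(h)) for h in HOST_GROUPS}
    TEMPLATES["webserver"].exclude.append("logon_success")  # edit one template
    print(hosts_needing_update(last))  # prints ['web01']
```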

Patrick Zambelli


Product Manager at Würth Phoenix
After my graduation in Applied Computer Science at the Free University of Bolzano I decided to start my professional career outside the province. With a bit of good timing and good luck I went into the booming IT-Dept. of Geox in the shoe district of Montebelluna, where I realized how a big IT infrastructure has to grow and adapt to quickly changing requirements. During this experience I had also the nice possibility to travel the world, while setting up the various production and retail areas of this company. Arrived at Würth Phoenix I started developing on our monitoring solution NetEye. Today, in my position as Product Manager, I aim to continuously improve our solutions and to adapt them to actual market requirements.
