Syslog integration with TPAM.

Hello,

I want to integrate the Syslog server (LogRhythm) with TPAM.

For this, I have configured the Syslog setting in TPAM; moreover, I am not able to find any logs and not able to find the log source type in the syslog server device.

Do I need to do any additional configuration from the TPAM side?

Please advise. Thanks

Regards,

jafar

  • Hi Jafar

    First thing to understand is that TPAM uses a proprietary syslog format. Once you have configured TPAM with the network address and port that your Syslog server uses, TPAM will send syslog data. You can then select the check boxes to send the sys-admin activity log, the user-activity log and the failed login logs.

    So if you have configured and enabled these settings, TPAM will be sending this information.

    Your next step is to ensure that your Syslog server is actually receiving these files and not just ignoring them as it does not understand the format that they are being sent in.

    I used to use a very simple free Syslog server that does not use any format to check that syslog data was being sent and also to show the format. This can be installed on a PC/laptop and will allow you to analyse the data being sent. You can find it here: https://sourceforge.net/projects/syslogserverwindows/

    If you want more information on the format that TPAM sends syslog data in, check out KB77533 from the One Identity web site.

    This is a short example of the raw syslog data TPAM sends:

    <14>PAR[55]: UserName: ParAdmin Operation: Logout ObjectType: Authentication Target: ParAdmin Role: N/A Failed? 0 OtherInfo: Inactive for 95 seconds. From address 192.168.0.200
    <14>PAR[64]: UserName: ParAdmin Operation: Login ObjectType: Authentication Target:  Role: N/A Failed? 0 OtherInfo: Primary Authentication.  TargetURL=192.168.0.143/.../main.asp. From address 192.168.0.200.
    <14>PAR[66]: UserName: ParAdmin Operation: Add ObjectType: ManagedAccount Target: syslog_test/funcacct Role: Admin Failed? 0 OtherInfo: New un-managed account
    <14>PAR[66]: UserName: ParAdmin Operation: Add ObjectType: System Target: syslog_test Role: Admin Failed? 0 OtherInfo: Network Address = TBA

    This is the filtered output from the simple syslog server:

    192.168.0.143 Jul 06 14:50:55  user info PAR[63] AdminName: ParMaster Operation: Load Queue ObjectType: Test Queue ObjectName: Test Queue OtherInfo:
    192.168.0.143 Jul 06 14:51:06  user info PAR[63] AdminName: ParMaster Operation: Stop ObjectType: Auto Management Service ObjectName: N/A OtherInfo:
    192.168.0.143 Jul 06 14:51:09  user info PAR[63] AdminName: ParMaster Operation: Start ObjectType: Auto Management Service ObjectName: N/A OtherInfo:
    192.168.0.143 Jul 06 18:53:50  user info PAR[51] AdminName: ParMaster Operation: Run ObjectType: SupportBundle ObjectName: N/A OtherInfo:
    192.168.0.143 Jul 06 18:55:59  user info PAR[57] AdminName: Internal Account Operation: Create Support Bundle ObjectType: SupportBundle ObjectName: SupportBundle_ForInternalUseOnly_20160706T175353.zip OtherInfo: Checksum=8394b84135acb79cd4c589ef172eaf43 */cygdrive/c/temp

    I have used the simple syslog server to export this filtered data to a directory and then imported it into another syslog server where it could be more easily translated.

    I have other examples that were captured if you need more.

    Hope this helps

    Best regards

    Tim
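As an added example (not code from the thread, from One Identity or from LogRhythm), here is a small Python parser for the two line shapes shown above, the raw `<PRI>PAR[id]:` form and the form relayed by the simple syslog server; it splits the body on TPAM's field labels and picks out failed authentications, the event a SIEM rule would key on once the source is recognised. The label list is taken from the sample lines in the thread; the failed-login line in the sample set is constructed for this example, not captured.

```python
import re
# Field labels seen in TPAM's proprietary body (taken from the sample lines in the thread).
_KEY_RE = re.compile(r"(UserName|AdminName|Operation|ObjectType|ObjectName|Target|Role|OtherInfo):|(Failed\?)")
# Raw wire form:  <PRI>PAR[id]: body
_RAW_RE = re.compile(r"^<(?P<pri>\d+)>PAR\[(?P<pid>\d+)\]:\s*(?P<body>.*)$")
# Form relayed by the simple syslog server:  host timestamp facility severity PAR[id] body
_RELAYED_RE = re.compile(r"^(?P<host>\S+)\s+(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d)\s+(?P<facility>\w+)"
                         r"\s+(?P<severity>\w+)\s+PAR\[(?P<pid>\d+)\]\s*(?P<body>.*)$")
# RFC 3164 PRI = facility * 8 + severity, so <14> is user(1).info(6), matching the relayed lines.
_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Constructed sample: two lines quoted from the thread plus one failed login made up for this example.
SAMPLE = [
    "<14>PAR[64]: UserName: ParAdmin Operation: Login ObjectType: Authentication Target:  Role: N/A "
    "Failed? 0 OtherInfo: Primary Authentication.  TargetURL=192.168.0.143/.../main.asp. From address 192.168.0.200.",
    "192.168.0.143 Jul 06 14:51:06  user info PAR[63] AdminName: ParMaster Operation: Stop "
    "ObjectType: Auto Management Service ObjectName: N/A OtherInfo:",
    "<14>PAR[64]: UserName: ParAdmin Operation: Login ObjectType: Authentication Target:  Role: N/A "
    "Failed? 1 OtherInfo: Primary Authentication. From address 192.168.0.250.",
]

def _split_body(body: str) -> dict:
    """Cut the body at every known label; each value runs up to the next label."""
    fields, hits = {}, list(_KEY_RE.finditer(body))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[m.group(1) or m.group(2)] = body[m.end():end].strip()
    return fields

def parse_tpam_syslog(line: str) -> dict:
    """Parse one TPAM line, raw or relayed, into a flat dict of header plus body fields."""
    m = _RAW_RE.match(line) or _RELAYED_RE.match(line)
    if not m:
        raise ValueError(f"not a TPAM syslog line: {line!r}")
    head = {k: v for k, v in m.groupdict().items() if k not in ("pri", "body")}
    if "pri" in m.groupdict():  # raw form carries the PRI number instead of facility/severity words
        pri = int(m.group("pri"))
        head["facility"] = "user" if pri // 8 == 1 else str(pri // 8)
        head["severity"] = _SEVERITIES[pri % 8]
    head["pid"] = int(head["pid"])
    return {**head, **_split_body(m.group("body"))}

def failed_logins(lines) -> list:
    """(user, source address) per failed authentication: the event a SIEM alarm should key on."""
    out = []
    for ev in (parse_tpam_syslog(ln) for ln in lines if ln.strip()):
        if ev.get("ObjectType") == "Authentication" and ev.get("Failed?") == "1":
            src = re.search(r"From address (\d+\.\d+\.\d+\.\d+)", ev.get("OtherInfo", ""))
            out.append((ev.get("UserName"), src.group(1) if src else None))
    return out
```

Note that `TargetURL=` inside OtherInfo is not mistaken for the `Target:` field because the label regex requires the colon immediately after the label.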
