The System i can log a wide variety of security events. You may wish to audit all events, or a subset of security events. Please consult the IBM System i Security Guide for a description of the events you can log.
To enable security auditing, use the CHGSECAUD command. The Change Security Audit (CHGSECAUD) command performs many of the steps to implement security audit through one command step. This command will create the journal receiver, the QAUDJRN journal, and change system values to enable security auditing. The command provides a fast way to implement system I security logging. If you use this command to start security auditing you should review the IBM System i Security Guide to determine if there are other security options you would like to enable. You should especially review the Change User Audit (CHGUSRAUD) command and consider logging security administrator user profiles. See Section 6.5.2, “Enabling user auditing” and Section 6.5.3, “Enabling object auditing”.
Note: If you will be sending system audit journal information to syslog-ng you may wish to delete older journal receivers before starting the process. The syslog-ng Agent collects journal entries from the beginning of the current chain of journal receivers. The date of all log entries is the date of the actual journal entry, but there may be a lot of historical information that you do not want to process. You should consider making a permanent backup of system audit journals before deleting them. Use the Work With Journal Attributes (WRKJRNA) command to view the journal receivers for the QAUDJRN journal.
If you want to manually enable security auditing instead of using the CHGSECAUD command, complete the following steps.
Create the journal receiver for the security journal. It is recommended that you create a library to contain the journal receiver, and then create the receiver using a 4 digit sequence number in the name. Issue the following commands:
```
CRTLIB LIB(AUDJRN) TEXT('AUDIT JOURNALS')
CRTJRNRCV JRNRCV(AUDJRN/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) TEXT('Auditing Journal Receiver')
```
Create the journal QAUDJRN in the system library QSYS and refer to the journal receiver you created above. It is recommended that you allow the system to manage the receivers. Issue the following commands:
```
CRTJRN JRN(QSYS/QAUDJRN) +
       JRNRCV(AUDJRN/AUDRCV0001) +
       MNGRCV(*SYSTEM) DLTRCV(*NO) +
       AUT(*EXCLUDE) TEXT('Auditing Journal')
```
Warning: The system will not automatically delete security audit journals. You will need to periodically back up and delete old journals.
Change system values to enable security logging. You can now use the Work With System Values (WRKSYSVAL) command to change the QAUDLVL and QAUDLVL2 settings. These settings are used to select the security audit features and begin security logging. Please see the IBM System i Security Guide for a complete description of the audit options.
You can use the Change User Audit (CHGUSRAUD) command to enable the logging of specific user activity. You should consider enabling user auditing for any user with special privileges such as QSECOFR and any user with *SECADM and *AUDIT capabilities.
You may wish to enable specific object auditing using the Change Object Audit (CHGOBJAUD), Change DLO Audit (CHGDLOAUD), and Change Audit (CHGAUD) commands. These commands can be used to enable the monitoring of specific objects on your system.
The syslog-ng Agent for IBM System i can be configured from a native System i configuration interface. Configuring the syslog-ng Agent application involves configuring the global options for collecting and sending syslog messages, and configuring the communications client application to talk to the syslog server.
Issue the following commands to add the ALLSYL100 library to your library list and display the main menu of the syslog-ng Agent for IBM System i:
```
ADDLIBLE ALLSYL100
GO SYMAIN
```
Select the option for Configuration, then select the option to Configure Alliance Syslog. The following panel is displayed:
Enable diagnostic logging: Enter 1 for Yes to enable diagnostic logging. When diagnostic logging is enabled the job descriptions are set for maximum job logs. Enter 2 for No to disable application logging.
Enable QAUDJRN messages: Enter 1 for Yes to enable sending QAUDJRN messages to a syslog server. When enabled the system security audit journal reader job will be started in the Alliance subsystem ALLSYL100. Enter 2 for No to not send audit journal entries to the syslog server.
Enable QSYSOPR messages: Enter 1 for Yes to enable sending QSYSOPR messages to a syslog server. Enter 2 for No to not send QSYSOPR messages to the syslog server.
Message queue name: If you select the option to send QSYSOPR messages to a syslog server enter the name of the message queue. The default is QSYSOPR.
Format: Enter option 1 to create log messages in the Syslog format (RFC 3164). Enter option 2 to create log messages in Common Event Format (CEF).
The syslog-ng Agent for IBM System i can send the log messages to a syslog or syslog-ng server or relay destination. The server can be a remote server, or it can run in the PASE environment of the System i. To configure the destination server, start the configuration interface of the syslog-ng Agent (GO SYMAIN) and select > . The following panel is displayed:
Three sample configurations are displayed:
SYSLOG: Send log messages to a syslog-ng server using a standard TCP connection.
SYSLOGD: Send log messages to a syslog-ng server using a standard UDP connection.
SYSLOGSSL: Send log messages to a syslog-ng Premium Edition server using a TLS-encrypted connection.
Note: Only TLS encryption is supported; SSL is disabled.
Use option 2 to change a configuration.
Use option 3 to copy the configuration to a new definition.
Use option 4 to delete a configuration.
Use option 6 to print the configuration details.
When you select option 2 to change the TCP client configuration the following panel is displayed:
The following parameters can be configured:
| Attribute | Description |
|---|---|
| Client name | The name of this configuration. |
| Description | Enter a description for this configuration. |
| Status | Enter 1 for Active or 2 for Inactive. When the status is inactive the TCP client application will not be enabled. |
| Auto start client | Enter 1 for Yes to automatically start the TCP client communications when the ALLSYL100 subsystem starts. Enter 2 for No to not automatically start the TCP client. Normally you will want to automatically start the TCP client application when the subsystem starts. |
| Remote host name | Enter the DNS name for the syslog server. Use the IP address field if you do not have a DNS name for the server. |
| IP address | Enter the IP address of the syslog server if you do not have a DNS name. |
| Remote port number | Enter the port number for the syslog server. Consult with your network administrator for the port number. This will be the port number for the source syslog TCP service. |
| Application logging | Enter 1 for Yes to enable application logging. Enter 2 for No to not enable application logging. When this option is enabled detailed log records are written to the file ALLOGA. These log entries are not sent to the syslog server. |
| SSL Application ID | If this client application will use secure TLS communications, enter an Application ID. You can use the IBM Digital Certificate Manager to create certificates and associated Application IDs. |
| SSL certification passthrough | Enter 1 for Yes to enable certificate passthrough. Enter 2 for No to not allow certificate passthrough. Enabling certificate passthrough disables certificate validity checking (the server's certificate is no longer verified), but it does not allow insecure (unencrypted) connections. |
Table 6.1. Connection parameters of syslog-ng Agent for IBM System i
Use this option to define user-created QAUDJRN journal entries. When a user application sends an entry to the security journal QAUDJRN, a user-defined journal entry type is used. This is a two-character value and is different from the journal entry types that are created by i5/OS. In order to report these events you need to define them with this option and provide text and severity values.
| Attribute | Description |
|---|---|
| Description | Enter a description for this journal entry type |
| Type | The type indicates whether the event is a system provided event or a user defined event. This is an output field only. |
| Security text | Enter the text to be used with the log message. This text should be a brief description of the event type. |
| Syslog severity | Enter a value for the severity of this event type. The lower the value, the higher the severity level of the message. |
| Syslog facility | Enter a facility ID for this event type. See the documentation in RFC 3164 for information on facility IDs. Since the priority value of an event is calculated from the facility and the severity (RFC 3164 defines it as the facility multiplied by 8, plus the severity), the lower the facility number, the lower the resulting priority value and the higher the severity of the message. |
| CEF severity | If you are reporting log events in the Common Event Format enter the CEF severity level. The higher the severity number the more severe the event. |
| CEF signature | Enter a signature number for this event type. Alliance uses signature values from 1000 to 1999 so you should avoid signature values in this range. |
| Send to log server | Enter 1 for Yes to send this type of event to a log server. Enter 2 for No to suppress sending this event type to the log server. The default is Yes. |
Table 6.2. Parameters of user-created journal entries
© 2007-2008 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com