Configuring Enterprise Server Auditing

You can configure the audit facility to use syslog to create audit events and then specify where the events are sent. To enable auditing, the following must be in place:

  1. A syslog facility is required to listen on a specific port.
  2. The security configuration for the service you want to audit (for example, MFDS or a region) must be configured to generate audit events.
  3. The audit.cfg file must be configured to send audit events to the syslog port.

Configuring the External Security Manager

To generate audit events from MFDS or from a region, click Create audit events for the relevant External Security Manager (ESM). This is in the SAF Security Facility Configuration group for the relevant ESM as follows:

  • To enable auditing for MFDS, this option is in the MF Directory Server tab in the security options.
  • To enable auditing for a region, this option is available in the SAF configuration for the security manager that is in use for the region.
Note: If the region is configured to use the Default External Security Manager (ESM), this option is located in the SAF configuration in the Default ES Security tab.

If the region is configured to use a specific ESM, the SAF configuration can be found in the Security tab for the particular region.

In the relevant Security Facility, click Create audit events, and then click Apply.

Note: You must first configure the audit.cfg file, otherwise auditing will fail and the security manager will not be initialised.

Configuring the audit.cfg

The configuration is specified in the audit.cfg file, which must be located in the Enterprise Developer bin directory, %ProgramFiles(x86)%\Micro Focus\Enterprise Developer\bin. The configuration file follows the standard INI file format containing sections, properties and values.

The configuration file is read when the audit process is initialized. Changes made to the configuration file are not picked up by the audit process that is running. You must restart the audit process to reload a modified configuration file.

The audit.cfg file must be configured to point to the machine and port that is running the syslog facility.

The following is an example of the audit.cfg configuration file:

[audit]
; The type of emitter used to output audit events, valid values [syslog]|[oldaudit].
emitter=syslog

; This section is for configuring the syslog emitter
[syslog]
; The hostname and port of the syslog collector, where the syslog packets are sent.
; The hostname may be a host name string, dotted IPv4 or hex IPv6 notation.
; If you are using TLS, the hostname value may be used for hostname verification. See serverCertHostname for more information.
hostname=
port=

; protocol: Specifies the protocol syslog should use, valid values [TCP]|[TLS].
protocol=TLS

; All configuration values for syslog below this point are optional:
; tzKnown: If the timezone of this machine is known, this value should be 1. 
; If not known, it should be 0.
tzKnown=1
; isSynced: If this machine's clock is synced to a known external source, this must be set to 1. 
; Otherwise, it must be 0.
isSynced=0
; syncAccuracy: The accuracy to which the machine's clock is synced. This is an integer, in 
; microseconds, that the machine's clock may be off.
syncAccuracy=
; ip: The IP address of this machine. This may be a comma-delimited list, in the case of 
; multi-homed devices.
ip=192.168.0.1

; maxRetryTime: Configure how long (in seconds) the audit process should spend attempting to re-send data if a failure occurs. 
; The application will continue retrying until a time greater than this value has elapsed. 
; Negative values mean an infinite timeout. Defaults to 1. 
maxRetryTime=1 


; This section is for TLS configuration, which may be used by syslog.
[TLS]
; CARootFile: This is the certificate authority root file the client uses when connecting to verify 
; the server's certificate.
CARootFile=C:\Program Files (x86)\Micro Focus\DemoCA\private\CARootcert.pem

; All configuration values for TLS below this point are optional
; verifyServer: Specifies whether the client should verify the server's certificate or not. 
; Valid values: [true]|[false]. Default value is true.
verifyServer=true
; clientCertificate: The full file path to the client's certificate:
clientCertificate=C:\Program Files (x86)\Micro Focus\DemoCA\clicert.pem
; keyfile: The full file path to the client's key file:
keyfile=C:\Program Files (x86)\Micro Focus\DemoCA\clikey.pem
; keyfilePassphrase: If the keyfile has a passphrase, it is specified here:
keyfilePassphrase=srvrootpwd
; serverCertHostname: The value that is used to compare against the Hostname on the server's certificate. 
; If this is not specified (not present/commented out), by default the hostname specified in the syslog section is used. 
; If a value is not specified, for example 'serverCertHostname=', then the hostname verification is disabled.
serverCertHostname=
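
The example above leaves serverCertHostname= empty, which by its own comment disables hostname verification, and it keeps the key passphrase in the file. The following Python check is an added example, not part of the product or its documentation; it parses an audit.cfg using the section and key names shown above and flags those settings. The function name lint_audit_cfg, the finding codes, and the sample collector hostname, port, paths and passphrase are assumptions made for illustration.

```python
import configparser

# Constructed sample: the page's example with a placeholder collector filled in.
SAMPLE = r"""
[audit]
emitter=syslog
[syslog]
hostname=syslog.example.internal
port=6514
protocol=TLS
[TLS]
CARootFile=C:\certs\ca-root.pem
verifyServer=true
keyfilePassphrase=example-passphrase
serverCertHostname=
"""

def lint_audit_cfg(text):
    """Return (code, message) findings for the text of an audit.cfg file."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep % in paths literal
    cfg.read_string(text)
    # None means the key is absent; "" means present but empty.
    get = lambda section, key: cfg.get(section, key, fallback=None)
    out = []
    if (get("audit", "emitter") or "").lower() != "syslog":
        out.append(("EMITTER", "emitter is not syslog"))
    port = get("syslog", "port") or ""
    if not get("syslog", "hostname") or not (port.isdigit() and 0 < int(port) < 65536):
        out.append(("COLLECTOR", "syslog hostname/port missing or invalid"))
    if (get("syslog", "protocol") or "").upper() != "TLS":
        out.append(("PLAINTEXT", "protocol is not TLS; events cross the network unencrypted"))
        return out  # the TLS checks below do not apply
    if not get("TLS", "CARootFile"):
        out.append(("NO_CA", "CARootFile is required to verify the collector"))
    if (get("TLS", "verifyServer") or "true").lower() == "false":
        out.append(("NO_VERIFY", "verifyServer=false disables certificate verification"))
    if get("TLS", "serverCertHostname") == "":
        out.append(("NO_HOSTNAME_CHECK", "empty serverCertHostname disables hostname verification"))
    if get("TLS", "keyfilePassphrase"):
        out.append(("PASSPHRASE_IN_FILE", "key passphrase is in cleartext; restrict access to audit.cfg"))
    return out

if __name__ == "__main__":
    for code, message in lint_audit_cfg(SAMPLE):
        print(f"{code}: {message}")
```

Removing the serverCertHostname line entirely (rather than leaving it empty) restores the default of verifying against the hostname in the [syslog] section.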