2.4 Logging of Syslog Audit Messages

SecureLogin includes a facility to log Syslog audit messages. During installation, NetIQ SecureLogin is configured on each host such as Citrix, terminal servers, and so on to connect and generate logs to a specific syslog service.

This enhances the auditing mechanism and removes the need of having another Security Information and Event Management (SIEM) solution.

2.4.1 Installing and Configuring Syslog Auditing

Installing Syslog Auditing Feature Using the Windows Installer Wizard

  1. Select Syslog Server option under Auditing to enable the Syslog auditing feature.

    If the Forward to Syslog Server option under Windows EventLog is also selected, duplicate events gets generated in the Syslog server. For more information, see Logging Event Messages.

  2. Specify the name of the server that is to be configured as the Syslog server. By default the Syslog server address is set to localhost and the supported protocols are UDP, and TLS.

    By default, the Syslog server listens to default ports for each protocol. Such as, for UDP the Syslog server listens to 514 and for TLS the server listens to 6514.

  3. Select the language in which the event message should be sent to Syslog server. The supported languages are:

    • German

    • English

    • Spanish

    • French

    • Japanese

    • Portuguese

    • Chinese (Traditional)

    • Polish

      The default language is English.

  4. Click Next to install the Syslog Auditing feature on the workstation.

Configuring Syslog Auditing Using the Windows Installer Command-Line Option

To configure Syslog using command-line option, use the following command:

APPENDLOCAL=Syslog SYSLOGSERVERURI=protocol-type://server-name:port-number:X_SYSLOGLANGUAGEID=<language-code>

Replace language-code with the code from the following supported languages:

  • 1028 - Chinese (Traditional)

  • 1031 - German

  • 1033 - English (Default)

  • 1034 - Spanish

  • 1036 - French

  • 1041 - Japanese

  • 1045 - Polish

  • 1046 - Portuguese

For example: APPENDLOCAL=Syslog SYSLOGSERVERURI=udp://localhost:514:1045

Modifying the Registry Settings

To enable/ disable Syslog audit messages, create the following registry entries:

EnableSysLog

Purpose

Enable/Disable sending audit events to the syslog server

Location

HKEY_LOCAL_MACHINE\Software\Protocom\SecureLogin

Type

REG_DWORD

Value

1 - Enable

0 - Disable (Default)

SyslogServerUri

Purpose

Syslog server details in the form of URI

Location

HKEY_LOCAL_MACHINE\Software\Protocom\SecureLogin

Type

REG_SZ

Value

<protocol-type>://<server-name>:<port-number>:X_SYSLOGLANGUAGEID=<language-code>

For example: udp://syslog.myserver.com:514:X_SYSLOGLANGUAGEID=1033

SyslogMessageLanguageId

Purpose

Language that should be used in sending the event message to syslog server.

Location

HKEY_LOCAL_MACHINE\SOFTWARE\Protocom\SecureLogin

Type

REG_DWORD

Value

Decimal value of the respective language as mentioned in section 1.3.1.2.

2.4.2 Enabling Logging to Syslog

  1. Launch an Administrative Utility.

  2. Click Preferences > Auditing. The Enable logging to Syslog Server option is an administrator setting that is disabled by default. To enable logging of Syslog events on the user’s workstation, select this option and set it to Yes.