
severityFieldMappings in syslog audit configuration not mapping correctly to syslog files

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None

      Description

      Current syslog audit behaviour doesn't seem to evaluate the valueMappings correctly. For example, it isn't sending a failed recon to the /var/log/emerg.log file; it appears in the /var/log/info.log file, even though it's configured to be sent to /var/log/emerg.log.

      Steps to replicate:

      • rsyslog configuration file rsyslog.conf:

            $ModLoad imudp
            $UDPServerRun 10514

            $template t_idm,"%rawmsg%\n"

            *.info             /usr/local/var/log/info.log;t_idm
            *.emerg            /usr/local/var/log/emerg.log;t_idm

      • Enable the syslog audit handler in audit.json by adding the code block below (copied from the integrator's guide):

            {
                "class" : "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler",
                "config" : {
                    "protocol" : "UDP",
                    "host" : "172.16.206.5",
                    "port" : 514,
                    "connectTimeout" : 5,
                    "facility" : "KERN",
                    "severityFieldMappings" : [
                        {
                            "topic" : "recon",
                            "field" : "exception",
                            "valueMappings" : {
                                "SEVERE" : "EMERGENCY",
                                "INFO" : "INFORMATIONAL"
                            }
                        }
                    ],
                    "buffering" : {
                        "enabled" : false
                    },
                    "name" : "syslog1",
                    "topics" : [
                        "config",
                        "activity",
                        "authentication",
                        "access",
                        "recon",
                        "sync"
                    ],
                    "enabled" : true
                }
            }

      • Unzip IDM 6.5.0.3
      • Run ./startup.sh -p samples/sync-with-ldap without installing LDAP
      • Run reconciliation with the systemLdapAccount_managedUser recon; it will fail
      • Logs will be in /var/log/info.log rather than /var/log/emerg.log

      Various scenarios have been tried; this isn't unique to recon.
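To see the severity the handler actually emits, instead of inferring it from which file rsyslog writes, the added Python below (not part of this report or of the ForgeRock code) decodes the leading <PRI> of a raw syslog datagram into facility and severity, computes the PRI that the configured KERN facility and valueMappings should produce, and evaluates classic rsyslog selectors; note that `*.info` also matches emerg messages, so a correctly mapped message would land in both files. The `listen` helper, the severity names other than EMERGENCY and INFORMATIONAL, and the sample messages are assumptions constructed for this example.

```python
import re
import socket

# RFC 5424 section 6.2.1 numbering: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Severity names as written in the audit.json valueMappings, mapped to RFC numbers.
# Only EMERGENCY and INFORMATIONAL appear in the report; the other spellings are assumed.
AUDIT_SEVERITY = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
                  "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(message: str) -> dict:
    """Split the leading <PRI> of a raw syslog message into facility and severity names."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message does not start with a <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity]}

def expected_pri(facility: str, audit_severity: str) -> int:
    """PRI the handler should emit for its configured facility and a valueMappings severity."""
    return FACILITIES.index(facility.lower()) * 8 + AUDIT_SEVERITY[audit_severity.upper()]

def selector_matches(selector: str, severity: str) -> bool:
    """Classic rsyslog 'facility.priority' selector: matches that priority and anything more severe."""
    _facility, priority = selector.split(".")
    return SEVERITIES.index(severity) <= SEVERITIES.index(priority)

def listen(port: int = 10514, count: int = 1) -> list:
    """Receive `count` UDP datagrams on `port` and return each one's decoded PRI."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        return [decode_pri(sock.recvfrom(65535)[0].decode("utf-8", "replace"))
                for _ in range(count)]

# Constructed samples: the PRI a failed recon would carry if SEVERE -> EMERGENCY took effect
# under facility KERN (0 * 8 + 0), and the PRI it carries if it is still sent as INFORMATIONAL.
SAMPLE_EMERG = "<0>1 2020-01-01T00:00:00Z idm-host IDM - - - recon failed"
SAMPLE_INFO = "<6>1 2020-01-01T00:00:00Z idm-host IDM - - - recon failed"
```

Run `listen()` on the rsyslog host while triggering the failing recon and compare the returned severity with `expected_pri("KERN", "EMERGENCY")` to tell a mapping bug in the handler apart from a routing issue in rsyslog.conf.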

            People

            • Assignee: Unassigned
            • Reporter: margaret.rizkalla Margaret Rizkalla