Log Settings

Starting with version 4.2.0, there are additional options for configuring how the audit log gets forwarded to syslog.

┌───────────────────────────────────────────────────────────────────────┐
│       Log Settings on node1 (Version X.X.X build XXXX)                │
└───────────────────────────────────────────────────────────────────────┘

┌─┬─────────────────────────────────────────────────────────────────────┐
│1│Show current log settings                                            │
│2│Audit to syslog filter                                               │
│3│Audit to syslog format                                               │
└─┴─────────────────────────────────────────────────────────────────────┘

Move the cursor or enter a it's corresponding number (Q to Quit)

Main> System Settings> Appliance>
The legacy options still exist under Main> System Settings> Network> Syslog. There you can turn on forwarding for non-alarmed decrypt events.
This is also where you will find options for syslog itself and how to export your syslog.

Note

Regardless of filters, ALARM DECRYPTED events will always be forwarded to syslog.

Warning

Previously, ALARM DECRYPTED and DECRYPTED events would be translated to alarm-decrypted and decrypted in the syslog. If an audit to syslog filter is set, all events will be passed as is, without translation. To revert to the legacy behavior, simply unset the filter.

Show current log settings

Shows all current filter and format configurations.

Show current log settings

Audit to syslog filter mode: whitelist
Audit to syslog filter pattern: /.*/
Audit to syslog format: action="%action%" user="%user.username%" obj="%object.id%" id="%log.id%"


(Press any key to continue)

Audit to syslog filter

Configure a regular expression to determine which events will be passed from audit to syslog. This can be set in whitelist or blacklist mode.

Use U to unset the filter to revert to the legacy behavior.

Audit to syslog filter

ALARM DECRYPTED events are always passed syslog.

By setting a filter, all or a subset of events can be passed to syslog.

The filter can be set in whitelist (include matches),
or blacklist (exclude matches) mode.

The filter pattern is a regular expression, including delimiters.

Unset the pattern to revert to default behaviour.

Example filter: /^AUTH FAILURE|^BACKUP HAD ERRORS/
will match events starting with "AUTH FAILURE" or "BACKUP HAD ERRORS".

Filter mode (w/b, Q to Quit)? <whitelist>:
Filter mode set to whitelist.
Filter pattern (U to Unset, Q to Quit)? </.*/>:
Filter pattern set to: /.*/

(Press any key to continue)

Audit to syslog format

Configure the format in which audit entries should be forwarded. The available variables for substitution are listed in the example below.

Use U to unset the format and revert to the default format.

Audit to syslog format

The following variables are available for replacement:
  %log.id%        (database ID for this log entry)
  %action%
  %object.name%
  %object.id%
  %group.name%
  %group.id%
  %vault.name%    (alias for group.name)
  %vault.id%      (alias for group.id)
  %user.fullname%
  %user.username%
  %user.id%
  %user.ip%
  %time.unix%     (unix epoch timestamp)
  %time.ecs%      (Y-m-d\TH:i:s.v\Z)
  %time.sql%      (Y-m-d H:i:s)
  %time.iso8601%  (Y-m-d\TH:i:sP)

For example, '{"user":"%user.username%"}' would log only the username
in a JSON format when a tracked event occurs.

Unset the format to revert to the default syslog format.

Syslog format (U to Unset, Q to Quit)? <action="%action%" user="%user.username%" obj="%object.id%" id="%log.id%">:
Format set to: action="%action%" user="%user.username%" obj="%object.id%" id="%log.id%"

(Press any key to continue)

The default format is:

action="%action%" what="%object.name% (%object.id%)" user="%user.fullname% (%user.id%)" source="%user.ip%" username="%user.username%"

Example filters

The following filters assume the mode is set to whitelist.

  • Forward everything:

    /.*/ or //

  • Forward login and logout events:

    /^LOGIN|^LOGOUT/

  • Forward API key auth failures and errors from the backup script:

    /^AUTH FAILURE.*APIKEY|^create-backup/

Check the event column of the audit log in the StoredSafe GUI to see more events that can be forwarded.
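As an added illustration (not StoredSafe's own code), the following Python models the settings described above: the delimited regular expression applied in whitelist or blacklist mode, the unconditional forwarding of ALARM DECRYPTED, the legacy translation that applies only while the filter is unset, and %variable% substitution including the documented time formats. The sample audit entries, the legacy_decrypted flag (standing in for the Network> Syslog option for non-alarmed decrypt events) and the choice to leave unknown tokens verbatim are assumptions.

```python
import re
from datetime import datetime, timezone

DEFAULT_FORMAT = ('action="%action%" what="%object.name% (%object.id%)" '
                  'user="%user.fullname% (%user.id%)" source="%user.ip%" username="%user.username%"')

# Constructed sample audit entries; keys mirror the %...% variables listed above.
SAMPLE_EVENTS = [
    {"log.id": 101, "action": "LOGIN", "object.name": "-", "object.id": "-", "user.fullname": "Alice Example",
     "user.username": "alice", "user.id": 7, "user.ip": "192.0.2.10", "time.unix": 1700000000},
    {"log.id": 102, "action": "AUTH FAILURE APIKEY", "object.name": "-", "object.id": "-", "user.fullname": "-",
     "user.username": "svc-backup", "user.id": 9, "user.ip": "198.51.100.5", "time.unix": 1700000060},
    {"log.id": 103, "action": "ALARM DECRYPTED", "object.name": "prod-db", "object.id": 42, "user.fullname": "Bob Example",
     "user.username": "bob", "user.id": 8, "user.ip": "192.0.2.11", "time.unix": 1700000120},
]

def parse_filter(pattern):
    # The appliance expects the pattern with delimiters, so '//' is the match-everything filter.
    if pattern is None:
        return None
    if len(pattern) < 2 or not (pattern.startswith("/") and pattern.endswith("/")):
        raise ValueError("filter pattern must include delimiters, e.g. /^LOGIN|^LOGOUT/")
    return re.compile(pattern[1:-1])

def render(event, fmt):
    # Substitute %var% tokens; a token with no value is left verbatim (assumption, not documented).
    ts = datetime.fromtimestamp(event["time.unix"], tz=timezone.utc)
    vals = dict(event)
    vals["time.ecs"] = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"
    vals["time.sql"] = ts.strftime("%Y-%m-%d %H:%M:%S")
    vals["time.iso8601"] = ts.strftime("%Y-%m-%dT%H:%M:%S+00:00")
    return re.sub(r"%([a-z0-9.]+)%", lambda m: str(vals.get(m.group(1), m.group(0))), fmt)

def forward(events, mode="whitelist", pattern=None, fmt=DEFAULT_FORMAT, legacy_decrypted=False):
    regex = parse_filter(pattern)
    lines = []
    for ev in events:
        action = ev["action"]
        if action == "ALARM DECRYPTED":
            keep = True                      # always forwarded, regardless of any filter
        elif regex is None:                  # filter unset: legacy behaviour
            keep = action == "DECRYPTED" and legacy_decrypted
        else:
            hit = regex.search(action) is not None
            keep = hit if mode == "whitelist" else not hit
        if not keep:
            continue
        if regex is None and action in ("ALARM DECRYPTED", "DECRYPTED"):   # legacy translation
            ev = dict(ev, action=action.lower().replace(" ", "-"))
        lines.append(render(ev, fmt))
    return lines
```

Running forward(SAMPLE_EVENTS, "whitelist", "/^LOGIN|^LOGOUT/") yields the LOGIN line plus the ALARM DECRYPTED line, while forward(SAMPLE_EVENTS) with no filter yields only the alarm, translated to alarm-decrypted.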