Enable security log

Enable security events

To enable a server to send security events, do the following:

- Add the channels section to the /etc/saymon/logger.json configuration file. Create this file if it doesn’t exist. You can find a list of all channels and their configuration in the Security log configuration article.

    {
      "categories": {
        "Default": "Warn"
      },
      "channels": {
        "session": [
          {
            "type": "kafka",
            "options": {
              "server": "localhost:9092",
              "topic": "LOG_SESSION"
            }
          }
        ],
        "audit": [
          {
            "type": "udp",
            "options": {
              "server": "localhost:10001"
            }
          }
        ],
        "faults": [
          {
            "type": "udp",
            "options": {
              "server": "localhost:10001"
            }
          }
        ]
      }
    }

  You can set up each channel (session, audit or faults) to send messages to Kafka (each to its own topic: LOG_SESSION, LOG_AUDIT and LOG_FAULTS respectively) or to external systems such as syslog via UDP.

- Launch the fluentd log shipper. To do this, complete the following steps:

  - On the server, go to the /etc/saymon/ directory:

        $ cd /etc/saymon/

  - Download the fluentd configuration files:

        $ sudo wget http://docs.saymon.tech//_attachments/enable-security-log/fluentd.tar.gz

  - Extract the files from the archive into /etc/saymon/fluentd/:

        $ tar -xvzf fluentd.tar.gz

  - Execute the following command:

        $ sudo docker run -d --restart=unless-stopped --name=fluentd --network=host -v /etc/saymon/fluentd/config:/fluentd/etc -v /var/log/auth.log:/var/log/auth.log:ro -uroot --log-opt max-file=3 --log-opt max-size=10m portus.saymon.info/saymon-public/fluentd:latest

- Launch SAYMON server.

After this, all security events from SAYMON server will be sent to the fluentd log shipper.
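A misconfigured channel silently drops the events it should carry, so it is worth validating logger.json before restarting the server. The following check is an added example, not part of the SAYMON documentation or product; the sample document is constructed from the layout shown above, the expected Kafka topic names are the ones this page lists, and sink types other than the kafka and udp ones shown here are skipped rather than rejected, since the Security log configuration article may define more.

```python
import json

# Constructed sample with the same layout as the page's /etc/saymon/logger.json (embedded inline so the check runs offline).
SAMPLE_LOGGER_JSON = """
{
  "categories": { "Default": "Warn" },
  "channels": {
    "session": [ { "type": "kafka", "options": { "server": "localhost:9092", "topic": "LOG_SESSION" } } ],
    "audit":   [ { "type": "udp",   "options": { "server": "localhost:10001" } } ],
    "faults":  [ { "type": "udp",   "options": { "server": "localhost:10001" } } ]
  }
}
"""

# The three channels and the Kafka topics the page documents for them.
EXPECTED_TOPICS = {"session": "LOG_SESSION", "audit": "LOG_AUDIT", "faults": "LOG_FAULTS"}
# Options each sink type needs, as shown on the page (other types are skipped, not rejected).
REQUIRED_OPTIONS = {"kafka": ("server", "topic"), "udp": ("server",)}


def check_logger_config(text):
    """Return a list of problems found in a logger.json document; an empty list means OK."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    channels = cfg.get("channels")
    if not isinstance(channels, dict):
        return ["missing 'channels' section: no security events will be shipped"]
    problems = []
    for name, topic in EXPECTED_TOPICS.items():
        sinks = channels.get(name)
        if not sinks:
            problems.append(f"channel '{name}' has no sinks: its events are dropped")
            continue
        for i, sink in enumerate(sinks):
            kind = sink.get("type")
            if kind not in REQUIRED_OPTIONS:
                continue  # a type this check does not know; see the Security log configuration article
            opts = sink.get("options", {})
            for key in REQUIRED_OPTIONS[kind]:
                if key not in opts:
                    problems.append(f"{name}[{i}]: {kind} sink is missing option '{key}'")
            if kind == "kafka" and "topic" in opts and opts["topic"] != topic:
                problems.append(f"{name}[{i}]: topic {opts['topic']!r} is not the documented {topic!r}")
    return problems


if __name__ == "__main__":
    for line in check_logger_config(SAMPLE_LOGGER_JSON) or ["logger.json OK"]:
        print(line)
```

To check a real file, pass the contents of /etc/saymon/logger.json to check_logger_config instead of the constructed sample.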
Enable security log UI

To see the security log from the SAYMON UI, do the following:

- Add the logdb section to the server configuration file /etc/saymon/saymon-server.conf:

    {
      "server": { ... },
      "logdb": {
        "url": "mongodb://localhost:27017/logs",
        "collection": "securityLogs"
      }
    }

- Launch SAYMON server.

- Give the appropriate users permission to see the security log. To do this, enable the "Monitoring logs and events" permission in the Permissions menu.

After that, users with permission to see the security log will have a new button ("Security log") in the current user’s menu. Users can press this button to go to the security log UI.