Enable security log

Enable security events

To enable a server to send security events, do the following:

  1. Add the channels section to the /etc/saymon/logger.json configuration file. Create this file if it doesn’t exist.

    You can find a list of all channels and their configuration in the Security log configuration article.
    {
        "categories": {
            "Default": "Warn"
        },
        "channels": {
            "session": [
                {
                    "type": "kafka",
                    "options": {
                        "server": "localhost:9092",
                        "topic": "LOG_SESSION"
                    }
                }
            ],
            "audit": [
                {
                    "type": "udp",
                    "options": {
                        "server": "localhost:10001"
                    }
                }
            ],
            "faults": [
                {
                    "type": "udp",
                    "options": {
                        "server": "localhost:10001"
                    }
                }
            ]
        }
    },
    You can set up each channel (session, audit or faults) to send messages to Kafka (in their own topic respectively: LOG_SESSION, LOG_AUDIT, LOG_FAULTS) or to external systems like syslog via UDP
  2. Launch fluentd log shipper.
    To do this, complete the following steps:

    1. On the server, go to the /etc/saymon/ directory:

      $ cd /etc/saymon/
    2. Download fluentd configuration files:

      $ sudo wget http://docs.saymon.tech//_attachments/enable-security-log/fluentd.tar.gz
    3. Extract files from the archive into /etc/saymon/fluentd/:

      $ tar -xvzf fluentd.tar.gz
    4. Execute the following command:

      $ sudo docker run -d --restart=unless-stopped --name=fluentd --network=host -v /etc/saymon/fluentd/config:/fluentd/etc -v /var/log/auth.log:/var/log/auth.log:ro -uroot --log-opt max-file=3 --log-opt max-size=10m portus.saymon.info/saymon-public/fluentd:latest
  3. Launch SAYMON server

After this, all security events from SAYMON server will be sent to the fluentd log shipper.

Enable security log UI

To see security log from SAYMON UI, do the following:

  1. Add the logdb section to the server configuration file /etc/saymon/saymon-server.conf:

    {
      "server": { ... },
      "logdb": {
        "url": "mongodb://localhost:27017/logs",
        "collection": "securityLogs"
      }
    }
  2. Launch SAYMON server

  3. Give appropriate users permission to see a security log. To do this, enable the "Monitoring logs and events" permission in the Permissions menu.

After that, users with the permission to see security log, will have a new button ("Security log") in the current user’s menu. Users can press this button to go to the security log UI.