6.3 Syslog Settings

Use this page to configure Privileged User Manager so that it can send syslog messages to a syslog server. This server can be a Sentinel server, a Sentinel Log Manager, or a syslog server that supports TCP, optionally with TLS or SSL. Older syslog servers require UDP as the transport protocol.

To configure communication with a syslog server:

  1. Click Reporting on the home page of the console.

  2. Click Syslog Settings in the task pane.

  3. Configure the following fields:

    Syslog host: Specify the DNS name or IP address of the syslog server.

    Port: Specify the port the syslog server is listening on for syslog events. The default port is 514. The default port for a Sentinel server or a Sentinel Log Manager is 1468.

    SSL: Select the check box to enable SSL communication with a Sentinel server. For a syslog server, do not select this box.

  4. In the Event table, select the events and the format. All possible events are selected:

    Session Failure: Sends an event when a Privileged User Manager session fails.

    Start Session: Sends an event when a user starts a Privileged User Manager session on a host.

    Session Terminate: Sends an event when a user logs out of the Privileged User Manager session.

    Command Audit: If you have enabled auditing on the user’s session or on commands, this option sends all audited events as syslog events.

    Privilege Escalation: Sends an event when a user starts a privileged session.

    1. To delete an event, highlight it, then click Remove.

    2. To configure the format, click the format text box and specify a format string.

      The ${}$ string logs the complete audit record as a JSON string. For a Sentinel server, the format string must be set to ${}$.

      If you are sending the events to a syslog server, you can specify strings from the Privileged User Manager templates. For example, the format of the Start Session event could use the following string:

      User ${StartSession.user}$ initiated a Command Control session from ${StartSession.host}$
      

      This format string would produce output similar to the following:

      Jan 1 01:20:45 localhost npum: User ctaylor initiated a Command Control session from citlaptop
      
  5. Click Finish.
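The following Python script is an added example, not Privileged User Manager code, that shows what the format strings above produce and how a receiving collector would take the lines apart again. It renders the ${}$ and ${Event.field}$ placeholders against constructed audit records, wraps the result in the "timestamp host npum: message" layout shown in the sample output, and parses such lines back into fields, decoding the JSON payload when ${}$ was used. Assumed, because the page does not say: a placeholder naming a different event type expands to nothing, an unknown field expands to an empty string, and the sample record contents are invented.

```python
import json
import re
from datetime import datetime
from typing import Optional

# ${...}$ placeholders as used in the page's format strings.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}\$")

# Constructed sample audit records keyed by event type (not real PUM output).
SAMPLE_EVENTS = {
    "StartSession": {"user": "ctaylor", "host": "citlaptop", "target": "dbserver1"},
    "PrivilegeEscalation": {"user": "ctaylor", "host": "dbserver1", "command": "/bin/bash"},
}

# The Start Session format string from the page.
START_SESSION_FORMAT = (
    "User ${StartSession.user}$ initiated a Command Control session "
    "from ${StartSession.host}$"
)


def render_format(template: str, event_type: str, record: dict) -> str:
    """Expand ${}$ and ${Event.field}$ placeholders in a format string."""
    def expand(match: re.Match) -> str:
        key = match.group(1).strip()
        if key == "":
            # ${}$ logs the complete audit record as JSON.
            return json.dumps(record, sort_keys=True)
        prefix, _, field = key.partition(".")
        if prefix != event_type:
            return ""  # assumption: a placeholder for another event type expands to nothing
        return str(record.get(field, ""))  # assumption: unknown field -> empty string
    return PLACEHOLDER.sub(expand, template)


def syslog_line(message: str, host: str = "localhost",
                when: Optional[datetime] = None) -> str:
    """Wrap a rendered message in the BSD syslog layout shown on the page."""
    when = when or datetime(2024, 1, 1, 1, 20, 45)
    timestamp = f"{when:%b} {when.day} {when:%H:%M:%S}"
    return f"{timestamp} {host} npum: {message}"


# "Jan 1 01:20:45 localhost npum: <message>" (day may be padded to two columns).
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) npum: (?P<message>.*)$"
)


def parse_syslog_line(line: str) -> Optional[dict]:
    """Split a received line into timestamp, host and message; decode JSON payloads."""
    match = SYSLOG_LINE.match(line)
    if match is None:
        return None  # not an npum line; leave it to other parsers
    fields = match.groupdict()
    fields["record"] = None
    if fields["message"].startswith("{"):
        try:
            fields["record"] = json.loads(fields["message"])
        except json.JSONDecodeError:
            pass  # a truncated or non-JSON payload stays as raw text
    return fields


if __name__ == "__main__":
    for event_type, record in SAMPLE_EVENTS.items():
        text_line = syslog_line(render_format(START_SESSION_FORMAT, event_type, record))
        json_line = syslog_line(render_format("${}$", event_type, record))
        print(text_line)
        print(json_line)
        print(parse_syslog_line(json_line)["record"])
```

Two things the output makes visible: the BSD-style timestamp carries neither a year nor a time zone, so the collector must stamp arrival time itself if events are to be correlated later, and a free-text format string throws away every field it does not name, whereas ${}$ keeps the whole record and parses back without guesswork. For a SIEM that will query the data, the JSON form is the safer choice.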

Sentinel Notes

For Privileged User Manager to communicate with a Sentinel server, you need to add a Syslog Connector to the Sentinel console. This connector must be configured to listen on TCP port 514 using SSL, and the SSL type must be Open. Configure it to listen specifically for the host that has the Syslog Emitter installed. This is usually the Framework Manager console.