Linux OS

The Linux OS DSM for JSA records Linux operating system events and forwards the events using syslog or syslog-ng.

If you are using syslog on a UNIX host, upgrade the standard syslog to a more recent version, such as syslog-ng.

Note

Do not run both syslog and syslog-ng at the same time.

To integrate Linux OS with JSA, select one of the following syslog configurations for event collection: syslog (see Configuring Syslog on Linux OS) or syslog-ng (see Configuring Syslog-ng on Linux OS).

You can also configure your Linux operating system to send audit logs to JSA. For more information, see Configuring Linux OS to Send Audit Logs.

Supported Event Types

The Linux OS DSM supports the following event types:

  • cron

  • HTTPS

  • FTP

  • NTP

  • Simple Authentication Security Layer (SASL)

  • SMTP

  • SNMP

  • SSH

  • Switch User (SU)

  • Pluggable Authentication Module (PAM) events

Configuring Syslog on Linux OS

Configure the syslog protocol on Linux OS.

  1. Log in to your Linux OS device as the root user.
  2. Open the /etc/syslog.conf file.
  3. Add the following facility information:

    authpriv.*    @<IP address>

    Where: <IP address> is the IP address of JSA. The selector (authpriv.*) and the action (@<IP address>) must be separated by whitespace; a single @ forwards the events over UDP.

  4. Save the file.
  5. Restart syslog by using the following command:

    service syslog restart

  6. Log in to the JSA user interface.
  7. Add a Linux OS log source.
  8. On the Admin tab, click Deploy Changes.

    For more information on syslog, see your Linux operating system documentation.

Configuring Syslog-ng on Linux OS

Configure Linux OS to use the syslog-ng protocol.

  1. Log in to your Linux OS device as the root user.
  2. Open the /etc/syslog-ng/syslog-ng.conf file.
  3. Add the following facility information:

    filter auth_filter { facility(authpriv); };

    destination auth_destination { tcp("<IP address>" port(514)); };

    log {
        source(<Source name>);
        filter(auth_filter);
        destination(auth_destination);
    };

    Where:

    • <IP address> is the IP address of JSA.

    • <Source name> is the name of the source that is defined in the configuration file.

  4. Save the file.
  5. Restart syslog-ng by using the following command:

    service syslog-ng restart

  6. Log in to the JSA user interface.
  7. Add a Linux OS log source.
  8. On the Admin tab, click Deploy Changes.

    For more information about syslog-ng, see your Linux operating system documentation.

Configuring Linux OS to Send Audit Logs

Configure Linux OS to send audit logs to JSA.

This task applies to Red Hat Enterprise Linux v6 operating systems.

If you use SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific steps for your operating system.

  1. Log in to your Linux OS device as the root user.
  2. Type the following commands to install the audit package, start the audit daemon, and enable it at boot:

    yum install audit
    service auditd start
    chkconfig auditd on

  3. Open the following file:

    /etc/audisp/plugins.d/syslog.conf

  4. Verify that the parameters match the following values:

    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL6
    format = string

  5. Open the following file:

    /etc/rsyslog.conf

  6. Add the following line to the end of the file:

    local6.* @@JSA_Collector_IP_address

    Where: JSA_Collector_IP_address is the IP address of the JSA collector. The @@ prefix forwards the events over TCP; do not leave a space between @@ and the address.

  7. Type the following commands:
    • service auditd restart

    • service syslog restart

  8. Log in to the JSA user interface.
  9. Add a Linux OS log source.
  10. On the Admin tab, click Deploy Changes.
  11. Log in to JSA as the root user.
  12. Type the following commands:

    service auditd restart
    service syslog restart
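The following POSIX sh script is an added example, not part of the JSA documentation: it checks the two files the audit-log procedure above edits, the audisp syslog plugin file (step 4) and the rsyslog forwarding line (step 6). File paths and the collector address are parameters; the sample files it creates are constructed for a stand-alone run.

```shell
# Added example (not from the JSA documentation): verify the audisp plugin values
# and the rsyslog local6 forwarding line against constructed copies of the files.

# Normalise a plugins.d style file to key=value lines (comments and blanks dropped).
audisp_kv() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Return 0 when the audisp syslog plugin file given as $1 carries every value
# that step 4 requires; otherwise print each mismatch and return 1.
check_audisp_syslog() {
    rc=0
    for pair in active=yes direction=out path=builtin_syslog \
                type=builtin args=LOG_LOCAL6 format=string; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(audisp_kv "$1" | sed -n "s/^$key=//p" | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<missing>}'"; rc=1
        fi
    done
    return $rc
}

# Return 0 when the rsyslog file $1 forwards local6.* over TCP (@@) to host $2,
# which is what step 6 adds; dots in the host are escaped to match literally.
check_rsyslog_forward() {
    host=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*local6\.\*[[:space:]]+@@$host([[:space:]:]|$)" "$1"
}

# Constructed sample files: one correct plugin file, one with two wrong values,
# and an rsyslog fragment pointing at a constructed collector address.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
# forwards audit records to syslog
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string
EOF
sed 's/active = yes/active = no/; s/LOG_LOCAL6/LOG_LOCAL0/' "$tmp/good.conf" > "$tmp/bad.conf"
printf 'local6.* @@192.0.2.10\n' > "$tmp/rsyslog.conf"
check_audisp_syslog "$tmp/good.conf" && echo "audisp plugin: OK"
check_audisp_syslog "$tmp/bad.conf" || echo "audisp plugin: fix the values above"
check_rsyslog_forward "$tmp/rsyslog.conf" 192.0.2.10 && echo "rsyslog forwarding: OK"
```

Run it against the real files by calling check_audisp_syslog /etc/audisp/plugins.d/syslog.conf and check_rsyslog_forward /etc/rsyslog.conf with your collector address.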