
Configuring Centrify Infrastructure Services on a UNIX or Linux Device to Communicate with JSA

 

You can configure your UNIX or Linux device to send audit events to JSA. The audit events are available locally in the syslog event logs on the device where Centrify Infrastructure Services is installed and configured.

  1. Log in to your Centrify Infrastructure Services device.
  2. Ensure that syslog or rsyslog is installed.
    • To verify that syslog is installed, type service syslog status.

    • To verify that rsyslog is installed, type service rsyslog status.

  3. If syslog or rsyslog is not installed, install it by using your preferred method for your UNIX or Linux device. For example, you can type the following command to install rsyslog on a Linux device:

    yum install rsyslog

  4. To forward events to your JSA Event Collector, open the rsyslog.conf file or the syslog.conf file that is located in the /etc/ directory, and then add the following line:

    :msg, contains, "AUDIT_TRAIL" @@<JSA Event Collector IP>:514

  5. Restart the syslog or rsyslog service.
    • If you are using syslog, type service syslog restart.

    • If you are using rsyslog, type service rsyslog restart.

    Note

    The Centrify Linux agent might forward some Linux system messages along with the Audit Trail logs. If no specific category is found, the Linux OS log source type in JSA discovers the Linux messages and normalizes them as stored.
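Steps 4 and 5 can be applied repeatably with a small script. The following is an added example, not vendor code: the function names and the script name are hypothetical, 192.0.2.10 is a placeholder collector address, and it assumes rsyslog with its configuration in /etc/rsyslog.conf.

```sh
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical;
# 192.0.2.10 in the usage line is a placeholder collector address.

# Print the step 4 rule for one collector ("@@" means TCP in rsyslog).
forward_rule() {
    printf ':msg, contains, "AUDIT_TRAIL" @@%s:514\n' "$1"
}

# Succeed if the file already holds this exact, uncommented rule.
has_forward_rule() {
    grep -Fqx -- "$(forward_rule "$2")" "$1"
}

# Count active AUDIT_TRAIL forwarding rules; more than one means events
# are also going to another (possibly stale) collector.
count_forward_rules() {
    grep -c '^:msg, contains, "AUDIT_TRAIL" @@' "$1" || true
}

# Append the rule once, keeping a backup of the original file.
add_forward_rule() {
    conf=$1; collector=$2
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }
    if has_forward_rule "$conf" "$collector"; then return 0; fi
    cp -p "$conf" "$conf.bak" || return 1
    # A file without a trailing newline would glue the rule to its last line.
    if [ -n "$(tail -c 1 "$conf")" ]; then echo >> "$conf"; fi
    forward_rule "$collector" >> "$conf"
}

# Usage (as root): sh add-jsa-forward.sh 192.0.2.10 [/etc/rsyslog.conf]
if [ "$#" -ge 1 ]; then
    conf=${2:-/etc/rsyslog.conf}
    add_forward_rule "$conf" "$1" || exit 1
    rsyslogd -N1 -f "$conf" || exit 1   # syntax check before restarting
    service rsyslog restart || exit 1
    # Constructed test message; it matches the filter and should reach JSA.
    logger -t jsa-forward-test 'AUDIT_TRAIL|constructed forwarding test'
fi
```

After the script runs, the constructed test message should appear in JSA from this host; if it does not, check connectivity to TCP port 514 on the Event Collector.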

Sample event message

Use these sample event messages to verify a successful integration with JSA.

The following table shows sample event messages from Centrify Infrastructure Services:

Table 1: Centrify Infrastructure Services Sample Message

Event name: Remote login success

Low level category: Remote Access Login Succeeded

Sample log message:

    <13>May 09 20:58:48 127.1.1.1 AgentDevice=WindowsLog AgentLogFile=Application PluginVersion=7.2.6.39 Source=Centrify AuditTrail V2 Computer=CentrifyWindowsAgent.Centrify.lab OriginatingComputer=127.1.1.1 User=user Domain=CENTRIFY EventID=1234 EventIDCode=1234 EventType=4 EventCategory=4 RecordNumber=1565 TimeGenerated=1494374321 TimeWritten=1494374321 Level=Informational Keywords=Classic Task=None Opcode=Info Message=Product: Centrify Suite Category: Direct Authorize - Windows Event name: Remote login success Message: User successfully logged on remotely using role ’Windows Login/CentrifyTest’. May 09 16:58:41 centrifywindowsagent.centrify.lab dzagent[2008]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|3|Remote login success|5|user=username userSid=domain\username sessionId=6 centrifyEventID=6003 DAInst=N/A DASessID=N/A role=Windows Login/CentrifyTest desktopguid=7678b35e-00d0-4ddf-88f5-6626b8b1ec4b

Event name: The user logged in to the system successfully

Low level category: User Login Success

Sample log message:

    <38>May 4 23:45:19 hostname adclient[1472]: INFO AUDIT_TRAIL|Centrify Suite|Centrify Commands|1.0|200|The user login to the system successfully|5|user=user pid=1234 utc=1493952319951 centrifyEventID=18200 DASessID=c6b7551c-31ea-8743-b870-cdef47393d07 DAInst=Default Installation status=SUCCESS service=sshd tty=/dev/pts/2