Configuring Centrify Infrastructure Services on a UNIX or Linux Device to Communicate with JSA

You can configure your UNIX or Linux device to send audit events to JSA. The audit events are available locally in the syslog event logs on the device where Centrify Infrastructure Services is installed and configured.

  1. Log in to your Centrify Infrastructure Services device.
  2. Ensure that syslog or rsyslog is installed.
    • To verify that syslog is installed, type service syslog status.

    • To verify that rsyslog is installed, type service rsyslog status.

  3. If syslog or rsyslog is not installed, install it by using your preferred method for your UNIX or Linux device. For example, you can type the following command to install rsyslog on a Linux device:

    yum install rsyslog

  4. To forward events to your JSA Event Collector, open the rsyslog.conf file or the syslog.conf file that is located in the /etc/ directory, and then add the following line:

    :msg, contains, "AUDIT_TRAIL" @@<JSA Event Collector IP>:514

  5. Restart the syslog or rsyslog service.
    • If you are using syslog, type service syslog restart.

    • If you are using rsyslog, type service rsyslog restart.

    Note:

    The Centrify Linux agent might forward some Linux system messages along with the Audit Trail logs. If no specific category is found, the Linux OS log source type in JSA discovers the Linux messages and normalizes them as stored.

Centrify Infrastructure Services Sample event message

Use this sample event message as a way of verifying a successful integration with JSA.

The following table shows sample event messages from Centrify Infrastructure Services:

Table 1: Centrify Infrastructure Services Sample Message

Event name: Remote login success

Low level category: Remote Access Login Succeeded

Sample log message:

    <13>May 09 20:58:48 127.1.1.1 AgentDevice=WindowsLog AgentLogFile=Application PluginVersion=7.2.6.39 Source=Centrify AuditTrail V2 Computer=CentrifyWindowsAgent.Centrify.lab OriginatingComputer=127.1.1.1 User=user Domain=CENTRIFY EventID=1234 EventIDCode=1234 EventType=4 EventCategory=4 RecordNumber=1565 TimeGenerated=1494374321 TimeWritten=1494374321 Level=Informational Keywords=ClassicTask=None Opcode=Info Message=Product: Centrify Suite Category: DirectAuthorize - Windows Event name: Remote login success Message: User successfully logged on remotely using role 'Windows Login/CentrifyTest'. May 09 16:58:41 centrifywindowsagent.centrify.lab dzagent[2008]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|3|Remote login success|5|user=username userSid=domain\username sessionId=6 centrifyEventID=6003 DAInst=N/A DASessID=N/A role=Windows Login/CentrifyTest desktopguid=7678b35e-00d0-4ddf-88f5-6626b8b1ec4b

Event name: The user logged in to the system successfully

Low level category: User Login Success

Sample log message:

    <38>May 4 23:45:19 hostname adclient[1472]: INFO AUDIT_TRAIL|Centrify Suite|Centrify Commands|1.0|200|The user login to the system successfully|5|user=user pid=1234 utc=1493952319951 centrifyEventID=18200 DASessID=c6b7551c-31ea-8743-b870-cdef47393d07 DAInst=Default Installation status=SUCCESS service=sshd tty=/dev/pts/2
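
To check on the sending host that forwarded lines have the shape of the samples above, the following added example (not part of the original page or of Centrify or JSA code) splits an AUDIT_TRAIL record into its pipe-delimited header and key=value fields and skips ordinary system messages. The header field labels and the second sample line are assumptions made for this example; the first sample line is the Linux message above, rejoined onto one line.

```python
import re

# Header labels are assumed names for this example; the page does not name the fields.
HEADER = ("product", "category", "version", "event_id", "event_name", "severity")
# Values may contain spaces ("DAInst=Default Installation"), so a value runs
# until the next " key=" boundary or the end of the line.
KV = re.compile(r"(?:^|\s)(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_audit_trail(line):
    """Parse one syslog line; return None when it carries no AUDIT_TRAIL record."""
    start = line.find("AUDIT_TRAIL|")
    if start < 0:
        return None
    parts = line[start:].rstrip().split("|", 7)  # marker, 6 header fields, extension
    if len(parts) != 8:
        raise ValueError("truncated AUDIT_TRAIL record")
    event = dict(zip(HEADER, parts[1:7]))
    event["fields"] = dict(KV.findall(parts[7]))
    return event

def audit_events(lines):
    """Yield parsed audit events, skipping ordinary system messages."""
    for line in lines:
        event = parse_audit_trail(line)
        if event is not None:
            yield event

# Sample input: the Linux message from the table above, plus one constructed
# non-audit line of the kind the agent may forward alongside audit records.
SAMPLE_LINES = [
    "<38>May 4 23:45:19 hostname adclient[1472]: INFO AUDIT_TRAIL|Centrify Suite|"
    "Centrify Commands|1.0|200|The user login to the system successfully|5|"
    "user=user pid=1234 utc=1493952319951 centrifyEventID=18200 "
    "DASessID=c6b7551c-31ea-8743-b870-cdef47393d07 DAInst=Default Installation "
    "status=SUCCESS service=sshd tty=/dev/pts/2",
    "<30>May 4 23:45:20 hostname crond[2211]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for ev in audit_events(SAMPLE_LINES):
        f = ev["fields"]
        print(ev["event_name"], f["centrifyEventID"], f["user"], f["status"], f["service"])
```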