Configuring export of FreeIPA events to KUMA
To configure the export of FreeIPA events to KUMA via the Syslog protocol in JSON format:
- Connect to the FreeIPA server via SSH using an account with administrator rights.
- In the /etc/rsyslog.d/ directory, create a file named freeipa-to-siem.conf.
- Add the following lines to the /etc/rsyslog.d/freeipa-to-siem.conf configuration file:
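# rsyslog: read the FreeIPA log files with imfile and forward them to KUMA as JSON over syslog.
# rsyslog needs read access to every file listed below; the 389-ds files under /var/log/dirsrv/
# are usually owned by the directory server account and not world-readable, so check the
# effective permissions on this host before relying on the feed.
$ModLoad imfile

# Every monitored file gets its own $InputFileStateFile so imfile can resume after a restart
# without re-sending or skipping lines; the state file names must stay unique.
$InputFileName /var/log/httpd/error_log
$InputFileTag tag_FreeIPA_log:
$InputFileStateFile FreeIPA_log
$InputRunFileMonitor

# NOTE(review): wildcard support in the legacy $InputFileName directive depends on the rsyslog
# version; if the slapd-* files are not picked up, name the instance directory explicitly or
# move these inputs to the input(type="imfile" ...) syntax.
# The audit log records directory modifications and can contain sensitive attribute values.
$InputFileName /var/log/dirsrv/slapd-*/audit
$InputFileTag tag_FreeIPA_log:
$InputFileStateFile FreeIPA_log_audit
$InputRunFileMonitor

$InputFileName /var/log/dirsrv/slapd-*/errors
$InputFileTag tag_FreeIPA_log:
$InputFileStateFile FreeIPA_log_errors
$InputRunFileMonitor

# The access log is the highest-volume source here; size collector capacity accordingly.
$InputFileName /var/log/dirsrv/slapd-*/access
$InputFileTag tag_FreeIPA_log:
$InputFileStateFile FreeIPA_log_access
$InputRunFileMonitor

$InputFileName /var/log/krb5kdc.log
$InputFileTag tag_FreeIPA_log:
$InputFileStateFile FreeIPA_log_krb5kdc
$InputRunFileMonitor

# JSON envelope sent to the collector. option.json="on" escapes property values, so a log line
# containing quotes or backslashes cannot break the structure of the record.
# "@timestamp" is timegenerated, i.e. when rsyslog read the line, not the application's own
# timestamp inside "message" — keep both in mind when correlating during an investigation.
template(name="ls_json" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"1")
    constant(value="\",\"message\":\"") property(name="msg")
    constant(value="\",\"host\":\"") property(name="fromhost")
    constant(value="\",\"host_ip\":\"") property(name="fromhost-ip")
    constant(value="\",\"logsource\":\"") property(name="fromhost")
    constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
    constant(value="\",\"severity\":\"") property(name="syslogseverity")
    constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
    constant(value="\",\"facility\":\"") property(name="syslogfacility")
    constant(value="\",\"program\":\"") property(name="programname")
    constant(value="\",\"pid\":\"") property(name="procid")
    constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
    constant(value="\"}\n")
}

# Forward only the messages tagged above; "stop" ends processing of a matched message so later
# rules do not handle it again.
if $syslogtag contains 'tag_FreeIPA_log' then {
    # The three <...> values are placeholders — replace all of them before restarting rsyslog.
    # Prefer protocol="tcp": UDP syslog is silently lossy and trivially spoofable, and these logs
    # carry account names, Kerberos principals and directory changes. If the collector supports
    # it, add TLS via the omfwd StreamDriver / StreamDriverMode / StreamDriverAuthMode parameters.
    *.* action(type="omfwd" target="<IP address of the KUMA collector>" port="<port of the KUMA collector>" protocol="<udp or tcp>" template="ls_json")
    stop
}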
- Add the following lines to the /etc/rsyslog.conf configuration file:
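# Pull in the forwarding rules created above; the path must match the file created in
# /etc/rsyslog.d/. Check rsyslog.conf first: many distributions already ship
# "$IncludeConfig /etc/rsyslog.d/*.conf", and including the file twice would register the
# same imfile inputs twice.
$IncludeConfig /etc/rsyslog.d/freeipa-to-siem.conf
# Keep "last message repeated N times" collapsing off so every event reaches the SIEM verbatim.
$RepeatedMsgReduction off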
- Save the changes to both configuration files.
- Restart the rsyslog service by executing the following command:
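# Validate the configuration first so a typo does not leave the host without a running syslog daemon.
sudo rsyslogd -N1 && sudo systemctl restart rsyslog.service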