Configuring export of FreeIPA events to KUMA

To configure the export of FreeIPA events to KUMA via the Syslog protocol in JSON format:

  1. Connect to the FreeIPA server via SSH using an account with administrator rights.
  2. In the /etc/rsyslog.d/ directory, create a file named freeipa-to-siem.conf.
  3. Add the following lines to the /etc/rsyslog.d/freeipa-to-siem.conf configuration file:

    $ModLoad imfile

    input(type="imfile"

    File="/var/log/httpd/error_log"

    Tag="tag_FreeIPA_log_httpd"

    facility="local3")

    input(type="imfile"

    File="/var/log/dirsrv/slapd-*/audit"

    Tag="tag_FreeIPA_log_audit"

    StartMsg.regex="^time:"

    facility="local3")

    input(type="imfile"

    File="/var/log/dirsrv/slapd-*/errors"

    Tag="tag_FreeIPA_log_errors"

    facility="local3")

    input(type="imfile"

    File="/var/log/dirsrv/slapd-*/access"

    Tag="tag_FreeIPA_log_access"

    facility="local3")

    input(type="imfile"

    File="/var/log/krb5kdc.log"

    Tag="tag_FreeIPA_log_krb5kdc"

    facility="local3")

    template(name="ls_json" type="list" option.json="on") {

    constant(value="{")

    constant(value="\"@timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339")

    constant(value="\",\"@version\":\"1")

    constant(value="\",\"message\":\"") property(name="msg")

    constant(value="\",\"host\":\"") property(name="fromhost")

    constant(value="\",\"host_ip\":\"") property(name="fromhost-ip")

    constant(value="\",\"logsource\":\"") property(name="fromhost")

    constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")

    constant(value="\",\"severity\":\"") property(name="syslogseverity")

    constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")

    constant(value="\",\"facility\":\"") property(name="syslogfacility")

    constant(value="\",\"program\":\"") property(name="programname")

    constant(value="\",\"pid\":\"") property(name="procid")

    constant(value="\",\"syslogtag\":\"") property(name="syslogtag")

    constant(value="\"}\n")

    }

    if $syslogtag contains 'tag_FreeIPA_log' then {

    action(type="omfwd"

    target="<IP address of KUMA collector>"

    port="<port of KUMA collector>"

    protocol="<udp or tcp>"

    template="ls_json")

    stop

    }

  4. Add the following lines to the /etc/rsyslog.conf configuration file:

    $IncludeConfig /etc/rsyslog.d/freeipa-to-siem.conf

    $RepeatedMsgReduction off

  5. If necessary, disable the local recording of FreeIPA events by doing the following:
    1. Open the rsyslog configuration file /etc/rsyslog.conf or the default rules file /etc/rsyslog.d/50-default.conf for editing.
    2. In that file, find the line that is responsible for recording system events, and add the local3.none parameter to it because in the /etc/rsyslog.d/freeipa-to-siem.conf configuration file, the facility is set to local3. The edited line should look like this:

      *.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages

      If facility is set to local3 for another application on the server, change the facility of FreeIPA in the /etc/rsyslog.d/freeipa-to-siem.conf file to a different value and edit the chosen rsyslog file accordingly.

    3. Save your changes.
  6. Save changes to the /etc/rsyslog.d/freeipa-to-siem.conf configuration file.
  7. Restart the rsyslog service by executing the following command:

    sudo systemctl restart rsyslog.service

Page top