Unjoin Starling
It is the responsibility of the Appliance Administrator to unjoin Safeguard for Privileged Passwords from Starling.
For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.
To unjoin Safeguard for Privileged Passwords from Starling
- Go to Starling:
  - web client: Navigate to External Integration > Starling.
- Click Unjoin Starling.
  IMPORTANT: If there is an issue with the connection to Starling, a warning message will appear on the page and you will instead see a Force Unjoin button.
- Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Cloud Assistant, Starling identity providers, and integrated connectors are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account can rejoin Safeguard for Privileged Passwords to Starling at any time.
IMPORTANT: If you attempt to unjoin from Starling while there are still Safeguard users or groups that use the Starling provider for identity and authentication, you will get an error. You must manually delete any users or groups first before unjoining from Starling.
Syslog
Safeguard for Privileged Passwords allows you to define one or more syslog servers to be used for logging Safeguard for Privileged Passwords event messages. Appliance Administrators can send different types of messages to different syslog servers. You may configure a connection to a syslog server to use TLS encryption, with or without a client authentication certificate. For more information, see Syslog Client Certificate.
To define and manage the syslog servers, go to Syslog:
- web client: Navigate to External Integration > Syslog.
The Syslog pane displays the following about each syslog server defined.
Table 54: Syslog server: Properties

| Property | Description |
|---|---|
| Name | The name of the syslog server |
| Network Address | The IP address or FQDN of the syslog server |
| Port | The port number for the syslog server |
| Protocol | The network protocol and syslog header type |
| TCP Framing | When using syslog with the TCP protocol, the connection is stream based, so both the client and server need to be configured to delimit the data using the same framing. See RFC 6587 sections 3.4.1 and 3.4.2 for more details. By default, Safeguard for Privileged Passwords uses octet counting, as recommended by RFC 6587. However, some syslog servers do not support octet counting. If that is the case, use this setting to configure Safeguard for Privileged Passwords to use the delimiter that is supported by your syslog server. |
| Use TLS Encryption | If selected, provides encrypted communication with the syslog server instead of plain text over TCP |
| Use Client Certificate | If selected, the syslog server requires clients to authenticate |
| Verify Server Certificate | If selected, messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate |
Use these toolbar buttons to manage the syslog server configurations
Configuring and verifying a syslog server
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to log event messages to a syslog server. The steps below cover configuration.
Other considerations:
To configure a syslog server
- Go to Syslog:
- web client: Navigate to External Integration > Syslog.
- Click Add to display the Syslog Server dialog.
- In the Syslog Server dialog, enter the following:
  - Name: Enter a descriptive name for the syslog server.
  - Network Address: Enter the IP address or FQDN of the syslog server. Limit: 255 characters.
  - Port: Enter the port number for the syslog server. Default: 514; range: 1 to 32767.
  - Protocol: Select the network protocol and syslog header type:
    - UDP (RFC 5424): Sends messages over UDP using the syslog header format specified in RFC 5424.
    - TCP (RFC 5424): Sends messages over TCP using the syslog header format specified in RFC 5424. TCP is required for TLS options.
  - If you selected a Protocol of TCP (RFC 5424), additional selections can be made to set the TCP framing and configure Safeguard for Privileged Passwords to use Transport Layer Security (TLS). This provides encrypted communication with the syslog server instead of plain text over TCP.
    - Select the TCP Framing. By default, Octet Counting is selected. Possible options are:
      - Octet Counting: The default and recommended framing. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.1. With octet counting, there is no chance of a message containing a character that may otherwise be interpreted as a delimiter.
      - LF: Use a line feed character (LF 0x0A) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with this framing, and it is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message.
      - CR: Use a carriage return character (CR 0x0D) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with this framing, and it is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message.
      - CRLF: Use both carriage return and line feed characters (CRLF 0x0D0A) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with this framing, and it is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape these characters if they appear in a message itself. If that happens, you will receive a fragmented and potentially malformed message.
      - NUL: Use a NUL character (0x00) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with this framing, and it is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message.
    - Select Use TLS Encryption.
      - Verify Syslog Server Certificate: If selected, messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate. If Safeguard for Privileged Passwords cannot resolve the syslog server TLS certificate to a trusted root, the message will not be sent.
      - Use Client Certificate: Select this option if the syslog server requires clients to authenticate. You should also set the syslog client certificate appropriately. For more information, see Creating a syslog client Certificate Signing Request.
- Click OK to save your selection and add the syslog server configuration.
- You can verify the syslog server. See the next section.
To verify a syslog server
- Navigate to External Integration > Syslog Events.
- Click Send Test Event. For more information, see Syslog Events.
Syslog Events
You can configure audit event logs to send to syslog server (cluster-wide). Audit events include connection, closure, and failures. Failures include the reason, the initiator, and the target. For example, a certificate validation failure will include the initiator and the target.
Debug logging to syslog server is available and is appliance specific (see Debug).
To configure audit event logs to send to a syslog server
- You will need a configured syslog server. If you have not configured a syslog server, you will see a message like this: To configure additional debug logging options, you need to configure a syslog server. Click Configure a syslog server. For more information, see Configuring and verifying a syslog server.
- Navigate to External Integration > Syslog Events.
- The Syslog Events pane displays the following.
Table 56: Syslog server: Properties

| Property | Description |
|---|---|
| Syslog Server | The name of the syslog server |
| Facility | The type of program being used to create syslog messages (for example, User or Mail) |
| Log Format | The format, which can be CEF or JSON |
| Description | The description of the syslog event |
| # of Events | The number of events selected to be logged to the syslog server |
Use these toolbar buttons to manage the syslog server configurations