
Safeguard for Privileged Passwords On Demand Hosted - Administration Guide


Syslog

Safeguard for Privileged Passwords allows you to define one or more syslog servers to be used for logging Safeguard for Privileged Passwords event messages. Appliance Administrators can specify that different types of messages are sent to different syslog servers. You may configure a connection to a syslog server to use TLS encryption, with or without a client authentication certificate. For more information, see Syslog Client Certificate.

To define and manage the syslog servers, go to Syslog:

  • web client: Navigate to External Integration | Syslog.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.

The Syslog pane displays the following properties for each defined syslog server. The desktop client lists them in a different order and includes some fields that the web client places under the Syslog Events setting.

Table 218: Syslog server: Properties

Property: Description

Name (web client): The name of the syslog server

Network Address: The IP address or FQDN of the syslog server

Port: The port number for the syslog server

Protocol: The network protocol and syslog header type

TCP Framing (web client): Because a TCP connection is stream based, the client and the server must both be configured to split the data using the same delimiter when syslog is sent over TCP. See RFC 6587 sections 3.4.1 and 3.4.2 for more details. By default, Safeguard for Privileged Passwords will use octet counting, as is recommended by RFC 6587. However, some syslog servers do not support octet counting. If that is the case, use this setting to configure Safeguard for Privileged Passwords to use the delimiter that is supported by your syslog server.

Use TLS Encryption (web client): If selected, provides encrypted communication with the syslog server instead of plain text over TCP

Use Client Certificate (web client): If selected, the syslog server requires clients to authenticate

Verify Server Certificate (web client): If selected, messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate

Facility (desktop client): The type of program being used to create syslog messages

Description (desktop client): The description of the syslog server configuration

# of Events (desktop client): The number of events selected to be logged to the syslog server

Format (desktop client): The format, which can be CEF or JSON

Prefix (desktop client): If the format is JSON, the text that will be prepended to the JSON attributes

Use these toolbar buttons to manage the syslog server configurations.

    Table 219: Syslog server: Toolbar

    Option: Description

    Add: Add a new syslog server configuration. For more information, see Configuring and verifying a syslog server.

    Remove: Remove the selected syslog server configuration from Safeguard for Privileged Passwords.

      If you attempt to remove a syslog server in use, you will see a message like: <syslog server> will be removed. Select Yes or No.

      A second Force Delete message like this may display: There are dependencies on this syslog server: This object is referenced by ServiceDebug. Do you want to force delete this server? Select Force Delete or Cancel. If you select Force Delete, the dependent setting (such as an event subscriber or debug logging) will be deleted as well.

    Edit: Modify the selected syslog server configuration.

    Copy Syslog Template: Clone the selected syslog server configuration.

    Refresh: Update the list of syslog server configurations.

    Configuring and verifying a syslog server

    It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to log event messages to a syslog server. The steps below cover configuration.

    Other considerations:

    Some of the actions performed from Syslog in the desktop client are found in the web client under Syslog Events and Debug.

    To configure a syslog server

    1. Go to Syslog:
      • web client: Navigate to External Integration | Syslog.
      • desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.
    2. Click Add to display the Syslog Server dialog.
    3. In the Syslog Server dialog, enter the following:

      1. Name: Enter a descriptive name for the syslog server.

      2. Network Address: Enter the IP address or FQDN of the syslog server. Limit: 255 characters
      3. Port: Enter the port number for the syslog server. Default: 514 and range: between 1 and 32767

      4. Protocol: Select the network protocol and syslog header type:

        • UDP (RFC 3164): Sends messages over UDP using the syslog header format specified in RFC 3164. (desktop client)

        • UDP (RFC 5424): Sends messages over UDP using the syslog header format specified in RFC 5424.
        • TCP (RFC 5424): Sends messages over TCP using the syslog header format specified in RFC 5424. TCP is required for TLS options.
      5. If you selected a Protocol of TCP (RFC 5424), additional selections can be made to set the TCP framing and to configure Safeguard for Privileged Passwords to use Transport Layer Security (TLS). TLS provides encrypted communication with the syslog server instead of plain text over TCP.
        • (web client only) Select the TCP Framing. By default, Octet Counting will be selected. Possible options are:

          • Octet Counting: The default and recommended framing. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.1. With octet counting, there is no chance of a message containing a character that may otherwise be intended to be used as a delimiter.

          • LF: Use a line feed character (LF 0x0A) as the delimiter between syslog messages.

          • CR: Use a carriage return character (CR 0x0D) as the delimiter between syslog messages.

          • CRLF: Use both carriage return and line feed characters (CRLF 0x0D0A) as the delimiter between syslog messages.

          • NUL: Use a NUL character (0x00) as the delimiter between syslog messages.

          LF, CR, CRLF, and NUL are non-transparent framing options. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. The RFC describes problems with this kind of framing, so these options are not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape the delimiter character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message or data.

        • Select Use TLS Encryption (or in the desktop client, select Use TLS (Requires TCP)).

        • Verify Syslog Server Certificate: If selected, messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate. If Safeguard for Privileged Passwords cannot resolve the syslog server TLS certificate to a trusted root, the message will not be sent.
        • Use Client Certificate: Select this option if the syslog server requires clients to authenticate. You should also set the syslog client certificate appropriately. For more information, see Creating a syslog client Certificate Signing Request.
    4. The following settings are in the desktop client. For the web client, the same capabilities are available from Syslog Events and Debug.
      1. Format: Select between Common Event Format (CEF) or JavaScript Object Notation (JSON).
      2. Description: Enter the description of the syslog event.
      3. For Events, click Browse then select the check boxes of the Events to which you want to subscribe. You can enter characters then click Search to limit the events that are displayed. Click OK.
      4. Facility: Select which syslog facility to use, for example User or Mail.
    5. Click OK to save your selection and add the syslog server configuration.
    6. You can verify the syslog server. See the next section.
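
The TCP framing choice in step 5, as an added example in Python (not part of the original guide or of Safeguard for Privileged Passwords): the same two messages are framed with octet counting and with an LF trailer, then parsed back. The message contents, the host name spp.example.test and all function names are assumptions made for illustration.

```python
# Constructed RFC 5424-style messages; the first carries an LF inside its text.
EVENTS = [
    b"<14>1 2024-01-01T00:00:00Z spp.example.test app - - - note=line one\nline two",
    b"<14>1 2024-01-01T00:00:01Z spp.example.test app - - - note=second event",
]

def frame_octet_counting(msg: bytes) -> bytes:
    """RFC 6587 section 3.4.1: MSG-LEN SP SYSLOG-MSG."""
    return str(len(msg)).encode("ascii") + b" " + msg

def frame_delimited(msg: bytes, delimiter: bytes = b"\n") -> bytes:
    """RFC 6587 section 3.4.2: message plus trailer, nothing escaped."""
    return msg + delimiter

def parse_octet_counting(stream: bytes):
    """Return (complete messages, unconsumed bytes of a partial frame)."""
    messages, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        prefix = stream[pos:sp] if sp != -1 else stream[pos:]
        # MSG-LEN is a non-zero digit followed by digits; cap it to bound memory.
        if not prefix.isdigit() or prefix.startswith(b"0") or len(prefix) > 7:
            raise ValueError(f"bad length prefix at offset {pos}: {prefix[:16]!r}")
        if sp == -1:
            break  # the length prefix itself is still arriving
        end = sp + 1 + int(prefix)
        if end > len(stream):
            break  # the message body is still arriving
        messages.append(stream[sp + 1:end])
        pos = end
    return messages, stream[pos:]

def parse_delimited(stream: bytes, delimiter: bytes = b"\n"):
    """Split on the trailer; an embedded delimiter silently splits a message."""
    *complete, leftover = stream.split(delimiter)
    return complete, leftover

def demo():
    """Frame the same events both ways and parse them back."""
    counted = b"".join(frame_octet_counting(m) for m in EVENTS)
    delimited = b"".join(frame_delimited(m) for m in EVENTS)
    return parse_octet_counting(counted)[0], parse_delimited(delimited)[0]

if __name__ == "__main__":
    by_count, by_lf = demo()
    print(len(EVENTS), "sent;", len(by_count), "by octet counting;", len(by_lf), "by LF")
    for fragment in by_lf:
        print("  LF frame:", fragment)
```

The LF parser returns three frames for two events because the first message contains an LF. The octet-counting parser raises an error on a stream that does not begin with a length, which is how a framing mismatch between the appliance and the syslog server shows up on the receiving side.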

    To verify a syslog server

    desktop client:

    1. Navigate to Administrative Tools | Settings | External Integration | Syslog.
    2. When configuring the syslog server, add the test event. For more information, see To configure a syslog server.
    3. Select the syslog server configuration on the grid you want to test.
    4. Select Send Test Event. Safeguard for Privileged Passwords logs a test message to the designated syslog server.

    web client:

    1. Navigate to External Integration | Syslog Events.

    2. Click Send Test Event. For more information, see Syslog Events.

    Syslog Events

    web client only

    You can configure audit event logs to be sent to a syslog server (cluster-wide). Audit events include connection, closure, and failures. Failures include the reason, the initiator, and the target. For example, a certificate validation failure will include the initiator and the target.

    Debug logging to a syslog server is also available and is appliance specific (see Debug).

    To configure audit event logs to send to a syslog server

    1. You will need a configured syslog server. If you have not configured a syslog server, you will see a message like this: To configure additional debug logging options, you need to configure a syslog server. Click Configure a syslog server. For more information, see Configuring and verifying a syslog server.
    2. Navigate to External Integration | Syslog Events.
    3. The Syslog Events pane displays the following.
    Table 220: Syslog server: Properties

    Property: Description

    Syslog Server: The name of the syslog server

    Facility: The type of program being used to create syslog messages (for example, User or Mail)

    Log Format: The format which can be CEF or JSON

    Description: The description of the syslog event

    # of Events: The number of events selected to be logged to the syslog server

    Use these toolbar buttons to manage the syslog server configurations.

    Table 221: Syslog server: Toolbar

    Option: Description

    Add: Add a new syslog server configuration. For more information, see Configuring and verifying a syslog server.

    Remove: Remove the selected syslog server configuration from Safeguard for Privileged Passwords.

    Edit: Modify the selected syslog server configuration.

    Copy Syslog Template: Clone the selected syslog server configuration.

    Refresh: Update the list of syslog server configurations.

    Send Test Event: To send a test message to the designated syslog server

    Add a syslog event subscriber

    web client only

    It is the responsibility of the Appliance Administrator to add an event subscriber.

    To add an event subscriber

    1. Navigate to External Integration | Syslog Events.
    2. Click Add to display the Syslog Events dialog.
    3. In the Syslog Events dialog, enter the following:

      1. Syslog Server: Select the server to which you want to send the events.

      2. Description: Enter the description of the syslog event.
      3. Subscribe to All Events: Select this check box to subscribe to all events, including new events that may be added in the future. If unselected, select specific events.

        Make sure that the user creating the Syslog Event entry has sufficient permission to receive all of the events configured. If the Syslog Event entry is configured by a user with inadequate permissions to receive all the events that are configured, some events may not be received. If this happens, delete the Syslog Event entry and recreate it as a user that has sufficient permission.

      4. If you left Subscribe to All Events unselected, click Browse then select the check boxes of the Events to which you want to subscribe. You can enter characters then click Search to limit the events that are displayed. Click OK.

      5. Facility: Select which syslog facility to send, for example User or Mail.
      6. Log Format: Select between Common Event Format (CEF) or JavaScript Object Notation (JSON).
      7. If you select JSON, enter the Attribute Prefix which is text that will be prepended to the JSON attributes.
    4. Click OK.