Configuring receipt of FreeIPA events
You can configure the receipt of FreeIPA events in KUMA via the Syslog protocol.
Configuring event receiving consists of the following steps:
- Configuring export of FreeIPA events to KUMA.
- Creating a KUMA collector for receiving FreeIPA events.
To receive FreeIPA events, in the KUMA Collector Setup Wizard, at the Event parsing step, in the Normalizer field, select [OOTB] FreeIPA.
- Installing the KUMA collector in the network infrastructure.
- Verifying receipt of FreeIPA events by KUMA.
To verify that the FreeIPA event source server is configured correctly, you can search for related events.
Configuring export of FreeIPA events to KUMA
To configure the export of FreeIPA events to KUMA via the Syslog protocol in JSON format:
- Connect to the FreeIPA server via SSH using an account with administrator rights.
- In the /etc/rsyslog.d/ directory, create a file named freeipa-to-siem.conf.
- Add the following lines to the /etc/rsyslog.d/freeipa-to-siem.conf configuration file:
# Load the file input module that tails the FreeIPA log files listed below
$ModLoad imfile
# Apache error log (FreeIPA web UI and API)
input(type="imfile"
File="/var/log/httpd/error_log"
Tag="tag_FreeIPA_log_httpd")
# 389 Directory Server audit log; each multi-line entry starts with "time:"
input(type="imfile"
File="/var/log/dirsrv/slapd-*/audit"
Tag="tag_FreeIPA_log_audit"
StartMsg.regex="^time:")
# 389 Directory Server errors and access logs
input(type="imfile"
File="/var/log/dirsrv/slapd-*/errors"
Tag="tag_FreeIPA_log_errors")
input(type="imfile"
File="/var/log/dirsrv/slapd-*/access"
Tag="tag_FreeIPA_log_access")
# Kerberos KDC log (authentication requests, ticket issuance, failures)
input(type="imfile"
File="/var/log/krb5kdc.log"
Tag="tag_FreeIPA_log_krb5kdc")
# JSON output template; option.json="on" escapes property values so the output stays valid JSON
template(name="ls_json" type="list" option.json="on") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339")
constant(value="\",\"@version\":\"1")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="fromhost")
constant(value="\",\"host_ip\":\"") property(name="fromhost-ip")
constant(value="\",\"logsource\":\"") property(name="fromhost")
constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
constant(value="\",\"severity\":\"") property(name="syslogseverity")
constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility")
constant(value="\",\"program\":\"") property(name="programname")
constant(value="\",\"pid\":\"") property(name="procid")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}\n")
}
# Forward only the FreeIPA inputs (all tags share the tag_FreeIPA_log prefix) and stop further processing
if $syslogtag contains 'tag_FreeIPA_log' then {
action(type="omfwd"
target="<IP address of KUMA collector>"
port="<port of KUMA collector>"
protocol="<udp or tcp>"
template="ls_json")
stop
}
- Add the following line to the /etc/rsyslog.conf configuration file:
$RepeatedMsgReduction off
- Save changes to the configuration file.
- Restart the rsyslog service by executing the following command:
sudo systemctl restart rsyslog.service
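Before the KUMA collector is installed, a small stand-in receiver lets you confirm that rsyslog really emits well-formed ls_json events from the FreeIPA inputs. The script below is an added example, not KUMA or FreeIPA code; it assumes the UDP protocol and port 5140 in the forwarding action, and the SAMPLE line is constructed in the shape the template produces.

```python
"""Stand-in receiver that validates the JSON events rsyslog forwards (added
example, not KUMA or FreeIPA code; UDP and port 5140 are assumptions)."""
import json
import socket
import sys

# Keys that the ls_json template in freeipa-to-siem.conf always emits.
REQUIRED_KEYS = {"@timestamp", "@version", "message", "host", "host_ip",
                 "logsource", "severity_label", "severity", "facility_label",
                 "facility", "program", "pid", "syslogtag"}
TAG_PREFIX = "tag_FreeIPA_log"  # prefix the rsyslog filter matches on
# Constructed sample of one forwarded audit-log event (not real output).
SAMPLE = ('{"@timestamp":"2024-01-01T00:00:00+00:00","@version":"1","message":"time: 20240101000000",'
          '"host":"ipa","host_ip":"10.0.0.5","logsource":"ipa","severity_label":"notice","severity":"5",'
          '"facility_label":"local0","facility":"16","program":"tag_FreeIPA_log_audit","pid":"-",'
          '"syslogtag":"tag_FreeIPA_log_audit"}')

def parse_event(line: str) -> dict:
    """Parse one forwarded line; raise ValueError if it is not a FreeIPA event."""
    event = json.loads(line)  # JSONDecodeError is a ValueError subclass
    missing = REQUIRED_KEYS - event.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    tag = event["syslogtag"]
    if not tag.startswith(TAG_PREFIX + "_"):
        raise ValueError(f"unexpected syslogtag {tag!r}")
    # "tag_FreeIPA_log_audit" -> "audit" (a trailing ":" is tolerated if one was configured)
    event["source"] = tag[len(TAG_PREFIX) + 1:].rstrip(":")
    return event

def is_freeipa_event(line: str) -> bool:
    """True if the line is a well-formed event from one of the FreeIPA inputs."""
    try:
        parse_event(line)
        return True
    except ValueError:
        return False

def serve(port: int = 5140, bufsize: int = 65535) -> None:
    """Receive UDP datagrams from rsyslog and report each line's validity."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (addr, _) = sock.recvfrom(bufsize)
            for line in data.decode("utf-8", "replace").splitlines():
                try:
                    ev = parse_event(line)
                    print(f"OK  {addr} {ev['source']:<8} {ev['message'][:80]}")
                except ValueError as exc:
                    print(f"BAD {addr} {exc}: {line[:80]}")

if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 5140)
```

Point the forwarding action at the host running this script, then trigger activity on the FreeIPA server (for example a login) and watch for OK lines per source; a BAD line means the template or filter needs correcting before the real collector is set up.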