Question

SanBan Member since 2015 10 posts
Cognizant Technology Solutions
Posted: 11 months ago
Last activity: 11 months 3 weeks ago

Capturing Custom Security Event in rSyslogd

Hi - We have a requirement where the custom security log, implemented through the use of the OOTB method tools.getSecEventLogger().logCustomEvent, needs to be pushed into syslog. We changed prlog4j2.xml (Pega 7.3.1) and added one logger as below:

<!-- START OF CUSTOM LOGGING FOR SIEM -->
<Logger name="com.pega.pegarules.session.internal.mgmt.SecurityEventLogger" additivity="false" level="info">
    <AppenderRef ref="SECURITYEVENTSYSLOG"/>
</Logger>
<!-- END OF CUSTOM LOGGING FOR SIEM -->

Then added the below within Appender:

<!-- START OF CUSTOM ENTRY FOR SIEM -->
<Syslog name="SECURITYEVENTSYSLOG" format="RFC5424" host="10.9.145.36" port="514"
        protocol="UDP" appName="APP14722" connectTimeoutMillis="10000"
        reconnectionDelayMillis="5000" facility="local0" newLine="false"
        messageId="PegaAudit">
    <LoggerFields>
        <KeyValuePair key="thread" value="%t"/>
        <KeyValuePair key="priority" value="%p"/>
        <KeyValuePair key="category" value="%c"/>
        <KeyValuePair key="exception" value="%ex"/>
    </LoggerFields>
</Syslog>
<!-- END OF CUSTOM LOGGER -->
Syslogd is running on 514; however, we are not seeing any custom security event captured in syslog.
Please can you review and advise what the possible issue is here. I have my doubts regarding how the Pega-decided Logger name will work with a different Appender.
***Edited by Moderator Marissa to update platform capability tags****
Security System Administration
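
A pre-deployment check for the Logger-to-Appender wiring asked about above, as an added example that is not part of the original post or Pega's own code: it confirms the file parses, that every AppenderRef names a defined appender, and lists the Syslog targets to compare against what the receiver listens on. The function names and the sample configuration (with a documentation address as host) are constructed for illustration, and names are compared as exact strings, which is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments in the post (host is a
# documentation address, not a value from the page).
SAMPLE = """<Configuration>
  <Appenders>
    <Syslog name="SECURITYEVENTSYSLOG" format="RFC5424" host="192.0.2.10"
            port="514" protocol="UDP" facility="local0"/>
  </Appenders>
  <Loggers>
    <Logger name="com.pega.pegarules.session.internal.mgmt.SecurityEventLogger"
            additivity="false" level="info">
      <AppenderRef ref="SECURITYEVENTSYSLOG"/>
    </Logger>
    <Root level="info"/>
  </Loggers>
</Configuration>"""


def check_config(xml_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A malformed file (stray or doubled quotes, unclosed tag) never loads.
        return [f"not well-formed XML: {exc}"]
    # Names of every appender declared directly under an <Appenders> element.
    defined = {a.get("name") for el in root.iter()
               if el.tag.lower() == "appenders" for a in el}
    findings = []
    for el in root.iter():
        refs = [r.get("ref") for r in el if r.tag.lower() == "appenderref"]
        for ref in refs:
            if ref not in defined:
                findings.append(f"{el.tag} {el.get('name')!r}: "
                                f"AppenderRef {ref!r} matches no appender")
        # A non-additive logger without its own appender sends events nowhere.
        if (el.tag.lower() == "logger" and el.get("additivity") == "false"
                and not refs):
            findings.append(f"Logger {el.get('name')!r}: additivity=false "
                            "and no AppenderRef, events are dropped")
    return findings


def syslog_targets(xml_text):
    """List (name, host, port, protocol) for each Syslog appender."""
    return [(s.get("name"), s.get("host"), s.get("port"), s.get("protocol"))
            for s in ET.fromstring(xml_text).iter() if s.tag.lower() == "syslog"]


if __name__ == "__main__":
    print(check_config(SAMPLE) or "wiring OK", syslog_targets(SAMPLE))
```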