Configure Syslog to Cull Events in AD Bridge
To collect sudo events and other system events that appear in syslog, you must configure syslog to write data to a location where the AD Bridge reapsysl service can find it and copy it to the local event log.
You can set an AD Bridge Group Policy setting to modify /etc/syslog.conf on target computers.
The reapsysl service creates three named pipes and picks up the syslog information written to them:
/var/lib/pbis/syslog-reaper/error /var/lib/pbis/syslog-reaper/warning /var/lib/pbis/syslog-reaper/information
To configure event forwarding using policy settings:
- In the Group Policy Management Console, create a Group Policy Object (GPO) for an organizational unit, and then edit the OU in the Group Policy Management Editor.
- In the console tree, expand Computer Configuration > Policies > Unix and Linux Settings > BeyondTrust Settings > Logging and Auditing Settings, and then click SysLog.
- Double-click SysLog, and then check the Define this policy setting box.
- At the bottom left, check the Enable AD Bridge Auditing box.
- Click OK.
Additionally, these settings can be changed on the agent machine. To configure syslog to write to the pipes, add the following lines to /etc/syslog.conf:
*.err /var/lib/pbis/syslog-reaper/error *.warning /var/lib/pbis/syslog-reaper/warning *.debug /var/lib/pbis/syslog-reaper/information
The last entry is not analogous to the first two. Some versions of syslog require a tab character rather than spaces to separate the two components of each line.
After you modify syslog.conf, you must restart the syslog service for the changes to take effect:
/etc/init.d/syslog restart
systemctl restart syslog
For more information, see the following:
- AD Bridge GPO Reference Guide.
- Your syslog documentation.