SSH log forwarding sends the recordings of SSH sessions to the customer's own log repository.
Prerequisites
To configure log forwarding, you first need to follow the instructions here.
Syslog Configuration
Edit logand.conf:
target_syslog_tag="ssh-audit-export"
target_log_type="syslog"
target_syslog_network="udp"
target_syslog_host="<host>:<port>"
Splunk Configuration
Prerequisites: Splunk HTTP Event Collector: https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/UsetheHTTPEventCollector
target_log_type="splunk"
target_splunk_sourcetype="<your_sourcetype>"
target_splunk_source="<your_source>"
target_splunk_index="<your_index>"
target_splunk_token="<your_token>"
target_splunk_url="<your_splunk_host_address>"
ELK / Logstash Configuration
target_log_type="logstash"
target_logstash_dns="localhost:8911"
target_logstash_protocol="tcp"
Configure your Logstash to use the same port and protocol:
Add to logstash.conf:
input { tcp { port => 8911 codec => json } }
ELK Elasticsearch Configuration
target_log_type="elasticsearch"
target_elasticsearch_host="host"
target_elasticsearch_nodes="http://host1:9200,http://host2:9200"
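All four target blocks above share the same key="value" line format, so a small validator can catch a block whose placeholders were never filled in before the configuration is put into service. The following script is an added example, not code from the product or from this page; it assumes logand.conf is a flat file of key="value" lines with optional # comments (which is what the snippets above show), and its lists of required keys are taken from the sections on this page.

```python
import re
from typing import Dict, List

# Keys each target_log_type needs, taken from the sections of this page.
REQUIRED = {
    "syslog": ["target_syslog_tag", "target_syslog_network", "target_syslog_host"],
    "splunk": ["target_splunk_sourcetype", "target_splunk_source",
               "target_splunk_index", "target_splunk_token", "target_splunk_url"],
    "logstash": ["target_logstash_dns", "target_logstash_protocol"],
    "elasticsearch": ["target_elasticsearch_host", "target_elasticsearch_nodes"],
}
ENDPOINT = {"syslog": ("target_syslog_host", "target_syslog_network"),   # host:port + udp/tcp
            "logstash": ("target_logstash_dns", "target_logstash_protocol")}
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def parse_logand_conf(text: str) -> Dict[str, str]:
    """Read key="value" lines as written on this page; blank and '#' lines are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def check_forwarding(conf: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the target block is complete."""
    problems: List[str] = []
    kind = conf.get("target_log_type")
    if kind not in REQUIRED:
        return [f"unknown or missing target_log_type: {kind!r}"]
    for key in REQUIRED[kind]:
        if not conf.get(key) or conf[key].startswith("<"):   # empty, or a <placeholder> left in
            problems.append(f"{key} is missing or still a <placeholder>")
    if kind in ENDPOINT:
        host_key, proto_key = ENDPOINT[kind]
        if conf.get(proto_key) not in ("udp", "tcp"):
            problems.append(f"{proto_key} must be udp or tcp")
        if conf.get(host_key) and not HOST_PORT.match(conf[host_key]):
            problems.append(f"{host_key} must be host:port")
    if kind == "elasticsearch":
        nodes = [n for n in conf.get("target_elasticsearch_nodes", "").split(",") if n]
        if not all(n.startswith(("http://", "https://")) for n in nodes):
            problems.append("target_elasticsearch_nodes must be comma-separated URLs")
    return problems
```

Run it against the file before restarting the service: an empty list means every key the chosen target needs is present and no <placeholder> from the template survived.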