Enhanced Audit Logging in WildFly Elytron - RFC Support and Reliability/Speed Customization


Overview

WildFly Elytron's audit logging capabilities are currently being enhanced. In this blog post, I will give an overview of the enhancements being added: support for an additional RFC, and the ability to configure how many times Elytron should attempt to connect to a syslog server.

Additional RFC Support

RFC Formats

WildFly Elytron's syslog audit logging currently supports only RFC 5424, but some users may wish to use the legacy RFC 3164 format. Elytron is now being enhanced to support this additional RFC through a new syslog-format parameter. The parameter defaults to the currently supported RFC 5424 and accepts the value RFC3164; RFC5424 can also be set explicitly. The parameter can be used on the WildFly CLI in the following ways:

/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,syslog-format=RFC3164)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,syslog-format=RFC5424)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost)

Additional RFC Events

Rfc3164SyslogEvent and Rfc5424SyslogEvent

Two new publicly accessible SecurityEvent classes have been added to WildFly Elytron, along with the publicly accessible abstract class SyslogAuditEvent. These new events provide more information about what is being sent to the syslog server, exposing the syslog-format alongside the standard security-identity and event-time values.

Audit Logging Enabled Message

WildFly Elytron will now send a syslog message to the syslog server when syslog audit logging is enabled, so that users can verify that both the connection and the syslog server are working. This new message consists of "Elytron audit logging enabled with RFC format:" followed by the configured syslog-format, and is sent with a priority of Informational.
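As an added example that is not part of this post or of Elytron's own code, the following receiver-side check classifies incoming syslog lines as RFC 3164 or RFC 5424, decodes the priority, and looks for the "Elytron audit logging enabled with RFC format:" message so the configured syslog-format can be confirmed from the server end and compared with the wire format actually received. The sample lines are constructed; the exact field layout Elytron emits (app name, structured data, event JSON) is an assumption.

```python
import re

# Constructed sample lines in the shape of the two formats; the host, timestamp,
# app name and event JSON are made up, not captured Elytron output.
SAMPLES = [
    "<14>1 2024-03-01T10:15:30.123Z localhost WildFly - - - "
    "Elytron audit logging enabled with RFC format: RFC5424",
    "<14>Mar  1 10:15:30 localhost WildFly: "
    "Elytron audit logging enabled with RFC format: RFC3164",
    "<14>1 2024-03-01T10:15:31.000Z localhost WildFly - - - "
    '{"event":"SecurityAuthenticationSuccessfulEvent","security-identity":{"name":"admin"}}',
]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"\S+ \S+ (?:-|\[.*?\]) ?(?P<msg>.*)$")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
ENABLED_PREFIX = "Elytron audit logging enabled with RFC format:"
SEVERITY_INFO = 6  # syslog severity code for Informational

def parse(line):
    """Classify one line by wire format and split PRI into facility/severity."""
    for fmt, rx in (("RFC5424", RFC5424), ("RFC3164", RFC3164)):
        m = rx.match(line)
        if m:
            pri = int(m.group("pri"))
            return {"format": fmt, "facility": pri >> 3, "severity": pri & 7,
                    "host": m.group("host"), "msg": m.group("msg")}
    raise ValueError("unrecognised syslog line: %r" % line)

def enabled_format(rec):
    """Return the RFC format announced by the enable message, else None."""
    if rec["msg"].startswith(ENABLED_PREFIX) and rec["severity"] == SEVERITY_INFO:
        return rec["msg"][len(ENABLED_PREFIX):].strip()
    return None

def check_stream(lines):
    """Summarise received lines: wire formats, announced formats, and any
    enable message whose announced format differs from its wire format."""
    records = [parse(line) for line in lines]
    announced = [enabled_format(r) for r in records]
    mismatches = [r["format"] for r, a in zip(records, announced) if a and a != r["format"]]
    return {"formats": [r["format"] for r in records],
            "announced": [a for a in announced if a],
            "mismatches": mismatches}
```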

Reliability vs Speed

Users will now be able to limit how many times WildFly Elytron attempts to resend a message to the syslog server, whereas currently it retries forever. This new optional parameter is called "reconnect-attempts" and has a default value of -1 on the WildFly CLI. The values available to the parameter and their meaning are:

Value             Use
-1                Always attempt to resend the message
0                 Never attempt to resend the message (results in an IOException if message sending fails)
Positive integer  Attempt to resend the message n times (results in an IOException if message sending still fails after n attempts)

On the WildFly CLI, these values look like the following (infinite resends, no resends, n resends, and the default of infinite resends):

/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,reconnect-attempts=-1)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,reconnect-attempts=0)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,reconnect-attempts=50)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost)

Summary

This blog post has given an overview of upcoming changes to enhance audit logging in WildFly Elytron: the addition of a syslog-format parameter and a reconnect-attempts parameter, two new SecurityEvents and a new abstract SecurityEvent, and an initial connect message.
