Enhanced Audit Logging in WildFly Elytron - RFC Support and Reliabiliity/Speed Customization Update

rfc_support_reliability_customization_final

Enhancing Audit Logging in WildFly Elytron - RFC Support and Configuring Reconnects Update

Overview

In WildFly 18, audit logging in WildFly Elytron has now been enhanced with additional audit logging capabilities, with additional RFC Support and the ability to configure how many times Elytron should attempt to send messages to a syslog server when an error sending is encountered. This blog post will give an overview about the enhancements that have been added and some examples on how to use these new enhancements. Some sections of this blog post have already been detailed in the original blog post detailing the enhancements that were being worked on, available at: https://justinwildfly.blogspot.com/2019/06/enhanced-audit-logging-in-wildfly.html

Additional RFC Support

RFC Formats

WildFly Elytron’s syslog audit logging currently only supports RFC 5424, but some users may wish to use the legacy RFC 3164. Elytron is now being enhanced to provide support for this additional RFC through the addition of a syslog-format parameter. This new parameter will default to the current supported value of RFC 5424 and will support the value of RFC 3164, or can be explicitly set as RFC 5424. The parameter can be used on the WildFly CLI in the following ways:

/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,syslog-format=RFC3164)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,syslog-format=RFC5424)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost)

Additional RFC Events

Rfc3164SyslogEvent and Rfc5424SyslogEvent

Two new publicly accessible SecurityEvent classes have been added to WildFly Elytron, along with the publicly accessible abstract class SyslogAuditEvent. These new events can be used to provide more information on what is being sent to the syslog-server, showing the syslog-format along with the standard security-identity and event-time values.

Audit Logging Enabled Message

WildFly Elytron will now send a syslog message to the syslog server when the syslog audit logging is enabled, to allow the user to verify their connection and syslog server are both working. This new message will consist of “Elytron audit logging enabled with RFC format:” followed by the syslog-format that has been set, with a priority of Informational.

Reliability vs Speed

Users will now be able to limit how many times WildFly Elytron will attempt to resend a message to the syslog-server, as compared to currently trying to resend the message forever. This new parameter is called “reconnect-attempts” and is an optional parameter on the WildFly CLI with a default value of -1. The following values available to the parameter and their use are:

Value Use
-1 Always attempt to send audit messages, regardless of the amount of previous failures
0 Only attempt to send a single message, which would be the initial connection message, before closing the endpoint if there was an error sending
Positive integer Closes the endpoint if there messages failed to send n times

On the WildFly CLI, these values would look like, with infinite, no resends, n resends, default of infinite:

/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,reconnect-attempts=-1)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,reconnect-attempts=0)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost,reconnect-attempts=50)
/subsystem=elytron/syslog-audit-log=syslog-test:add(server-address="127.0.0.1",port=10999,transport=UDP,host-name=localhost)

Summary

This blog post provides some information about enhancements to WildFly Elytron’s audit logging, in particular it talks about the addition of a syslog-format parameter and a reconnect-attempts parameter for syslog audit logging, two new SecurityEvents and a new abstract SecurityEvent, and an initial connect message.

Comments

Popular posts from this blog

Converting Legacy Properties Files into a FileSystemRealm with Elytron Tool

Enhanced Audit Logging in WildFly Elytron - RFC Support and Reliabiliity/Speed Customization

Dynamically Generating KeyStores, TrustStores, and Certificates with WildFly Elytron