How to configure Syslogging on the WiKID Two-factor authentication server

Knowing what's going on in your network is key, for both security and user management. Setting up syslogging enables feeding logs to Splunk or other SIEMs for more visiblity.

We'll be adding rsyslog to the WiKID server itself. This is for Centos/Redhat or our ISO/virtual image. Let us know if you need Ubuntu instructions. You can change the remote host as shown below if you prefer.

Install rsyslog:

# yum install rsyslog

You need to disable syslog:

service syslog stop

Add the following to /etc/rsyslog.conf at the bottom of the file:

#load the kernel logger module
$ModLoad imklog
#load the UNIX sockets module to receive local messages from processen
$ModLoad imuxsock
#load UDP powers, to receive messages via the UDP protocol
$ModLoad imudp
#make rsyslog listen on all ip addresses, you could specify an address
$UDPServerAddress 0.0.0.0
#make rsyslog listen on UDP port 514
$UDPServerRun 514
#repeated lines will be reduced
$RepeatedMsgReduction on ()

Start rsyslog:

service rsyslog start

That's it for rsyslog, now let's tell WiKID to send the logs to syslog.

Edit the file /etc/WiKID/log4j.properties. Read the comments for instructions (as they may be more up-to-date than this doc). In general, command the third line and uncomment the 5th line. Then uncomment the lines for syslog. The file should look like:

# Logging detail level,
# Must be one of ("trace", "debug", "info", "warn", "error", or "fatal").
#log4j.rootLogger=DEBUG, socketLogger

# comment the line above and uncomment the line below to use syslog
log4j.rootLogger=DEBUG, socketLogger, Syslog

# comment out the rootLogger above and uncomment the line below to output logs to the console
#log4j.rootLogger=DEBUG, socketLogger, A1

log4j.appender.socketLogger=org.apache.log4j.net.SocketAppender
log4j.appender.socketLogger.RemoteHost=localhost
log4j.appender.socketLogger.Port=8300
log4j.appender.socketLogger.LocationInfo=true

# Uncomment the lines below if using syslog
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.layout.ConversionPattern=%-5p %c{2} [%t,%M:%L] %m%n
log4j.appender.Syslog.SyslogHost=localhost
log4j.appender.Syslog.Facility=USER
log4j.appender.Syslog.FacilityPrinting=true

# A1 is set to be a ConsoleAppender.
log4j.appender.A1=org.apache.log4j.ConsoleAppender

# A1 uses PatternLayout.
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n

log4j.logger.com.wikidsystems.radius.access.WikidAccess4=INFO
log4j.logger.com.mchange.v2.resourcepool.BasicResourcePool=INFO
log4j.logger.com.mchange.v2.c3p0.impl=INFO

NB: You can change the line 'log4j.appender.Syslog.SyslogHost=localhost' to point to a remote host if you prefer.

Now, run:

tail -f /var/log/messages

And login to a see the logs. Here's a typical log where a user gets an OTP from the WiKID software token, the server validates it and grants access:

Sep 12 10:20:35 localhost.localdomain user: INFO server.DeviceTransactionExec [http-bio-80-exec-3,processPasscodeRequest:717] Issued passcode to device -2607729168221619508
Sep 12 10:20:39 localhost.localdomain user: INFO access.WikidAccess4 [Session.0,authenticate:293] Access granted for nowen, domain code: 192168001102 client: /192.168.1.74
Sep 12 10:20:39 localhost.localdomain user: INFO log.DBSvrLogImpl [Session.0,write:44] <7> Access-Accept(2) LEN=115 192.168.1.74:33569 Access-Request by nowen succeeded

Questions? Feedback?Olark live chat software