Introduction:
This document describes the steps required to route CA Privileged Identity Manager r12.8 events from JBoss to the Windows Event Log, so that the routed events can be used to monitor activity inside ENTM with third-party SIEM software.
Question:
How can events be routed from JBoss to the Windows Event Log?
Environment:
CA Privileged Identity Manager 12.8 running on Windows Server 2008 R2.
Answer:
1) Download the full log4j 1.2.17 package from: http://archive.apache.org/dist/logging/log4j/1.2.17/log4j-1.2.17.zip
2) Inside the ZIP file you will find two DLLs:
- NTEventLogAppender.amd64.dll (for 64-bit machines)
- NTEventLogAppender.dll (for 32-bit machines)
Extract the DLL for your system's architecture to C:\WINDOWS\System32 on your ENTM server. If your system is 64-bit, rename the extracted DLL to NTEventLogAppender.dll.
3) Stop the JBoss server.
4) Edit the file jboss-log4j.xml, which can be found in the following path: jboss-4.2.3.GA\server\default\conf
5) Add the following appender configuration to the jboss-log4j.xml file, right after the CONSOLE appender block:
<appender name="ENTM_NTEventLog" class="org.apache.log4j.nt.NTEventLogAppender">
    <param name="Source" value="CA Access Control Enterprise Management"/>
    <param name="Threshold" value="INFO"/>
    <layout class="org.apache.log4j.SimpleLayout"/>
</appender>
6) Add the following line inside the <root> block:
<appender-ref ref="ENTM_NTEventLog"/>
Your <root> block will then look similar to the following:
<root>
    <appender-ref ref="CONSOLE"/>
    <appender-ref ref="FILE"/>
    <appender-ref ref="ENTM_NTEventLog"/>
</root>
7) Start JBoss.
Now you should be able to find the information in the Windows Event Viewer, under the Application log, with the Source set to the value configured in the appender ("CA Access Control Enterprise Management"). To monitor, for example, Check-in events, look for the following text inside the event's description:
INFO - Administrator: CN=Privileged Identity Manager Administrator,OU=IT,OU=Company,DC=ca,DC=lab selects the action: CHECKIN on account: eTDYNAccountName=hr.three,eTDYNAccountContainerName=Accounts,eTDYNDirectoryName=Lab DC1,eTNamespaceName=Windows Agentless,dc=im,dc=etasa
To monitor Check-out events, look for the following text inside the event's description:
INFO - Administrator: CN=Privileged Identity Manager Administrator,OU=IT,OU=Company,DC=ca,DC=lab selects the action: CHECKOUT on account: eTDYNAccountName=hr.three,eTDYNAccountContainerName=Accounts,eTDYNDirectoryName=Lab DC1,eTNamespaceName=Windows Agentless,dc=im,dc=etasa
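As an added example (not part of the original article), the following Python code parses event descriptions of the form shown above into structured records and replays a sequence of them to list accounts that were checked out but never checked back in, which is the condition a SIEM rule would typically watch for. The sample lines are constructed from the two quoted descriptions; the "hr.four" account and the "Server started" line are assumed for illustration.

```python
import re

# Description text of the routed ENTM events, as quoted in the article:
# "INFO - Administrator: <admin DN> selects the action: <ACTION> on account: <account DN>"
EVENT_RE = re.compile(r"^INFO - Administrator: (?P<admin>.+?) selects the action: "
                      r"(?P<action>[A-Z]+) on account: (?P<account>.+)$")

def parse_dn(dn: str) -> dict:
    """Split an LDAP-style DN ('k1=v1,k2=v2,...') into its attributes (no escaped commas here)."""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs

def parse_event(description: str):
    """Structured record for a CHECKIN/CHECKOUT description; None for any other routed INFO line."""
    m = EVENT_RE.match(description.strip())
    if not m:
        return None
    account = parse_dn(m.group("account"))
    return {"admin_dn": m.group("admin"), "action": m.group("action"),
            "account": account.get("eTDYNAccountName"),
            "endpoint": account.get("eTDYNDirectoryName")}

def open_checkouts(descriptions) -> dict:
    """Replay descriptions in order and return accounts checked out but not yet checked in,
    keyed by (account, endpoint) and mapped to the admin DN holding them. A stale entry is
    what a SIEM rule for unreturned privileged credentials would alert on."""
    held = {}
    for text in descriptions:
        ev = parse_event(text)
        if ev is None:
            continue  # not a check-in/check-out event
        key = (ev["account"], ev["endpoint"])
        if ev["action"] == "CHECKOUT":
            held[key] = ev["admin_dn"]
        elif ev["action"] == "CHECKIN":
            held.pop(key, None)
    return held

# Constructed sample descriptions modelled on the two quoted in the article.
ADMIN = "CN=Privileged Identity Manager Administrator,OU=IT,OU=Company,DC=ca,DC=lab"
ACCOUNT = ("eTDYNAccountName={name},eTDYNAccountContainerName=Accounts,"
           "eTDYNDirectoryName=Lab DC1,eTNamespaceName=Windows Agentless,dc=im,dc=etasa")
SAMPLE_EVENTS = [
    f"INFO - Administrator: {ADMIN} selects the action: CHECKOUT on account: {ACCOUNT.format(name='hr.three')}",
    "INFO - Server started in 4521ms",  # unrelated INFO line routed by the same appender (assumed)
    f"INFO - Administrator: {ADMIN} selects the action: CHECKIN on account: {ACCOUNT.format(name='hr.three')}",
    f"INFO - Administrator: {ADMIN} selects the action: CHECKOUT on account: {ACCOUNT.format(name='hr.four')}",
]
```

Calling open_checkouts(SAMPLE_EVENTS) leaves only hr.three fully returned and reports hr.four on "Lab DC1" as still held by the administrator.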
Additional Information:
N/A