JSON/Leaf Syslog Formatting for remote logging

[Garrett B]

Can the ability to have the log format of JSON (Key Value Pair)/Leaf be added to password state when setting up forwarding to a remote syslog server? This would assist with building alerting and correlation around password state activity in a SIEM. Currently the log format varies so much and it makes it difficult to extract our field such as: source user, event type, action, resource accessed.

[mUser]

Hello,

is there any progress on this topic yet?
We also need the possibility to forward the syslog messages to a SIEM in a structured way.

 

Currently there is only one ID (110) for all events and the sent text has no clear structure, which makes it cumbersome to filter out the needed information.

So far, only the description from the passwordstate audit log is sent along, which we have to edit via regex to get the desired information.

 

Best regards.

[support]

Hello,

 

Unfortunately there has been no progress on this, as there has not been any customers voting on this feature so far.

Could you be specific about the data you wish to send across, and it what format?

Thanks

Click Studios

[John Berkers]

We would like to request the same.  We have been using PasswordState for a long time (8 or 9 years?), and have added it to our SIEM for correlation.  The major issue is that the Syslog messages are far too "English" to be easily parsed with Regular Expressions.

 

Having an option to send the data in a structured, machine parsable, way would make ingestion into a SIEM much easier.  We don't really care which standard is followed, so long as it is consistent.

 

Formats typically supported by SIEMs are:

 

• LEEF
• CEF
• JSON
• Key Value Pairs (key1='value1' key2='value2' or key1: value1; key2: value2)

We would be looking for the following information in the logs (not necessarily in this order):

 

For password operations:

• Operation Performed
• Who performed it (domain\user or user@domain.net, display name is optional, or API)
• Client IP/hostname
• Result (Success/Fail)
• Full path to password list (group/folder structure)
• PasswordList ID
• PasswordEntry Title
• PasswordEntry ID
• PasswordEntry Username

 

For authentication events:

 

Authentication could be split across multiple logs

• Authentication against Primary Authentication Server
• Authentication against additional Authentication server (eg. MFA, token, etc)

For these we would expect

 

• Authentication Server Name
• Authentication Method (AD, LDAP, SAML, OAuth, etc)
• Auth status (success/fail)
• Auth status reason (if available) eg. account locked, account disabled, account does not exist, etc

For host operations:

 

• Operation Performed
• Who performed it (domain\user or user@domain.net, display name is optional, or API)
• Client IP/hostname
• Result (Success/Fail)
• Full path to host (group/folder structure)
• HostEntry ID
• HostEntry Hostname
• HostEntry Site
• HostEntry IP
• Connection Port

Some additional information may be useful, but this would be among the minimum critical information.

 

Hopefully enough people are interested in this to make it happen.

 

Regards,

JohnB

 

[support]

Thanks for the feedback John.

 

With your requirements, that would be quite a large redesign of our auditing feature, as we do not store most of this data in the Auditing table, with some of it being combined in the Description field.

 

We appreciate the feedback though.

Regards

Click Studios

[MarkusR]

We would like to request the same.
Please implement RFC conform Syslog Export following RFC https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.4