
Add the ability to log in the CommonEventFormat.

rkeil 7 years ago
parent
commit
97e6451380

+ 0 - 5
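--- a/server/src/main/java/password/pwm/config/PwmSetting.java
+++ b/server/src/main/java/password/pwm/config/PwmSetting.java
@@ -273,7 +273,6 @@ public enum PwmSetting {
     LDAP_ENABLE_WIRE_TRACE(
             "ldap.wireTrace.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.LDAP_GLOBAL),
 
-
     // email settings
     EMAIL_SERVER_ADDRESS(
             "email.smtp.address", PwmSettingSyntax.STRING, PwmSettingCategory.EMAIL_SETTINGS),
@@ -664,10 +663,6 @@ public enum PwmSetting {
 
     AUDIT_COMMONEVENTFORMAT_ENABLE(
             "audit.CommonEventFormat.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.AUDIT_FORWARD),
-    AUDIT_COMMONEVENTFORMAT_SERVERS(
-            "audit.CommonEventFormat.servers", PwmSettingSyntax.STRING_ARRAY, PwmSettingCategory.AUDIT_FORWARD),
-    AUDIT_COMMONEVENTFORMAT_CERTIFICATES(
-            "audit.CommonEventFormat.certificates", PwmSettingSyntax.X509CERT, PwmSettingCategory.AUDIT_FORWARD),
 
     // challenge settings
     CHALLENGE_ENABLE(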

+ 16 - 47
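--- a/server/src/main/java/password/pwm/svc/event/AuditService.java
+++ b/server/src/main/java/password/pwm/svc/event/AuditService.java
@@ -74,13 +74,12 @@ public class AuditService implements PwmService {
     private ServiceInfoBean serviceInfo = new ServiceInfoBean(Collections.emptyList());
 
     private SyslogAuditService syslogManager;
-    private CEFAuditService cefManager;
     private ErrorInformation lastError;
     private UserHistoryStore userHistoryStore;
     private AuditVault auditVault;
+    private boolean cefEnabled = false;
 
     private PwmApplication pwmApplication;
-    private boolean cefEnabled = true;
 
     public AuditService() {
     }
@@ -92,9 +91,8 @@ public class AuditService implements PwmService {
     public void init(final PwmApplication pwmApplication) throws PwmException {
         this.status = STATUS.OPENING;
         this.pwmApplication = pwmApplication;
-
-        settings = new AuditSettings(pwmApplication.getConfig());
         cefEnabled = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AUDIT_COMMONEVENTFORMAT_ENABLE);
+        settings = new AuditSettings(pwmApplication.getConfig());
 
         if (pwmApplication.getApplicationMode() == null || pwmApplication.getApplicationMode() == PwmApplicationMode.READ_ONLY) {
             this.status = STATUS.CLOSED;
@@ -109,15 +107,10 @@ public class AuditService implements PwmService {
         }
 
         final List<String> syslogConfigString = pwmApplication.getConfig().readSettingAsStringArray(PwmSetting.AUDIT_SYSLOG_SERVERS);
-        final List<String> cefConfigString = pwmApplication.getConfig().readSettingAsStringArray(PwmSetting.AUDIT_COMMONEVENTFORMAT_SERVERS);
 
-        if ((syslogConfigString != null && !syslogConfigString.isEmpty()) || (cefConfigString != null && !cefConfigString.isEmpty())) {
+        if (syslogConfigString != null && !syslogConfigString.isEmpty()) {
             try {
-                if (cefEnabled) {
-                    cefManager = new CEFAuditService(pwmApplication);
-                } else {
-                    syslogManager = new SyslogAuditService(pwmApplication);
-                }
+                syslogManager = new SyslogAuditService(pwmApplication);
             } catch (Exception e) {
                 final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SYSLOG_WRITE_ERROR, "startup error: " + e.getMessage());
                 LOGGER.error(errorInformation.toDebugStr());
@@ -186,16 +179,10 @@ public class AuditService implements PwmService {
 
     @Override
     public void close() {
-        if (cefEnabled) {
-            if (cefManager != null) {
-                cefManager.close();
-            }
-        } else {
-            if (syslogManager != null) {
+
+        if (syslogManager != null) {
                 syslogManager.close();
             }
-        }
-
         this.status = STATUS.CLOSED;
     }
 
@@ -206,14 +193,9 @@ public class AuditService implements PwmService {
         }
 
         final List<HealthRecord> healthRecords = new ArrayList<>();
-        if (cefEnabled) {
-            if (cefManager != null) {
-                healthRecords.addAll(cefManager.healthCheck());
-            }
-        } else {
-            if (syslogManager != null) {
-                healthRecords.addAll(syslogManager.healthCheck());
-            }
+
+        if (syslogManager != null) {
+            healthRecords.addAll(syslogManager.healthCheck());
         }
         if (lastError != null) {
             healthRecords.add(new HealthRecord(HealthStatus.WARN, HealthTopic.Audit, lastError.toDebugStr()));
@@ -364,21 +346,12 @@ public class AuditService implements PwmService {
         }
 
         // send to syslog
-        if (cefEnabled) {
-            if (cefManager != null) {
-                try {
-                    cefManager.add(auditRecord);
-                } catch (PwmOperationalException e) {
-                    lastError = e.getErrorInformation();
-                }
-            }
-        } else {
-            if (syslogManager != null) {
-                try {
-                    syslogManager.add(auditRecord);
-                } catch (PwmOperationalException e) {
-                    lastError = e.getErrorInformation();
-                }
+
+        if (syslogManager != null) {
+            try {
+                syslogManager.add(auditRecord);
+            } catch (PwmOperationalException e) {
+                lastError = e.getErrorInformation();
             }
         }
 
@@ -457,10 +430,6 @@ public class AuditService implements PwmService {
     }
 
     public int syslogQueueSize() {
-        if (cefEnabled) {
-            return cefManager != null ? cefManager.queueSize() : 0;
-        } else {
-            return syslogManager != null ? syslogManager.queueSize() : 0;
-        }
+        return syslogManager != null ? syslogManager.queueSize() : 0;
     }
 }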
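Review bot: The `cefEnabled` field that this section re-declares (`private boolean cefEnabled = false;`) is still assigned in init() from `PwmSetting.AUDIT_COMMONEVENTFORMAT_ENABLE`, but none of the remaining hunks read it: every `if (cefEnabled)` branch in close(), healthCheck(), the send-to-syslog block and syslogQueueSize() is removed, and SyslogAuditService now reads the same setting in its own constructor. Unless a reader survives outside these hunks, the declaration and the assignment in init() are dead state and should be dropped so the format decision lives in one place. A style point in close(): `syslogManager.close();` keeps its old 16-space indent under the new 8-space `if`, which reads as a leftover nesting level, and the empty line the commit inserts at the top of close(), healthCheck() and the send-to-syslog block serves no purpose; reindent the call and remove those blank lines. healthCheck() and the method containing the send-to-syslog block start outside their hunks.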

+ 79 - 11
server/src/main/java/password/pwm/svc/event/SyslogAuditService.java

@@ -75,27 +75,26 @@ public class SyslogAuditService {
     private static final String SYSLOG_INSTANCE_NAME = "syslog-audit";
     private static final String SYSLOG_INSTANCE_NAME = "syslog-audit";
     private static final int LENGTH_OVERSIZE = 1024;
     private static final int LENGTH_OVERSIZE = 1024;
 
 
-
     private SyslogIF syslogInstance = null;
     private SyslogIF syslogInstance = null;
     private ErrorInformation lastError = null;
     private ErrorInformation lastError = null;
     private List<X509Certificate> certificates = null;
     private List<X509Certificate> certificates = null;
-
     private WorkQueueProcessor<String> workQueueProcessor;
     private WorkQueueProcessor<String> workQueueProcessor;
-
+    private List<SyslogIF> syslogInstances = new ArrayList<>();
 
 
     private final Configuration configuration;
     private final Configuration configuration;
     private final PwmApplication pwmApplication;
     private final PwmApplication pwmApplication;
-    private List<SyslogIF> syslogInstances = new ArrayList<>();
+    private static boolean cefEnabled = true;
 
 
     public SyslogAuditService(final PwmApplication pwmApplication)
     public SyslogAuditService(final PwmApplication pwmApplication)
             throws LocalDBException
             throws LocalDBException
     {
     {
+        cefEnabled = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AUDIT_COMMONEVENTFORMAT_ENABLE);
         this.pwmApplication = pwmApplication;
         this.pwmApplication = pwmApplication;
         this.configuration = pwmApplication.getConfig();
         this.configuration = pwmApplication.getConfig();
+
         this.certificates = configuration.readSettingAsCertificate(PwmSetting.AUDIT_SYSLOG_CERTIFICATES);
         this.certificates = configuration.readSettingAsCertificate(PwmSetting.AUDIT_SYSLOG_CERTIFICATES);
 
 
         final List<String> syslogConfigStringArray = configuration.readSettingAsStringArray(PwmSetting.AUDIT_SYSLOG_SERVERS);
         final List<String> syslogConfigStringArray = configuration.readSettingAsStringArray(PwmSetting.AUDIT_SYSLOG_SERVERS);
-
         try {
         try {
             for(String entry : syslogConfigStringArray) {
             for(String entry : syslogConfigStringArray) {
                 final SyslogConfig syslogCfg = SyslogConfig.fromConfigString(entry);
                 final SyslogConfig syslogCfg = SyslogConfig.fromConfigString(entry);
@@ -130,6 +129,7 @@ public class SyslogAuditService {
         }
         }
     }
     }
 
 
+
     private SyslogIF makeSyslogInstance(final SyslogConfig syslogConfig)
     private SyslogIF makeSyslogInstance(final SyslogConfig syslogConfig)
     {
     {
         final AbstractSyslogConfigIF syslogConfigIF;
         final AbstractSyslogConfigIF syslogConfigIF;
@@ -174,11 +174,21 @@ public class SyslogAuditService {
     }
     }
 
 
     public void add(final AuditRecord event) throws PwmOperationalException {
     public void add(final AuditRecord event) throws PwmOperationalException {
-        try {
-            final String syslogMsg = convertAuditRecordToSyslogMessage(event, configuration);
-            workQueueProcessor.submit(syslogMsg);
-        } catch (PwmOperationalException e) {
-            LOGGER.warn("unable to add email to queue: " + e.getMessage());
+
+        if (cefEnabled) {
+            try {
+                final String CEFMsg = convertAuditRecordToCEFMessage(event, configuration);
+                workQueueProcessor.submit(CEFMsg);
+            } catch (PwmOperationalException e) {
+                LOGGER.warn("unable to add email to queue: " + e.getMessage());
+            }
+        } else {
+            try {
+                final String syslogMsg = convertAuditRecordToSyslogMessage(event, configuration);
+                workQueueProcessor.submit(syslogMsg);
+            } catch (PwmOperationalException e) {
+                LOGGER.warn("unable to add email to queue: " + e.getMessage());
+            }
         }
         }
     }
     }
 
 
@@ -220,17 +230,20 @@ public class SyslogAuditService {
         syslogInstance = null;
         syslogInstance = null;
     }
     }
 
 
+
+
     private static String convertAuditRecordToSyslogMessage(
     private static String convertAuditRecordToSyslogMessage(
             final AuditRecord auditRecord,
             final AuditRecord auditRecord,
             final Configuration configuration
             final Configuration configuration
     )
     )
     {
     {
         final int maxLength = Integer.parseInt(configuration.readAppProperty(AppProperty.AUDIT_SYSLOG_MAX_MESSAGE_LENGTH));
         final int maxLength = Integer.parseInt(configuration.readAppProperty(AppProperty.AUDIT_SYSLOG_MAX_MESSAGE_LENGTH));
+        String jsonValue = "";
         final StringBuilder message = new StringBuilder();
         final StringBuilder message = new StringBuilder();
         message.append(PwmConstants.PWM_APP_NAME);
         message.append(PwmConstants.PWM_APP_NAME);
         message.append(" ");
         message.append(" ");
 
 
-        final String jsonValue = JsonUtil.serialize(auditRecord);
+        jsonValue = JsonUtil.serialize(auditRecord);
 
 
         if (message.length() + jsonValue.length() <= maxLength) {
         if (message.length() + jsonValue.length() <= maxLength) {
             message.append(jsonValue);
             message.append(jsonValue);
@@ -273,6 +286,61 @@ public class SyslogAuditService {
         return message.toString();
         return message.toString();
     }
     }
 
 
+    public static String convertAuditRecordToCEFMessage(final AuditRecord auditRecord, final Configuration configuration) {
+
+        //final String recordType = auditRecord.getType().name();
+        String recordString = "";
+        String translatedString = "";
+        if (auditRecord.getType().name().equals("USER")) {
+            final UserAuditRecord cefRecord = new UserAuditRecord(auditRecord.timestamp, auditRecord.eventCode, null, null, null,
+                    auditRecord.message, null, null);
+            recordString = JsonUtil.serialize(cefRecord);
+
+        } else if (auditRecord.getType().name().equals("SYSTEM")) {
+            final SystemAuditRecord cefRecord = new SystemAuditRecord(auditRecord.eventCode, auditRecord.message, null);
+            recordString = JsonUtil.serialize(cefRecord);
+        } else if (auditRecord.getType().name().equals("HELPDESK")) {
+            final HelpdeskAuditRecord cefRecord = new HelpdeskAuditRecord(auditRecord.timestamp, auditRecord.eventCode, null, null, null,
+                    auditRecord.message, null, null, null, null, null);
+            recordString = JsonUtil.serialize(cefRecord);
+        } else {
+            recordString = JsonUtil.serialize(auditRecord);
+        }
+        recordString = recordString.replace("\"", "");
+        recordString = recordString.replace("\\", "");
+        recordString = recordString.replace("{", "");
+        recordString = recordString.replace("}", "");
+
+        recordString = recordString.replace("type:", " cat | ");
+        recordString = recordString.replace("eventCode:", " act | ");
+        recordString = recordString.replace("timestamp:", " rt | ");
+        recordString = recordString.replace("message:", " msg | ");
+        recordString = recordString.replace("narrative:", " reason | ");
+        recordString = recordString.replace("perpetratorID:", " suid | ");
+        recordString = recordString.replace("perpetatorDN:", " suser | ");
+        recordString = recordString.replace("sourceAddress:", " dvc | ");
+        recordString = recordString.replace("sourceHost:", " dvchost | ");
+        recordString = recordString.replace("targetID:", " duid | ");
+        recordString = recordString.replace("targetDN:", " duser | ");
+        recordString = recordString.replace("SSPR:", " sproc | ");
+        recordString = recordString.replace("PWM:", " sproc | ");
+
+
+        final int idxStart = recordString.indexOf("act | ");
+        final int idxEnd = recordString.indexOf(",guid");
+        translatedString = auditRecord.getTimestamp().toString();
+        translatedString = translatedString.concat(" host CEF:0 | security | threatmanager | 1.0 | 100 ");
+        if (idxStart != -1 && idxEnd != -1) {
+            translatedString = translatedString.concat(recordString.substring(idxStart, idxEnd));
+        } else {
+            translatedString = translatedString.concat("UNKNOWN REASON");
+        }
+        recordString = recordString.replace(",", " ");
+
+        translatedString = translatedString.concat(recordString);
+        return (translatedString);
+    }
+
     public static class SyslogConfig implements Serializable {
     public static class SyslogConfig implements Serializable {
         public enum Protocol { sslTcp, tcp, udp, tls }
         public enum Protocol { sslTcp, tcp, udp, tls }