Overview
This HowTo describes how to configure WebADM to send logs to the local syslog and, optionally, forward them to a remote syslog (rsyslog) server. The procedure may vary according to the operating system; this configuration has been tested with CentOS Stream and RHEL. Please refer to the Rsyslog documentation for more information.
Configuration
WebADM configuration
On the WebADM side, you need to edit the following configuration file:
/opt/webadm/conf/webadm.conf
Then you have to configure/enable the following settings:
log_syslog yes
syslog_facility LOG_LOCAL0
syslog_format CEF
Here, we are using the syslog facility local0, and the log format is set to CEF, which is a standard for all SIEM solutions.
Restart WebADM with the following command for the changes to take effect:
/opt/webadm/bin/webadm restart
WebADM configuration is done.
Syslog configuration
WebADM is now configured to send logs to /var/log/local0.log. If the file does not already exist, you have to create it.
touch /var/log/local0.log
Set the proper permissions on the /var/log/local0.log file:
chmod 600 /var/log/local0.log
chown root:root /var/log/local0.log
For Debian/Ubuntu, permissions should be as follows:
chmod 600 /var/log/local0.log
chown syslog:adm /var/log/local0.log
Now, configure the following in /etc/rsyslog.conf:
#### RULES ####
local0.* /var/log/local0.log
Restart syslog and rsyslog services.
systemctl restart rsyslog
systemctl restart syslog
Verification
WebADM logs should now be sent to /var/log/local0.log
cat /var/log/local0.log
...
2026-01-23T15:58:28.677636+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|New openotpStatus SOAP request|INFO|rt=1769180308 sid=DKMN767J
2026-01-23T15:58:28.679103+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Checking OpenOTP license for RCDevs Documentation|INFO|rt=1769180308 sid=DKMN767J
2026-01-23T15:58:28.679431+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|License Ok (41/100 active users)|INFO|rt=1769180308 sid=DKMN767J
2026-01-23T15:58:28.707589+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Sent status response (Ok)|INFO|rt=1769180308 sid=DKMN767J
2026-01-23T15:58:47.513353+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|New openotpNormalLogin SOAP request|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.513650+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|> Username: Administrator|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.513691+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|> Domain: rcdevsdocs|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.513731+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|> Client ID: OpenID|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.513776+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|> Source IP: 192.168.3.166|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.513808+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|> Context: eeae479b8b12e2a2ae0697dc616441dd|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.513837+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|> Options: -LDAP|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.528140+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Registered openotpNormalLogin request|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166
2026-01-23T15:58:47.586754+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Resolved LDAP user: CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com (route #00)|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166
2026-01-23T15:58:47.587002+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Resolved LDAP groups: Organization Management,Enterprise Key Admins,Group Policy Creator Owners,Domain Admins,Enterprise Admins,Schema Admins,Administrators,Remote Desktop Users,Denied RODC Password Replication Group (route #00)|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166
2026-01-23T15:58:47.598571+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Started transaction lock for user|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.599243+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Found user language: EN|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.599312+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Found 1 user emails: yoann@rcdevs.com|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.607060+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Found 53 user settings: LoginMode=LDAP,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,SelfRegister=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA256-6:QN06-T1M,U2FPINMode=Preferred,SMSType=Normal,SMSMode=Ondemand,ReplyData=[1 Items],MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.699906+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Encryption key #a72c39a5 not available anymore|ERROR|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.699987+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Requested login factors: No factor available|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.700020+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Encryption key #a72c39a5 not available anymore|ERROR|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.700050+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Updated user data|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.700087+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Sent login success response|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
The structure of the generated logs in CEF format is the following:
DATE | SERVER NAME | Process Name & PID | LOG FORMAT | Product Provider | Product name | Product version | Web Service/Application name | Request summary | severity | Log details
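An added example, not part of WebADM or the RCDevs documentation: a Python parser for the line structure above that groups events by the sid extension field and reports sessions containing an ERROR event. The dictionary key names are labels chosen here; the sample reuses three lines from the Verification output plus one constructed non-CEF line.

```python
import re
from collections import defaultdict

# Three lines from the Verification output above, plus one constructed non-CEF line.
SAMPLE = r"""2026-01-23T15:58:47.513353+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|New openotpNormalLogin SOAP request|INFO|rt=1769180327 sid=BGSEIGVK
2026-01-23T15:58:47.699906+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Encryption key #a72c39a5 not available anymore|ERROR|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
2026-01-23T15:58:47.700087+01:00 webadm1 webadm[298142]: CEF:0|RCDevs|WebADM|2.4.13-2|OpenOTP|Sent login success response|INFO|rt=1769180327 sid=BGSEIGVK src=192.168.3.166 suser=rcdevsdocs\Administrator
Jan 23 15:58:48 webadm1 sshd[411]: unrelated non-CEF line"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: CEF:(?P<cef>.*)$")
PIPE = re.compile(r"(?<!\\)\|")             # header separator; a literal pipe is written \|
EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs, values may contain spaces
HEADER = ("cef_version", "vendor", "product", "version", "service", "summary", "severity")

def parse_line(line):
    """Return one event dict, or None when the line is not a syslog-wrapped CEF record."""
    m = LINE.match(line.strip())
    if not m:
        return None
    parts = PIPE.split(m["cef"], maxsplit=7)
    if len(parts) < 7:
        return None
    event = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"])}
    event.update(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    # Extension values are kept raw: the sample shows suser=DOMAIN\user with a single backslash.
    event["ext"] = dict(EXT.findall(parts[7])) if len(parts) > 7 else {}
    return event

def sessions_with_errors(text):
    """Group events by session id (sid) and return the sessions that logged an ERROR."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and "sid" in ev["ext"]:
            sessions[ev["ext"]["sid"]].append(ev)
    report = {}
    for sid, events in sessions.items():
        errors = [e["summary"] for e in events if e["severity"] == "ERROR"]
        if errors:
            ext = {k: v for e in events for k, v in e["ext"].items()}
            report[sid] = {"user": ext.get("suser"), "src": ext.get("src"),
                           "errors": errors, "last_event": events[-1]["summary"]}
    return report

if __name__ == "__main__":
    for sid, info in sessions_with_errors(SAMPLE).items():
        print(sid, info)
```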
Configure syslog to send logs to a remote syslog server
To send local syslog logs to a remote syslog server, edit the file /etc/rsyslog.conf and add the following:
local0.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="rcdevs_fwd"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="192.168.10.250" port="514" protocol="tcp"
)
Replace the target, port and, if needed, protocol with the values that match your Rsyslog server configuration. On my side it is 192.168.10.250, port 514/TCP. Your system may use other ports for sending logs over TCP, such as 1470.
Restart syslog and rsyslog services.
systemctl restart rsyslog
systemctl restart syslog
Logs should now be sent to your Rsyslog server.
