Sailpoint

Sailpoint provides audit logging for user and resource access.

Chronicle Data Types

  • SAILPOINT_IAM

Configuration - Sailpoint Identity IQ

Sailpoint utilizes log4j, a highly flexible and configurable Java logging tool.

Reference: https://community.sailpoint.com/t5/Working-With-Support/log4j-Support-Guide/ta-p/137421

  1. Navigate to the log4j.properties file on each server that should be logging.
  2. Edit the log4j.properties file with the following configuration provided by Sailpoint to configure rolling logs. Cyderes recommends appending the example configuration with additional directives to increase verbosity related to Provisioners and Workflows.
  3. Set the location the log file should be written to by editing the line log4j.appender.file.File=D:/path/sailpoint.log in the example configuration.

    IMPORTANT NOTE: Sailpoint advises that, depending on load, excessive logging can have negative performance implications for the server. Monitor the server's performance after these configuration options are updated and confirm that performance is at an acceptable level.

    #
    # (c) Copyright 2014 SailPoint Technologies, Inc., All Rights Reserved.
    #
    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.Target=System.out
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %5p %t %c{4}:%L - %m%n
    log4j.appender.syslog=sailpoint.api.logging.SyslogAppender
    log4j.appender.file=org.apache.log4j.RollingFileAppender
    log4j.appender.file.File=D:/path/sailpoint.log
    log4j.appender.file.layout=org.apache.log4j.PatternLayout
    log4j.appender.file.layout.ConversionPattern=%d{ISO8601} %5p %t %c{4}:%L - %m%n
    log4j.appender.file.MaxFileSize=10MB
    log4j.appender.file.MaxBackupIndex=20
    log4j.rootLogger=warn,file
    log4j.logger.net.sf.ehcache=error
    log4j.logger.org.hibernate.engine.StatefulPersistenceContext=error
    log4j.logger.net.sf.jasperreports.engine.xml=error
    log4j.logger.org.apache.myfaces.renderkit.html.util.MyFacesResourceLoader=error
    log4j.logger.org.apache.myfaces.renderkit.html.util.DefaultAddResource=error
    log4j.logger.org.apache.myfaces.renderkit.html.util.ReducedHTMLParser=error
    log4j.logger.sailpoint=warn,file
    log4j.logger.sailpoint.api.logging.SyslogAppender=error,file
    log4j.additivity.sailpoint.api.logging.SyslogAppender=false
    log4j.logger.sailpoint.object.SyslogEvent=error,file
    log4j.additivity.sailpoint.object.SyslogEvent=false
    
    # Cyderes recommendations
    log4j.logger.sailpoint.api.Provisioner=trace
    log4j.logger.sailpoint.WorkflowTrace=trace
    log4j.logger.sailpoint.api.Workflower=trace
    

    Reference: https://community.sailpoint.com/t5/IdentityIQ-Wiki/Rolling-log4j-Configuration-Example/ta-p/721900

  4. Changes to the log4j.properties file take effect only after the file is re-read by reloading the Logging Configuration on the IdentityIQ Debug page. In a multi-server environment, the file must be reloaded on all servers in the configuration unless the work targets a specific server. The “Reload Logging” option in the UI reloads logging only for that server.

  5. Once log4j is configured appropriately, Cyderes recommends using NXLog to send data written to the logging location to a CYCLOPS forwarder. The following NXLog example configuration can be used to point to the logging directory, gather all logs, and send them via syslog to a CYCLOPS forwarder.

    # NXLog installation paths
    define ROOT C:\\Program Files (x86)\\nxlog
    Moduledir %ROOT%\\modules
    CacheDir %ROOT%\\data
    Pidfile %ROOT%\\data\\nxlog.pid
    SpoolDir %ROOT%\\data
    LogFile %ROOT%\\data\\nxlog.log

    # Provides to_syslog_ietf()
    <Extension syslog>
        Module  xm_syslog
    </Extension>

    # Read every .log file in the directory that log4j.appender.file.File points to
    <Input messages>
        Module  im_file
        File    'C:\path\to\logs\\*.log'
    </Input>

    # Send each line to the CYCLOPS forwarder over TCP, formatted as IETF syslog
    <Output out>
        Module  om_tcp
        Host    <hostname/IP>
        Port    <port>
        Exec    to_syslog_ietf();
    </Output>

    <Route 1>
        Path    messages => out
    </Route>
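
Before reloading logging in step 4, each server's log4j.properties can be checked against steps 2 and 3. The following Python check is an added example, not part of the Sailpoint or Cyderes material; the function names and the sample file are constructed for illustration, and it assumes plain key=value property lines.

```python
# Added example: checks a log4j.properties file against the steps on this page.
RECOMMENDED_TRACE = ("sailpoint.api.Provisioner", "sailpoint.WorkflowTrace",
                     "sailpoint.api.Workflower")  # from the Cyderes block above
PLACEHOLDER_PATH = "D:/path/sailpoint.log"  # the page's example path (step 3)

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_log4j(text):
    """Return a list of findings; an empty list means the checks passed."""
    props, findings = parse_properties(text), []
    # log4j.rootLogger has the form <level>,<appender>[,<appender>...]
    appenders = [p.strip() for p in props.get("log4j.rootLogger", "").split(",")][1:]
    rolling = [a for a in appenders if props.get("log4j.appender." + a, "")
               .endswith("RollingFileAppender")]
    if not rolling:
        findings.append("rootLogger has no RollingFileAppender attached")
    for a in rolling:
        path = props.get("log4j.appender.%s.File" % a, "")
        if not path or path == PLACEHOLDER_PATH:
            findings.append("appender %s: File is unset or still the example path" % a)
        if "log4j.appender.%s.layout.ConversionPattern" % a not in props:
            findings.append("appender %s: no ConversionPattern set" % a)
    for name in RECOMMENDED_TRACE:
        level = props.get("log4j.logger." + name, "").split(",")[0].strip().lower()
        if level != "trace":
            findings.append("logger %s is %s, expected trace" % (name, level or "unset"))
    return findings

# Constructed sample: example path left in place, Workflower logger missing.
SAMPLE = """\
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=D:/path/sailpoint.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{ISO8601} %5p %t %c{4}:%L - %m%n
log4j.rootLogger=warn,file
log4j.logger.sailpoint.api.Provisioner=trace
log4j.logger.sailpoint.WorkflowTrace=trace
"""

if __name__ == "__main__":
    for finding in check_log4j(SAMPLE):
        print("FINDING:", finding)
```

To check a real server, pass the contents of its log4j.properties file to check_log4j() instead of SAMPLE.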