11117: Send audit or event message to Syslog Collector

Overview of the test

In this test, a client sends audit records or event reports using transaction [ITI-20] Record Audit Event to the Syslog Collector tool acting as an Audit Record Repository or Event Repository.   The Syslog Collector is one of the tools embedded in the Gazelle Security Suite.  

This test is performed by an ATNA Secure Node, Secure Application or Audit Record Forwarder.  It is also performed by a SOLE Event Reporter.

Note that this test checks the transport of audit messages.  The content of your audit message is verified in a different test.   

Location of the ATNA Tools:  Gazelle Security Suite (GSS)

Instructions

  • Access the Syslog Collector in GSS under menu Audit Trail --> Syslog Collector.  This page displays the tool's IP address and its UDP, TCP and TLS ports.
  • Configure your application to send your audit messages (event reports) to the Syslog Collector.
  • Then trigger an event that initiates an ITI-20 transaction. This may be an IHE transaction or other system activity (e.g. system start/stop, or one of the SOLE events). Your system should then send the audit message to the Syslog Collector.

Evaluation

You must check that your audit message has been received by the Syslog Collector and that the Syslog protocol is correctly implemented.

  • Go to Gazelle Security Suite, on page Audit Trail > Syslog Collector.
  • Filter the list of received messages by the host or the IP of the sender, and find the message you sent according to the timestamps.
  • Click on the magnifying glass to display the message details.
  • If the protocol is UDP or TLS, and the entry shows a message with content, no errors, and RFC 5424 parsing succeeded, then the test is successful.  There is an example screenshot below.
  • Copy the URL to your successful result and paste it into your local Gazelle Test Management as the Log Return file for pre-Connectathon test 11117.  
  • Do not forget to stop sending audit messages to the Syslog Collector once you've finished the test. If your system sends a large number of messages, administrators of the tool may decide to block all your incoming transactions to prevent spam.

Tips

TCP Syslog uses the same octet-counting framing as TLS Syslog (RFC 5425: the message length in decimal, a space, then the message). You can therefore first use the TCP port of the Syslog Collector to debug your framing and RFC 5424 header without dealing with certificates. Keep in mind that the IHE ATNA Profile expects UDP or TLS, not plain TCP, for actors that produce Syslog messages, so only a UDP or TLS result counts for this test.
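The following is an added example, not code from the Gazelle test page or from the GSS tools. It shows what the Instructions and the Tips above ask of a sender: building an RFC 5424 syslog message that carries an audit record, applying RFC 5425 octet-counting framing for the TCP and TLS ports, sending over UDP (RFC 5426) or TLS, and a minimal header check that mirrors what the collector reports as "RFC5424 parsing succeeded". The audit XML, host names, ports and certificate paths are constructed placeholders; replace them with the values displayed on the Syslog Collector page.

```python
"""Added example (not part of the Gazelle page or the GSS tools): build,
frame, check and send an RFC 5424 syslog message carrying an ATNA audit record."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed, abbreviated DICOM-style audit record. This test checks only the
# transport; the content of the audit message is checked in a separate test.
SAMPLE_AUDIT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<AuditMessage>'
    '<EventIdentification EventActionCode="E" EventDateTime="2024-01-01T12:00:00Z" '
    'EventOutcomeIndicator="0">'
    '<EventID csd-code="110100" codeSystemName="DCM" originalText="Application Activity"/>'
    '<EventTypeCode csd-code="110120" codeSystemName="DCM" originalText="Application Start"/>'
    '</EventIdentification>'
    '<ActiveParticipant UserID="example-app" UserIsRequestor="true"/>'
    '<AuditSourceIdentification AuditSourceID="example-node"/>'
    '</AuditMessage>'
)

# Fixed timestamp so the built message is reproducible (placeholder value).
FIXED_TS = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def build_rfc5424(msg: str, hostname: str, app_name: str, msgid: str = "IHE+DICOM",
                  facility: int = 10, severity: int = 5,
                  timestamp: Optional[datetime] = None) -> bytes:
    """Return one RFC 5424 SYSLOG-MSG as UTF-8 bytes.

    PRI = facility * 8 + severity; facility 10 (security/authorization) and
    severity 5 (notice) give the PRI 85 used for ATNA audit messages.
    MSGID "IHE+DICOM" or "IHE+RFC-3881" identifies the audit schema.
    PROCID and STRUCTURED-DATA are sent as NILVALUE ("-").
    """
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    header = f"<{pri}>1 {ts} {hostname} {app_name} - {msgid} -"
    return f"{header} {msg}".encode("utf-8")


def frame_octet_count(syslog_msg: bytes) -> bytes:
    """RFC 5425 framing for TLS (also expected on the collector's TCP port):
    MSG-LEN SP SYSLOG-MSG, MSG-LEN being the byte length of the message in decimal."""
    return f"{len(syslog_msg)} ".encode("ascii") + syslog_msg


def parse_rfc5424_header(syslog_msg: bytes) -> dict:
    """Minimal header check: PRI in angle brackets, VERSION 1, then TIMESTAMP,
    HOSTNAME, APP-NAME, PROCID, MSGID and NILVALUE structured data, each
    separated by one space. Raises ValueError on a malformed header."""
    text = syslog_msg.decode("utf-8")
    if not text.startswith("<"):
        raise ValueError("missing PRI")
    end = text.index(">")
    pri = int(text[1:end])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    fields = text[end + 1:].split(" ", 7)
    if len(fields) < 8 or fields[0] != "1":
        raise ValueError("unsupported VERSION or truncated header")
    _version, ts, host, app, procid, msgid, sd, msg = fields
    if sd != "-":
        raise ValueError("only NILVALUE structured data is handled here")
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8, "timestamp": ts,
            "hostname": host, "app_name": app, "procid": procid, "msgid": msgid, "msg": msg}


def send_udp(syslog_msg: bytes, host: str, port: int) -> None:
    """RFC 5426: one message per datagram, no framing. A large audit record can
    exceed what the path carries in one datagram, so prefer TLS for big messages."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(syslog_msg, (host, port))


def send_tcp(syslog_msg: bytes, host: str, port: int) -> None:
    """Plain TCP with octet counting: handy to debug framing against the
    collector's TCP port, but not an ATNA-conformant transport."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(frame_octet_count(syslog_msg))


def send_tls(syslog_msg: bytes, host: str, port: int,
             cafile: str, certfile: str, keyfile: str) -> None:
    """RFC 5425: octet-counted message over mutually authenticated TLS. The
    collector's CA and a client certificate it trusts are assumed to be at hand;
    server_hostname must match the name in the collector's certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_octet_count(syslog_msg))


if __name__ == "__main__":
    message = build_rfc5424(SAMPLE_AUDIT_XML, hostname="example-node", app_name="example-app")
    print(parse_rfc5424_header(message))
    # Placeholders: use the address and ports shown on the Syslog Collector page.
    # send_udp(message, "gss.example.org", 514)
    # send_tls(message, "gss.example.org", 6514, "ca.pem", "client.pem", "client.key")
```

Run `parse_rfc5424_header` on your own messages before pointing them at the collector; the same header faults it rejects (a missing PRI, a VERSION other than 1, a field separator other than a single space) are what cause the "RFC5424 parsing" column to show a failure.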
