Introduction

Syslog Writer is a dockerized application that captures events from Centrify and logs them to a syslog server. This syslog then becomes the data source for a SIEM solution using Splunk.

Syslog Writer is configured to start fetching Centrify PAS events from the previous day and then run every five minutes to fetch events incrementally. Events are fetched from the Centrify PAS server using REST APIs after authenticating via OAuth client credentials.

This document provides instructions to install and configure Docker and the syslog server. It specifically focuses on CentOS 6.9 and Windows Server 2016.

The supported platforms for using Syslog Writer with Centrify PAS on cloud include:

  • CentOS 6.9, CentOS 7
  • RHEL 8.x
  • Windows Server 2016
  • Windows 10 (using Docker Desktop)

The supported platforms for using Syslog Writer with Centrify PAS on premises include:

  • CentOS 6.9/10
  • RHEL 8.x
  • Ubuntu 18.04

This document supplies:

  • Detailed steps to configure the OAuth app and the SIEM user on a tenant as a prerequisite for setting up Syslog Writer
  • Installation procedures for Docker and an interactive configuration to set up the Syslog Writer on Linux or Windows
  • Guidelines for the user to set up the Splunk add-on for Centrify PAS (for Splunk 8.x and above)