11117: Send audit or event message to Syslog Collector

Overview of the test

In this test, a client sends audit records or event reports using transaction [ITI-20] Record Audit Event to the Syslog Collector tool acting as an Audit Record Repository or Event Repository.   The Syslog Collector is one of the tools embedded in the Gazelle Security Suite.  

This test is performed by an ATNA Secure Node, Secure Application or Audit Record Forwarder.  It is also performed by a SOLE Event Reporter.

Note that this test checks the transport of audit messages.  The content of your audit message is verified in a different test.   

Location of the ATNA Tools:  Gazelle Security Suite (GSS)

Log in to the GSS tool

When logging in to GSS, you will use your username & password from Gazelle Test Management for your testing event.  There are separate CAS systems for different instances of Gazelle Test Management, and you will have to take this into account when logging in to GSS:

  • The European CAS is linked to Gazelle Test Management at http://gazelle.ihe.net/TM/ (this will be used for the 2022 IHE Connectathon)
  • The North American CAS is linked to Gazelle Test Management at https://gazelle.iheusa.org/gazelle-na/
  • If you don't have an account, you can create a new one on the Gazelle Test Management home page.

On the GSS home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  

  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either Gazelle Test Management instance linked above.

Instructions

  • Access the Syslog Collector in GSS under menu Audit Trail --> Syslog Collector.  This page displays the tool's IP address and UDP and TCP-TLS ports.
  • Configure your application to send your audit messages (event reports) to the Syslog Collector.
  • Then trigger any event that initiates an ITI-20 transaction. This event may be an IHE transaction or other system activity (e.g. system start/stop or one of the SOLE events). Your system should then send the message to the Syslog Collector.
  • IMPORTANT NOTE:  The Syslog Collector tool is a free, shared resource. It is intended for brief, intermittent use.  Developers SHOULD NOT configure their system to send syslog messages to the tool on a long-term basis.  Flooding the tool with audit messages can make it unavailable for use by others.

Evaluation

You must check that your audit message has been received by the Syslog Collector and that the Syslog protocol is correctly implemented.

  • Go to Gazelle Security Suite, on page Audit Trail > Syslog Collector.
  • Filter the list of received messages by the host or the IP of the sender, and find the message you sent according to the timestamps.
  • Click on the magnifying glass to display the message details.
  • If the protocol is UDP or TLS, and the entry shows a message with message content, no errors, and successful RFC5424 parsing, then the test is successful.  There is an example screenshot below.
  • Copy the URL to your successful result and paste it into your local Gazelle Test Management as the Log Return file for test 11117.  
  • Do not forget to stop sending audit messages to the Syslog Collector once you’ve finished the test. If your system sends a large number of messages, administrators of the tool may decide to block all your incoming transactions to prevent spam.

Tips

TCP Syslog uses the same framing requirements as TLS Syslog. You can first use the TCP port of the Syslog Collector to debug your implementation. Keep in mind that the IHE ATNA Profile expects at least UDP or TLS for actors that produce SYSLOG messages.
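
The framing difference mentioned in the tip above, as an added example that is not part of the original test description: UDP carries one bare RFC 5424 message per datagram, while TCP and TLS prefix each message with its length in bytes (the octet-counting framing of RFC 5425). The payload, host and application names, `msgid` value and PRI defaults are constructed placeholders; the real address and ports come from the Syslog Collector page, and the TLS context is supplied by the caller.

```python
import socket
import ssl
from datetime import datetime, timezone

BOM = b"\xef\xbb\xbf"  # marks the MSG part as UTF-8 (RFC 5424, section 6.4)

def build_rfc5424(payload, hostname, app_name, msgid="-", facility=10, severity=5):
    """Return one RFC 5424 message: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    facility/severity/msgid defaults are assumptions; use what your profile requires."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    header = f"<{pri}>1 {ts} {hostname} {app_name} - {msgid} - "
    return header.encode("ascii") + BOM + payload.encode("utf-8")

def frame(msg):
    """Octet-counting framing for TCP and TLS: MSG-LEN SP SYSLOG-MSG (byte length)."""
    return str(len(msg)).encode("ascii") + b" " + msg

def unframe(stream):
    """Split a TCP/TLS byte stream into messages the way a collector must;
    raises ValueError when the length prefix is missing, malformed or too long."""
    messages, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)          # ValueError if there is no separator
        prefix = stream[pos:sp]
        if not prefix.isdigit() or prefix.startswith(b"0"):
            raise ValueError(f"bad MSG-LEN {prefix!r}")
        end = sp + 1 + int(prefix)
        if end > len(stream):
            raise ValueError("truncated frame")
        messages.append(stream[sp + 1:end])
        pos = end
    return messages

def send(msg, host, port, transport, tls_ctx: ssl.SSLContext = None):
    """transport: 'udp' (one bare message per datagram), 'tcp' or 'tls' (framed)."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(msg, (host, port))
        return
    sock = socket.create_connection((host, port), timeout=10)
    if transport == "tls":
        sock = tls_ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(frame(msg))
```

Running `unframe(frame(msg))` locally before pointing the sender at the collector catches the two usual mistakes: sending an unframed message over TCP/TLS, and counting characters instead of bytes when the payload contains non-ASCII text.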
