External Auditing
Security—Connecting to an External Audit Server
Using the Secure TCP Syslog/CEF Protocol will make Secret Server try to establish a secure connection to your external audit server. Secret Server will only use TLS v1.2 or v1.1 for security reasons.
If your audit server requires Client Certificates, see Configuring Client Certificates. If configured, Secret Server will pass the Secret Server certificate to the external audit server when it connects, so the audit server can validate the Secret Server machine.
If the connection between Secret Server and the external audit server is disconnected or cannot be established, Secret Server will log an internal error and automatically try to re-send any missed audit messages later. For more information, see Determining Status of a Remote Audit Server.
For a connection to be successfully established using Secure TCP protocol, Secret Server must trust the SSL certificates being used by the audit server. If the audit server is using a self-signed certificate, the Certificate Authorities that created it must be installed on the Secret Server machine. If Secret Server has issues trusting the certificate, details will be logged internally.
More information on creating your own Certificate Authorities can be found at the OpenSSL Certificate Authority.
Configuring Syslog/CEF External Audit Server
Compatible Audit Servers
- syslog-ng
- Any audit server that accepts TLS-encrypted messages using the BSD Syslog Protocol
Configuring Your External Audit Server
- Navigate to Admin | Configuration, then click Edit.
- In the General tab, under Application Settings, you will see the Enable Syslog/CEF Logging setting. Check this box to enable it:
Syslog/CEF may require an additional license key. To install licenses, navigate to Admin | Licenses and select Install New License. Once installed, you will need to activate your license. Contact your Delinea Sales Representative if you have questions about your licensing.
- Syslog/CEF Server. Configure the Syslog/CEF IP address for the IIS Server hosting the Syslog/CEF web application.
- Syslog/CEF Port. Next, configure the port number where the logging information will be passed for the Syslog/CEF Port. 6514 is the default port for Secure TCP Syslog. Secret Server requires outbound access to this server and port so communication can pass freely.
- Syslog/CEF Protocol. Set the Syslog/CEF Protocol to Secure TCP. This setting accepts either TLS v1.2 or v1.1 for added security, because other versions of SSL/TLS (SSL v3 and TLS v1.0) have known weaknesses.
- Syslog/CEF Time Zone. Lastly, set Syslog/CEF Time Zone to UTC Time or Server Time, depending on your preference.
The standard for Syslog is ISO timestamps; however, some servers still use the legacy format. The legacy Syslog format is the default for upgrades so that current configurations retain their behavior, and ISO format is the default in new instances. Syslog format: Jun 23 2022 11:22:33. ISO 8601 format: 2022-06-23T11:22:33.000. You must enable the configuration preview to modify this setting.
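Because neither timestamp form carries a zone designator, a collector that receives both (for example, from an upgraded instance and a new one) has to know the Syslog/CEF Time Zone setting to line the events up. The following is an added example, not Secret Server's own code: it detects which of the two formats a timestamp uses and normalizes it to UTC. The server UTC offset passed for the Server Time case is an assumed input of the example, since the log line itself does not carry it.

```python
from datetime import datetime, timedelta, timezone

# strptime patterns for the two formats named in the text.
LEGACY_FORMAT = "%b %d %Y %H:%M:%S"   # "Jun 23 2022 11:22:33"
ISO_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"   # "2022-06-23T11:22:33.000"


def detect_format(text):
    """Return "iso" or "legacy" for a timestamp string, or None if it is neither.

    Useful after an upgrade, when an instance may still emit the legacy
    form while new instances default to ISO 8601.
    """
    text = text.strip()
    for name, fmt in (("iso", ISO_FORMAT), ("legacy", LEGACY_FORMAT)):
        try:
            datetime.strptime(text, fmt)
            return name
        except ValueError:
            continue
    return None


def parse_audit_timestamp(text, time_zone_setting="UTC Time", server_utc_offset_hours=0):
    """Parse either timestamp form and return an aware datetime in UTC.

    Neither format carries a zone designator, so the Syslog/CEF Time Zone
    setting decides how the naive value is read:
      "UTC Time"    - the value is already UTC.
      "Server Time" - the value is in the web server's local zone; the
                      server's UTC offset (an assumed input of this example,
                      not something the log line carries) is applied.
    """
    fmt = {"iso": ISO_FORMAT, "legacy": LEGACY_FORMAT}.get(detect_format(text))
    if fmt is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    naive = datetime.strptime(text.strip(), fmt)

    if time_zone_setting == "UTC Time":
        return naive.replace(tzinfo=timezone.utc)
    if time_zone_setting == "Server Time":
        server_zone = timezone(timedelta(hours=server_utc_offset_hours))
        return naive.replace(tzinfo=server_zone).astimezone(timezone.utc)
    raise ValueError(f"unknown Syslog/CEF Time Zone setting: {time_zone_setting!r}")


if __name__ == "__main__":
    # Constructed sample values, one in each format; both denote the same instant.
    for sample in ("Jun 23 2022 11:22:33", "2022-06-23T11:22:33.000"):
        print(detect_format(sample), parse_audit_timestamp(sample).isoformat())
```

Run the module directly to see both constructed samples resolve to the same UTC instant; pass "Server Time" and the server's offset to see the shift applied.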
Caching Syslog Audits
Once secure logging is enabled in Secret Server, if the connection breaks between the external Syslog server and Secret Server, failed syslog messages will be cached in the Secret Server database and re-sent at regular intervals until the connection between the syslog server and Secret Server is reestablished.
Compatibility Notes Related to Using Client Certificates
If you are using a Client Certificate, Secret Server's IIS AppPool must be granted access to use the certificate, using the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe). Otherwise, if Secret Server is configured to use a Client Certificate and IIS does not have permission, you will see errors like this in the logs:
TLS Error Detected (Authentication Error connecting to IP:PORT) - The credentials supplied to the package were not recognized.
Example usage:
cd "C:\Program Files (x86)\Windows Resource Kits\Tools"
winhttpcertcfg.exe -g -c LOCAL_MACHINE\MY -s "CertificateSubject" -a "HOSTNAME\IIS APPPOOL\SecretServer"
Download the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe).
If you are using a Client Certificate and a Syslog-NG logging server, you may occasionally see this message in the main Syslog-NG log file:
SSL error while reading stream; tls_error='SSL routines:ssl_get_prev_session:session id context uninitialized'
On the Secret Server side, it shows up like this:
TLS Error Detected (Authentication Error connecting to IP:PORT) - Authentication failed because the remote party has closed the transport stream.
This error occurs because Windows tries to cache secure connections when client certificates are in use, but because Syslog-NG has not configured its OpenSSL "session id context", OpenSSL returns this error when Windows tries to resume a previous session.
Secret Server will automatically reconnect and resend any missed messages, so these errors should have no impact. However, if you prefer, you can disable Windows' secure connection caching by adding the ClientCacheTime setting to the Registry with a value of 0 (zero) and then rebooting. This did not cause any significant performance impact in our internal testing, but your mileage may vary.
If Syslog-NG configures its OpenSSL session ID context, this workaround will no longer be needed.
Configuring Auditing for TLS Connections
To track problems with TLS connections, including whenever the connection might fail, enable the TLS Certificate Chain Policy and Error Auditing in Secret Server by navigating to Admin | Configuration | Security tab, then scrolling down to the TLS Auditing section.
- Ensure that Apply TLS Certificate Chain Policy and Error Auditing is set to Yes. If it is not set to Yes, Client Certificates cannot be used.
- Ensure that Enable TLS Debugging and Connection Tracking is set to Yes. When set to Yes, Secret Server will send informational logs to your audit server about when TLS connections are opened or closed. If debug logging is enabled in "web-log4net.config", detailed information about X509 certificate chain validation will also be logged. Note that this setting may create a lot of extra messages in your log files.
To change these settings, click the Edit button, then check a setting to turn it on or uncheck it to turn it off.
If the TLS connection breaks, an error message will be logged in the local audit trail and Secret Server will keep trying every 60 seconds to reestablish the TLS connection to the syslog server.
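The behavior described here and under Caching Syslog Audits above is a store-and-forward queue: a message is kept in a durable store until the remote side accepts it, and after a failure no further send is attempted until the retry interval has elapsed. The following is an added example that models that pattern; it is not Secret Server's code, it uses an in-memory SQLite table in place of the Secret Server database, and the FakeSyslogLink, the manual clock and the event strings are all constructed for the illustration.

```python
import sqlite3
import time

RETRY_INTERVAL_SECONDS = 60  # reconnect interval given in the text


class AuditForwarder:
    """Store-and-forward model of the caching behaviour described in the text.

    Each message is written to a local SQLite table before any send attempt,
    and its row is deleted only after the transport accepts it. A transport
    failure leaves the row in place and blocks further attempts until the
    retry interval has passed, so messages survive an outage and are replayed
    in their original order. 'transport' is any callable taking one message
    and raising ConnectionError while the link is down.
    """

    def __init__(self, transport, clock=time.monotonic, retry_interval=RETRY_INTERVAL_SECONDS):
        self.transport = transport
        self.clock = clock
        self.retry_interval = retry_interval
        self.next_retry_at = 0.0
        self.db = sqlite3.connect(":memory:")  # a file path would let the cache survive restarts
        self.db.execute(
            "CREATE TABLE pending ("
            " id INTEGER PRIMARY KEY AUTOINCREMENT,"
            " message TEXT NOT NULL,"
            " attempts INTEGER NOT NULL DEFAULT 0)"
        )

    def enqueue(self, message):
        """Persist a message first, then try to drain the queue."""
        self.db.execute("INSERT INTO pending (message) VALUES (?)", (message,))
        self.db.commit()
        return self.flush()

    def backlog(self):
        """Cached messages not yet acknowledged by the transport (a useful value to alert on)."""
        return self.db.execute("SELECT COUNT(*) FROM pending").fetchone()[0]

    def flush(self):
        """Send cached messages oldest-first; stop at the first failure. Returns the count sent."""
        if self.clock() < self.next_retry_at:
            return 0  # still inside the back-off window after a failure
        sent = 0
        rows = self.db.execute("SELECT id, message FROM pending ORDER BY id").fetchall()
        for row_id, message in rows:
            try:
                self.transport(message)
            except ConnectionError:
                self.db.execute("UPDATE pending SET attempts = attempts + 1 WHERE id = ?", (row_id,))
                self.db.commit()
                self.next_retry_at = self.clock() + self.retry_interval
                return sent
            self.db.execute("DELETE FROM pending WHERE id = ?", (row_id,))
            self.db.commit()
            sent += 1
        return sent


class FakeSyslogLink:
    """Constructed stand-in for the TLS syslog connection; refuses sends while .up is False."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, message):
        if not self.up:
            raise ConnectionError("link down")
        self.received.append(message)


def simulate_outage():
    """Drive the forwarder through an outage with a manual clock; returns what an operator would observe."""
    now = [0.0]
    link = FakeSyslogLink()
    fwd = AuditForwarder(link.send, clock=lambda: now[0])

    fwd.enqueue("event 1 (constructed)")          # link up: delivered at once
    link.up = False
    fwd.enqueue("event 2 (constructed)")          # fails, starts the 60 s back-off
    fwd.enqueue("event 3 (constructed)")          # cached without a send attempt
    backlog_during_outage = fwd.backlog()         # 2
    link.up = True
    fwd.enqueue("event 4 (constructed)")          # link is back, but the interval has not passed
    backlog_before_retry = fwd.backlog()          # 3
    now[0] += RETRY_INTERVAL_SECONDS
    replayed = fwd.flush()                        # 3, in original order
    return backlog_during_outage, backlog_before_retry, replayed, fwd.backlog(), link.received


if __name__ == "__main__":
    print(simulate_outage())
```

The point the simulation makes for monitoring: a link that comes back up does not clear the backlog by itself; messages are replayed only at the next retry tick, so a backlog that keeps growing past one interval is the signal that the audit server is still unreachable.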
If Secure TCP is used for the Syslog/CEF Protocol, and there are one or more Client Certificate Thumbprints entered, Secret Server will check the Local Computer’s Web Hosting and Personal certificate store and use the first one it finds. For more information see Configuring Client Certificates.
To add Client Certificate Thumbprints, you can copy and paste a list in bulk after clicking Edit, then Advanced (not required). Separate each SSL Certificate SHA1 Thumbprint (40 characters each) with a semicolon (up to ten total are allowed).
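Thumbprints copied from the Windows certificate dialog commonly arrive with spaces between byte pairs, and sometimes with an invisible left-to-right mark (U+200E) at the start, so a bulk paste is easy to get subtly wrong. The following is an added example, not Secret Server's code: a helper that normalizes a semicolon-separated list to the form the page describes (40 hex characters each, at most ten) and rejects anything else before it is pasted into the Advanced field. The tolerance for spaces, colons and the U+200E mark is this example's choice, not a statement about what the Secret Server field itself accepts.

```python
import re

MAX_THUMBPRINTS = 10   # limit stated in the text
SHA1_HEX_LENGTH = 40   # a 20-byte SHA-1 digest written as hex

_HEX40 = re.compile(r"^[0-9A-F]{%d}$" % SHA1_HEX_LENGTH)


def normalize_thumbprint(raw):
    """Canonicalise one thumbprint: drop U+200E, colons and spaces, then uppercase.

    Raises ValueError unless the result is exactly 40 hex characters.
    """
    cleaned = raw.replace("\u200e", "").replace(":", "").replace(" ", "").strip().upper()
    if not _HEX40.match(cleaned):
        raise ValueError(f"not a {SHA1_HEX_LENGTH}-hex-character SHA-1 thumbprint: {raw!r}")
    return cleaned


def parse_thumbprint_list(text):
    """Split a semicolon-separated list into validated, de-duplicated thumbprints in order.

    Empty segments (e.g. a trailing semicolon) are ignored; more than
    MAX_THUMBPRINTS entries, or any malformed entry, raises ValueError.
    """
    items = [part for part in (segment.strip() for segment in text.split(";")) if part]
    if len(items) > MAX_THUMBPRINTS:
        raise ValueError(f"{len(items)} thumbprints given, at most {MAX_THUMBPRINTS} allowed")
    result = []
    for item in items:
        thumbprint = normalize_thumbprint(item)
        if thumbprint not in result:   # the same certificate pasted twice counts once
            result.append(thumbprint)
    return result


if __name__ == "__main__":
    # Constructed thumbprints (not real certificates): one clean, one pasted with
    # spaces and a leading U+200E that duplicates the first, and one distinct.
    pasted = (
        "0123456789abcdef0123456789abcdef01234567; "
        "\u200e01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67;"
        "ffffffffffffffffffffffffffffffffffffffff"
    )
    print(";".join(parse_thumbprint_list(pasted)))
```

The helper's output is the string to paste: entries already uppercase, separated by single semicolons, duplicates removed.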
Determining Status of a Remote Audit Server
To view the logs for any TLS-Connection related errors:
- Open Microsoft SQL Server Management Studio, navigate to your SecretServer database (DBMachineName > Databases > SecretServer), and open a New Query.
- Run select * from tbSecurityAuditLog to view the events from your TLS audit.
For more detailed troubleshooting, refer to the logs in File Explorer on Secret Server's web server (C:\inetpub\wwwroot\SecretServer\log), including ss.log, ss-BSSR.log (Background Scheduler) and ss-BSWR.log (Background Worker), for any errors that might crop up.