Configuring Syslog Server Settings
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the System Settings section, click Syslog Server.
- On the Syslog Server Settings page, specify the options you want to use:
  - State: Select ENABLED to use a syslog server.
  - Protocol: Select the protocol that you want to use. You can use TCP or UDP for syslog.
  - TLS Authentication List: Select one of the following:
    - No validation
    - x509/certvalid: Requires server certificate validation.
    - x509/name: Requires server certificate validation and hostname validation.
    - x509/fingerprint: Requires the server certificate fingerprint. The fingerprint is a SHA1 hash of the server certificate, for example: "SHA1:00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99".
  - Server List: Enter the list of syslog servers and their corresponding ports. For the port, enter an outbound port between 25 and 65535.
  - CA Certificate: Upload a CA certificate if you are using x509/certvalid or x509/name.
  - Client Certificate: Upload a client certificate if you are using x509/certvalid, x509/name, or x509/fingerprint.
- Click Apply.
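The constraints in the options above can be checked before anything is typed into the dialog. The following Python example is added here and is not part of the KeyControl documentation or product: it validates a proposed settings dictionary against the table (protocol, port range, which certificates each TLS mode needs) and builds the SHA1 fingerprint string in the layout the x509/fingerprint example shows, from a server certificate in PEM form. The dictionary keys, the choice to skip further checks when the state is not ENABLED, the uppercase hex digits, and the constructed certificate bytes are assumptions of this example, not the product's.

```python
import base64
import hashlib
import re

# Values taken from the Syslog Server Settings options above.
PROTOCOLS = {"TCP", "UDP"}
TLS_MODES = {"No validation", "x509/certvalid", "x509/name", "x509/fingerprint"}
PORT_MIN, PORT_MAX = 25, 65535
# "SHA1:" followed by twenty colon-separated hex byte values.
FINGERPRINT_RE = re.compile(r"^SHA1(?::[0-9A-Fa-f]{2}){20}$")

# Constructed stand-in for a server certificate: any bytes work here because
# the fingerprint is simply SHA1 over the DER encoding inside the PEM wrapper.
FAKE_DER = bytes(range(64))
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")


def sha1_fingerprint(pem):
    """Return 'SHA1:xx:...:xx' (uppercase hex, an assumption) for a PEM certificate."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    digest = hashlib.sha1(der).hexdigest().upper()
    return "SHA1:" + ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def validate_settings(cfg):
    """Return a list of problems with a proposed configuration; [] means it is consistent.

    Keys (assumed for this example): state, protocol, tls_auth, servers
    (list of (host, port)), ca_cert, client_cert, fingerprint.
    """
    problems = []
    if cfg.get("state") != "ENABLED":
        return problems  # assumption: a disabled syslog target is not checked further
    if cfg.get("protocol") not in PROTOCOLS:
        problems.append(f"protocol must be TCP or UDP, got {cfg.get('protocol')!r}")
    mode = cfg.get("tls_auth", "No validation")
    if mode not in TLS_MODES:
        problems.append(f"unknown TLS authentication mode {mode!r}")
    servers = cfg.get("servers", [])
    if not servers:
        problems.append("server list is empty")
    for host, port in servers:
        if not host:
            problems.append("server entry has an empty hostname")
        if not isinstance(port, int) or not PORT_MIN <= port <= PORT_MAX:
            problems.append(f"port {port!r} for {host} is outside {PORT_MIN}-{PORT_MAX}")
    # Certificate requirements follow the CA Certificate / Client Certificate rows.
    if mode in ("x509/certvalid", "x509/name") and not cfg.get("ca_cert"):
        problems.append(f"{mode} requires a CA certificate")
    if mode.startswith("x509/") and not cfg.get("client_cert"):
        problems.append(f"{mode} requires a client certificate")
    if mode == "x509/fingerprint":
        fp = cfg.get("fingerprint", "")
        if not FINGERPRINT_RE.match(fp):
            problems.append(f"fingerprint {fp!r} is not of the form SHA1:xx:...:xx")
    return problems


if __name__ == "__main__":
    proposed = {
        "state": "ENABLED",
        "protocol": "TCP",
        "tls_auth": "x509/fingerprint",
        "servers": [("syslog.example.com", 6514)],   # constructed example server
        "client_cert": "<client certificate PEM>",
        "fingerprint": sha1_fingerprint(FAKE_PEM),
    }
    print(proposed["fingerprint"])
    print(validate_settings(proposed) or ["settings are consistent"])
```

To check a real server certificate, pass the contents of its PEM file to sha1_fingerprint and compare the result with what the syslog server's operator reports; a mismatch means the wrong certificate (or a replaced one) is being pinned.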
Important: If you plan to use an external syslog server for your audit logs, you must also complete the following:

- Configure your syslog server to receive messages from each of the KeyControl nodes in the cluster. The syslogd flags that specify the KeyControl nodes should contain names that are resolvable. Make sure that your /etc/hosts file is set up correctly, with either IP addresses or hostnames. If you use hostnames, make sure that reverse lookups work on the syslog server.
- Add the tag hcs_audit to your syslog.conf file. The FreeBSD example below directs all hcs_audit messages to the log file /var/log/hcs_audit.log:

      !hcs_audit
      *.*    /var/log/hcs_audit.log
      !-hcs_audit

- Make sure the audit log file is only writeable by root. For example:

      # touch /var/log/hcs_audit.log
      # chmod 0600 /var/log/hcs_audit.log

- Configure your rc.conf file. For example, the following should be set prior to changing syslog.conf:

      syslogd_enable="YES"
      syslogd_flags="-a kps1.domain -a kps2.domain -v"

- Restart the syslog daemon and verify that audit records generated by every KeyControl node are being written to the hcs_audit.log file by logging out and then logging back in on each of the KeyControl nodes in the cluster. When you are done, examine the audit log to make sure those logins were properly recorded. If messages are not being added, use tcpdump to make sure that packets are arriving at the syslog server. If the packets are arriving, check the documentation for your syslog server to make sure the configuration is correct.
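The static parts of the FreeBSD setup above can be checked before the daemon is restarted. The following Python example is added here and is not from the KeyControl documentation: it reads rc.conf, /etc/hosts and syslog.conf text, pulls out the hosts passed to syslogd with -a, confirms each is an IP literal or has an /etc/hosts entry, confirms an hcs_audit program block routes *.* to a file, and checks that the audit log's mode is 0600 and its owner is root. The sample file contents are constructed from the snippets above (the 192.0.2.x addresses are documentation addresses); the tcpdump check and the login round-trip are not covered.

```python
import ipaddress
import os
import shlex
import stat

# Constructed sample files mirroring the FreeBSD snippets in the steps above.
SAMPLE_RC_CONF = '''
syslogd_enable="YES"
syslogd_flags="-a kps1.domain -a kps2.domain -v"
'''

SAMPLE_HOSTS = '''
127.0.0.1       localhost
192.0.2.11      kps1.domain kps1
192.0.2.12      kps2.domain kps2
'''

SAMPLE_SYSLOG_CONF = '''
*.notice;kern.debug;lpr.info;mail.crit   /var/log/messages
!hcs_audit
*.*                                      /var/log/hcs_audit.log
!-hcs_audit
'''


def rc_conf_value(text, key):
    """Return the value of key="value" in rc.conf text, or None if it is not set."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(key + "="):
            return shlex.split(line.split("=", 1)[1])[0]
    return None


def allowed_peers(flags):
    """Hosts given to syslogd -a, i.e. the KeyControl nodes allowed to send."""
    args = shlex.split(flags)
    peers = []
    for i, arg in enumerate(args):
        if arg == "-a" and i + 1 < len(args):
            # -a takes host[:service] or ipaddr[/masklen][:service]; keep the host part.
            peers.append(args[i + 1].split(":")[0].split("/")[0])
    return peers


def hosts_names(text):
    """Every address and hostname listed in /etc/hosts text (comments stripped)."""
    names = set()
    for line in text.splitlines():
        names.update(line.split("#", 1)[0].split())
    return names


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_log_destination(syslog_conf, tag="hcs_audit"):
    """The file the !tag program block sends *.* to, or None if there is no such block."""
    in_block = False
    for line in syslog_conf.splitlines():
        line = line.strip()
        if line.startswith("!"):
            in_block = line[1:].strip() == tag   # "!-tag" or another "!prog" ends the block
            continue
        if in_block and line and line.split()[0] == "*.*":
            return line.split()[-1]
    return None


def check_log_file_stat(mode, uid):
    """Problems with the audit log's permission bits and owner (expected 0600, root)."""
    problems = []
    if stat.S_IMODE(mode) != 0o600:
        problems.append(f"mode is {stat.S_IMODE(mode):04o}, expected 0600")
    if uid != 0:
        problems.append(f"owner uid is {uid}, expected root (0)")
    return problems


def check_log_file(path):
    """Same check as check_log_file_stat, against a real file on disk."""
    st = os.stat(path)
    return check_log_file_stat(st.st_mode, st.st_uid)


def preflight(rc_conf, hosts, syslog_conf):
    """Run the static checks on the three files; returns a list of problems ([] = all good)."""
    problems = []
    if rc_conf_value(rc_conf, "syslogd_enable") != "YES":
        problems.append('syslogd_enable is not "YES"')
    peers = allowed_peers(rc_conf_value(rc_conf, "syslogd_flags") or "")
    if not peers:
        problems.append("no -a allowed peers in syslogd_flags")
    known = hosts_names(hosts)
    for peer in peers:
        # Wildcard domains (*.example) cannot be checked against /etc/hosts; skip them.
        if not peer.startswith("*") and not is_ip(peer) and peer not in known:
            problems.append(f"{peer} is not resolvable via /etc/hosts")
    if audit_log_destination(syslog_conf) is None:
        problems.append("no !hcs_audit block with a *.* destination in syslog.conf")
    return problems


if __name__ == "__main__":
    for p in preflight(SAMPLE_RC_CONF, SAMPLE_HOSTS, SAMPLE_SYSLOG_CONF) or ["OK"]:
        print(p)
```

Against a live syslog server, pass the contents of /etc/rc.conf, /etc/hosts and /etc/syslog.conf to preflight and call check_log_file on the path that audit_log_destination returns; an empty list from both means the static prerequisites are in place and any remaining gap is on the network path, which is what the tcpdump step is for.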