Syslogs
Audit records are logged to a local database and a Loki Grafana microservice by default. This is suitable for production systems and clusters with a limited load. However, for clusters that support a large number of transactions, it is recommended to configure the CipherTrust Manager to disable logging to a local database and enable logging using remote Syslog server(s). This significantly reduces the cluster traffic and disk usage.
Timezone Configuration
CipherTrust Manager server audit records and client audit records are always recorded in UTC time zone, in keeping with RFC 3339. This is important to note when you configure any external logging system such as a log forwarder or legacy syslog connection.
Add a new Syslog Server
The preferred Syslog configuration is through Connection Manager and Log Forwarders commands and menus. The syslog configuration is specific to the domain it is created in.
Note
Upgraded CipherTrust Manager instances can have existing syslog connections through Admin Settings, which continue to be supported. Syslog servers configured as log forwarders can forward client audit records, while syslog servers configured through Admin Settings cannot.
Add a Syslog Connection with Connection Manager
The preferred Syslog configuration is through Connection Manager. Provide the following values:
Host: IP address or hostname of the Syslog server.
Port: port number for connecting to the Syslog server.
Transport Format: select the transport mode for sending data. The TLS mode requires a trusted CA certificate in the PEM format.
Note
If you set the transport format to UDP, log messages are limited to a size of 1024 bytes. After this size, the log message is truncated.
CA Cert: either upload the CA certificate or paste the certificate content. Make sure the server certificate contains the valid IP SANs.
Upload CSR: select and click Upload CSR to upload the trusted CA certificate from your machine.
Text: select and paste the certificate content in the text field.
Message Format: select the log message format.
Add a Syslog Log Forwarder
Once you have added a syslog connection, you can create a syslog log forwarder on CipherTrust Manager to forward KMIP activity logs, NAE activity logs, server audit records, and client audit records to Syslog server.
To add a Syslog log forwarder, you must provide:
a connection ID of the Syslog connection manager (refer to Connection Manager for details)
a connection name for the log forwarder configuration
You can optionally activate/deactivate:
forward logs for activity kmip
forward logs for activity nae
forward logs for client audit records
forward logs for server audit records
Syntax for Syslog
ksctl log-forwarders add syslog --name <name of log forwarder> --connection-id <Syslog ConnectionID/Name> --forward-client-audit-records <true/false> --forward-logs-activity-kmip <true/false> --forward-logs-activity-nae <true/false> --forward-server-audit-records <true/false>]
Modifying Legacy Connection to a Syslog Server
Updating a syslog server connection managed through Connection Manager is described on the Connection Manager page. The following instructions describe how to update legacy syslog server connections managed through admin settings. The table below indicates editable parameters.
Parameter | Description |
---|---|
Hostname or IP address | Hostname or IP address of the Syslog server. |
Port | Port of the Syslog server. The default port is 514. |
Log Format | Format in which the audit records are transferred to the Syslog server. The options are:
The default log format is RFC5424. This format adheres to the Syslog Protocol RFC 5424 guidelines. |
Transport | Transport protocol for the Syslog connection. The options are UDP, TCP, and TLS. The default protocol is UDP. With UDP, log messages are limited to a size of 1024 bytes. After this size, the log message is truncated. |
Certificate | Trusted CA certificate in the PEM format. This field is available when the transport protocol is TLS. |
To modify the connection to a legacy Syslog server:
Log on to the CipherTrust Manager console as administrator.
Click Admin Settings to open the application.
Click Notifications > Syslog. The Syslog Settings section is displayed on the right. This section displays the configured connections to Syslog servers.
Click the ellipsis icon corresponding to the desired connection and click Edit.
Note
To delete a connection, click Delete.
Modify the fields as required.
Save the changes.
Managing Syslog Messages Redirection to Parent Domain using ksctl
Syslog messages redirection allows you to send the legacy syslog messages of the current domain to the syslog server configured in its parent domain. If the current domain is receiving the syslog messages from its child domain, those syslog messages will also be sent to the syslog server configured in the parent domain of the current domain.