Syslogs
Timezone Configuration
CipherTrust Manager server audit records and client audit records are always recorded in UTC time zone, in keeping with RFC 3339. This is important to note when you configure any external logging system such as a log forwarder or legacy syslog connection.
Add a new Syslog Server
The preferred Syslog configuration is through Connection Manager and Log Forwarders commands and menus. The syslog configuration is specific to the domain it is created in.
Note
Upgraded CipherTrust Manager instances can have existing syslog connections through Admin Settings, which continue to be supported. Syslog servers configured as log forwarders can forward client audit records, while syslog servers configured through Admin Settings cannot.
Add a Syslog Connection with Connection Manager
The preferred Syslog configuration is through Connection Manager. Provide the following values:
Host: IP address or hostname of the Syslog server.
Port: port number for connecting to the Syslog server.
Transport Format: select the transport mode for sending data. The TLS mode requires a trusted CA certificate in the PEM format.
Note
If you set the transport format to UDP, log messages are limited to a size of 1024 bytes. After this size, the log message is truncated.
CA Cert: either upload the CA certificate or paste the certificate content. Make sure the server certificate contains the valid IP SANs.
Upload CSR: select and click Upload CSR to upload the trusted CA certificate from your machine.
Text: select and paste the certificate content in the text field.
Message Format: select the log message format.
Add a Syslog Log Forwarder
Once you have added a syslog connection, you can create a syslog log forwarder on CipherTrust Manager to forward KMIP activity logs, NAE activity logs, server audit records, and client audit records to Syslog server.
To add a Syslog log forwarder, you must provide:
a connection ID of the Syslog connection manager (refer to Connection Manager for details)
a connection name for the log forwarder configuration
You can optionally activate/deactivate:
forward logs for activity kmip
forward logs for activity nae
forward logs for client audit records
forward logs for server audit records
Syntax for Syslog
ksctl log-forwarders add syslog --name <name of log forwarder> --connection-id <Syslog ConnectionID/Name> --forward-client-audit-records <true/false> --forward-logs-activity-kmip <true/false> --forward-logs-activity-nae <true/false> --forward-server-audit-records <true/false>]
Log Forwarder Redirection
Log forwarder redirection is a setting to send audit records, NAE activity logs, or KMIP activity logs from a child domain to the log forwarder configured for a higher-level domain.
When an audit record, NAE activity log, or KMIP activity log is created in a child domain with log forwarder redirection, CipherTrust Manager checks the domain's immediate parent for a configured log forwarder. If the immediate parent also has log redirection enabled, CipherTrust Manager also checks its parent, the child domain's grandparent, for a configured log forwarder. CipherTrust Manager continues checking for log forwarders further up the domain hierarchy every time it finds the log redirection setting. Every time CipherTrust Manager finds a configured log forwarder in a domain, it forwards log messages to that log forwarder.
Note
Log forwarder redirection can be enabled even if higher level domains do not have a log forwarder configured. In that situation, logs from the child domain are not forwarded.
If you have log redirection enabled and log forwarders configured at multiple consecutive levels in a domain hierarchy, the same log message can be forwarded to multiple log forwarders. To consolidate messages, we recommend configuring only one log forwarder in a domain hierarchy, at the highest domain level possible.
We recommend that administrators of parent domains are aware of log forwarding settings for child domains. If there is a need to track where logs from a particular domain are forwarded, employees from your organization might need to login to several domains to view log forwarder and log forwarder redirection settings.
Users in the Domain Admins or Application Administrators group, such as admin
can enable or disable log forwarder redirection. When a new child domain is created, log forwarder redirection is enabled by default. Existing child domains which were created in a version lower than 2.16.0 have log forwarder redirection disabled after upgrade.
Enabling or disabling log forwarder redirection in web console UI:
Login to the child domain as a user in the Domain Admins or Application Administrators group, such as
admin
.Navigate to Admin Settings > Logs.
Click the Log Forwarders tab.
Click the Redirect Log Forwarder toggle to enable or disable log forwarder redirection.
Enabling or disabling log forwarder redirection in ksctl CLI:
Login to the child domain as a user in the Domain Admins or Application Administrators group, such as admin
. For example:
ksctl login --user <user_with_domain_admin_permission> --password <user_password> --domain <domain_name_or_id>
The following command disables log forwarder redirection.
ksctl domains log-forwarders-redirection disable
The following command enables log forwarder redirection.
ksctl domains log-forwarders-redirection enable
The following command displays log forwarder redirection status
ksctl domains log-forwarders-redirection status
Modifying Legacy Connection to a Syslog Server
Updating a syslog server connection managed through Connection Manager is described on the Connection Manager page. The following instructions describe how to update legacy syslog server connections managed through admin settings. The table below indicates editable parameters.
Parameter | Description |
---|---|
Hostname or IP address | Hostname or IP address of the Syslog server. |
Port | Port of the Syslog server. The default port is 514. |
Log Format | Format in which the audit records are transferred to the Syslog server. The options are:
The default log format is RFC5424. This format adheres to the Syslog Protocol RFC 5424 guidelines. |
Transport | Transport protocol for the Syslog connection. The options are UDP, TCP, and TLS. The default protocol is UDP. With UDP, log messages are limited to a size of 1024 bytes. After this size, the log message is truncated. |
Certificate | Trusted CA certificate in the PEM format. This field is available when the transport protocol is TLS. |
To modify the connection to a legacy Syslog server:
Log on to the CipherTrust Manager console as administrator.
Click Admin Settings to open the application.
Click Notifications > Syslog. The Syslog Settings section is displayed on the right. This section displays the configured connections to Syslog servers.
Click the ellipsis icon corresponding to the desired connection and click Edit.
Note
To delete a connection, click Delete.
Modify the fields as required.
Save the changes.
Managing Syslog Messages Redirection to Parent Domain (Legacy Syslog) using ksctl
Syslog messages redirection allows you to send the legacy syslog messages of the current domain to the syslog server configured in its parent domain. If the current domain is receiving the syslog messages from its child domain, those syslog messages will also be sent to the syslog server configured in the parent domain of the current domain.