Syslogs
Audit records are logged to a local database and a Loki Grafana microservice by default. This is suitable for production systems and clusters with a limited load. However, for clusters that support a large number of transactions, it is recommended to configure the CipherTrust Manager to disable logging to a local database and enable logging using remote Syslog server(s). This significantly reduces the cluster traffic and disk usage.
Add a new Syslog Server
The preferred Syslog configuration is through Connection Manager and Log Forwarders commands and menus.
Note
Upgraded CipherTrust Manager instances can have existing syslog connections through Admin Settings, which continue to be supported. Syslog servers configured as log forwarders can forward client audit records, while syslog servers configured through Admin Settings cannot.
Add a Syslog Connection with Connection Manager
The preferred Syslog configuration is through Connection Manager. You provide following values:
Host: IP address or hostname of the Syslog server.
Port: port number for connecting to the Syslog server.
Transport Format: select the transport mode for sending data. The TLS mode requires a trusted CA certificate in the PEM format.
CA Cert: either upload the CA certificate or paste the certificate content.
Upload CSR: select and click Upload CSR to upload the trusted CA certificate from your machine.
Text: select and paste the certificate content in the text field.
Message Format: select the log message format.
Note
The CipherTrust Manager logs forwarded to Syslog server are limited to a size of 1024 bytes. After this size, the log message is truncated. However, you can use a Syslog log forwarder instead of the Syslog server to view the complete logs. The log forwarders support log messages larger than 1024 bytes.
Add a Syslog Log Forwarder
Once you have added a syslog connection, you can create a syslog log forwarder on CipherTrust Manager to forward KMIP activity logs, NAE activity logs, server audit records, and client audit records to Syslog server.
To add a Syslog log forwarder, you must provide:
a connection ID of the Syslog connection manager (refer to Connection Manager for details)
a connection name for the log forwarder configuration
You can optionally activate/deactivate:
forward logs for activity kmip
forward logs for activity nae
forward logs for client audit records
forward logs for server audit records
Syntax for Syslog
ksctl log-forwarders add syslog --name <name of log forwarder> --connection-id <Syslog ConnectionID/Name> --forward-client-audit-records <true/false> --forward-logs-activity-kmip <true/false> --forward-logs-activity-nae <true/false> --forward-server-audit-records <true/false>]
Modifying Legacy Connection to a Syslog Server
Updating a syslog server connection managed through Connection Manager is described on the Connection Manager page. The following instructions describe how to update legacy syslog server connections managed through admin settings. The table below indicates editable parameters.
Parameter | Description |
---|---|
Hostname or IP address | Hostname or IP address of the Syslog server. |
Port | Port of the Syslog server. The default port is 514. |
Log Format | Format in which the audit records are transferred to the Syslog server. The options are:
The default log format is RFC5424. This format adheres to the Syslog Protocol RFC 5424 guidelines. |
Transport | Transport protocol for the Syslog connection. The options are UDP, TCP, and TLS. The default protocol is UDP. |
Certificate | Trusted CA certificate in the PEM format. This field is available when the transport protocol is TLS. |
To modify the connection to a legacy Syslog server:
Log on to the CipherTrust Manager console as administrator.
Click Admin Settings to open the application.
Click Notifications > Syslog. The Syslog Settings section is displayed on the right. This section displays the configured connections to Syslog servers.
Click the ellipsis icon corresponding to the desired connection and click Edit.
Note
To delete a connection, click Delete.
Modify the fields as required.
Save the changes.
Managing Syslog Messages Redirection to Parent Domain using ksctl
Syslog messages redirection allows you to send the syslog messages of the current domain to the syslog server configured in its parent domain.
If the current domain is receiving the syslog messages from its child domain, those syslog messages will also be sent to the syslog server configured in the parent domain of the current domain. For more details, refer to Managing Syslog Messages Redirection using ksctl.