Home > |
---|
With SafeNet Network HSM, the audit logs can be sent to one or more remote logging servers. Either UDP or TCP protocol can be specified. The default is UDP and port 514.
Note: You or your network administrator will need to adjust your firewall to pass this traffic (iptables).
If you are using the UDP protocol for logging, the following statements are required in the /etc/rsyslog.conf file:
$ModLoad imudp $InputUDPServerRun (PORT)
Possible approaches include the following:
•With templates:
$template AuditFile,"/var/log/luna/audit_remote.log"
if $syslogfacility-text == 'local3' then ?AuditFile;AuditFormat
•Without templates:
local3.* /var/log/audit.log;AuditFormat
•Dynamic filename:
$template DynFile,"/var/log/luna/%HOSTNAME%.log" if $syslogfacility-text == 'local3' then ?DynFile;AuditFormat
Note: The important thing to remember is that the incoming logs go to local3, and the port/protocol that is set on the SafeNet appliance must be the same that is set on the server running rsyslog.
The following example illustrates how to setup a remote Linux system to receive the audit logs using TCP:
1.Register the remote Linux system IP address or hostname with the SafeNet Network HSM:
lunash:> audit remotehost add -host 192.20.9.160 -protocol tcp -port 1660
2.Modify the remote Linux system /etc/rsyslog.conf file to receive the audit logs:
$ModLoad imtcp
$InputTCPServerRun 514
$template AuditFormat,"%msg:F,94:2%\n"
#save log messages from SafeNet Network HSM local3.* /var/log/luna/audit.log;AuditFormat
3.Modify the remote Linux system /etc/sysconfig/rsyslog file to receive the remote logs:
# Enables logging from remote machines. The listener will listen to the specified port. SYSLOGD_OPTIONS="-r -m 0"
4.Restart the rsyslog daemon on the remote Linux system:
# service rsyslog restart
5.Monitor the audit logs on the remote Linux system:
# tail -f /var/log/luna/audit.log