Remote Audit Logging

With Luna Network HSM, the audit logs can be sent to one or more remote logging servers. Either UDP or TCP protocol can be specified. The default is UDP and port 514.

NOTE   You or your network administrator will need to adjust your firewall to pass this traffic (iptables).

UDP Considerations

If you are using the UDP protocol for logging, the following statements are required in the /etc/rsyslog.conf file:

$ModLoad imudp
$InputUDPServerRun (PORT)

Possible approaches include the following:

>With templates:

$template AuditFile,"/var/log/luna/audit_remote.log"
if $syslogfacility-text == 'local3' then ?AuditFile;AuditFormat

>Without templates:

local3.* /var/log/audit.log;AuditFormat

>Dynamic filename:

$template DynFile,"/var/log/luna/%HOSTNAME%.log"
if $syslogfacility-text == 'local3' then ?DynFile;AuditFormat 

NOTE   The important thing to remember is that the incoming logs go to local3, and the port/protocol that is set on the Luna appliance must be the same that is set on the server running rsyslog.

Example using TCP

The following example illustrates how to setup a remote Linux system to receive the audit logs using TCP:

1.Register the remote Linux system IP address or hostname with the Luna Network HSM:

lunash:> audit remotehost add -host 192.20.9.160 -protocol tcp -port 1660

2.Modify the remote Linux system /etc/rsyslog.conf file to receive the audit logs:

$ModLoad imtcp 
$InputTCPServerRun 514
$template AuditFormat,"%msg:F,94:2%\n"
#save log messages from Luna Network HSM local3.* /var/log/luna/audit.log;AuditFormat

3.Modify the remote Linux system /etc/sysconfig/rsyslog file to receive the remote logs:

# Enables logging from remote machines. The listener will listen to the specified port.
SYSLOGD_OPTIONS="-r -m 0" 

4.Restart the rsyslog daemon on the remote Linux system:

# service rsyslog restart

5.Monitor the audit logs on the remote Linux system:

# tail -f /var/log/luna/audit.log