Syslog, Syslog message format – HP Secure Key Manager User Manual


Description                                         Value
The date and time when the log file was created.    datetime stamp
The hostname of the SKM.                            hostname

For example, the filename audit.log.1.2002-04-04_160146.demo would identify this file as:

An Audit Log.

The first log file in the log index.

A file created on 2002-04-04 at 16:01:46.

A log from the SKM with the hostname 'demo'.

This naming convention allows you to transfer log files from multiple SKMs to the same remote log
server while avoiding the problem of overwriting log files due to naming conflicts. These file names
are not visible from the CLI or the Management Console.

Syslog

The syslog protocol is used to transmit event notification messages across networks. Messages that
are recorded in any of the logs can also be sent to an external server that is configured to receive
messages via the syslog protocol. You can configure one or two syslog servers. When you configure
two syslog servers, the SKM sends syslog messages to both.

You should be aware of the following before configuring syslog on SKM.

For more information on rotating log files off of the SKM, see the section titled Log Rotation.

By default, the SKM transmits messages using syslog facility “local1”; however, this is configurable
on a per-log basis. Refer to RFC 3164, “The BSD syslog Protocol,” for details about syslog.

Syslog is not a secure protocol. Event notification messages that are sent to an external server are
not encrypted or signed. As such, it is not the recommended method for transferring logs from the
SKM.

Regardless of whether syslog is enabled or disabled for any particular log, all log messages
continue to be saved to the normal log files on the SKM, and all logs still use the traditional
rotation/transfer mechanism.

Changes to the syslog configuration take effect immediately for all logs except the Audit Log. With
regard to the Audit Log, all existing CLI sessions continue to abide by the syslog settings that were
in effect when the CLI session began. Once a user ends a CLI session and logs back in, the new
syslog settings take effect for that session.

Syslog message format

When messages on the SKM are syslogged, they appear at the remote syslog server with an additional
prefix of:

<timestamp> <origin_host_or_ip> <LogName>

where <LogName> might be “System,” “Audit,” or “Activity,” depending on which log the message
is from. The format of the timestamp and origin host/IP are determined by the remote syslog server
software. Sometimes, the origin host/IP will be repeated twice in the message prefix. The message
body (the part after “<LogName>”) is the same as the entry in the local log file.
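
Because syslog messages are neither encrypted nor signed, while the message body matches the entry in the local log file, the received stream can be checked against a log file transferred off the SKM. The following is an added example, not code from the HP manual: it parses the prefix (origin given once or twice) and reports entries that are missing or unexpected. It assumes the receiving server writes an RFC 3164 style timestamp; the function names and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Log names the manual lists for the <LogName> field.
LOG_NAMES = {"System", "Audit", "Activity"}
# Assumption: the receiving server writes an RFC 3164 style timestamp ("Apr  4 16:01:46").
TS_PREFIX = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.+)$")


def parse_skm_line(line):
    """Split a received line into timestamp, origin(s), log name and body, or return None."""
    m = TS_PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    timestamp, rest = m.groups()
    tokens = rest.split(" ")
    # The origin host/IP appears once or twice before <LogName>.
    for n_origin in (1, 2):
        if len(tokens) > n_origin and tokens[n_origin] in LOG_NAMES:
            return {"timestamp": timestamp, "origin": tokens[:n_origin],
                    "log": tokens[n_origin], "body": " ".join(tokens[n_origin + 1:])}
    return None


def reconcile(received_lines, local_entries, log_name):
    """Return (missing, unexpected): local entries never received, and received bodies not in the local log."""
    parsed = (parse_skm_line(line) for line in received_lines)
    got = Counter(p["body"] for p in parsed if p and p["log"] == log_name)
    want = Counter(entry.rstrip("\n") for entry in local_entries)
    return sorted((want - got).elements()), sorted((got - want).elements())


# Constructed sample data (not real SKM output).
RECEIVED = [
    "Apr  4 16:01:46 demo System constructed entry A",
    "Apr  4 16:01:47 demo demo System constructed entry B",
    "Apr  4 16:01:48 demo Audit constructed entry C",
    "Apr  4 16:01:49 demo System constructed entry X",
]
LOCAL_SYSTEM_LOG = ["constructed entry A", "constructed entry B", "constructed entry D"]

if __name__ == "__main__":
    print(reconcile(RECEIVED, LOCAL_SYSTEM_LOG, "System"))
```
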

An example from the System Log is shown here:

original log message:

---------------------
