HP Secure Key Manager User Manual

For example, the filename audit.log.1.2002-04-04_160146.demo would identify this file as:

An Audit Log.

The first log file in the log index.

A file created on 2002-04-04 at 16:01:46.

A log from the SKM with the hostname 'demo'.

This naming convention allows you to transfer log files from multiple SKMs to the same remote log server while avoiding the problem of overwriting log files due to naming conflicts. These file names are not visible from the CLI or the Management Console.

Syslog

The syslog protocol is used to transmit event notification messages across networks. Messages that are recorded in any of the logs can also be sent to an external server that is configured to receive messages via the syslog protocol. You can configure one or two syslog servers. When you configure two syslog servers, the SKM sends syslog messages to both.

You should be aware of the following before configuring syslog on SKM.

For more information on rotating log files off of the SKM, see the section titled Log Rotation.

By default, the SKM transmits messages using syslog facility “local1”; however, this is configurable on a per-log basis. Refer to RFC 3164, “The BSD syslog Protocol,” for details about syslog.

Syslog is not a secure protocol. Event notification messages that are sent to an external server are not encrypted or signed. As such, it is not the recommended method for transferring logs from the SKM.

Regardless of whether syslog is enabled or disabled for any particular log, all log messages continue to be saved to the normal log files on the SKM, and all logs still use the traditional rotation/transfer mechanism.

Changes to the syslog configuration take effect immediately for all logs except the Audit Log.

With regard to the Audit Log, all existing CLI sessions continue to abide by the syslog settings that were in effect when the CLI session began. Once a user ends a CLI session and logs back in, the new syslog settings take effect for that session.

Syslog message format

When messages on the SKM are syslogged, they appear at the remote syslog server with an additional prefix of:

<timestamp> <origin_host_or_ip> <LogName>

where <LogName> might be “System,” “Audit,” or “Activity,” depending on which log the message is from. The format of the timestamp and origin host/IP are determined by the remote syslog server software. Sometimes, the origin host/IP will be repeated twice in the message prefix. The message body (the part after “<LogName>”) is the same as the entry in the local log file.
An example from the System Log is shown here:

original log message:
---------------------
2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server

log message at syslog server (displays on one line):
-------------------------------------------------------
Sep 12 10:23:48 irwin.company.com demo System: 2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server
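Added example (not from the HP manual): because syslog delivery is neither encrypted nor signed, a log server operator can reconcile the messages received over syslog against the log files delivered by the normal rotation/transfer mechanism. The sketch below finds the <LogName> token instead of relying on field positions, since the timestamp and origin formats vary with the syslog software, and then compares message bodies. The optional colon after <LogName>, the function names, and all sample lines other than the manual's own example are assumptions.

```python
import re

# Log names the manual lists for the syslog prefix.
LOG_NAMES = ("System", "Audit", "Activity")
# Locate the prefix by its <LogName> token, not by field position.
# Assumption: the token may or may not carry a trailing colon.
PREFIX_RE = re.compile(r"(?:^|\s)(%s):?\s+" % "|".join(LOG_NAMES))


def split_syslog_line(line):
    """Return (prefix_fields, log_name, body), or None if no <LogName> is found."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    return line[:m.start()].split(), m.group(1), line[m.end():].rstrip("\n")


def reconcile(syslog_lines, local_lines, log_name):
    """Return (bodies seen only at the syslog server, local entries never received)."""
    local = {entry.rstrip("\n") for entry in local_lines if entry.strip()}
    seen = set()
    unmatched = []
    for line in syslog_lines:
        parsed = split_syslog_line(line)
        if parsed is None or parsed[1] != log_name:
            continue
        body = parsed[2]
        if body in local:
            seen.add(body)
        else:
            unmatched.append(body)  # no local counterpart: investigate
    return unmatched, sorted(local - seen)


# First entry of each list is the manual's example; the second is constructed.
RECEIVED = [
    "Sep 12 10:23:48 irwin.company.com demo System: 2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server",
    "Sep 12 10:24:02 irwin.company.com irwin.company.com System: 2005-09-12 10:24:01 irwin.company.com KMS Server: Constructed entry not in local log",
]
LOCAL_SYSTEM_LOG = [
    "2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server",
    "2005-09-12 10:25:10 irwin.company.com KMS Server: Constructed entry never forwarded",
]

if __name__ == "__main__":
    unmatched, missing = reconcile(RECEIVED, LOCAL_SYSTEM_LOG, "System")
    print("at syslog server only:", unmatched)
    print("in local log only:", missing)
```

An entry that appears only at the syslog server has no counterpart in the SKM's own log file, and an entry that appears only in the local file was lost or dropped in transit.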
