HP Secure Key Manager User Manual
For example, the filename audit.log.1.2002-04-04_160146.demo would identify this file as:
• An Audit Log.
• The first log file in the log index.
• A file created on 2002-04-04 at 16:01:46.
• A log from the SKM with the hostname ‘demo’.
This naming convention allows you to transfer log files from multiple SKMs to the same remote log server
while avoiding the problem of overwriting log files due to naming conflicts. These file names are not
visible from the CLI or the Management Console.
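The following Python sketch is an added example, not part of the HP manual or the SKM software. It parses transferred file names on a shared remote log server and reports names that do not fit the convention, plus missing rotation indexes per SKM. The field layout is inferred from the single example above, the assumption that indexes start at 1 and increase by one is ours, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the manual's one example (an assumption):
#   <log type>.log.<index>.<YYYY-MM-DD>_<HHMMSS>.<hostname>
NAME_RE = re.compile(
    r"(?P<log_type>[A-Za-z_]+)\.log\.(?P<index>\d+)\."
    r"(?P<stamp>\d{4}-\d{2}-\d{2}_\d{6})\.(?P<host>[A-Za-z0-9.-]+)"
)


def parse_log_name(name):
    """Return the fields of a rotated-log file name, or None if it does not fit."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        return None
    try:
        created = datetime.strptime(m["stamp"], "%Y-%m-%d_%H%M%S")
    except ValueError:  # right shape, impossible date or time (e.g. month 13)
        return None
    return {"log_type": m["log_type"], "index": int(m["index"]),
            "created": created, "host": m["host"]}


def audit_inventory(names):
    """Group files by (host, log type); return (index gaps, rejected names)."""
    seen = defaultdict(set)
    rejected = []
    for name in names:
        fields = parse_log_name(name)
        if fields is None:
            rejected.append(name)
        else:
            seen[(fields["host"], fields["log_type"])].add(fields["index"])
    gaps = {}
    for key, indexes in seen.items():
        # Assumption: indexes start at 1 and increase by one per rotation.
        missing = sorted(set(range(1, max(indexes) + 1)) - indexes)
        if missing:
            gaps[key] = missing
    return gaps, rejected


# Constructed sample listing: two SKMs ('demo', 'skm2') and one malformed name.
SAMPLE = ["audit.log.1.2002-04-04_160146.demo", "audit.log.3.2002-04-06_160150.demo",
          "audit.log.1.2002-04-04_160146.skm2", "audit.log.2.2002-13-04_160146.demo"]
```

A gap or a rejected name is a prompt to check the transfer job and the SKM itself; it does not by itself show that a log was removed.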
Syslog
The syslog protocol is used to transmit event notification messages across networks. Messages that are
recorded in any of the logs can also be sent to an external server that is configured to receive messages
via the syslog protocol. You can configure one or two syslog servers. When you configure two syslog
servers, the SKM sends syslog messages to both.
You should be aware of the following before configuring syslog on SKM.
For more information on rotating log files off of the SKM, see the section titled
.
• By default, the SKM transmits messages using syslog facility “local1”; however, this is configurable on a per-log basis. Refer to RFC 3164, “The BSD syslog Protocol,” for details about syslog.
• Syslog is not a secure protocol. Event notification messages that are sent to an external server are not encrypted or signed. As such, it is not the recommended method for transferring logs from the SKM.
• Regardless of whether syslog is enabled or disabled for any particular log, all log messages continue to be saved to the normal log files on the SKM, and all logs still use the traditional rotation/transfer mechanism.
• Changes to the syslog configuration take effect immediately for all logs except the Audit Log. With regard to the Audit Log, all existing CLI sessions continue to abide by the syslog settings that were in effect when the CLI session began. Once a user ends a CLI session and logs back in, the new syslog settings take effect for that session.
Syslog message format
When messages on the SKM are syslogged, they appear at the remote syslog server with an additional
prefix of:
where
is from. The format of the timestamp and origin host/IP are determined by the remote syslog server
software. Sometimes, the origin host/IP will be repeated twice in the message prefix. The message body
(the part after “
An example from the System Log is shown here:
original log message:
---------------------
2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server
log message at syslog server (displays on one line):
-------------------------------------------------------
Sep 12 10:23:48 irwin.company.com demo System: 2005-09-12 10:23:47 irwin.company.com KMS
Server: Starting KMS Server