Audit Log Output to a Centralized Logging Solution
Keyfactor Command audit logging supports collecting audit entries in real time, as they are generated, to a separate server for analysis by a centralized logging solution. A variety of solutions can be supported. Typically the logs are either delivered to an rsyslog
daemon on a Linux server, where they are consolidated with other logs and delivered on to a centralized solution, or delivered straight into the receiving pipeline of a centralized solution using a tool such as Splunk or Logstash. Delivery of the logs over a TLS connection is supported for backend solutions that support this option. Configuration of a centralized logging solution for delivery of the audit logs to a backend solution is beyond the scope of this guide. However, a sample rsyslog.conf file showing typical TLS configuration can be found in Prepare for External Log Shipping over TLS (Optional) in the Keyfactor Command Server Installation Guide.
The log output settings can be initially configured during installation and can be updated on the auditing tab of the applications settings page. The application settings that relate to log output are:
- Host Name
Set this to the fully qualified domain name of the server that will be receiving the logs. - Port
Set this to the TCP port on which your log receipt application is listening to receive the logs. The default value is 514 (the default rsyslog port). - Use SysLog Server
This option defaults to False. Set it to True to enable delivery of logs to an outside server. - Use TLS Connection
This option defaults to False. Set it to True to enable delivery of logs to an outside server over TLS.
When you click Save, Keyfactor Command will verify that a connection can be made to the specified server on the specified port.