4.5.1. Procedure – Configuring system logging

Purpose: 

PSM can send its system log messages to remote syslog servers, for example, syslog-ng Premium Edition, syslog-ng Store Box, Splunk, or HPE ArcSight Data Platform. To configure logging to a remote server, complete the following steps.

Note

To send log messages in any custom format, contact the Balabit Support Team at https://support.balabit.com.

Warning

The retention time for local logs of PSM is seven days. To retain them longer, forward them to a remote logserver.

Figure 4.14. Basic Settings > Management > Syslog — Configuring system logging


Steps: 

  1. Navigate to Basic Settings > Management.

  2. Click in the Syslog > Syslog receivers field to add a new syslog server.

  3. Enter the IP address and port of the syslog server into the respective fields.

    Use an IPv4 address.

  4. Select the network protocol used to transfer the messages in the Protocol field. The legacy- prefix corresponds to the legacy BSD-syslog protocol described in RFC3164, while the syslog- prefix corresponds to the new IETF-syslog protocol described in RFC5424. Note that not every syslog server supports the IETF protocol yet.

    Select TCP+TLS to send the log messages using a TLS-encrypted connection.

    Tip

    Transferring the syslog messages using TCP ensures that the server receives them.

    Transferring the syslog messages using TLS encryption ensures that third parties cannot read the messages. However, not every syslog server accepts encrypted connections. The syslog-ng Premium Edition and Open Source Edition applications, and the syslog-ng Store Box (which is a log-collector appliance similar to PSM) support both encrypted connections and the new IETF-syslog protocol as well. For details on these products, see syslog-ng Premium Edition and syslog-ng Store Box.

  5. To display separate hostnames for syslog messages sent by the nodes of a PSM HA cluster, select the Include node ID in hostname in boot firmware messages option. The node ID included in the hostname field of the syslog message is the MAC address of the node's HA interface. (Messages of the core firmware are always sent by the master node.)

    The boot firmware boots up PSM, provides high availability support, and starts the core firmware. The core firmware, in turn, handles everything else: provides the web interface, manages the connections, and so on.

  6. If you have selected the TCP+TLS protocol, complete the following steps. Otherwise, click .

    1. If you want PSM to verify the certificate of the syslog server, select Required trusted in the Server key check field and proceed to the next step.

      If you want PSM to simply accept any certificate shown by the server, select Optional untrusted in the Server key check field.

      Note

      Alternatively, you can use the following, less strict options to check the certificate of the server:

      • Optional trusted: If the server sends a certificate, PSM checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the server. If these checks fail, PSM rejects the connection. However, PSM accepts the connection if the server does not send a certificate.

      • Required untrusted: PSM requests a certificate from the server, and rejects the connection if no certificate is received, if the certificate is not valid (expired), or if the Common Name of the certificate does not contain the domain name or the IP address of the server.

    2. Click the icon in the CA X.509 certificate field. A pop-up window is displayed.

      Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the syslog server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Upload.

      PSM will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

    3. If the syslog server requires mutual authentication, that is, it expects a certificate from PSM, generate and sign a certificate for PSM, then click the icon in the Client X.509 certificate field to upload the certificate. After that, click the icon in the Client key field and upload the private key corresponding to the certificate.

    4. Click .

  7. Click the and icons to add new servers or delete existing ones.

    Note

    To reduce the risk of losing log messages during a network outage or another problem with the syslog server, PSM buffers up to 10 Megabytes of log messages on its hard disk while the syslog server is inaccessible.
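Step 4 offers both the legacy BSD-syslog (RFC3164) and the IETF-syslog (RFC5424) formats, and a receiver that only understands one of them will silently mangle the other. The following added example (not code from the PSM product or its documentation) is a small receiver-side parser that recognises both formats, decodes the PRI facility/severity, and extracts the hostname field so an administrator can confirm which protocol PSM is sending and which node name arrives. The two sample lines are constructed for this example; the hostname, process and message text are placeholders, not real PSM output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not captured from a real PSM): the same event in
# legacy BSD-syslog (RFC3164) and IETF-syslog (RFC5424) form. PRI 38 = auth.info.
LEGACY_SAMPLE = ("<38>Mar  7 10:15:42 psm-node01 sshd[1234]: "
                 "Accepted publickey for admin from 10.0.0.5 port 51234")
IETF_SAMPLE = ("<38>1 2024-03-07T10:15:42.123Z psm-node01 sshd 1234 ID47 - "
               "Accepted publickey for admin from 10.0.0.5 port 51234")

# Conventional facility and severity names for PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
#          SP STRUCTURED-DATA [SP MSG]
_RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT
_RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:(?P<app>[^\s:\[]+)(?:\[\d+\])?: )?(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    protocol: str          # "legacy" (RFC3164) or "ietf" (RFC5424)
    facility: str
    severity: str
    timestamp: str
    hostname: str          # the field that "Include node ID in hostname" affects
    app_name: Optional[str]
    message: str


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one syslog line in either format; raise ValueError otherwise."""
    m = _RFC5424_RE.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        app = None if m["app"] == "-" else m["app"]     # "-" is the NILVALUE
        return SyslogMessage("ietf", fac, sev, m["ts"], m["host"], app, m["msg"] or "")
    m = _RFC3164_RE.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMessage("legacy", fac, sev, m["ts"], m["host"], m["app"], m["msg"])
    raise ValueError("line is neither RFC3164 nor RFC5424 syslog")


if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, IETF_SAMPLE):
        print(parse_syslog(sample))
```

The RFC5424 pattern is tried first because its version digit after the PRI cannot be confused with the month name that opens an RFC3164 timestamp, so a line is never misclassified; anything that matches neither pattern is reported rather than guessed at, which is the behaviour you want from a collector that feeds a SIEM.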
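Step 6 describes four Server key check settings and the CA, client certificate and client key uploads that go with TCP+TLS. The added example below (written for this page, not PSM's own code) models the four settings as one policy function so the accept/reject outcome of each can be tabulated, builds the equivalent client-side TLS context with Python's ssl module for the Required trusted case with optional mutual authentication, and shows RFC5425-style octet-counting framing, which is how syslog messages are delimited on a TLS stream. The file paths are placeholders; the assumption that the Optional trusted setting also verifies the chain against the uploaded CA is mine, since the page states only the validity and Common Name checks for it.

```python
import ssl
from typing import Optional


def server_key_check(mode: str, cert_presented: bool, cert_valid: bool = False,
                     name_matches: bool = False, ca_verified: bool = False) -> bool:
    """Return True if the connection is accepted under the given Server key check mode.

    cert_valid   - certificate is not expired
    name_matches - Common Name contains the server's domain name or IP address
    ca_verified  - certificate chains to the uploaded CA X.509 certificate
    """
    if mode == "Optional untrusted":
        return True                                   # accept whatever is shown
    if mode == "Required untrusted":
        return cert_presented and cert_valid and name_matches
    if mode == "Optional trusted":
        if not cert_presented:
            return True                               # no certificate is tolerated
        # Assumption: "trusted" also implies chain verification against the CA.
        return cert_valid and name_matches and ca_verified
    if mode == "Required trusted":
        return cert_presented and cert_valid and name_matches and ca_verified
    raise ValueError(f"unknown Server key check mode: {mode}")


def build_client_context(ca_file: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS context equivalent to Required trusted (+ mutual auth if given).

    PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True,
    i.e. the server must present a certificate that chains to a trusted CA and
    whose name matches the host we connect to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:                                       # the uploaded CA certificate
        ctx.load_verify_locations(cafile=ca_file)
    if client_cert:                                   # Client X.509 certificate + key
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def octet_count_frame(message: str) -> bytes:
    """Frame one syslog message as 'MSG-LEN SP SYSLOG-MSG' (RFC5425 octet counting)."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


if __name__ == "__main__":
    # Placeholder paths: replace with the files exported from your PKI.
    ctx = build_client_context()  # no files loaded here, so it runs offline
    print(ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)
    print(octet_count_frame("<38>1 2024-03-07T10:15:42Z psm-node01 sshd - - - test"))
```

The policy function makes the difference between the settings explicit: only the two trusted modes reject a certificate that fails to chain to the uploaded CA, and only the two required modes reject a server that sends no certificate at all, so Optional untrusted gives confidentiality against passive observers but no protection against a spoofed receiver.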