Generating audit records in syslog and LEEF formats

You can use the IBM Security Guardium Key Lifecycle Manager graphical user interface to configure the generation of audit records in syslog or Log Event Extended Format (LEEF) format and to forward them to a syslog server.

Before you begin

If you want the audit log records that are generated in syslog format to also be in Log Event Extended Format (LEEF) format, add the enableLeefFormat property to the SKLMConfig.properties file and set it to true. For instructions to set the property, see Changes to configuration properties or database values.

About this task

The audit log messages are written to the configured local audit file in syslog format in any of the following cases:
  • Syslog format is enabled for the audit messages.
  • Syslog format is enabled, but no syslog server hostname and port number are specified.
  • Syslog format is enabled and a syslog server hostname and port number are specified, but the server cannot be reached at that hostname and port.
Because an unreachable syslog server causes the records to be written to the local audit file instead, check the local audit file when records that you expect on the syslog server are missing. For more information about audit messages, see Audit records.
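The following Python example is added here to show what the syslog-wrapped LEEF records described above look like on the wire and how a collector can emit and parse them; it is not code from IBM Security Guardium Key Lifecycle Manager. The sample lines, the vendor and product strings, the event IDs and the attribute names are constructed for illustration and are not the product's real audit schema. The header layout (LEEF 1.0 separates attributes with a tab; LEEF 2.0 declares its delimiter in a fifth header field, optionally in xHH hex form) and the \= escape follow the LEEF specification.

```python
"""Emit and parse LEEF audit records carried inside syslog messages.

Added example; not product code. Sample records, vendor/product strings,
event IDs and attribute names below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

_LEEF_HEADER = re.compile(r"LEEF:(?P<ver>\d+\.\d+)\|")
_KV_SPLIT = re.compile(r"(?<!\\)=")        # first '=' not preceded by a backslash
_HEX_DELIM = re.compile(r"x[0-9A-Fa-f]{2}")  # LEEF 2.0 hex form of a delimiter, e.g. x09


@dataclass
class LeefRecord:
    syslog_prefix: str                       # text before "LEEF:" (PRI, timestamp, host ...)
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def _escape(value: str) -> str:
    # '=' separates key and value, so a literal '=' inside a value is written as '\='.
    return value.replace("=", "\\=")


def format_leef(vendor: str, product: str, product_version: str, event_id: str,
                attributes: Dict[str, str], leef_version: str = "1.0",
                delim: str = "\t") -> str:
    """Build the LEEF payload that follows the syslog header."""
    for part in (vendor, product, product_version, event_id):
        if "|" in part:
            raise ValueError("LEEF header fields must not contain '|'")
    header = f"LEEF:{leef_version}|{vendor}|{product}|{product_version}|{event_id}|"
    if leef_version == "2.0":
        # A non-printable delimiter (the usual tab) is declared in xHH form.
        header += (delim if delim.isprintable() else "x%02x" % ord(delim)) + "|"
    return header + delim.join(f"{k}={_escape(v)}" for k, v in attributes.items())


def parse_leef(line: str) -> LeefRecord:
    """Parse one syslog line that carries a LEEF record; raise ValueError if malformed."""
    line = line.rstrip("\r\n")
    m = _LEEF_HEADER.search(line)
    if m is None:
        raise ValueError("no LEEF header found")
    version = m.group("ver")
    n_pipes = 4 if version == "1.0" else 5          # 2.0 adds the delimiter field
    parts = line[m.end():].split("|", n_pipes)
    if len(parts) != n_pipes + 1:
        raise ValueError("truncated LEEF header")
    vendor, product, product_version, event_id = parts[:4]
    if version == "1.0":
        delim, body = "\t", parts[4]
    else:
        delim_field, body = parts[4], parts[5]
        if delim_field == "":
            delim = "\t"                             # 2.0: empty delimiter field means tab
        elif _HEX_DELIM.fullmatch(delim_field):
            delim = chr(int(delim_field[1:], 16))
        else:
            delim = delim_field
    attrs: Dict[str, str] = {}
    for item in filter(None, body.split(delim)):
        kv = _KV_SPLIT.split(item, maxsplit=1)
        if len(kv) != 2:
            raise ValueError(f"attribute without '=': {item!r}")
        attrs[kv[0]] = kv[1].replace("\\=", "=")
    return LeefRecord(line[:m.start()].rstrip(), version, vendor, product,
                      product_version, event_id, attrs)


def parse_audit_lines(lines: List[str]) -> Tuple[List[LeefRecord], List[str]]:
    """Parse a batch of lines; malformed lines are returned separately, never dropped."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_leef(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


# Constructed sample lines in syslog + LEEF shape; not real product output.
SAMPLE_LINES = [
    "<134>Mar 11 10:15:42 sklmhost LEEF:1.0|IBM|Guardium Key Lifecycle Manager|4.1|KEY_EXPORT|"
    "usrName=sklmadmin\tsrc=192.0.2.10\taction=export\tkeyAlias=tape-key-01\tresult=success",
    "<134>Mar 11 10:16:03 sklmhost LEEF:2.0|IBM|Guardium Key Lifecycle Manager|4.1|LOGIN_FAILED|^|"
    "usrName=unknown^src=198.51.100.7^reason=bad\\=password",
    "<134>Mar 11 10:16:05 sklmhost not a LEEF record at all",
]

if __name__ == "__main__":
    good, bad = parse_audit_lines(SAMPLE_LINES)
    for rec in good:
        print(rec.event_id, rec.attributes)
    print("rejected:", len(bad))
```

Malformed lines are reported rather than silently skipped, because an audit pipeline that drops unparseable records hides exactly the events an investigator later needs.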

Procedure

  1. Log in to the graphical user interface.
  2. Click IBM Security Guardium Key Lifecycle Manager > Configuration > Audit and Debug.
  3. Select Use syslog server.
  4. Select the log event format: Syslog or LEEF.
  5. Specify the syslog server hostname and the port number in the respective fields.
  6. You can configure a maximum of two syslog servers for forwarding the audit records. To add and configure the second syslog server, click the Add additional syslog server link and specify the hostname and port number.
  7. If the audit information must be transferred to the syslog server securely over the TLS transport protocol, select Use TLS.
  8. Click OK.

What to do next

After you enable syslog format for audit records with the necessary parameters, the following steps are required only if you selected Use TLS:
  1. If the IBM Security Guardium Key Lifecycle Manager TLS server certificate is not already created, create the certificate. To create a server certificate, see Creating a server certificate.
  2. Export the IBM Security Guardium Key Lifecycle Manager TLS server certificate that is marked for UI access to a file. To export the certificate, see Downloading a server certificate.
  3. Obtain the syslog server certificate as a file, then import it and trust it in the IBM Security Guardium Key Lifecycle Manager server. To import the syslog server certificate, see Importing a system peripheral certificate.
  4. Import the IBM Security Guardium Key Lifecycle Manager server certificate to syslog server. Use the certificate file that is created in Step 2.
  5. Set the IBM Security Guardium Key Lifecycle Manager TLS server certificate alias in the configuration properties file.
    Note: Skip this step if the IBM Security Guardium Key Lifecycle Manager TLS server certificate is created by using the graphical user interface.
    For example,
    PUT https://localhost:port/SKLM/rest/v1/configProperties
    Content-Type: application/json
    Accept: application/json
    Authorization: SKLMAuth userAuthId=139aeh34567m
    Accept-Language: en
    { "config.keystore.ssl.certalias" : "<alias of the server certificate that is created in Step 1>" }