SafeNet KeySecure

SafeNet KeySecure devices are capable of sending their logs to a remote Syslog destination via UDP or TCP. KeySecure has four different logs: System, Audit, Activity, and Client logs. Each one has a slightly different format, and each can be configured with up to two Syslog servers. There is also an option to sign and encrypt the logs before sending them to the remote destination. Configuration for this type of scenario is outside of the scope of this section.

Sample audit log

2017-03-26 18:12:04 [admin] [Login] [CLI]: Logged out from 192.168.15.231 via SSH

In case of a cluster with two or more KeySecure devices, the configuration change on one of them will be replicated to other members. Each member will be sending logs separately. For more details regarding logging configuration on SafeNet KeySecure, refer to the KeySecure Appliance User Guide.

This section covers the configuration for sending logs via UDP. To use TCP instead, just select it instead where appropriate.

Configure NXLog Agent for receiving Syslog logs (see the examples below). Then restart NXLog Agent.
Make sure NXLog Agent is accessible from the KeySecure device.
Configure Syslog logging on KeySecure using either the web interface or the command line. See the following sections.

The steps in the following sections have been tested on KeySecure 460 and should work on other models.

Example 1. Receiving logs from KeySecure

This example shows a KeySecure Audit log message as received and processed by NXLog Agent. Use the im_tcp module instead of im_udp to receive Syslog messages via TCP instead.

nxlog.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input in_syslog_udp>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    Exec    parse_syslog();
</Input>

<Output file>
    Module  om_file
    File    "/var/log/keysecure.log"
    Exec    to_json();
</Output>

Output sample

{
  "MessageSourceAddress": "192.168.5.20",
  "EventReceivedTime": "2017-03-26 18:11:36",
  "SourceModuleName": "in_syslog_udp",
  "SourceModuleType": "im_udp",
  "SyslogFacilityValue": 17,
  "SyslogFacility": "LOCAL1",
  "SyslogSeverityValue": 6,
  "SyslogSeverity": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "p-keysecure1",
  "EventTime": "2017-03-26 18:12:26",
  "SourceName": "IngrianAudit",
  "Message": "2017-03-26 18:12:26 [admin] [Login] [CLI]: Logged in from 192.168.15.231 via SSH"
}

Example 2. Extracting additional fields

Additional field extraction can also be configured. Note that this depends on which particular log the message is coming from, as each has a different format.

nxlog.conf

<Input in_syslog_udp>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    <Exec>
        parse_syslog();
        if $Message =~ /(?x)^\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2}\ \[([a-zA-Z]*)\]
                        \ \[([a-zA-Z]*)\]\ \[([a-zA-Z]*)\]:\ (.*)$/
        {
            $KSUsername = $1;
            $KSEvent = $2;
            $KSSubsys = $3;
            $KSMessage = $4;
        }
    </Exec>
</Input>

Output sample

{
  "MessageSourceAddress": "192.168.5.20",
  "EventReceivedTime": "2017-04-15 19:14:59",
  "SourceModuleName": "in_syslog_udp",
  "SourceModuleType": "im_udp",
  "SyslogFacilityValue": 17,
  "SyslogFacility": "LOCAL1",
  "SyslogSeverityValue": 6,
  "SyslogSeverity": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "p-keysecure1",
  "EventTime": "2017-04-15 19:16:29",
  "SourceName": "IngrianAudit",
  "Message": "2017-04-15 19:16:29 [admin] [Login] [CLI]: Logged in from 192.168.15.231 via SSH",
  "KSUsername": "admin",
  "KSEvent": "Login",
  "KSSubsys": "CLI",
  "KSMessage": "Logged in from 192.168.15.231 via SSH"
}

Configuring via the web interface

Log in to the KeySecure Management Console.
Go to Device Logs & Statistics Log Configuration Rotation & Syslog.
Select a log type and click Edit to change the settings.
Select the Enable Syslog option and specify the required IP addresses, ports, protocols, and facility for up to two servers.
Click Save.
Repeat for the other log types as required.

Configuring via the command line

Run the following commands. Follow the prompts to enable remote syslog with the required IP addresses, ports, protocols, and facility for up to two servers.

# configure
# system syslog
# audit syslog
# activity syslog
# clientevent syslog

Example 3. Forwarding system logs

The following commands enable sending System logs to 192.168.6.43 via UDP port 514.

p-keysecure1# configure
p-keysecure1 (config)# system syslog
Enable Syslog [y]:
Syslog Server #1 IP: 192.168.6.143
Syslog Server #1 Port [514]:
Server #1 Proto:
        1: udp
        2: tcp
Enter a number (1 - 2) [1]:
Syslog Server #2 IP:
Syslog Server #2 Port [514]:
Server #2 Proto:
        1: udp
        2: tcp
Enter a number (1 - 2) [1]:
Syslog Facility:
        1: local0
        2: local1
        3: local2
        4: local3
        5: local4
        6: local5
        7: local6
        8: local7
Enter a number (1 - 8) [2]:
System Log syslog settings successfully saved.  Syslog is enabled.
Warning: The syslog protocol insecurely transfers logs in cleartext

Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

Last revision: 29 January 2021