Send Messages to Remote Syslog Servers

Configure each KMA in the cluster to send messages to one or more remote syslog servers.

If an SNMP Manager is configured and enabled, KMAs send SNMP informs for particular OKM audit events (such as Error, Server Busy, and Security Violation, among others). If a remote syslog server has been defined for a KMA, that KMA also sends messages for the same set of OKM audit events to the remote syslog server.

If the Hardware Management Pack feature has been enabled on a SPARC KMA, then hardware faults will also be forwarded.

KMAs running OKM 3.3.2 or later will send the following types of operating system messages:

  • audit_warn(1M) messages from the Solaris audit service
  • Operating system messages of the following RFC 5424 facility and severity levels:
    • Facility = audit, Severity = notice or lower
    • Facility = local0, Severity = alert or lower
    • Facility = local7, Severity = info or lower
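As an added example (not part of the OKM documentation), the following Python decodes the RFC 5424 PRI field of a received message and checks it against the three facility/severity rules above, so the operator of the remote syslog server can confirm which operating system messages fall inside the forwarded set. It reads "or lower" as a numerically lower, that is more severe, severity code; the hostnames and message text in the samples are constructed.

```python
import re

# RFC 5424 Table 1 facility codes for the three facilities named on this page.
FACILITY = {"audit": 13, "local0": 16, "local7": 23}
# RFC 5424 Table 2 severity codes: 0 = emergency ... 7 = debug.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# "Severity = X or lower" is read as a numeric code <= X, i.e. X or more severe.
FORWARD_RULES = {
    FACILITY["audit"]: SEVERITY["notice"],
    FACILITY["local0"]: SEVERITY["alert"],
    FACILITY["local7"]: SEVERITY["info"],
}

# An RFC 5424 header starts with <PRI>VERSION followed by a space.
PRI_RE = re.compile(r"^<(\d{1,3})>(\d+) ")

def decode_pri(pri: int) -> tuple[int, int]:
    """Split PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8

def os_message_forwarded(pri: int) -> bool:
    """True if an OS message with this PRI matches one of the three rules."""
    facility, severity = decode_pri(pri)
    threshold = FORWARD_RULES.get(facility)
    return threshold is not None and severity <= threshold

def classify(line: str) -> dict:
    """Decode one received RFC 5424 line and report whether the rules cover it."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError("not an RFC 5424 message: missing <PRI>VERSION header")
    pri = int(match.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "forwarded": os_message_forwarded(pri)}

# Constructed sample lines (hypothetical hostname and text, not captured from a KMA).
SAMPLES = [
    "<109>1 2024-01-01T00:00:00Z kma1 audit - - - audit notice",   # 13/5 -> forwarded
    "<110>1 2024-01-01T00:00:00Z kma1 audit - - - audit info",     # 13/6 -> not
    "<129>1 2024-01-01T00:00:00Z kma1 okm - - - local0 alert",     # 16/1 -> forwarded
    "<132>1 2024-01-01T00:00:00Z kma1 okm - - - local0 warning",   # 16/4 -> not
    "<190>1 2024-01-01T00:00:00Z kma1 svc - - - local7 info",      # 23/6 -> forwarded
    "<191>1 2024-01-01T00:00:00Z kma1 svc - - - local7 debug",     # 23/7 -> not
]
```

Running `classify` over the lines a server actually receives from a KMA shows at a glance whether a message outside these rules has arrived, which would point at a misconfiguration rather than normal forwarding.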

If KMAs reside in different physical sites, the Security Officer can choose, for example, to configure the KMAs in one site to send messages to a remote syslog server at that site and the KMAs in another site to send messages to a remote syslog server at that other site. The Security Officer can configure a KMA to communicate with the remote syslog server(s) using either an unencrypted TCP connection or a TCP connection secured with Transport Layer Security (TLS). TLS uses certificates to authenticate and encrypt the communication between a KMA and the remote syslog server. The KMA authenticates the remote syslog server by requesting its certificate and public key.

Optionally, you can configure the remote syslog server to use mutual authentication. Mutual authentication ensures that the remote syslog server accepts log messages only from authorized clients. When configured to use mutual authentication, the remote syslog server requests a certificate from the KMA to verify the identity of the KMA.