allowing the administrator to choose which security features to enable or disable from hardening/lockdown checklists.

Bastille can be used to harden a log consolidation server by enabling security tools such as IP filtering. If IP filtering is enabled, the ports described in “clog Network Port Usage” (page 79) must not be blocked.

Additionally, Bastille asks the following questions that impact a log consolidation system:

Do you want to BLOCK incoming Secure Shell connections with IPFilter?

When configuring a log consolidation server, answer No to the question if you plan to support clients using the tcp transport and ssh tunneled connections to the server.

Would you like to restrict the system logging daemon to local connections?

Answering yes to this question adds the -N option to /etc/syslog.conf. When configuring a log consolidation server, this option is required. The clog_wizard adds it automatically; the manual configuration instructions also explain the appropriate edits to /etc/syslog.conf.
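The IPFilter interaction described above can be checked before the ruleset is loaded. The following is an added example, not part of the HP documentation or of Bastille: a shell function that reports whether an inbound TCP connection to a given port would pass a ruleset. The function name ipf_verdict, the sample rules, and the simplifications listed in the comments are assumptions.

```shell
#!/bin/sh
# ipf_verdict RULES_FILE PORT  (hypothetical helper, added example)
# Prints "pass" or "block": the verdict an inbound TCP connection to PORT
# gets from the IPFilter rules in RULES_FILE.
# Assumed simplifications: only "in" rules are read; address, interface and
# group clauses are ignored (every rule is treated as "from any to any");
# only numeric destination "port = N" clauses are understood; a packet that
# matches no rule passes (the usual IPFilter default).
ipf_verdict() {
    awk -v port="$2" '
    $1 != "block" && $1 != "pass" { next }   # also skips comments and blanks
    $2 != "in" { next }
    {
        proto = ""; rport = ""; quick = 0; dst = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "quick") quick = 1
            if ($i == "proto") proto = $(i + 1)
            if ($i == "to") dst = 1          # port clauses after "to" are destination ports
            if (dst && $i == "port" && $(i + 1) == "=") rport = $(i + 2)
        }
        if (proto != "" && proto != "tcp" && proto != "tcp/udp") next
        if (rport != "" && rport != port) next
        verdict = $1                         # the last matching rule wins ...
        if (quick) exit                      # ... unless a rule is marked "quick"
    }
    END { print (verdict == "" ? "pass" : verdict) }
    ' "$1"
}

# Constructed sample ruleset (not taken from the manual or from Bastille output).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# default-deny for inbound TCP, then exceptions
block in proto tcp from any to any
pass in proto tcp from any to any port = 2301
block in quick proto tcp from any to any port = 22
pass in proto tcp from any to any port = 22
block in proto udp from any to any
EOF

# 22 = ssh (needed for ssh-tunneled tcp clients), 2301 = System Management Homepage
for p in 22 2301; do
    echo "tcp/$p: $(ipf_verdict "$SAMPLE" "$p")"
done
```

In the sample, the later pass rule for port 22 never takes effect because the earlier block rule is marked quick, so ssh-tunneled clients would be unable to reach the consolidation server.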

3.6 Viewing System and Consolidated Logs

Use the System Management Homepage’s System and Consolidated Log Viewer to filter and view a system’s local syslog log files. For a system that is also a log consolidator, the System and Consolidated Log Viewer also filters and displays the consolidated logs.

3.6.1 Starting System Management Homepage

To log in to the System Management Homepage, navigate to:

http://hostname:2301

Enter a username and password. Root logins are enabled by default. For additional information on starting and logging into the System Management Homepage, refer to the HP System Management Homepage User Guide.

After logging in to System Management Homepage, choose the Logs tab and then System and Consolidated Log Viewer.

3.6.2 Using the System and Consolidated Log Viewer

The System and Consolidated Log Viewer will display the syslog-related logs for the system. By default, this includes the local logs for the system from /var/adm/syslog. If this system is also a log consolidator, the consolidated logs will also be listed.

NOTE: In a Serviceguard cluster configured as a log consolidation server, the consolidated logs are placed on the filesystem associated with the “clog” package. See “Cluster Configuration Notes for clog” (page 52) for additional details. When using LVM and VxVM storage failover configurations, this means that the consolidated logs are only accessible to a single cluster member at a time. When using the http://hostname:2301 technique for starting SMH in a cluster, the administrator needs to know which cluster member is currently hosting the package, and should use that hostname in the URL.

Fortunately, there is a simpler solution: System Management Homepage supports virtual IP addresses such as those used by Serviceguard packages. This allows the administrator to use the package’s virtual IP address or DNS name in the auto-start URL (http://virtual_IP_address:2301) to launch the viewer on the system hosting the consolidated logs. For additional information, refer to the HP System Management Homepage User Guide.

Choose a log to view from the main Select tab. Use the Filter tab to specify filter expressions to search for specific entries, and then choose the Display tab to display the contents of the log. For
