立即与支持人员聊天
与支持团队交流

KACE Systems Management Appliance 15.0 - Administration Guide

About the KACE Systems Management Appliance Getting started
Configuring the appliance
Requirements and specifications Power-on the appliance and log in to the Administrator Console Access the Command Line Console Tracking configuration changes Configuring System-level and Admin-level General Settings Configure appliance date and time settings Managing user notifications Enable Two-Factor Authentication for all users Verifying port settings, NTP service, and website access Configuring network and security settings Configuring session timeout settings Configuring locale settings Configuring the default theme Configure data sharing preferences About DIACAP compliance requirements Enable API Access for the appliance Disable API Access for the appliance Configuring Mobile Device Access Enable fast switching for organizations and linked appliances Linking Quest KACE appliances Configuring history settings Configuring Content Security Policy
Setting up and using labels to manage groups of items Configuring user accounts, LDAP authentication, and SSO Deploying the KACE Agent to managed devices Using Replication Shares Managing credentials Configuring assets
About the Asset Management component Using the Asset Management Dashboard About managing assets Adding and customizing Asset Types and maintaining asset information Managing Software assets Managing physical and logical assets Maintaining and using manual asset information Managing locations Managing contracts Managing licenses Managing purchase records
Setting up License Compliance Managing License Compliance Setting up Service Desk Configure the Cache Lifetime for Service Desk widgets Creating and managing organizations Importing and exporting appliance resources
Managing inventory
Using the Inventory Dashboard Work with Inventory Dashboard Using Device Discovery Managing device inventory
About managing devices Features available for each device management method About inventory information Tracking changes to inventory settings Managing inventory information Finding and managing devices Registering KACE Agent with the appliance Provisioning the KACE Agent Manually deploying the KACE Agent Using Agentless management Adding devices manually in the Administrator Console or by using the API Forcing inventory updates About Remote Control Managing MIA devices Obtaining Dell warranty information
Managing applications on the Software page Managing Software Catalog inventory
About the Software Catalog Viewing Software Catalog information Adding applications to the Software Catalog Managing License assets for Software Catalog applications Associate Managed Installations with Cataloged Software Using software metering Using Application Control Update or reinstall the Software Catalog
Managing process, startup program, and service inventory Writing custom inventory rules
Deploying packages to managed devices
Distributing software and using Wake-on-LAN Broadcasting alerts to managed devices Running scripts on managed devices Using Task Chains
Patching devices and maintaining security
Using the Security Dashboard About patch management Subscribing to and downloading patches Creating and managing patch schedules Managing patch inventory Managing Windows Feature Updates Managing Dell devices and updates Managing Linux package upgrades Manage quarantined file attachments
Using reports and scheduling notifications Monitoring devices
Getting started with monitoring Working with monitoring profiles Managing monitoring for devices Working with alerts
Using the Service Desk
Configuring Service Desk Using the Service Desk Dashboard Managing Service Desk tickets, processes, and reports
Overview of Service Desk ticket lifecycle Creating tickets from the Administrator Console and User Console Creating and managing tickets by email Viewing tickets and managing comments, work, and attachments Merging tickets Using the ticket escalation process Using Service Desk processes Using Ticket Rules Run Service Desk reports Archiving, restoring, and deleting tickets Managing ticket deletion
Managing Service Desk ticket queues About User Downloads and Knowledge Base articles Customizing Service Desk ticket settings Configuring SMTP email servers
Maintenance and troubleshooting
Maintaining the appliance Troubleshooting the appliance
Appendixes Glossary About us Legal notices

Configure local routing tables

Configure local routing tables

Configure local routing tables to enable the appliance to route traffic through multiple gateways on a network.

Local routing tables are useful when the physical appliance is located in one office, and managed devices are located in a different location. For example, if the appliance is located in Texas, and managed devices are located in California, the appliance would serve devices on the Texas subnet. Using the a local routing table, the appliance could be pointed to the network in California, so that it could host the California devices as well as the Texas devices.

1.
Go to the appliance Control Panel:
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel.
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel.
2.
Click Local Routing Table to display the Local Routing Table Settings page.
3.
Click the Add button to add an entry: .
4.
Specify the following settings:

Option

Description

Name

Enter a name for the route.

Destination

Enter the IP address or network for the destination with which you want your appliance to communicate.

Subnet Mask or CIDR

Enter the subnet mask of the specified network. For example: 24, 255.255.240.0. This is applied to the host.

Gateway

Enter the IP address of the router that routes traffic between the appliance and the destination network.

5.
Click Add at the end of the row to save the entry.
6.
Click Save and Reboot at the bottom of the page to save all changes.
A warning appears indicating that the Apache™ service needs to be restarted.
7.
Click OK to continue.

Configure local web server settings and allow access to hosts

Configure local web server settings and allow access to hosts

You can configure local web server settings to specify an allow list of hosts that are allowed to access the Administrator Console, System Administration Console, and the User Console. After you create the allow list, access is restricted to the hosts on the allow list.

* 
NOTE: After an IP address or domain name is added to the Allow List, only that IP address or domain has access. All others are blocked.
1.
Go to the appliance Control Panel:
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel.
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel.
2.
In the Access Control List section, click the Limit appliance access to acceptable networks option to display the Access Control List Details page.
3.
Specify the following options:

Option

Description

No access restrictions

Select this option to allow access from any web address.

Restrict access as specified below

Select this option to restrict access to web addresses on the Allow List. To enable access to IP addresses on the appliance’s subnet in addition to the specified destinations, select Allow all IP addresses in the same subnet as the appliance.

4.
In the Allow List section, click the Add button to add an entry: .
5.
Specify the following options.

Option

Description

Destination

Specify the destination:
adminui: This is the Administrator Console, Admin level. An allow list of IP addresses and/or host names who can log in to http://appliance_hostname/admin.
userui: This is the User Console. An allow list of IP addresses and/or host names who can log in to http://appliance_hostname/user.
systemui: This is the System Administration Console (available only if the Organization component is enabled on the appliance). An allow list of IP addresses and/or host names who can log in to http://appliance_hostname/system.
api: This is the appliance API. An allow list of IP addresses and/or host names who can access the appliance using its API, including the KACE GO app.

IP Address/Domain Name

Provide the address to be allowed. This can be either:
A domain or sub-domain name (full or partial)
An IP address (full or partial)

Subnet Mask/CIDR/Prefix Length

Provide a subnet mask/CIDR (Classless Inter-Domain Routing) to be allowed. This enables a finer-grained subnet control.

6.
Click Save at the end of the row to save the entry.
7.
Click Save at the bottom of the page to save all changes.
A warning appears indicating that the Apache service needs to be restarted.
8.
Click OK to continue.
* 
NOTE: After an IP address or domain name is added to the Allow List, only that IP address or domain can access that page. All others are blocked.

Configure security settings for the appliance

Configure security settings for the appliance

You must configure appliance security settings to enable certain capabilities such as Samba share, SSL, SNMP, SSH, database access, and FTP access.

To enable SSL, you need to have the correct SSL private key file and a signed SSL certificate. If your private key has a password, the appliance cannot restart automatically. If you have this issue, contact Quest Support at https://support.quest.com/contact-support.

* 
Saving changes to security settings reboots the appliance.
In some cases, the Firefox® browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.
1.
Go to the appliance Control Panel:
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel.
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel.
2.
In the Security Settings section, click Security Options to display the Security Settings page.
3.
In the Security Options tab, specify the following settings:

Option

Description

Enable SSH

Permit SSH logins to the appliance. When SSH is enabled, SSH encrypted communications are permitted over port 22.

Enable backup via FTP

Enable access to the database backup files through a read-only FTP server. This enables you to create a process on another server to access the backup files.

If you do not need this access, clear this option.

Make FTP writable

Enable the upload of backup files using FTP. FTP is useful for backup files that are too large for the default HTTP mechanism and cause browser timeouts.

New FTP user password

Require a password for FTP access to the backup files.

Enable Secure Remote Logging via TLS

Specify server IP and port of the remote syslog-ng or rsyslog. TLS Default port is 6514.

Enabling remote syslog-ng or rsyslog allows you to send server log data to a remote syslog-ng or rsyslog server. For more details, refer Configure Encrypted Remote Logging to an External Syslog-ng Server.

Enable Secure backup files

Require username and password authentication for access to appliance backup files, which are available by entering a URL in a browser.

Clear this option to enable access to backup files through a URL without username or password authentication. This is useful for external process that require access. See About appliance backups.

Enable mDNS

Enable the appliance to respond to multicast Domain Name System (mDNS) and DNS Service Discovery (DNS-SD) requests. This option makes it easier for users and administrators to locate the Administrator Console and User Console. If you do not need the appliance to respond to these requests, clear this option.

Enable Munin access

Enable the appliance to view server usage and metrics over time.

* 
NOTE: This allows unrestricted, unauthenticated access to /munin.

SNMP Community String

The SNMP community string that enables read-only SNMP access. The default value is public.

MIB Files

Upload vendor-specific MIB (management information base) files. A MIB file allows the trap receiver on the appliance to translate SNMP traps into human-readable messages. These files are optional.
To upload a MIB file, on the Security Settings page, under MIB Files, in the Upload MIB area, click Browse, and select a MIB file.
A MIB file must meet certain standards. The appliance validates every MIB file that you upload. If you upload an invalid MIB file, an error message appears along the top of the Security Settings page. If you do not want to validate the contents of the MIB file, select the Skip MIB validation check box.

Secure Service Desk Attachments

Choose whether to add security for files that are attached to Service Desk tickets:
Select the check box to enable security for files attached to tickets. If you choose this option, users can access files attached to tickets only from within the appliance Administrator Console or User Console.
Clear the check box to enable users to access files by clicking ticket links from outside the Administrator Console or User Console.

Enable database access

Enable users to run reports on the appliance database using an external tool, such as Microsoft Access or Excel, over port 3306. If you do not need to expose the database in this way, clear this option.

* 
NOTE: The appliance database can be accessed from any ODBC-compliant third-party tool if you have installed the (32bit) MySQL ODBC driver. You must select this check box if you want to use this feature. In addition, you will need to configure a data source for your MySQL ODBC driver, and provide the appliance connection information. For more information, refer to your MySQL ODBC driver documentation.

Enable secure database access (SSL)

Enable SSL access to the database and access additional SSL options.

Enable API Access

Selecting this allows external tools and applications including the KACE GO mobile application to interact with the System Management Appliance. See Enable API Access for the appliance.

Enable mobile device access

Enable or disable Mobile Device Access to the appliance. Mobile device access enables you to interact with the appliance using the KACE GO app on iOS and Android smart phones and tablets. Administrators can use the app to access Service Desk, inventory, and application deployment features. See Configuring Mobile Device Access.

Enable SNMP READ access

Enable unidirectional (read-only) SNMP access to managed devices on the network through port 199 using SMUX, an SNMP multiplexing protocol. See Verify port settings.

You can query the SMA using SNMP v1, v2, and v3 protocols.
SNMP version 1 or 2: This version only requires a valid community string.
SNMP version 3: This version implements enhanced security and remote configuration features and requires a valid user name and encryption information. To add a security name, open the v3 tab, click , and provide the following information:
Security Name: The name of the User-based Security Model (USM) account that sends the SNMP trap.
Authentication Password: The password associated with the Security Name.
Authentication Protocol: The protocol used for authenticating the user: MD5 or SHA.
Privacy Password: The encryption key for the data packet.
Privacy Protocol: The encryption protocol: AES or DES.
Security Level: Indicates the level of security:
authPriv: The identity of the sender is verified and the information is encrypted.
authNoPriv: The identity of the sender is verified, but the information is not.
noAuthNoPriv: The identity of the sender is not verified and the information is not encrypted.

Enable remote syslog

Enable the appliance to send limited server log data to a remote Syslog server.

* 
NOTE: Log data sent this way is unencrypted and uses UDP (User Datagram Protocol). Before selecting this option, review your organization's guidelines about security and network saturation.

Remote Syslog Server

Specify the fully qualified domain name (FQDN) or IP address and the port number of the remote Syslog server. IPv4 and IPv6 addresses are supported. If you do not provide a port number, the appliance uses 514 (UDP), the default port number for Syslog traffic.

Enable SNMP Trap monitoring

Enable SNMP (Simple Network Management Protocol), a protocol for monitoring managed devices on a network. SNMP is supported by Dell Open Manage and many third-party products. If you do not want to receive SNMP traps from network devices, clear this option.

When you enable this feature on the appliance, and the related devices are also enabled for monitoring, the appliance can receive SNMP traps from the monitored network devices such as printers, projectors, and routers. This feature only applies to network devices managed through the SNMP-managed devices, such as agentless devices using SNMP connections.

For information on how to enable device monitoring, see Enable monitoring for one or more devices.

SNMP traps are messages initiated by network devices and sent to the trap receiver on the appliance. For example, a router can send a message when its power supply fails. Or, a printer initiates a message when it runs out of paper. The appliance receives these traps and generates alerts when certain pre-defined thresholds are reached.
SNMP version 1 or 2: This version only requires a valid community string. A community string is required to allow the appliance to receive SNMP trap messages from monitored network devices. The appliance supports multiple security strings. To add a community string, open the v1/v2 tab, click , type the community string, and click Save.
SNMP version 3: This version implements enhanced security and remote configuration features and requires a valid user name and encryption information. To add a security name, open the v3 tab, click , and provide the following information:
Security Name: The name of the User-based Security Model (USM) account that sends the SNMP trap.
Engine ID: The ID of the SNMP application engine that sends the SNMP trap.
Authentication Password: The password associated with the Security Name.
Authentication Protocol: The protocol used for authenticating the user: MD5 or SHA.
Privacy Password: The encryption key for the data packet.
Privacy Protocol: The encryption protocol: AES or DES.
Security Level: Indicates the level of security:
authPriv: The identity of the sender is verified and the information is encrypted.
authNoPriv: The identity of the sender is verified, but the information is not.
noAuthNoPriv: The identity of the sender is not verified and the information is not encrypted.

Brute Force Prevention

Specify the number of failed login attempts and the time for which the account is disabled.

Brute force prevention restricts a user account from logging in to all user interfaces and the API.

For multi-organization appliances, this behavior is organization specific per user and applies to accounts in the System user interface.

4.
In the Two-Factor Authentication tab, configure the Two-Factor Authentication (2FA) feature. 2FA provides stronger security for users logging into the appliance by adding an extra step to the login process. It relies on the Google Authenticator app to generate verification codes. The app generates a new six-digit code at regular intervals. When enabled, end users will be prompted for the current verification code each time they log in.
* 
NOTE: If you enable this feature, ensure that appliance server's clock is accurate, as well as the device running Google Authenticator. Google Authenticator relies on current time to create the token. If server's clock is not synchronized with those of the devices running Google Authenticator, token validation may fail, which may result in account lockouts.
a.
Specify the following options. They appear listed in the order of precedence, as you enable them from top to bottom. For example you can only enable 2FA for the User Console if you have previously configured 2FA for the Administrator Console.
Enable Two-Factor Authentication for the System Portal: Select this check box if you want to use 2FA for the System Administration Console. To enable 2FA for all users, select Required for all Users.
* 
NOTE: This option is only available on appliances with multiple organizations.
Enable Two-Factor Authentication for the Admin Portal: This option only appears if you enabled 2FA for the System Administration Console, or if your appliance has only one organization. Select this check box if you want to use 2FA for the Administrator Console. Next, specify the users that will require 2FA during login by selecting one of the following options:
Required for all Users: Appliances with one organization only. To enable 2FA for all users, select this option.
Defined by Organization: Appliances with multiple organizations only. Apply the same 2FA configuration to all users in each Organization in the Administrator Console, as applicable.
Required for all Users: Appliances with multiple organizations only. Enable 2FA for all users in the Administrator Console.
Not required: Appliances with multiple organizations only. Disable 2FA for all users in the Administrator Console.
Enable Two-Factor Authentication for the User Portal: This option only appears if you enabled 2FA for the Administrator Console. Select this check box if you want to use 2FA for the User Console. Next, specify the users that will require 2FA during login by selecting one of the following options:
Defined by Organization: Apply the same 2FA configuration to all users in each Organization in the User Console, as applicable.
Required for all Users: Enable 2FA for all users in the User Console.
Not required: Disable 2FA for all users in the User Console.
b.
Under Transition Window, specify the amount of time during which users who require 2FA will be able to bypass the 2FA configuration step.
For example, if a user forgets their phone at home and is therefore unable to generate a new code, they can still access the portal during the period of time specified here.
5.
Use the settings in the Brute Force Prevention area to prevent multiple consecutive attacks from obtaining access to the appliance using false credentials. You can configure the number of failed authentication attempts within a specified time frame, after which the appliance prevents any logins for that user.
The default setting is three attempts during a five-minute period. You can change these values, as needed.
When the appliance disables a user account from logging in, other users are not affected and can log in to the appliance with valid credentials.
6.
Optional: In the Appliance Encryption Key section, click Generate Key to generate a new encryption key. This key is used to enable Quest Support to access your appliance for troubleshooting using a tether. It is not necessary to generate a new key unless you believe that the current key has been compromised. See Enable a tether to Quest KACE Support.
The time stamp shows the time the key was generated.
7.
In the Single Sign On tab, specify authentication settings:

Option

Description

Disabled

Prevent the appliance from using single sign on. Single sign on enables users who are logged on to the domain to access the appliance Administrator Console and User Console without having to re-enter their credentials on the appliance login page.

Active Directory

Use Active Directory for authentication. Active Directory uses the domain to authenticate users on the network. See Using Active Directory for single sign on.

8.
In the Samba tab, specify the following settings:

Option

Description

For appliances with the Organization component enabled:

Enable Organization File Shares

For appliances without the Organization component:

Enable File Sharing

Use the appliance's client share to store files, such as files used to install applications on managed devices.

The appliance’s client share is a built-in Windows file server that can be used by the provisioning service to assist in distributing the Samba client on your network. Quest recommends that this file server only be enabled when you perform application installations on managed devices.

* 
NOTE: If the Organization component is enabled on your appliance, you can select additional file sharing options for each organization. See Enable file sharing at the System level.

Samba minimum protocol, Samba maximum protocol

Select the minimum and maximum Samba protocol, as required. The following options are available in each setting:
SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available. By default SMB2 selects the SMB2_10 variant.
SMB2_02: The earliest SMB2 version.
SMB2_10: Windows 7 SMB2 version.
SMB2_22: Early Windows 8 SMB2 version.
SMB2_24: Windows 8 beta SMB2 version.
SMB3: Re-implementation of the SMB2 protocol. Used by Windows 8. SMB3 has sub protocols available. By default SMB3 uses the SMB3_11 variant.
SMB3_00: Windows 8 SMB3 version (similar to SMB2_24).
SMB3_02: Windows 8.1 SMB3 version.
SMB3_10: Early Windows 10 technical preview version.
SMB3_11: Windows 10 technical preview version.

Require signing

Enables signing in for the Samba protocol.

Disable Guest Access

Disables Samba guest access.

Require NTLMv2 to appliance file shares

Enable NTLMv2 authentication for the appliance files shares. When this is enabled, managed devices connecting to the appliance File Shares require support for NTLMv2 and they authenticate to the appliance using NTLMv2. Although NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLM v2 Level 5, consider manually provisioning the KACE Agent. See Manually deploying the KACE Agent.

Require NTLMv2 to off-board file shares

Force certain appliance functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to off-board network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

9.
Optional: In the SSL tab, specify SSL settings:
* 
IMPORTANT: Enabling SSL is a one-way automatic shift for managed devices. Devices must be reconfigured manually if you disable SSL.

Option

Description

Enable Port 80 access

Enable access to the appliance over port 80.

If you disable port 80 access, contact Quest Support to adjust the Agent deployment scripts to handle SSL.

Enable Forward port 80 to port 443

When you verify that SSL is working as expected, you can enable the forwarding of all communication from port 80 to port 443. To do that, select this check box.

Enable SSL

Enable managed devices to connect to the appliance using SSL (HTTPS).

Enable this setting only after you have properly deployed the appliance on your LAN in non-SSL mode.

To enable SSL, you need to load an SSL certificate as described in step 10.

10.
To load an SSL certificate, do one of the following:
If your SSL certificate and private key are in Privacy Enhance Mail (PEM) format, similar to those used by Apache-based web servers:
1.
Select Upload PEM SSL Certificate.
2.
In the SSL Private Key File and SSL Certificate File fields, select the private key and certificate files.
3.
If you want to enable and upload intermediate SSL certificates (also in PEM format), select Enable Intermediate SSL Certificate. Intermediate SSL certificates are signed certificates provided by certificate issuers as proxies for root certificates.
If your certificate is in PKCS-12 format:
1.
Select Upload PKCS-12 SSL Certificate.
2.
In the PKCS-12 File field, select the file.
3.
In the Password for PKCS-12 file field, type the password for the PKCS-12 file.
To use the Let's Encrypt service for SSL certificates:
1.
Click Apply Let's Encrypt SSL Certificate. Let’s Encrypt is a free, automated, and open certificate authority (CA). When you get a certificate from Let’s Encrypt, their servers validate that you control the domain names in that certificate using a challenge.
* 
NOTE: The HTTP-01 challenge can only be done on port 80. Specify arbitrary ports makes the challenge less secure, and it is therefore not allowed by the Automatic Certificate Management Environment (ACME) standard. For that reason, the appliance must run on a public-facing box with port 80 open for inbound communication, and a publicly-resolvable DNS. For more details, visit https://letsencrypt.org/docs/challenge-types/.
2.
In the Email Address field, provide an email address. While Let's Encrypt certificates periodically expire, the appliance uses an automated process to update the certificate before its expiration. The address is used for communication with Let's Encrypt in an unlikely event the certificate expires. You must have a Let's Encrypt account registered using this email address.
3.
Select the check box to agree with the terms of service.
To generate certificate requests or load self-signed certificates:
1.
Click Generate CSR (Certificate Signing Request) or Self-Signed SSL Certificate.
2.
In the area that appears, click SSL Certificate Form. Follow the instructions in Generate an SSL certificate.
11.
In the CSP tab, select the Enable CSP checkbox to enable CSP (Content Security Policy). Enabling the checkbox adds list of KACE trusted domains automatically.
If you want to add domains or URLs in the list, then in the Additional Allowed Domains section, click +, and specify the Directive and the Domain/URL. For more details, Configuring Content Security Policy
12.
In the Secure Attachments in Service Desk section, choose whether to add security for files that are attached to Service Desk tickets:
Select the check box to enable security for files attached to tickets. If you choose this option, users can access files attached to tickets only from within the appliance Administrator Console or User Console.
Clear the check box to enable users to access files by clicking ticket links from outside the Administrator Console or User Console.
13.
Click Save and Restart Services to save changes and restart the appliance.
* 
NOTE: In some cases, the Firefox browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.

Configure Encrypted Remote Logging to an External Server

Configure Encrypted Remote Logging to an External Server

You can now securely forward the system logs from the Systems Management Appliance (SMA) to an external server using the syslog-ng protocol with TLS encryption. This setup enables encrypted one-way communication, ensuring that log data cannot be intercepted or read by unauthorized parties.

The administrators can send all the SMA-generated logs to a remote server over port 6514 using TLS.

Before you begin, you must ensure that-
the SMA must be accessible through a supported browser.
the remote server must have syslog-ng installed and configured.
port 6514 is open for incoming connections on the syslog-ng server.
* 
NOTE: The KACE SMA supports integration with any logging system that can be configured to use TLS. While the document provides examples for integrating with syslog-ng and rsyslog, our support is not limited to these tools.

Configuring Encrypted Remote Logging

1.
Go to the appliance Control Panel:
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel.
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel.
2.
In the Security Settings section, click Security Options to display the Security Settings page.
3.
Select the Enable Secure Remote Logging via TLS checkbox.
4.
Enter the IP address of the syslog-ng or rsyslog server.
5.
Specify the destination port (default is 6514). You may use a custom port if required-ensure it is open for incoming connections on the remote server.
6.
Click Save and Restart Services.
When the configuration is enabled, the SMA generates a public certificate and private key. The public certificate remains on the SMA, while the private key must be uploaded to the syslog-ng or rsyslog server.
7.
After the service restarts, download the server TLS files for configuration by clicking the Server key and Server certificate.
The files get downloaded on your machine. The server key file is used to authenticate the server, while the server certificate file is used to encrypt the connection between the SMA and the remote syslog server.
8.
Configure the logging service for syslog-ng or rsyslog.
a.
Configure Syslog server to receive logs from KACE System Management Appliance.
Open the syslog-ng.conf file.
Update the paths to the server key and certificate files. Add the following configuration at the end of the file:
source tls_source {
tcp(
ip(0.0.0.0)
port(6514)
tls(
key_file(" ("/usr/local/etc/syslogng/serverkey.pem")
cert_file("/usr/local/etc/syslogng/servercert.pem")
peer-verify(optional-untrusted)
)
);
};
Configure the log path
log { source(tls_source); destination(messages); };
* 
NOTE: Sometimes you may see the HOSTNAME twice in a log statement. If this is an issue, you can use a custom destination to fix it.
destination d_custom {
file("/var/log/syslog"
template("${DATE} ${HOST} ${MESSAGE}\n")
);
};

log {source(tls_source); destination(d_custom);};
* 
NOTE: Sometimes you might notice duplicate logs appearing on your syslog-ng server. This can happen when the same destination is specified in multiple log paths. To fix this, it's recommended to consolidate all sources into a single log path statement, as shown in the example below:
log { source(tls_source);source(s_src);
filter(f_messages); destination(d_messages); };
Restart the syslog-ng service.
b.
Configure rsyslog remote server to version v8.2504.0 or later. The below configuration works with v8.2504.0.
Upgrade to rsyslog latest version.
sudo add-apt-repository ppa:adiscon/v8-stable
sudo apt-get upgrade rsyslog
Add package > sudo apt-get install rsyslog-gnutls
Locate and open the rsyslog.conf file, then add the following configuration at the end of the file.
global(
defaultNetstreamDriver="gtls"
)
module(load="imtcp")
# Input for the first certificate
input(
type="imtcp"
port="6514"
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.AuthMode="anon"
StreamDriver.CertFile="/etc/rsyslog.d/servercert.pem"
StreamDriver.KeyFile="/etc/rsyslog.d/serverkey.pem"
)
Restart rsyslog service.
9.
Go to KACE System Management Appliance System UI > Security Settings, and click the Test button to ensure a secure connection is established.
If the connection is successful, a confirmation message appears.
* 
NOTE: The servercert.pem and serverkey.pem files are generated by the SMA and can be downloaded from the Security Settings page. The server key file is used to authenticate the server, while the server certificate file is used to encrypt the connection between the SMA and the remote syslog server. You should update the configuration file names "servercert.pem" and "serverkey.pem" with the actual file names you downloaded from the SMA.
Certificate Renewal Notification
A certificate expiration check runs periodically.
If a certificate is due to expire within 30 days, users receive a notification in the SMA UI.
Users can renew the certificate using the Renew Certificate option and must repeat the process of uploading it to the server and verifying the connection.
* 
The configuration supports both Linux and Windows as syslog-ng servers, as long as syslog-ng is installed and properly configured.
The administrators are responsible for managing the certificates.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级