Services | Keyfactor Docs

The Services page configures external log forwarding for Signum event data. Signum supports two destinations: Syslog and Splunk. Both receive the same event data that appears in the Events log: signing operations, policy decisions, agent connections, and system events.

Configuring an external log destination does not affect what is stored in the Signum Events log. Both destinations receive events independently.

SysLog

Signum can forward events to any Syslog-compatible server using TCP or UDP, with optional TLS encryption.

Setting	Description
SysLog	Enable to activate SysLog forwarding.
Protocol	The transport protocol to use: TCP (recommended for reliability) or UDP.
Server	The hostname or IP address of your Syslog server.
Port	The port to connect to. If left empty, the standard Syslog port is used (514 for UDP/plain TCP, 6514 for TLS).
TLS	Enable to encrypt the connection using TLS. Recommended for any Syslog server reachable over a network you do not fully control.
TLS Certificate	The PEM-encoded public certificate of the Syslog server, used to verify its identity. Required when TLS is enabled. If your Syslog server uses a certificate issued by a private CA, contact support@keyfactor.com to have the CA certificate added to Signum's trust store.

Splunk HTTP Event Collector

Signum can send event and system log data to Splunk using the HTTP Event Collector (HEC) framework.

For information on setting up the HTTP Event Collector in Splunk, see the Splunk documentation.

The Signum Server must be running version 4.20 or later before enabling this feature.

Setting	Description
Splunk logs enabled	Enable to activate log forwarding to Splunk.
Validate service connection certificate enabled	When enabled, Signum validates the Splunk server's TLS certificate before sending data. Recommended for production. If your Splunk server uses a private CA certificate, contact support@keyfactor.com to have the CA certificate added to Signum's trust store before enabling this.
Splunk HEC URL	The full URL of your Splunk HTTP Event Collector endpoint, including port. For Splunk Cloud, note that the `http-inputs` prefix is not needed as Signum is hosted in Azure. Example: `https://<host>.splunkcloud.com:8088/services/collector/event`. For configuration guidance, see the Splunk HEC documentation.
Splunk HEC Token	The HEC access token from Splunk, used to authenticate log submissions.