Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CipherTrust Manager System Monitoring

Debug Logs

search

Please Note:

Debug Logs

The CipherTrust Manager maintains a variety of debug logs to record administrative actions, network activity, cryptography requests, and more. These logs can be useful for debugging, error handling, troubleshooting, and for chronologically tracing failures and system events with Thales customer support. Server Audit Records are recommended for more routine monitoring.

All of these logs are specific to the node, and are not clustered or included in backup files. High access permissions are required. The user must be part of the System Admins and Admin groups, and the user must be logged into the root domain.

The following types of logs are recorded:

  • Connection request received

  • Configuration changes

  • Client requests

  • Service starts, stops, and restarts

  • System and user input errors

  • Successful and failed operations

The debug logs can be downloaded using the CipherTrust Manager CLI, API, and web console.

The downloaded file contains following debug log files in .gzip format:

  • auth.log

  • cloud-init.log

  • hostd.log

  • kern.log

  • keysecure.system.log

  • syslog

The extracted file type is LTSV. The ksadmin user can also forward a subset of these logs, called host logs, to an external syslog server.

Activity Logs

In addition to the debug logs, various activity logs can be extracted in a .gzip package. As with the debug logs, they are only available in the root domain to users who are part of the System Admins and Admin groups.

Web activity logs are always included are part of the web console download. In the CLI and API, these logs are available individually or as part of the all-logs option.

As well, KMIP and NAE Crypto Activity logs can be enabled. They are then included in the web console download. In the CLI and API, these logs are then available individually or as part of the all-logs option.

Downloading Logs using ksctl

To download CipherTrust Manager logs as a gzipped tarball, run:

Syntax

ksctl logs download --file <filename> --ca-id <Local-CA-ID> --type <Type-of-Logs>

Valid values for type parameter are:

  • all-logs: Includes all types of logs available to the current user and domain.

  • debug-logs: Includes the debug logs on the CipherTrust Manager.

  • kmip-activity-logs: Includes the KMIP activity logs on the CipherTrust Manager

  • nae-activity-logs: Includes the NAE activity logs on the CipherTrust Manager.

  • web-activity-logs: Includes the web activity logs on the CipherTrust Manager.

For every case, both current and rotated logs are downloaded. You can optionally provide a Certificate Authority (CA) for issuing a signing certificate. If no CA is provided, the CipherTrust Root CA issues the certificate.

To download the NAE Crypto Activity logs

ksctl logs download --file <filename> --type "nae-activity-logs"

To download all debug logs

ksctl logs download --file <filename> --type "debug-logs"

To download all logs

ksctl logs download --file <filename> --type "all-logs"

Downloading Logs from the Web Console

activity.kmip.log and activity.nae.log files can be present in the downloaded package if KMIP and NAE Crypto activity logs are also enabled. activity.web.log is always present.

Perform the following steps to download these logs using the GUI:

  1. Navigate to Admin Settings > Logs.

  2. Change the CA to issue a signing certificate, if desired. By default, the CipherTrust Root CA issues the certificate.

  3. Download the logs:

    • To download the current Debug Logs, click Download.

    • To download all logs, enable the Download all logs option and then click Download. The downloaded log file will contain all logs that are up to 4 weeks old.

Preserving integrity of downloaded logs

CipherTrust Manager preserves integrity of downloaded logs by performing following steps:

  • SHA512 hash of downloaded zip file is calculated, which is then signed by a dynamically generated asymmetric key pair.

  • Certificate is issued by the CipherTrust Manager CA. This CA is selected while downloading the logs. By default, the CipherTrust Root CA issues the certificate.

  • Certificate to verify the signed hash is contained in the downloaded content.

Verifying and viewing the downloaded logs

You must have installed OpenSSL on your machine to verify the log file. You can use the procedure in both Windows and UNIX/Linux environments.

Perform the following steps on the downloaded log file to verify its integrity:

  1. Unzip (extract) the log file.

  2. View the downloaded logs. The steps to view the logs depend on operating system.

    Caution

    Do not change, add, or delete any file in the extracted logs directory before verification. These actions will cause signature verification to fail.

    • For Windows users

      Note

      Do not use WinRAR for extracting the log files. Use of 7-Zip is recommended.

      1. Extract the tar.gz file using 7-Zip.

      2. Open files ending with the .log extension in a reader to view the logs. The available logs depend on download options.

    • For UNIX/Linux users

      Use the following commands in the Terminal:

      1. Decompress the tar.gz using this command: gzip -d keySecureLogs.tar.gz

        You will get keySecureLogs.tar.

      2. Extract the log files using this command: tar xvf keySecureLogs.tar

        The available logs depend on download options.

  3. Run the verify-logs.sh script in the extracted logs directory.

    ./verify-logs.sh

    The response for a successful verification is There is no difference in log files digest.

    The response for a failed verification is There are differences in log files digest.

Managing KMIP/NAE Activity Log Settings

The CipherTrust Manager logs:

  • All KMIP activities and operations

  • All NAE crypto activities and operations

Note

Logging both KMIP and NAE activities is memory-intensive due to the high volume of cryptographic operations performed every second. As a result, enabling this setting can significantly degrade the performance of KMIP and NAE operations. For this reason, it is not recommended to enable these logging settings in a production environment.

These activity logs are output in JSON format. You can also send these logs to log forwarders.

Enabling/Disabling KMIP or NAE Crypto Activity Logs through the Web Console

The CipherTrust Manager logs all KMIP and NAE crypto activities and operations. You can configure CipherTrust Manager to keep a record of various KMIP and NAE crypto activities and operations.

To record KMIP or NAE crypto activities and operations:

  1. Go to Admin Settings > Properties.

  2. Under Activity Log Settings, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.

  3. Under Activity Log Settings, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.

These logs are now available for download through the web console, CLI, and API, in the root domain for users who are part of System Admins and Admin groups.

As well, these logs can now be sent to Elasticsearch or Loki log forwarders.

Enabling/Disabling KMIP or NAE Crypto Activity Logs through ksctl

To enable KMIP activity logs, run:

ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value true

To disable KMIP activity logs, run:

ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value false

To enable NAE crypto activity logs, run:

ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value true

To disable NAE crypto activity logs, run:

ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value false

On this page