Logging
Data Discovery and Classification prints out its log messages to the CipherTrust Manager logs. DDC logs are located in the /opt/keysecure/logs
directory. The CipherTrust Manager System Administrator ksadmin
can log in using ssh to retrieve CipherTrust Manager logs. Also the DDC Application Administrators have access to the logs.
For more details on collecting DDC logs, see Troubleshooting Issues in Conjunction with Customer Support in the CipherTrust Manager Administrator page.
Default Logging Level
By default, log level setting for DDC is INFO. With this log level set DDC prints out the INFO and ERROR level messages to the log. Among the various messages that DDC prints to the logs, the error messages and security audit messages are the most useful for troubleshooting DDC issues and securing the deployment.
Identifying DDC Log Messages
The microservices behind DDC are oleander
and sundew
and the messages coming to the CipherTrust Manager log from DDC can be identified by those names.
Additionally, oleander
has these three modules:
- Clustering
- Agent_Selection
- Scan_watcher
Each of these modules will generate its own error messages, each in its separate log.[ ] log file.
The logging service responsible for collecting and processing these messages is FLUENTD. It is capable of displaying those messages to the terminal through the log command. Here's an example of such a command:
log | grep oleander | grep "clustering"
This command would display all messages coming from the oleander
's Clustering module.
For a complete list of error messages that DDC sends to the CM log, see the appendix Error Log Messages.
Security Audit Log Messages
The DDC security audit messages can be identified by the Oleander | INFO [security]
bit that they contain. The full format of such a log message (or log line) is:
<date> | Oleander | INFO [security] <event> <error (if any)> <details (if any)>
For example:
2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe “error: error probing scan client” “details: [scan_id:5432-5432-543254-2-5432]”
Usually, only the event type is printed out to the log (in the example above, it would be DCScanClientUnexpectedErrorProbe
).
Enabling Syslog Logging
Audit records are logged to a local database by default. This is suitable for production systems and clusters with a limited load. However, for clusters that support a large number of transactions, it is recommended to configure the CM to disable logging to a local database and enable logging using a remote Syslog server. This significantly reduces cluster traffic and disk usage. For more information, refer to the following sections in the Thales CipherTrust Manager Administrator Guide:
“Disabling local database audit logging”
“Configuring remote Syslog server”