Log Forwarding
Warning
After upgrading from 2.8 or below, the Loki and Elasticsearch connections that were created using the log forwarders API are deleted.
Users who belong to the System Admins group can forward server and client audit records and KMIP and NAE activity logs to Elasticsearch, Loki, or a syslog server.
Elasticsearch and Loki are part of logging stacks — Elastic Stack or Grafana Loki — which provide powerful tools for querying, analyzing and visualizing CipherTrust Manager log entries. See Elastic Stack documentation and Grafana Loki documentation for full details on logging system operations and capabilities.
CipherTrust Manager always stores logs locally in addition to forwarding to configured log forwarders.
In a clustered environment, log forwarder configuration is replicated across the cluster. The currently active node sends log forwarder messages. This means that if you perform a logged operation on a node, that node sends the log record to the log forwarder.
Note
Currently, the log forwarders do not use the system's proxy configuration. If a proxy is configured, the log forwarders bypass the proxy servers and connect to the logging system directly.
High-Level Workflow
Configuring CipherTrust Manager to forward to a logging system has two phases:
1. Create a log forwarder connection in Connection Manager. This establishes communication between CipherTrust Manager and the external logging system.
Note
CipherTrust Manager can have a total of 64 log forwarder connections. Each Elasticsearch, Loki, and Syslog connection is counted towards the 64 connection total.
2. Create a log forwarder resource on CipherTrust Manager. This object controls additional CipherTrust Manager-specific settings for the logs and records before sending them to the external logging system.
Configuring Elasticsearch Log Forwarder
Controls which index names are applied to the different CipherTrust Manager log and record types.
Configuring Loki Log Forwarder
Controls which labels are applied to the different CipherTrust Manager log and record types.
Configuring Syslog Log Forwarder
Controls which CipherTrust Manager log and record types are forwarded to syslog.
Timezone Configuration
CipherTrust Manager server audit records and client audit records are always recorded in the UTC time zone, in keeping with RFC 3339. Keep this in mind when you configure any external logging system, such as a log forwarder or a legacy syslog connection, and when you correlate forwarded records with logs from systems that stamp entries in local time.
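The following helper is an added example (not CipherTrust Manager code) that shows the correlation caveat above in practice: it normalises an RFC 3339 audit-record timestamp and a classic BSD-syslog timestamp (which carries neither year nor zone) to the same UTC instant. The audit record, the syslog line and the syslog server's local offset (UTC-5) are constructed assumptions for the example.

```python
"""Normalise CipherTrust Manager audit timestamps (RFC 3339, UTC) and
syslog timestamps (local time, no zone) to one instant for correlation."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the syslog server stamps lines in its own local zone; this
# example fixes it to UTC-5 instead of reading the host's tz database.
SYSLOG_LOCAL_TZ = timezone(timedelta(hours=-5))

_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
_SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2})")


def rfc3339_to_utc(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp ('Z' or numeric offset) into aware UTC."""
    if ts.endswith("Z"):          # fromisoformat() before 3.11 rejects 'Z'
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("RFC 3339 timestamp must carry a zone: %r" % ts)
    return dt.astimezone(timezone.utc)


def syslog_to_utc(line: str, year: int, local_tz=SYSLOG_LOCAL_TZ) -> datetime:
    """Parse a BSD-style syslog prefix ('Mar  5 09:22:07 ...') into aware UTC.
    Classic syslog carries no year or zone, so the caller supplies both."""
    m = _SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp in: %r" % line)
    mon, day, hh, mm, ss = m.groups()
    local = datetime(year, _MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=local_tz)
    return local.astimezone(timezone.utc)


def within(a: datetime, b: datetime, seconds: int = 2) -> bool:
    """True if two instants fall inside the allowed clock-skew window."""
    return abs((a - b).total_seconds()) <= seconds


# Constructed sample records (not real CipherTrust Manager output).
AUDIT_TS = "2024-03-05T14:22:07.418Z"
SYSLOG_LINE = "Mar  5 09:22:07 cm-node1 audit: server audit record received"

if __name__ == "__main__":
    a = rfc3339_to_utc(AUDIT_TS)
    s = syslog_to_utc(SYSLOG_LINE, 2024)
    print(a.isoformat(), s.isoformat(), within(a, s))
```

Comparing the raw strings would put the two records five hours apart; comparing the normalised instants shows they describe the same event.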
Configuring Elasticsearch Log Forwarder
The CipherTrust Manager log forwarder is compatible with Elasticsearch versions 7 and 8.
You can add an index name to KMIP activity logs, NAE activity logs, server audit records, and client audit records to help with queries in the Elasticsearch environment.
To add an Elasticsearch log forwarder, you must provide the following values:
a connection ID of the Elasticsearch connection manager (refer to Connection Manager for details)
a connection name for the log forwarder configuration
You can optionally provide:
an index name for KMIP activity logs
an index name for NAE activity logs
an index name for server audit records
an index name for client audit records
Syntax for Elasticsearch
ksctl log-forwarders add elasticsearch --name <name of log forwarder> --connection-id <ES connectionID/Name> --index-activity-kmip <kmip_index_name> --index-activity-nae <nae_index_name> --index-server-audit-records <server_audit_records_index_name> --index-client-audit-records <client_audit_records_index_name>
Configuring Loki Log Forwarder
You can add labels to KMIP activity logs, NAE activity logs, server audit records, and client audit records to help with queries in the Loki Grafana environment.
To add a Loki log forwarder, you must provide the following values:
a connection ID of the Loki connection manager (refer to Connection Manager for details)
a connection name for the log forwarder configuration
You can optionally provide:
labels field for KMIP activity logs
labels field for NAE activity logs
labels field for server audit records
labels field for client audit records
Syntax for Loki
ksctl log-forwarders add loki --name <name of log forwarder> --connection-id <Loki ConnectionID/Name> --labels-activity-kmip <kmip_label> --labels-activity-nae <nae_label> --labels-server-audit-records <server_audit_records_label> --labels-client-audit-records <client_audit_records_label>
Configuring Syslog Log Forwarder
Note
Upgraded CipherTrust Manager instances can have existing syslog connections through Admin Settings, which continue to be supported. Syslog servers configured as log forwarders can forward client audit records, while syslog servers configured through Admin Settings cannot.
Syslog message redirection is not supported for syslog log forwarders.
Once you have added a syslog connection, you can create a syslog log forwarder on CipherTrust Manager to forward KMIP activity logs, NAE activity logs, server audit records, and client audit records to the syslog server.
To add a Syslog log forwarder, you must provide:
a connection ID of the Syslog connection manager (refer to Connection Manager for details)
a connection name for the log forwarder configuration
You can optionally enable or disable forwarding of:
KMIP activity logs
NAE activity logs
client audit records
server audit records
Syntax for Syslog
ksctl log-forwarders add syslog --name <name of log forwarder> --connection-id <Syslog ConnectionID/Name> --forward-client-audit-records <true/false> --forward-logs-activity-kmip <true/false> --forward-logs-activity-nae <true/false> --forward-server-audit-records <true/false>
Viewing Log Forwarders
To view details for a particular log forwarder, use ksctl log-forwarders get --id <log-forwarder-identifier>
To view details for all log forwarders, use ksctl log-forwarders list
The returned details include ID, name, type (Loki or Elasticsearch), CipherTrust Manager user account, hostname, port, Elasticsearch indices, and Loki labels.
Updating Elasticsearch Log Forwarder
For an Elasticsearch log forwarder, you can modify:
a connection name for the log forwarder configuration
a connection ID of the Elasticsearch connection manager
an index name for KMIP activity logs
an index name for NAE activity logs
an index name for server audit records
an index name for client audit records
Syntax for Updating Elasticsearch Log Forwarder
ksctl log-forwarders modify elasticsearch --id <LogForwarder ID/Name> --name <name of log forwarder> --connection-id <ES connectionID/Name> --index-activity-kmip <kmip_index_name> --index-activity-nae <nae_index_name> --index-server-audit-records <server_audit_records_index_name> --index-client-audit-records <client_audit_records_index_name>
Updating Loki Log Forwarder
For a Loki log forwarder, you can modify:
a connection name for the log forwarder configuration
a connection ID of the Loki connection manager
labels field for KMIP activity logs
labels field for NAE activity logs
labels field for server audit records
labels field for client audit records
Syntax for Updating Loki Log Forwarder
ksctl log-forwarders modify loki --id <LogForwarder ID/Name> --name <name of log forwarder> --connection-id <Loki ConnectionID/Name> --labels-activity-kmip <kmip_label> --labels-activity-nae <nae_label> --labels-server-audit-records <server_audit_records_label> --labels-client-audit-records <client_audit_records_label>
Updating Syslog Log Forwarder
For a syslog log forwarder, you can modify:
a connection name for the log forwarder configuration
a connection ID of the Syslog connection manager
forwarding of KMIP activity logs
forwarding of NAE activity logs
forwarding of server audit records
forwarding of client audit records
Syntax for Updating Syslog Log Forwarder
ksctl log-forwarders modify syslog --id <LogForwarder ID/Name> --name <name of log forwarder> --connection-id <Syslog ConnectionID/Name> --forward-client-audit-records <true/false> --forward-logs-activity-kmip <true/false> --forward-logs-activity-nae <true/false> --forward-server-audit-records <true/false>
Deleting a Log Forwarder
To delete a log forwarder, use ksctl log-forwarders delete --id <log-forwarder-unique-identifier>