Debug Logs
The CipherTrust Manager maintains a variety of debug logs to record administrative actions, network activity, cryptography requests, and more. These logs can be useful for debugging, error handling, troubleshooting, and for chronologically tracing failures and system events with Thales customer support. Server Audit Records are recommended for more routine monitoring.
All of these logs are specific to the node, and are not clustered or included in backup files. High access permissions are required to download these logs. The user must be part of the System Admins and Admin groups, and the user must be logged into the root domain.
The following types of logs are recorded:
Connection request received
Configuration changes
Client requests
Service starts, stops, and restarts
System and user input errors
Successful and failed operations
The debug logs can be downloaded using the CipherTrust Manager CLI, API, and web console.
The downloaded file contains the following debug log files in .gzip format:
auth.log
cloud-init.log
hostd.log
kern.log
keysecure.system.log
syslog
The extracted file type is LTSV. The ksadmin user can also forward a subset of these logs, called host logs, to an external syslog server.
Activity Logs
In addition to the debug logs, various activity logs can be extracted in a .gzip package. As with the debug logs, they are only available to download in the root domain to users who are part of the System Admins and Admin groups. The downloaded logs include activity from every domain. Log forwarders allow finer control, forwarding activity logs from specific domains.
Web activity logs are always included as part of the web console download. In the CLI and API, these logs are available individually or as part of the all-logs option.
KMIP and NAE Crypto Activity logs can also be enabled as a system property. Once enabled, they are included in the web console download. In the CLI and API, these logs are then available individually or as part of the all-logs option.
Downloading Logs using ksctl
To download CipherTrust Manager logs as a gzipped tarball, run:
Syntax
ksctl logs download --file <filename> --ca-id <Local-CA-ID> --type <Type-of-Logs> --start-datetime <start-date-time-of-logs> --end-datetime <end-date-time-of-logs>
file - file path where the gzipped tarball is saved (for example, logs.tar.gz).
ca-id - ID of the trusted local CA to issue a certificate and sign the log file. You can optionally provide a Certificate Authority (CA) for issuing a signing certificate. If no CA is provided, the CipherTrust Root CA issues the certificate.
type - type of logs to download. For every log type, both current and rotated logs are downloaded. Valid values for the type parameter are:
all-logs: Includes all types of logs available to the current user and domain.
debug-logs: Includes the debug logs on the CipherTrust Manager.
kmip-activity-logs: Includes the KMIP activity logs on the CipherTrust Manager.
nae-activity-logs: Includes the NAE activity logs on the CipherTrust Manager.
web-activity-logs: Includes the web activity logs on the CipherTrust Manager.
start-datetime - filters results based on the start date and time of logs. The timestamp should be in the UTC format. For example, 2023-09-11 11:24:22. This is an optional parameter.
end-datetime - filters results based on the end date and time of logs. The timestamp should be in the UTC format. For example, 2023-09-11 11:24:22. This is an optional parameter.
To download the NAE Crypto Activity logs
ksctl logs download --file <filename> --type "nae-activity-logs"
To download all debug logs
ksctl logs download --file <filename> --type "debug-logs"
To download all logs
ksctl logs download --file <filename> --type "all-logs"
To download the logs that are within specified start date and end date
ksctl logs download --file <filename> --type "all-logs" --start-datetime '2023-09-11 11:24:22' --end-datetime '2023-10-30 12:24:22'
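The debug logs are LTSV and the CLI filters them by UTC timestamps in the form shown above. The following Python is an added example, not part of the Thales documentation: it parses LTSV records and applies the same inclusive start/end window to them offline. The labels (time, level, msg) and the sample lines are constructed, not real CipherTrust Manager output.

```python
"""Parse LTSV debug-log lines and filter them by a UTC window.

Added example, not from the Thales documentation. The labels (time, level,
msg) and the sample lines are constructed; real debug-log labels differ."""
from datetime import datetime, timezone
from typing import Optional

# Same timestamp layout as the CLI's --start-datetime / --end-datetime.
CLI_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: label:value pairs separated by tabs, one record per line.
SAMPLE_LTSV = (
    "time:2023-09-11 11:24:22\tlevel:info\tmsg:service started\n"
    "time:2023-09-11 11:30:00\tlevel:warn\tmsg:client request failed\n"
    "time:2023-10-30 12:24:22\tlevel:info\tmsg:config changed\n"
    "time:2023-11-01 00:00:00\tlevel:error\tmsg:auth failure\n"
    "not an ltsv record\n"
)

def parse_ltsv_line(line: str) -> Optional[dict]:
    """Split 'label:value<TAB>label:value' into a dict; None if not LTSV."""
    fields = {}
    for item in line.rstrip("\n").split("\t"):
        if ":" not in item:
            return None
        # Only the first colon separates label from value, so timestamps survive.
        label, value = item.split(":", 1)
        fields[label] = value
    return fields

def parse_utc(ts: str) -> datetime:
    """Interpret a CLI-style timestamp as UTC, as the documentation requires."""
    return datetime.strptime(ts, CLI_TIME_FORMAT).replace(tzinfo=timezone.utc)

def filter_by_window(text: str, start: Optional[str], end: Optional[str]) -> list:
    """Keep records whose 'time' label lies in [start, end]; skip bad lines."""
    lo = parse_utc(start) if start else None
    hi = parse_utc(end) if end else None
    kept = []
    for line in text.splitlines():
        record = parse_ltsv_line(line)
        if record is None or "time" not in record:
            continue  # non-LTSV line or record without a timestamp
        try:
            when = parse_utc(record["time"])
        except ValueError:
            continue  # unparsable timestamp
        if (lo is None or when >= lo) and (hi is None or when <= hi):
            kept.append(record)
    return kept
```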
Downloading Logs from the Web Console
The activity.kmip.log and activity.nae.log files can be present in the downloaded package if KMIP and NAE Crypto activity logs are also enabled. activity.web.log is always present.
Perform the following steps to download these logs using the GUI:
Navigate to Admin Settings > Logs.
Change the CA to issue a signing certificate, if desired. By default, the CipherTrust Root CA issues the certificate.
Download the logs:
To download the current Debug Logs, click Download.
To download all logs, enable the Download all logs option and then click Download. The downloaded log file will contain all logs that are up to 4 weeks old.
Preserving integrity of downloaded logs
CipherTrust Manager preserves the integrity of downloaded logs by performing the following steps:
A SHA512 hash of the downloaded zip file is calculated, which is then signed by a dynamically generated asymmetric key pair.
The certificate for the signing key is issued by the CipherTrust Manager CA. This CA is selected while downloading the logs. By default, the CipherTrust Root CA issues the certificate.
The certificate needed to verify the signed hash is contained in the downloaded content.
Verifying and viewing the downloaded logs
You must have installed OpenSSL on your machine to verify the log file. You can use the procedure in both Windows and UNIX/Linux environments.
Perform the following steps on the downloaded log file to verify its integrity:
Unzip (extract) the log file.
View the downloaded logs. The steps to view the logs depend on the operating system.
Caution
Do not change, add, or delete any file in the extracted logs directory before verification. These actions will cause signature verification to fail.
For Windows users
Note
Do not use WinRAR for extracting the log files. Use of 7-Zip is recommended.
Extract the tar.gz file using 7-Zip.
Open files ending with the .log extension in a reader to view the logs. The available logs depend on download options.
For UNIX/Linux users
Use the following commands in the Terminal:
Decompress the tar.gz using this command:
gzip -d keySecureLogs.tar.gz
You will get keySecureLogs.tar.
Extract the log files using this command:
tar xvf keySecureLogs.tar
The available logs depend on download options.
Run the verify-logs.sh script in the extracted logs directory:
./verify-logs.sh
The response for a successful verification is "There is no difference in log files digest". The response for a failed verification is "There are differences in log files digest".
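The Caution above says that changing, adding or deleting any file in the extracted directory makes verification fail. The following Python is an added example, not Thales's verify-logs.sh: a hypothetical re-implementation of the digest-comparison step only, showing why each of those three actions produces the failure message. The signature check of the SHA512 hash against the bundled certificate is not shown, and the file names and contents are constructed.

```python
"""Digest comparison over an extracted log directory (added example).

Hypothetical re-implementation of the digest-comparison step, not Thales's
verify-logs.sh; file names and contents below are constructed."""
import hashlib
import tempfile
from pathlib import Path

SUCCESS = "There is no difference in log files digest"
FAILURE = "There are differences in log files digest"

def sha512_file(path: Path) -> str:
    """SHA-512 hex digest of one file."""
    return hashlib.sha512(path.read_bytes()).hexdigest()

def build_manifest(log_dir: Path) -> dict:
    """Map every regular file in the directory to its SHA-512 digest."""
    return {p.name: sha512_file(p) for p in log_dir.iterdir() if p.is_file()}

def verify_logs(log_dir: Path, manifest: dict) -> tuple:
    """Return (message, problems); any changed, added or deleted file fails."""
    current = build_manifest(log_dir)
    problems = []
    for name in sorted(set(manifest) | set(current)):
        if name not in current:
            problems.append(f"missing: {name}")
        elif name not in manifest:
            problems.append(f"added: {name}")
        elif current[name] != manifest[name]:
            problems.append(f"modified: {name}")
    return (SUCCESS if not problems else FAILURE), problems

def demo() -> dict:
    """Run the clean, modified and added/deleted cases on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "auth.log").write_text("time:2023-09-11 11:24:22\tmsg:login ok\n")
        (d / "kern.log").write_text("time:2023-09-11 11:24:23\tmsg:kernel up\n")
        manifest = build_manifest(d)  # digests recorded before any tampering
        results["clean"] = verify_logs(d, manifest)
        (d / "auth.log").write_text("time:2023-09-11 11:24:22\tmsg:edited\n")
        results["modified"] = verify_logs(d, manifest)
        (d / "auth.log").unlink()
        (d / "extra.log").write_text("not in the original download\n")
        results["tampered"] = verify_logs(d, manifest)
    return results
```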
Managing KMIP/NAE Activity Log Settings
The CipherTrust Manager logs:
All KMIP activities and operations
All NAE crypto activities and operations
Note
Logging both KMIP and NAE activities is memory-intensive due to the high volume of cryptographic operations performed every second. As a result, enabling this setting can significantly degrade the performance of KMIP and NAE operations. For this reason, it is not recommended to enable these logging settings in a production environment.
These activity logs are output in JSON format. You can also send these logs to log forwarders.
Enabling/Disabling KMIP or NAE Crypto Activity Logs through the Web Console
CipherTrust Manager can be configured to keep a record of all KMIP and NAE crypto activities and operations. Application Administrators, such as the admin user, can enable and disable these logs in the root domain.
To record KMIP or NAE crypto activities and operations:
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In LOGS PROPERTIES, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.
In LOGS PROPERTIES, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.
These logs are now available for download through the web console, CLI, and API, in the root domain for users who are part of the System Admins and Admin groups.
These logs can also now be sent to log forwarders.
Enabling/Disabling KMIP or NAE Crypto Activity Logs through ksctl
To enable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value true
To disable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value false
To enable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value true
To disable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value false