System Logs
The CipherTrust Manager maintains a variety of logs to record administrative actions, network activity, cryptography requests, and more.
The following types of logs are recorded:
Connection request received
Configuration changes
Client requests
Service starts, stops, and restarts
System and user input errors
Successful and failed operations
These logs can be useful for debugging, error handling, troubleshooting, and for chronologically tracing failures and system events with Thales customer support. Server Audit Records are recommended for more routine monitoring.
The logs can be downloaded using the CipherTrust Manager GUI. The downloaded file contains the following files in .gzip format:
hostd.log
cloud-init.log
keysecuresystem.log
The extracted file type is LTSV.
Downloading Logs
Perform the following steps to download these logs using the GUI:
Navigate to Admin Settings > Logs.
Select a CA for signing the logs.
Download the logs:
To download the System Logs, click Download.
To download all logs, enable the Download all logs option and then click Download. The downloaded log file will contain all logs that are up to 4 weeks old.
Note
Only the users who are part of System Admins and Admin groups can download the logs from the root domain.
Preserving integrity of downloaded logs
CipherTrust Manager preserves the integrity of downloaded logs by performing the following steps:
A SHA256 hash of the downloaded zip file is calculated and then signed by a dynamically generated asymmetric key pair.
A certificate for the signing key is issued by the CipherTrust Manager CA. This CA is selected while downloading the logs, as explained under Downloading Logs.
The certificate used to verify the signed hash is contained in the downloaded content.
Verifying and viewing the downloaded logs
You must have OpenSSL installed on your machine to verify the log file. The procedure works in both Windows and UNIX/Linux environments.
activity.kmip.log and activity.nae.log files will be present in the downloaded package if activity logs are also selected.
Perform the following steps on the downloaded log file to verify its integrity:
Unzip (extract) the log file.
Use the following commands:
openssl x509 -pubkey -noout -in keySecure.cert > pubkey.pem
openssl dgst -sha256 -verify pubkey.pem -keyform PEM -signature keySecure.signature keySecureLogs.tar.gz
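The verification above, wrapped in a function as an added example that is not part of the Thales documentation. Because a real download is needed to run the two commands, the script also builds a constructed sample package: a throwaway RSA key with a self-signed certificate stands in for the CA-issued keySecure.cert, and a tiny tarball stands in for keySecureLogs.tar.gz. A tampered copy is checked as well so the failure path is visible.

```shell
#!/bin/sh
# Verify a downloaded log package the way the two openssl commands above do:
# extract the public key from keySecure.cert, then check keySecure.signature
# over keySecureLogs.tar.gz. Exit status 0 means "Verified OK", 1 otherwise.
verify_ct_logs() {
  dir="$1"
  pub="$dir/pubkey.pem"
  openssl x509 -pubkey -noout -in "$dir/keySecure.cert" > "$pub" || return 1
  openssl dgst -sha256 -verify "$pub" -keyform PEM \
      -signature "$dir/keySecure.signature" \
      "$dir/keySecureLogs.tar.gz" >/dev/null 2>&1
}

# Constructed sample package (not a real CipherTrust Manager download):
# a self-signed certificate plays the role of the CA-issued certificate,
# and one LTSV-style line plays the role of hostd.log.
make_sample_package() {
  dir="$1"
  mkdir -p "$dir/logs"
  printf 'time:2024-01-01T00:00:00Z\tlevel:info\tmsg:constructed sample\n' \
      > "$dir/logs/hostd.log"
  tar czf "$dir/keySecureLogs.tar.gz" -C "$dir" logs
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=sample-log-signer" \
      -keyout "$dir/key.pem" -out "$dir/keySecure.cert" >/dev/null 2>&1
  openssl dgst -sha256 -sign "$dir/key.pem" \
      -out "$dir/keySecure.signature" "$dir/keySecureLogs.tar.gz"
}

# Append one byte to the tarball; the signature must then fail to verify.
tamper_package() {
  printf 'x' >> "$1/keySecureLogs.tar.gz"
}
```

Point verify_ct_logs at the directory where you extracted a real download and it checks the package exactly as the manual steps do.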
Depending on your operating system, use following steps to view the downloaded logs:
For Windows users
Note
Do not use WinRAR for extracting the log files. Use of 7-Zip is recommended.
Extract the keySecureLogs.tar.gz file using 7-Zip. You will get three log files: cloud-init.log, hostd.log, keysecure.system.log. Open these files in a reader to view the logs.
For UNIX/Linux users
Use the following commands in the Terminal:
Decompress keySecureLogs.tar.gz using this command:
gzip -d keySecureLogs.tar.gz
You will get keySecureLogs.tar. Extract the log files using this command:
tar xvf keySecureLogs.tar
You will get three log files: cloud-init.log, hostd.log, keysecure.system.log.
Note
If activity logs are selected, then the activity.kmip.log and activity.nae.log files will be present in the downloaded package.
Managing KMIP/NAE Activity Log Settings
The CipherTrust Manager logs:
All KMIP activities and operations
All NAE crypto activities and operations
Note
Logging both KMIP and NAE activities is a memory-intensive task as thousands of cryptographic operations are performed every second. Thus, enabling this setting causes a significant drop in the performance of KMIP and NAE operations.
These activity logs are output in JSON format. You can also send these logs to Elasticsearch or Loki log forwarders.
Enabling/Disabling NAE Crypto Activity Logs
The CipherTrust Manager logs all NAE crypto activities and operations. You can configure CipherTrust Manager to keep a record of various NAE crypto activities and operations.
To record NAE crypto activities and operations:
Go to Admin Settings > System Properties.
Under Activity Log Settings, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.
Enabling/Disabling KMIP Activity Logs
The CipherTrust Manager logs all KMIP related operations and activities. You can configure CipherTrust Manager to keep a record of various KMIP activities and operations.
To record KMIP activities and operations:
Go to Admin Settings > System Properties.
Under Activity Log Settings, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.
Accessing KMIP/NAE Logs
To access logs through GUI, refer to the section Downloading Logs.
Enabling/Disabling KMIP Activity Logs through ksctl
To enable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value true
To disable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value false
Enabling/Disabling NAE Crypto Activity Logs through ksctl
To enable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value true
To disable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value false
Downloading Logs using ksctl
To download CipherTrust Manager logs as a gzipped tarball, run:
Syntax
ksctl logs download --file <filename> --ca-id <Local-CA-ID> --include-logs <Type-of-Logs>
Valid values for the include_logs parameter are:
system: Includes the current system logs on the CipherTrust Manager.
activity: Includes the current NAE and KMIP activity logs on the CipherTrust Manager.
all: Includes both current and rotated logs on the CipherTrust Manager.
You can provide multiple values separated by commas. The default value is system and activity.
To download logs (Default: current system and activity logs)
Syntax
ksctl logs download --file <filename>
To download only current system logs
Syntax
ksctl logs download --file <filename> --include-logs "system"
To download all system logs
Syntax
ksctl logs download --file <filename> --include-logs "system, all"
To download all logs
ksctl logs download --file <filename> --include-logs "all"