Log Forwarding
Caution
This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, incomplete functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
Users who belong to the System Admins group can forward server and client audit records and KMIP and NAE activity logs to Elasticsearch or Loki or both. These log forwarders are part of log stacks — Elastic Stack or Grafana Loki — which provide powerful tools for querying, analyzing and visualizing CipherTrust Manager log entries. See Elastic Stack documentation and Grafana Loki documentation for full details on log forwarder operations and capabilities.
CipherTrust Manager always stores logs locally in addition to forwarding to configured log forwarders.
In a clustered environment, log forwarder configuration is replicated across the cluster. The currently active node sends log forwarder messages. This means that if you perform a logged operation on a node, that node sends the log record to the log forwarder.
Configuring Elasticsearch Connection
Elasticsearch connections can be authenticated with username and password or unauthenticated. Check the Elasticsearch deployment for the authentication required for incoming data.
These connections can additionally use TLS for an added layer of protection, indicated by providing a Certificate Authority (CA) certificate during connection configuration. By default, CipherTrust Manager attempts to validate Elasticsearch's server certificate using the provided CA. The external CAs already present on CipherTrust Manager are not used. You can disable certificate validation for TLS if desired.
You can add an index name to KMIP activity logs, NAE activity logs, server audit records, and client audit records to help with queries in the Elasticsearch environment.
To add an Elasticsearch connection you need to provide the following values:
A name for the log forwarder configuration
The hostname for connecting to Elasticsearch
The port for Elasticsearch to listen on
You can optionally provide the following values:
An index name for KMIP activity logs
An index name for NAE activity logs
An index name for server audit records
An index name for client audit records
A trusted CA certificate. This can be provided as a file or as text. Providing a certificate indicates that the connection uses TLS. If you intend to have CipherTrust Manager validate Elasticsearch's server certificate, which is the default behavior, provide a CA which directly or indirectly signs the server certificate.
A setting for CipherTrust Manager to skip certificate verification when using TLS. Use the
insecure-tls-skip-verifyflag to indicate that CipherTrust Manager does not verify Elasticsearch's presented server certificate.An HTTP username for authentication.
An HTTP password for authentication.
Syntax for Elasticsearch With TLS
ksctl log-forwarders add elasticsearch --host <elasticsearch_hostname_or_IP> --port <listening_port> {--ca-cert <trusted_ca_certificate_text>|--ca-cert-file <trusted_ca_certificate_file>} [--insecure-tls-skip-verify] [--index-activity-kmip <kmip_index_name>] [--index-activity-nae <nae_index_name>] [--index-server-audit-records <server_audit_records_index_name>] [--index-client-audit-records <client_audit_records_index_name>]
Syntax for ElasticSearch with Password Authentication
ksctl log-forwarders add elasticsearch --host <elasticsearch_hostname_or_IP> --port <listening_port> --http-user <username_for_http_authentication> --http-passwd <password_for_http_authentication> [--index-activity-kmip <kmip_index_name>] [--index-activity-nae <nae_index_name>] [--index-server-audit-records <server_audit_records_index_name>] [--index-client-audit-records <client_audit_records_index_name>]
Configuring Loki Connection
Loki connections can be unauthenticated or authenticated with username and password. Check the Loki Grafana deployment for the authentication required for incoming data. You can add labels to KMIP activity logs, NAE activity logs, server audit records, and client audit records to help with queries in the Loki Grafana environment.
To add a Loki log forwarder, you must provide the following values:
A name for the log forwarder configuration
The hostname for connecting to Loki
The port for Loki to listen on
You can optionally provide the following values:
a user name for HTTP authentication
a password for HTTP authentication
labels field for KMIP activity logs
labels field for NAE activity logs
labels field for server audit records
labels field for client audit records
Syntax for Loki With Password Authentication
ksctl log-forwarders add loki --host <loki_hostname_or_IP> --port <listening_port> --http-user <username_for_http_authentication> --http-passwd <password_for_http_authentication> [--labels-activity-kmip <kmip_label>] [--labels-activity-nae <nae_label>] [--labels-server-audit-records <server_audit_records_label>] [--labels-client-audit-records <client_audit_records_label>]
Syntax for Loki with No Authentication
ksctl log-forwarders add loki --host <loki_hostname_or_IP> --port <listening_port> [--labels-activity-kmip <kmip_label>] [--labels-activity-nae <nae_label>] [--labels-server-audit-records <server_audit_records_label>] [--labels-client-audit-records <client_audit_records_label>]
Viewing Log Forwarders
You can use ksctl log-forwarders get --id <log-forwarder-identifier> to view details for a particular log forwarder.
You can use ksctl log-forwarders list to view details for all log forwarders.
The returned details include ID, name, type (Loki or Elasticsearch), CipherTrust Manager user account, hostname, port, ElasticSearch indicies, and Loki labels.
Updating Elasticsearch Log Forwarder
The following values can be modified for an Elasticsearch log forwarder:
A name for the log forwarder configuration
The hostname for connecting to Elasticsearch
The port for Elasticsearch to listen on
An index name for KMIP activity logs
An index name for NAE activity logs
An index name for server audit records
An index name for server client records
A trusted CA certificate. This can be provided as a file or as text. Providing a certificate indicates that the connection uses TLS. If you intend to have CipherTrust Manager validate Elasticsearch's server certificate, which is the default behavior, provide a CA which directly or indirectly signs the server certificate.
A setting for CipherTrust Manager to skip certificate verification when using TLS. Use the
insecure-tls-skip-verifyflag to indicate that CipherTrust Manager does not verify Elasticsearch's presented server certificate.HTTP username and password for authentication. There is an option to provide the authentication password after a prompt for the modify command, for improved security. CipherTrust Manager stores these values and sends them along with log forwarding requests.
Syntax for Updating Elasticsearch Log Forwarder for TLS
ksctl log-forwarders modify elasticsearch --id <elasticsearch-resource-id> --host <elasticsearch_hostname_or_IP> --port <listening_port> {--ca-cert <trusted_ca_certificate_text>|--ca-cert-file <trusted_ca_certificate_file>} [--insecure-tls-skip-verify] [--index-activity-kmip <kmip_index_name>] [--index-activity-nae <nae_index_name>] [--index-server-audit-records <server_audit_records_index_name>] [--index-client-audit-records <client_audit_records_index_name>]
Syntax for Updating ElasticSearch for Password Authentication
ksctl log-forwarders modify elasticsearch --id <elasticsearch-resource-id> --host <elasticsearch_hostname_or_IP> --port <listening_port> --http-user <username_for_http_authentication> --http-passwd <password_for_http_authentication> [--index-activity-kmip <kmip_index_name>] [--index-activity-nae <nae_index_name>] [--index-server-audit-records <server_audit_records_index_name>] [--index-client-audit-records <client_audit_records_index_name>]
Updating Loki Log Forwarder
The following values can be modified for a Loki log forwarder:
A name for the log forwarder configuration
The hostname for connecting to Loki
The port for Loki to listen on
Labels field for KMIP activity logs
Labels field for NAE activity logs
Labels field for server audit records
Labels field for client audit records
A user name and password for HTTP authentication. There is an option to provide the authentication password after a prompt for the modify command, for improved security. CipherTrust Manager stores these values and sends them along with log forwarding requests.
Syntax for Updating Loki With Password Authentication
ksctl log-forwarders modify loki --id <loki_resource_id> --host <loki_hostname_or_IP> --port <listening_port> --http-user <username_for_http_authentication> {--http-passwd <password_for_http_authentication>|--http-passwd-interactive}[--labels-activity-kmip <kmip_label>] [--labels-activity-nae <nae_label>] [--labels-server-audit-records <server_audit_records_label>] [--labels-client-audit-records <client_audit_records_label>]
Syntax for Updating Loki with No Authentication
ksctl log-forwarders modify loki --id <loki_resource_id> --host <loki_hostname_or_IP> --port <listening_port> [--labels-activity-kmip <kmip_label>] [--labels-activity-nae <nae_label>] [--labels-server-audit-records <server_records_label>] [--labels-client-audit-records <client_records_label>]
Deleting a Log Forwarder
To delete a log forwarder, use ksctl log-forwarders delete --id <log-forwarder-unique-identifier>.
