Debug Logs
The CipherTrust Manager maintains a variety of debug logs to record administrative actions, network activity, cryptography requests, and more. These logs can be useful for debugging, error handling, troubleshooting, and for chronologically tracing failures and system events with Thales customer support. Server Audit Records are recommended for more routine monitoring.
All of these logs are specific to the node, and are not clustered or included in backup files. High access permissions are required. The user must be part of the System Admins and Admin groups, and the user must be logged into the root domain.
The following types of logs are recorded:
Connection request received
Configuration changes
Client requests
Service starts, stops, and restarts
System and user input errors
Successful and failed operations
The debug logs can be downloaded using the CipherTrust Manager CLI, API, and web console.
The downloaded file contains following debug log files in .gzip format:
auth.log
cloud-init.log
hostd.log
kern.log
keysecure.system.log
syslog
The extracted file type is LTSV. The ksadmin
user can also forward a subset of these logs, called host logs, to an external syslog server.
Activity Logs
In addition to the debug logs, various activity logs can be extracted in a .gzip package. As with the debug logs, they are only available in the root domain to users who are part of the System Admins and Admin groups.
Web activity logs are always included are part of the web console download. In the CLI and API, these logs are available individually or as part of the all-logs
option.
As well, KMIP and NAE Crypto Activity logs can be enabled. They are then included in the web console download. In the CLI and API, these logs are then available individually or as part of the all-logs
option.
Downloading Logs using ksctl
To download CipherTrust Manager logs as a gzipped tarball, run:
Syntax
ksctl logs download --file <filename> --ca-id <Local-CA-ID> --type <Type-of-Logs>
Valid values for type
parameter are:
all-logs
: Includes all types of logs available to the current user and domain.debug-logs
: Includes the debug logs on the CipherTrust Manager.kmip-activity-logs
: Includes the KMIP activity logs on the CipherTrust Managernae-activity-logs
: Includes the NAE activity logs on the CipherTrust Manager.web-activity-logs
: Includes the web activity logs on the CipherTrust Manager.
For every case, both current and rotated logs are downloaded. You can optionally provide a Certificate Authority (CA) for issuing a signing certificate. If no CA is provided, the CipherTrust Root CA issues the certificate.
To download the NAE Crypto Activity logs
ksctl logs download --file <filename> --type "nae-activity-logs"
To download all debug logs
ksctl logs download --file <filename> --type "debug-logs"
To download all logs
ksctl logs download --file <filename> --type "all-logs"
Downloading Logs from the Web Console
activity.kmip.log
and activity.nae.log
files can be present in the downloaded package if KMIP and NAE Crypto activity logs are also enabled. activity.web.log
is always present.
Perform the following steps to download these logs using the GUI:
Navigate to Admin Settings > Logs.
Change the CA to issue a signing certificate, if desired. By default, the CipherTrust Root CA issues the certificate.
Download the logs:
To download the current Debug Logs, click Download.
To download all logs, enable the Download all logs option and then click Download. The downloaded log file will contain all logs that are up to 4 weeks old.
Preserving integrity of downloaded logs
CipherTrust Manager preserves integrity of downloaded logs by performing following steps:
SHA512 hash of downloaded zip file is calculated, which is then signed by a dynamically generated asymmetric key pair.
Certificate is issued by the CipherTrust Manager CA. This CA is selected while downloading the logs. By default, the CipherTrust Root CA issues the certificate.
Certificate to verify the signed hash is contained in the downloaded content.
Verifying and viewing the downloaded logs
You must have installed OpenSSL on your machine to verify the log file. You can use the procedure in both Windows and UNIX/Linux environments.
Perform the following steps on the downloaded log file to verify its integrity:
Unzip (extract) the log file.
View the downloaded logs. The steps to view the logs depend on operating system.
Caution
Do not change, add, or delete any file in the extracted logs directory before verification. These actions will cause signature verification to fail.
For Windows users
Note
Do not use WinRAR for extracting the log files. Use of 7-Zip is recommended.
Extract the
tar.gz
file using 7-Zip.Open files ending with the
.log
extension in a reader to view the logs. The available logs depend on download options.
For UNIX/Linux users
Use the following commands in the Terminal:
Decompress the
tar.gz
using this command:gzip -d keySecureLogs.tar.gz
You will get
keySecureLogs.tar
.Extract the log files using this command:
tar xvf keySecureLogs.tar
The available logs depend on download options.
Run the
verify-logs.sh
script in the extracted logs directory../verify-logs.sh
The response for a successful verification is
There is no difference in log files digest
.The response for a failed verification is
There are differences in log files digest
.
Managing KMIP/NAE Activity Log Settings
The CipherTrust Manager logs:
All KMIP activities and operations
All NAE crypto activities and operations
Note
Logging both KMIP and NAE activities is a memory-intensive task as thousands of cryptographic operations are performed every second. Thus, enabling this setting causes a significant drop in the performance of KMIP and NAE operations.
These activity logs are output in JSON format. You can also send these logs to Elasticsearch or Loki log forwarders.
Enabling/Disabling KMIP or NAE Crypto Activity Logs through the Web Console
The CipherTrust Manager logs all KMIP and NAE crypto activities and operations. You can configure CipherTrust Manager to keep a record of various KMIP and NAE crypto activities and operations.
To record KMIP or NAE crypto activities and operations:
Go to Admin Settings > Properties.
Under Activity Log Settings, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.
Under Activity Log Settings, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.
These logs are now available for download through the web console, CLI, and API, in the root domain for users who are part of System Admins and Admin groups.
As well, these logs can now be sent to Elasticsearch or Loki log forwarders.
Enabling/Disabling KMIP or NAE Crypto Activity Logs through ksctl
To enable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value true
To disable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value false
To enable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value true
To disable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value false