The CipherTrust Manager maintains a variety of debug logs to record administrative actions, network activity, cryptography requests, and more. These logs can be useful for debugging, error handling, troubleshooting, and for chronologically tracing failures and system events with Thales customer support. Server Audit Records are recommended for more routine monitoring.
All of these logs are specific to the node, and are not clustered or included in backup files. High access permissions are required. The user must be part of the System Admins and Admin groups, and the user must be logged into the root domain.
The following types of logs are recorded:
Connection request received
Service starts, stops, and restarts
System and user input errors
Successful and failed operations
The debug logs can be downloaded using the CipherTrust Manager CLI, API, and web console.
The downloaded file contains following debug log files in .gzip format:
The extracted file type is LTSV. The
ksadmin user can also forward a subset of these logs, called host logs, to an external syslog server.
In addition to the debug logs, various activity logs can be extracted in a .gzip package. As with the debug logs, they are only available in the root domain to users who are part of the System Admins and Admin groups.
Web activity logs are always included are part of the web console download. In the CLI and API, these logs are available individually or as part of the
As well, KMIP and NAE Crypto Activity logs can be enabled. They are then included in the web console download. In the CLI and API, these logs are then available individually or as part of the
Downloading Logs using ksctl
To download CipherTrust Manager logs as a gzipped tarball, run:
ksctl logs download --file <filename> --ca-id <Local-CA-ID> --type <Type-of-Logs>
Valid values for
type parameter are:
all-logs: Includes all types of logs available to the current user and domain.
debug-logs: Includes the debug logs on the CipherTrust Manager.
kmip-activity-logs: Includes the KMIP activity logs on the CipherTrust Manager
nae-activity-logs: Includes the NAE activity logs on the CipherTrust Manager.
web-activity-logs: Includes the web activity logs on the CipherTrust Manager.
For every case, both current and rotated logs are downloaded. You can optionally provide a Certificate Authority (CA) for issuing a signing certificate. If no CA is provided, the CipherTrust Root CA issues the certificate.
To download the NAE Crypto Activity logs
ksctl logs download --file <filename> --type "nae-activity-logs"
To download all debug logs
ksctl logs download --file <filename> --type "debug-logs"
To download all logs
ksctl logs download --file <filename> --type "all-logs"
Downloading Logs from the Web Console
activity.nae.log files can be present in the downloaded package if KMIP and NAE Crypto activity logs are also enabled.
activity.web.log is always present.
Perform the following steps to download these logs using the GUI:
Navigate to Admin Settings > Logs.
Change the CA to issue a signing certificate, if desired. By default, the CipherTrust Root CA issues the certificate.
Download the logs:
To download the current Debug Logs, click Download.
To download all logs, enable the Download all logs option and then click Download. The downloaded log file will contain all logs that are up to 4 weeks old.
Preserving integrity of downloaded logs
CipherTrust Manager preserves integrity of downloaded logs by performing following steps:
SHA512 hash of downloaded zip file is calculated, which is then signed by a dynamically generated asymmetric key pair.
Certificate is issued by the CipherTrust Manager CA. This CA is selected while downloading the logs. By default, the CipherTrust Root CA issues the certificate.
Certificate to verify the signed hash is contained in the downloaded content.
Verifying and viewing the downloaded logs
You must have installed OpenSSL on your machine to verify the log file. You can use the procedure in both Windows and UNIX/Linux environments.
Perform the following steps on the downloaded log file to verify its integrity:
Unzip (extract) the log file.
View the downloaded logs. The steps to view the logs depend on operating system.
Do not change, add, or delete any file in the extracted logs directory before verification. These actions will cause signature verification to fail.
For Windows users
Do not use WinRAR for extracting the log files. Use of 7-Zip is recommended.
tar.gzfile using 7-Zip.
Open files ending with the
.logextension in a reader to view the logs. The available logs depend on download options.
For UNIX/Linux users
Use the following commands in the Terminal:
tar.gzusing this command:
gzip -d keySecureLogs.tar.gz
You will get
Extract the log files using this command:
tar xvf keySecureLogs.tar
The available logs depend on download options.
verify-logs.shscript in the extracted logs directory.
The response for a successful verification is
There is no difference in log files digest.
The response for a failed verification is
There are differences in log files digest.
Managing KMIP/NAE Activity Log Settings
The CipherTrust Manager logs:
All KMIP activities and operations
All NAE crypto activities and operations
Logging both KMIP and NAE activities is a memory-intensive task as thousands of cryptographic operations are performed every second. Thus, enabling this setting causes a significant drop in the performance of KMIP and NAE operations.
These activity logs are output in JSON format. You can also send these logs to Elasticsearch or Loki log forwarders.
Enabling/Disabling KMIP or NAE Crypto Activity Logs through the Web Console
The CipherTrust Manager logs all KMIP and NAE crypto activities and operations. You can configure CipherTrust Manager to keep a record of various KMIP and NAE crypto activities and operations.
To record KMIP or NAE crypto activities and operations:
Go to Admin Settings > Properties.
Under Activity Log Settings, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.
Under Activity Log Settings, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.
As well, these logs can now be sent to Elasticsearch or Loki log forwarders.
Enabling/Disabling KMIP or NAE Crypto Activity Logs through ksctl
To enable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value true
To disable KMIP activity logs, run:
ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value false
To enable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value true
To disable NAE crypto activity logs, run:
ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value false