Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CipherTrust Manager System Monitoring

Debug Logs

search

Please Note:

printsuggest an editpdf paneldownload

Debug Logs

The CipherTrust Manager maintains a variety of debug logs to record administrative actions, network activity, cryptography requests, and more. These logs can be useful for debugging, error handling, troubleshooting, and for chronologically tracing failures and system events with Thales customer support. Server Audit Records are recommended for more routine monitoring.

All of these logs are specific to the node, and are not clustered or included in backup files. High access permissions are required to download these logs. The user must be part of the System Admins and Admin groups, and the user must be logged into the root domain.

The following types of logs are recorded:

  • Connection request received

  • Configuration changes

  • Client requests

  • Service starts, stops, and restarts

  • System and user input errors

  • Successful and failed operations

The debug logs can be downloaded using the CipherTrust Manager CLI, API, and web console.

The downloaded file contains following debug log files in .gzip format:

  • auth.log

  • cloud-init.log

  • hostd.log

  • kern.log

  • keysecure.system.log

  • syslog

The extracted file type is LTSV. The ksadmin user can also forward a subset of these logs, called host logs, to an external syslog server.

copy link to clipboardActivity Logs

In addition to the debug logs, various activity logs can be extracted in a .gzip package. As with the debug logs, they are only available to download in the root domain to users who are part of the System Admins and Admin groups. The downloaded logs include activity from every domain. Log forwarders allow finer control, forwarding activity logs from specific domains.

Web activity logs are always included are part of the web console download. In the CLI and API, these logs are available individually or as part of the all-logs option.

As well, KMIP and NAE Crypto Activity logs can be enabled as a system property. They are then included in the web console download. In the CLI and API, these logs are then available individually or as part of the all-logs option.

copy link to clipboardDownloading Logs using ksctl

To download CipherTrust Manager logs as a gzipped tarball, run:

Syntax

ksctl logs download --file <filename> --ca-id <Local-CA-ID> --type <Type-of-Logs> --start-datetime <start-date-time-of-logs> --end-datetime <end-date-time-of-logs>

  • file - file path where the gzipped tarball is saved (for example, logs.tar.gz).

  • ca-id - ID of the trusted local CA to issue a certificate and sign the log file. You can optionally provide a Certificate Authority (CA) for issuing a signing certificate. If no CA is provided, the CipherTrust Root CA issues the certificate.

  • type - type of logs to download. For every log type, both current and rotated logs are downloaded. Valid values for type parameter are:

    • all-logs: Includes all types of logs available to the current user and domain.

    • debug-logs: Includes the debug logs on the CipherTrust Manager.

    • kmip-activity-logs: Includes the KMIP activity logs on the CipherTrust Manager

    • nae-activity-logs: Includes the NAE activity logs on the CipherTrust Manager.

    • web-activity-logs: Includes the web activity logs on the CipherTrust Manager.

  • start-datetime - filters results based on the start date and time of logs. The timestamp should be in the UTC format. For example, 2023-09-11 11:24:22. This is an optional parameter.

  • end-datetime - filters results based on the end date and time of logs. The timestamp should be in the UTC format. For example, 2023-09-11 11:24:22. This is an optional parameter.

To download the NAE Crypto Activity logs

ksctl logs download --file <filename> --type "nae-activity-logs"

To download all debug logs

ksctl logs download --file <filename> --type "debug-logs"

To download all logs

ksctl logs download --file <filename> --type "all-logs"

To download the logs that are within specified start date and end date

ksctl logs download --file <filename> --type "all-logs" --start-datetime '2023-09-11 11:24:22' --end-datetime '2023-10-30 12:24:22'

copy link to clipboardDownloading Logs from the Web Console

activity.kmip.log and activity.nae.log files can be present in the downloaded package if KMIP and NAE Crypto activity logs are also enabled. activity.web.log is always present.

Perform the following steps to download these logs using the GUI:

  1. Navigate to Admin Settings > Logs.

  2. Change the CA to issue a signing certificate, if desired. By default, the CipherTrust Root CA issues the certificate.

  3. Download the logs:

    • To download the current Debug Logs, click Download.

    • To download all logs, enable the Download all logs option and then click Download. The downloaded log file will contain all logs that are up to 4 weeks old.

copy link to clipboardPreserving integrity of downloaded logs

CipherTrust Manager preserves integrity of downloaded logs by performing following steps:

  • SHA512 hash of downloaded zip file is calculated, which is then signed by a dynamically generated asymmetric key pair.

  • Certificate is issued by the CipherTrust Manager CA. This CA is selected while downloading the logs. By default, the CipherTrust Root CA issues the certificate.

  • Certificate to verify the signed hash is contained in the downloaded content.

copy link to clipboardVerifying and viewing the downloaded logs

You must have installed OpenSSL on your machine to verify the log file. You can use the procedure in both Windows and UNIX/Linux environments.

Perform the following steps on the downloaded log file to verify its integrity:

  1. Unzip (extract) the log file.

  2. View the downloaded logs. The steps to view the logs depend on operating system.

    Caution

    Do not change, add, or delete any file in the extracted logs directory before verification. These actions will cause signature verification to fail.

    • For Windows users

      Note

      Do not use WinRAR for extracting the log files. Use of 7-Zip is recommended.

      1. Extract the tar.gz file using 7-Zip.

      2. Open files ending with the .log extension in a reader to view the logs. The available logs depend on download options.

    • For UNIX/Linux users

      Use the following commands in the Terminal:

      1. Decompress the tar.gz using this command: gzip -d keySecureLogs.tar.gz

        You will get keySecureLogs.tar.

      2. Extract the log files using this command: tar xvf keySecureLogs.tar

        The available logs depend on download options.

  3. Run the verify-logs.sh script in the extracted logs directory.

    ./verify-logs.sh

    The response for a successful verification is There is no difference in log files digest.

    The response for a failed verification is There are differences in log files digest.

copy link to clipboardManaging KMIP/NAE Activity Log Settings

The CipherTrust Manager logs:

  • All KMIP activities and operations

  • All NAE crypto activities and operations

Note

Logging both KMIP and NAE activities is memory-intensive due to the high volume of cryptographic operations performed every second. As a result, enabling this setting can significantly degrade the performance of KMIP and NAE operations. For this reason, it is not recommended to enable these logging settings in a production environment.

These activity logs are output in JSON format. You can also send these logs to log forwarders.

copy link to clipboardEnabling/Disabling KMIP or NAE Crypto Activity Logs through the Web Console

The CipherTrust Manager logs all KMIP and NAE crypto activities and operations. You can configure CipherTrust Manager to keep a record of various KMIP and NAE crypto activities and operations. Application Administrators, such as the admin user, can enable and disable these logs in the root domain.

To record KMIP or NAE crypto activities and operations:

  1. Login to the root domain as an Application Administrator.

  2. Navigate to Admin Settings > Properties.

  3. In LOGS PROPERTIES, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.

  4. In LOGS PROPERTIES, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.

These logs are now available for download through the web console, CLI, and API, in the root domain for users who are part of System Admins and Admin groups.

As well, these logs can now be sent to log forwarders.

copy link to clipboardEnabling/Disabling KMIP or NAE Crypto Activity Logs through ksctl

To enable KMIP activity logs, run:

ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value true

To disable KMIP activity logs, run:

ksctl properties modify --name ENABLE_KMIP_ACTIVITY_LOGS --value false

To enable NAE crypto activity logs, run:

ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value true

To disable NAE crypto activity logs, run:

ksctl properties modify --name ENABLE_NAE_ACTIVITY_LOGS --value false

On this page