Server Audit Record Reference
You can access CipherTrust Data Security Platform Service (CDSPaaS) server audit records, including errors, through the Data Protection on Demand (DPoD) audit query API.
Accessing CipherTrust Data Security Platform Service Server Audit Record Messages from DPoD
- Log in to your DPoD tenant as a Tenant Administrator or Application Owner.
- Create platform credentials.
- Generate a JSON Web Token (JWT) from the platform credentials. This token is needed for all further DPoD API requests, and is valid for 1 hour.
    curl -X POST https://<tenant>.<authentication_domain> \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"
  Note
  The authentication domain is https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token for DPoD tenants in the North American region and https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token for DPoD tenants in the European region.
- If desired, obtain the id value for your CDSPaaS service by listing the provisioned services for the DPoD tenant. This value is useful to filter logs to your specific service. By default, the audit query API returns logs for every service on the DPoD tenant.
    curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/service_instances \
      -H "Authorization: Bearer <bearer_access_token>"
- Generate the Audit Log file. At minimum, you must provide a from and to value. The command returns a jobId which is needed to retrieve the generated audit log file.
    curl -X POST https://<tenant>.<region>.market.dpondemand.io/v1/audit-log-exports \
      -H "Authorization: Bearer <bearer_access_token>" \
      -H "Content-Type: application/json" \
      -d '{
        "from":"2023-05-14T00:00:00Z",
        "to":"2023-05-14T16:00:00Z",
        "resourceId":"<service_id>",
        "source":"cdsp"
      }'
  Tip
  Provide the service id value as the resourceId, to restrict results to one CDSPaaS service. Include "source":"cdsp" to restrict results to every CDSPaaS service on the DPoD tenant.
- Retrieve the audit log file. You require the jobId returned by the Generate Audit Log File request in the previous step. The request returns a signed URL that you can access to download the audit log file. The signed URL expires after 24 hours. The audit log file is a .ZIP file that contains a JSON list of audit logs.
    curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/audit-log-exports/<jobId> \
      -H "Authorization: Bearer <bearer_access_token>"
Audit Query Log Field Values
Each log contains some values common to all DPoD audit logs, and some values specific to CDSPaaS.
Common DPoD Audit Log Values
- time - The time of the action. A timestamp in RFC3339 format. The timestamp takes the format <YYYY>-<MM>-<DD> <hour>:<minute>:<second>.<microsecond> UTC.
- tenantID - The GUID of the DPoD tenant that owns the log.
- traceID - An internal correlation ID. Provide this ID when contacting customer support about a log entry.
Values Specific to CDSPaaS
- source - This value is always cdsp for CDSPaaS services.
- resourceid - The id of the CDSPaaS service.
  Tip
  You can use GET /v1/service_instances to list your service ids. See List Provisioned Services in DPoD documentation for more information.
- actorid - The CDSPaaS user associated with the action.
- action - The action taken on the service.
- status - The outcome of the action taken on the service. Possible values are failed or success.
- meta - Detailed information about the user, resources, and clients involved in the action. Also includes internal system fields useful for customer support. The "errorMessage" field provided for failed operations is documented, and important for troubleshooting.
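The following is an added example, not part of the original documentation: a triage helper that reads a downloaded export ZIP, keeps failed CDSPaaS actions, and surfaces actorid, traceID and errorMessage in time order. It assumes the ZIP members end in .json, that meta is a JSON object (or a JSON string) carrying "errorMessage", and that field names are cased as listed above; the sample records, ids and action names are constructed.

```python
import io
import json
import zipfile
from datetime import datetime, timezone

def parse_time(value):
    """Parse the documented '<date> <time>.<microsecond> UTC' layout, else plain RFC 3339."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_export(blob):
    """Return every record from the JSON members of a downloaded export ZIP."""
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        names = [n for n in archive.namelist() if n.lower().endswith(".json")]  # assumed naming
        return [rec for n in names for rec in json.loads(archive.read(n))]

def failed_actions(records, resource_id=None):
    """Failed CDSPaaS actions, oldest first, optionally limited to one service id."""
    hits = []
    for rec in records:
        wanted = rec.get("source") == "cdsp" and rec.get("status") == "failed"
        if not wanted or (resource_id is not None and rec.get("resourceid") != resource_id):
            continue
        meta = rec.get("meta") or {}
        meta = json.loads(meta) if isinstance(meta, str) else meta  # assumed: may be a JSON string
        hits.append({"time": parse_time(rec["time"]), "errorMessage": meta.get("errorMessage", ""),
                     **{key: rec.get(key) for key in ("actorid", "action", "traceID")}})
    return sorted(hits, key=lambda hit: hit["time"])

def make_record(time, resource, actor, status, error=None, source="cdsp"):  # constructed sample
    return {"time": time, "tenantID": "tenant-guid", "traceID": "trace-" + actor, "source": source,
            "resourceid": resource, "actorid": actor, "action": "example.action", "status": status,
            "meta": {"errorMessage": error} if error else {}}

SAMPLE = [  # constructed data, not real tenant logs
    make_record("2023-05-14 09:20:45.000310 UTC", "svc-a", "bob", "failed", "constructed error 2"),
    make_record("2023-05-14 09:15:02.120000 UTC", "svc-a", "alice", "success"),
    make_record("2023-05-14T08:59:10Z", "svc-a", "bob", "failed", "constructed error 1"),
    make_record("2023-05-14 10:01:00.500000 UTC", "svc-b", "carol", "failed", "constructed error 3"),
    make_record("2023-05-14 10:05:00.000000 UTC", "svc-a", "dave", "failed", "n/a", source="other"),
]

def sample_zip():  # packs SAMPLE as described above: a ZIP holding a JSON list
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("audit.json", json.dumps(SAMPLE))
    return buffer.getvalue()
```

To use it on a real export, pass the bytes of the file downloaded from the signed URL to load_export, then call failed_actions with your service id.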
List of Errors
Error messages gathered on the Syslog server are categorized into: