audit log verify
Verify the audit log records.
User Privileges
Only specialized Audit users can access audit commands.
Syntax
audit log verify -file <filename> [-serialtarget <serialnum>] [-serialsource <serialnum>] [-start <number>] [-end <number>] [-external]
Argument(s) | Shortcut | Description |
---|---|---|
-end <number> | -en | Specifies the final record of the subset of records to be verified from the file. |
-external | -ex | Specifies that the log file being verified came from an external HSM. In that case the audit secret of the HSM that produced the log must be available on the verifying HSM: either both HSMs use the same secret (the same white PED Key), or the originating HSM's secret has been imported with the 'audit secret import' command. An HSM's own audit secret cannot verify log files from another HSM whose logs were created with an independent secret. The HSM holds only one audit secret at a time, so the secret for the relevant HSM's logs must be imported when it is needed for verification, if it is not already present. |
-file <filename> | -f | Specifies the name of the log file to verify. |
-serialsource <serialnum> | -serials | Specifies the serial number of the HSM that generated the log file being verified. |
-serialtarget <serialnum> | -serialt | Specifies the serial number of the HSM that is performing the verification. |
-start <number> | -st | Specifies the starting record of the subset of records to be verified from the file. |
Example
Verification of local log file, with local secret
lunash:>audit log verify -file hsm_66331_00000002.log

Log file being verified ready_for_archive/hsm_66331_00000002.log.
Verifying log on HSM with serial 66331
Verified messages 270723 to 271699

Command Result : 0 (Success)
Verification of external log with external secret:
This example shows the process from both HSMs: the HSM that generated the logs ([myluna72]) exports its audit secret and packages its log files, and the verifying HSM ([myluna73]) imports that secret, unpacks the logs, and verifies them.
[myluna72] lunash:> audit secret export

The encrypted log secret file 153593.lws now available for scp.
Now that you have exported your log secret, if you wish to verify your logs on another HSM see the 'audit secret import' command.
If you wish to verify your logs on another SafeNet Luna Network HSM see the 'audit log tar' command.

Command Result : 0 (Success)

[myluna72] lunash:>audit log tar

Compressing log files:
153593/
153593/hsm_153593_00000019.log
153593/153593.lws
153593/ready_for_archive/
153593/ready_for_archive/hsm_153593_0000000b.log
153593/ready_for_archive/hsm_153593_00000003.log
153593/ready_for_archive/hsm_153593_00000002.log
153593/ready_for_archive/hsm_153593_00000006.log
153593/ready_for_archive/hsm_153593_00000001.log

The tar file containing logs is now available as file 'audit-153593.tgz'.
If you wish to verify your logs on another SA, scp them to another SA's audit directory then use the 'audit log untar' command.

Command Result : 0 (Success)
At this point the secret file (153593.lws) and the archive (audit-153593.tgz) are copied with scp to the audit directory of a different SafeNet Luna Network HSM ([myluna73]), where the remaining commands are run.
[myluna73] lunash:> audit secret import -serialtarget 150825 -file 153593.lws -serialsource 153593

Successfully imported the encrypted log secret 153593.lws
Now that you have imported a log secret if you wish to verify your logs please see the 'audit log verify' command.

Command Result : 0 (Success)

[myluna73] lunash:> audit log untarlogs -file audit-153593.tgz

Extracting logs to audit home:
153593/
153593/hsm_153593_00000019.log
153593/153593.lws
153593/ready_for_archive/
153593/ready_for_archive/hsm_153593_0000000b.log
153593/ready_for_archive/hsm_153593_00000003.log
153593/ready_for_archive/hsm_153593_00000002.log
153593/ready_for_archive/hsm_153593_00000006.log
153593/ready_for_archive/hsm_153593_00000001.log

To verify these logs see the 'audit secret import' command to import the HSM's log secret.

Command Result : 0 (Success)

[myluna73] lunash:> audit log verify -serialtarget 150825 -file hsm_153593_00000001.log -serialsource 153593

Log file being verified /home/audit/lush_files/153593/ready_for_archive/hsm_153593_00000001.log.
Verifying log from HSM with serial 153593 on HSM with serial 150825
Make sure that you have already imported the audit log secret.
Verified messages 39638 to 39641

Command Result : 0 (Success)
On the verifying HSM ([myluna73] in the example), you have just imported a secret (displacing the native secret of the local HSM) and used it to verify logs that were transported from a different HSM ([myluna72] in the example).
If you now wished to verify [myluna73]'s own log files, you would need to re-import that HSM's own secret, because it was replaced by [myluna72]'s secret for the operation above. This presumes that [myluna73]'s own secret was exported with 'audit secret export' before the foreign secret was imported; otherwise there is nothing to re-import.
That is, the [myluna72] log secret that was imported into [myluna73] to verify logs received from [myluna72] is of no use for verifying [myluna73]'s own logs. An HSM can hold only one log secret at a time, so [myluna73] needs its own secret back before it can verify its own logs rather than the logs it received from [myluna72].
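The examples above show what a successful verification prints for one file. When a set of archived log files is verified in sequence (for example the ready_for_archive/ files unpacked above), a practitioner also wants to confirm that every command returned 0 with a verified range and that the ranges chain from one file to the next. The following is an added example, not code from the Luna documentation or from Thales: it assumes the lunash commands are run from an administration host with their output captured as text, and it assumes (which the page does not state) that record numbers continue sequentially across rotated files, so a gap between consecutive files indicates a missing, duplicated, or out-of-order file. The sample outputs are constructed to follow the format of the page's examples.

```python
"""Check a run of Luna 'audit log verify' outputs for success and continuity.

Added example, not code from the Luna documentation or from Thales. It
assumes the lunash commands are driven from an admin host (for example
over SSH as the appliance's audit user) and their output captured as text;
SAMPLE_OUTPUTS below is constructed to follow the format shown on the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Patterns for the three output lines the page's examples show.
FILE_RE = re.compile(r"Log file being verified (\S+)\.")
RANGE_RE = re.compile(r"Verified messages (\d+) to (\d+)")
RESULT_RE = re.compile(r"Command Result : (\d+) \(([^)]*)\)")


@dataclass
class VerifyResult:
    path: str    # path the HSM reported verifying
    first: int   # first verified record number (-1 if none reported)
    last: int    # last verified record number (-1 if none reported)
    ok: bool     # result code 0 and a verified range present


def build_verify_command(filename: str, target_serial: Optional[int] = None,
                         source_serial: Optional[int] = None,
                         external: bool = False) -> List[str]:
    """Assemble the lunash command line from the options in the Syntax line."""
    cmd = ["audit", "log", "verify", "-file", filename]
    if target_serial is not None:
        cmd += ["-serialtarget", str(target_serial)]
    if source_serial is not None:
        cmd += ["-serialsource", str(source_serial)]
    if external:
        cmd.append("-external")
    return cmd


def parse_verify_output(text: str, path_hint: str = "") -> VerifyResult:
    """Pull the verified range and result code out of one command's output."""
    m_res = RESULT_RE.search(text)
    if not m_res:
        raise ValueError("no 'Command Result' line found in output")
    m_file = FILE_RE.search(text)
    m_range = RANGE_RE.search(text)
    path = m_file.group(1) if m_file else path_hint
    # A result of 0 without a "Verified messages" line is not counted as
    # success: the command must both return 0 and report what it verified.
    ok = m_res.group(1) == "0" and m_range is not None
    first, last = (int(m_range.group(1)), int(m_range.group(2))) if m_range else (-1, -1)
    return VerifyResult(path, first, last, ok)


def find_gaps(results: Sequence[VerifyResult]) -> List[str]:
    """Describe every discontinuity between consecutive verified files.

    Assumption (not stated on the page): record numbers run sequentially
    across rotated log files, so each file should start one past the last
    record of the previous file. Per-file verification proves each file is
    intact; only this cross-file check notices a whole file that has been
    removed, duplicated, or supplied out of order.
    """
    problems: List[str] = []
    verified = sorted((r for r in results if r.ok), key=lambda r: r.first)
    for prev, cur in zip(verified, verified[1:]):
        if cur.first != prev.last + 1:
            problems.append(f"{prev.path} ends at record {prev.last} but "
                            f"{cur.path} starts at record {cur.first}")
    return problems


# Constructed outputs for three archived files of HSM 66331; the file
# hsm_66331_00000003.log is deliberately absent from the run.
SAMPLE_OUTPUTS = [
    "Log file being verified ready_for_archive/hsm_66331_00000001.log.\n"
    "Verifying log on HSM with serial 66331\n"
    "Verified messages 269800 to 270722\n"
    "Command Result : 0 (Success)\n",
    "Log file being verified ready_for_archive/hsm_66331_00000002.log.\n"
    "Verifying log on HSM with serial 66331\n"
    "Verified messages 270723 to 271699\n"
    "Command Result : 0 (Success)\n",
    "Log file being verified ready_for_archive/hsm_66331_00000004.log.\n"
    "Verifying log on HSM with serial 66331\n"
    "Verified messages 272510 to 273100\n"
    "Command Result : 0 (Success)\n",
]


def check_run(outputs: Sequence[str]) -> List[str]:
    """Parse every output; report failed verifications, then range gaps."""
    results = [parse_verify_output(t) for t in outputs]
    problems = [f"{r.path}: verification failed" for r in results if not r.ok]
    return problems + find_gaps(results)


if __name__ == "__main__":
    print(" ".join(build_verify_command("hsm_153593_00000001.log", 150825, 153593)))
    for line in check_run(SAMPLE_OUTPUTS):
        print("PROBLEM:", line)
```

Run against the constructed outputs, check_run reports one problem: file 00000002 ends at 271699 while file 00000004 starts at 272510, which is exactly the kind of omission that verifying each file on its own would pass.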