Set the audit logging configuration parameters. This command allows you to configure the following:
• which events are captured in the log.
• the log rotation interval.
audit config -parameter <parameter> -value <value> -serial <serialnum>
Parameter | Shortcut | Description |
---|---|---|
-parameter | -p | The parameter you want to configure. Valid parameters are as follows. The value enclosed in [ ] indicates the shortcut character for the parameter:<br>• [e]vent. Follow this parameter with the values for the events you want to include in the log, as described below.<br>• [r]otation. Follow this parameter with the value for the log rotation interval you want to use, as described below. |
-value | -v | The value you want to configure for the specified parameter.<br><br>Valid values for the event parameter<br>Enter a comma-separated list of events to log. In addition to specifying an event category, you must also specify the conditions under which those events are to be logged - either 'f' for failures, or 's' for successes, or both. Any or all of the following may be specified:<br>• [f]ailure: log command failures<br>• [s]uccess: log command successes<br>• [a]ccess: log access attempts (logins)<br>• [m]anage: log HSM management (init/reset/etc)<br>• [k]eymanage: key management events (key create/delete)<br>• [u]sage: key usage (enc/dec/sig/ver)<br>• fi[r]st: first key usage only (enc/dec/sig/ver)<br>• e[x]ternal: log messages from CA_LogExternal<br>• lo[g]manage: log events relating to log configuration<br>• a[l]l: log everything (user will be warned)<br>• [n]one: turn logging off<br><br>Note: When specifying an event class to log, you must specify whether successful or failed events are to be logged. For example, to log all key management events you would use the command 'audit config -p e -v u,s,f'.<br><br>Valid values for the rotation parameter<br>Enter one of the following options for the log rotation interval:<br>• [h]ourly<br>• [d]aily<br>• [w]eekly<br>• [m]onthly<br>• [n]ever |
-serial | | Specify that the HSM Audit configuration is to be set for the appliance's onboard HSM, or for a USB-connected Luna G5 or Luna Backup HSM. Enter the serial number for the HSM you want to configure. |
Command | Result |
---|---|
audit config -p e -v all | log everything |
audit config -p e -v none | log nothing |
audit config -p e -v f | log all command failures |
audit config -p e -v u,f,s | log all key usage requests, both success and failure |
audit config -p r -v daily | rotate log daily |
audit config -p r -v w | rotate log weekly |
lunacm:>audit config -p e -v all
Warning:: You have chosen to log all successful key usage events.
This can result in an extremely high volume of log messages, which
will significantly degrade the overall performance of the HSM.
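
As an added example (not part of the Luna documentation or product code), the Python sketch below applies the event-value rules from the table above to a candidate `-v` string before it is sent to the HSM: it expands shortcut letters, rejects an event category given without 'f' or 's', and flags values that turn logging off, omit failures, or log every successful key usage. The function names, the finding labels, and the acceptance of full keyword names for every event are assumptions; the HSM's own parser may behave differently.

```python
# Event keywords and their shortcut letters, as listed on this page.
EVENTS = {"f": "failure", "s": "success", "a": "access", "m": "manage",
          "k": "keymanage", "u": "usage", "r": "first", "x": "external",
          "g": "logmanage", "l": "all", "n": "none"}
CONDITIONS = {"failure", "success"}
SPECIAL = {"all", "none"}


def parse_event_value(value):
    """Expand the -v list of 'audit config -p e' into full keyword names.

    Raises ValueError for an unknown token, or for an event category given
    without 'f' or 's' (the rule in the page's Note).
    """
    names = set()
    for token in value.lower().split(","):
        token = token.strip()
        if token in EVENTS:
            names.add(EVENTS[token])
        elif token in EVENTS.values():  # assumption: full names are accepted
            names.add(token)
        else:
            raise ValueError(f"unknown event keyword: {token!r}")
    categories = names - CONDITIONS - SPECIAL
    if categories and not names & CONDITIONS:
        raise ValueError(f"{sorted(categories)} need 'f' and/or 's'")
    return names


def review(value):
    """Return reviewer findings (hypothetical labels) for an event value."""
    names = parse_event_value(value)
    if "none" in names:
        return ["logging-off"]
    findings = []
    if "all" in names or {"usage", "success"} <= names:
        # Every successful key usage is logged: the case the warning describes.
        findings.append("high-volume")
    if "all" not in names and "failure" not in names:
        findings.append("failures-not-logged")
    return findings


if __name__ == "__main__":
    for sample in ("all", "none", "f", "u,f,s", "k,s"):  # constructed inputs
        print(f"{sample:8} -> {sorted(parse_event_value(sample))} {review(sample)}")
```
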