Appliance-side Audit Logging Compared with Secure Audit Logging

The following list summarizes the functionality of the appliance-side audit logging feature (compare it against the equivalent list for secure audit logging in the Administration Guide of the main Luna SA documentation):

Log entries originate from the SafeNet HSM within the appliance

The appliance-side audit logging feature is applicable to password-authenticated (FIPS 140-2 level 2) and to PED-authenticated (FIPS 140-2 level 3) product configurations

Logging direct to external file minimizes demand on HSM resources, enabling greater HSM performance

Each entry includes the following:

    when the event occurred (YYYY MMM DD hh:mm:ss)

    HSM serial number

    session number

    access ID - this is an AppID if you specified one; otherwise, by default, it is a process number

    partition number (HSM serial number plus a suffix identifying the partition within that HSM) *

    what the event was (operation) *

    returned value from the operation (success = 0; specific failures identified by non-zero codes) *

    object handle *

    * Partition, operation, return value, and object handle are not returned for LogExternal calls

Multiple categories of audit logging are supported, configured by the audit role

Audit management is a separate role - the role creation does not require the presence or co-operation of the SafeNet HSM SO

The category of audit logging is configurable by (and only by) the audit role

Audit-logging direct to the appliance file system bypasses the computational load of creating an HMAC of each record and chaining records for verification.
The following table compares the record verification between Secure Audit Logging and Appliance-side Audit Logging:

Type of record verification                                          HSM Secure Audit Logging   Appliance-side Audit Logging
The record is valid                                                  Yes                        No
The record has not been truncated                                    Yes                        No
The record has not been modified/edited                              Yes                        No
The record is in sequence (no records have been added or deleted)    Yes                        No

Where the above assurances are not requirements in your logging (for example, where your record-handling procedures are deemed sufficient to ensure security of logs), then use appliance-side audit logging for greater HSM performance. If rigorous log security is mandated, then use secure audit logging instead, and expect reduced performance for the additional security.
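As an added illustration (not the Luna product's own scheme, whose record and tag formats are not documented on this page), the following Python sketches how chaining an HMAC from record to record yields the four assurances in the table above, and what a verifier can detect that a plain appliance-side log file cannot. The sample records, their field layout, the demo key and the checkpoint mechanism are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample entries using the fields the page lists for each record
# (timestamp, HSM serial, session, access ID, partition, operation, return value,
# object handle). The comma-separated layout is illustrative, not the Luna format.
SAMPLE = [
    "2014 Jan 15 10:23:45,150022,1,12345,150022-001,LUNA_OPEN_SESSION,0,0",
    "2014 Jan 15 10:23:46,150022,1,12345,150022-001,LUNA_GENERATE_KEY,0,17",
    "2014 Jan 15 10:23:47,150022,1,12345,150022-001,LUNA_SIGN,0,17",
]
KEY = b"demo-only-log-hmac-key"  # assumption: the real product keeps this key inside the HSM


def _tag(key, prev_tag, index, record):
    # Each tag covers the previous tag, the record's position and the record text,
    # so editing, reordering, inserting or deleting a record breaks every later tag.
    msg = prev_tag + index.to_bytes(4, "big") + record.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def chain_records(records, key=KEY):
    """Return [(record, hex_tag), ...] plus the final tag, which serves as a checkpoint."""
    prev = bytes(32)
    out = []
    for i, rec in enumerate(records):
        prev = _tag(key, prev, i, rec)
        out.append((rec, prev.hex()))
    return out, prev.hex()


def verify_chain(entries, checkpoint, key=KEY):
    """Return (ok, reason). The checkpoint (trusted final tag) is what exposes truncation."""
    prev = bytes(32)
    for i, (rec, tag_hex) in enumerate(entries):
        expected = _tag(key, prev, i, rec)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, f"record {i} fails verification (modified, out of sequence, inserted or deleted)"
        prev = expected
    if not hmac.compare_digest(prev, bytes.fromhex(checkpoint)):
        return False, "chain ends before the checkpoint: the log was truncated"
    return True, "all records valid, unmodified, in sequence and complete"


if __name__ == "__main__":
    entries, checkpoint = chain_records(SAMPLE)
    print(verify_chain(entries, checkpoint))
    print(verify_chain(entries[:2], checkpoint))  # tail removed: truncation detected
```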
The following table compares additional aspects of Secure Audit Logging versus Appliance-side Audit Logging:

Attribute             Secure HSM Audit log   Appliance-side HSM logging
Logs are signed       Yes                    Yes
Logs are chained      Yes                    No
Rsyslog facility      local3                 local4 (*)
Performance of HSM    lower                  higher

(* If you have trouble with the local4 configuration at your rsyslog server, try redirecting the logs by source IP address instead, using a property-based filter such as:
:fromhost-ip,isequal,"192.20.11.50" /var/log/luna/myAppLogging.log )

The default protocol is UDP, on port 514.