Appliance-side HSM Audit Logging

Appliance-side logging of HSM activity moves HSM logging directly into the appliance file system. The purpose is to record HSM operations while bypassing the resource-heavy in-HSM log-security features. If you need to be able to prove that every log entry is valid, is in sequence, and has not been edited, trimmed, or tampered with in any way, then you should activate secure audit logging and accept the resulting performance hit on HSM operations as the cost of that assurance.

If, on the other hand,

- you have applications that perform high volumes of crypto operations on the HSM,

AND

- you wish to have a record of each key usage (creation, deletion, encryption, decryption, sign, verify...) telling you
  - what the action was,
  - who performed the action, and
  - when they did it...

AND

- you do not require extreme rigor in validating those records,

then you should forgo secure audit logging and instead send your audit log records to the SafeNet Network HSM appliance's file system as plain log records and file entries, without the HMACing and record chaining that consume HSM processing resources. In that case, you can use the audit log logappliance commands that were added in SafeNet Network HSM 5.3.10, and in SafeNet Network HSM 6.3 and all following versions.
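
What is given up by skipping the HMACing and record chaining can be seen in the following Python example, which is added here for illustration and is not SafeNet code or the HSM's actual record format; the key, the entry layout and the function names are constructed assumptions. It shows how a chained HMAC exposes an edited, removed, reordered or trimmed record, a check that plain appliance-side log lines cannot support.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # constructed starting value for the chain


def seal(key, entries):
    """Return (entry, tag) records; each tag covers the entry and the previous tag."""
    prev, records = GENESIS, []
    for entry in entries:
        tag = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        records.append((entry, tag))
        prev = tag
    return records


def first_bad_record(key, records, expected_last_tag=None):
    """Return the index of the first record that fails, or None if the log is intact.

    expected_last_tag is kept outside the log; it is what exposes a trimmed tail,
    in which case len(records) is returned.
    """
    prev = GENESIS
    for i, (entry, tag) in enumerate(records):
        want = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            return i
        prev = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return len(records)
    return None


# Constructed sample entries (when, who, what); not the appliance's log format.
SAMPLE = [
    "2024-01-01T10:00:00Z user=app1 action=key_create",
    "2024-01-01T10:00:01Z user=app1 action=sign",
    "2024-01-01T10:00:02Z user=app2 action=decrypt",
    "2024-01-01T10:00:03Z user=app1 action=key_delete",
]
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    log = seal(KEY, SAMPLE)
    print("intact:", first_bad_record(KEY, log, log[-1][1]))
    edited = [log[0], (log[1][0].replace("app1", "app9"), log[1][1])] + log[2:]
    print("edited:", first_bad_record(KEY, edited, log[-1][1]))
```

Each tag costs one keyed hash per record, computed in sequence, which is the per-operation overhead the plain log records avoid.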