
audit log verify

Verify the audit log records.

Syntax

audit log verify -file <filename> [-serialtarget <serialnum>] [-serialsource <serialnum>] [-start <number>] [-end <number>] [-external]

Parameter Shortcut Description

-end -en
Specifies the final record of the subset of records to be verified from the file.

-external -ex
Specifies that the file from which log entries are to be verified is from an external HSM. In this case, the audit secret for that HSM must either be the same secret (white PED Key) as is used on the current HSM, or must have been imported to the current HSM.

The current HSM's own audit secret cannot verify log files from other HSMs if those were created using independent secrets. The HSM holds only one audit secret at a time, so the secret for the relevant HSM's logs must be brought into the HSM when needed for log verification, if it is not already present.

-file -f
Specifies the name of the log file to verify.

-serialsource -serials
Specifies the serial number of the HSM that generated the log file that is being verified.

-serialtarget -serialt
Specifies the serial number of the HSM that is performing the verification.

-start -st
Specifies the starting record of the subset of records to be verified from the file.

Example

Verification of my own log file, with my own secret
lunash:>audit log verify -f hsm_150073_00000011.log

Log file being verified hsm_150073_00000011.log.

Verifying log on HSM with serial 150073

Verified messages 236 to 236

Command Result : 0 (Success)
Attempted verification of external log, with my own secret
lunash:>audit log verify -f hsm_100548_000004a3.log

Log file being verified /home/audit/lush_files/hsm_100548_000004a3.log.

Verifying log from HSM with serial 150073 on HSM with serial 150073
Make sure that you have already imported the audit log secret.

Verify failed on record 10760271

If you have imported a log secret from another HSM please export then re-import
your own log secret. For security reasons it is not possible to verify logs
using two difference secrets at the same time. One or more messages did not verify.

The audit sub-command failed. (LUNA_RET_LOG_BAD_RECORD_HMAC)

Command Result : 65535 (Luna Shell execution)

Verification of external log with external secret:

In this example, we show the process from both HSMs.

[myluna72] lunash:> audit secret export

The encrypted log secret file 153593.lws now available for scp.

Now that you have exported your log secret, if you wish to verify your logs
on another HSM see the 'audit secret import' command. If you wish to verify
your logs on another SafeNet Network HSM see the 'audit log tar' command.

Command Result : 0 (Success)
[myluna72] lunash:>audit log tar


Compressing log files:



The tar file containing logs is now available as file 'audit-153593.tgz'.
If you wish to verify your logs on another SA, scp them to another SA's audit
directory then use the 'audit log untar' command.

Command Result : 0 (Success)


Here is where we scp the secret file and the .tgz file to a different SafeNet Network HSM

lunash:> audit secret import -serialtarget 150825 -file 153593.lws -serialsource 153593

Successfully imported the encrypted log secret 153593.lws

Now that you have imported a log secret if you wish to verify
your logs please see the 'audit log verify' command.

Command Result : 0 (Success)
[myluna73] lunash:> audit log untarlogs -file audit-153593.tgz

Extracting logs to audit home:




To verify these logs see the 'audit secret import' command to import the HSM's
log secret.

Command Result : 0 (Success)
[myluna73] lunash:> audit log verify -serialtarget 150825 -file hsm_153593_00000001.log -serialsource 153593


Log file being verified /home/audit/lush_files/153593/ready_for_archive/hsm_153593_00000001.log.

Verifying log from HSM with serial 153593 on HSM with serial 150825
 Make sure that you have already imported the audit log secret.

Verified messages 39638 to 39641

Command Result : 0 (Success)
[myluna73] 


On the verifying HSM ([myluna73] in the example), you just imported a secret (displacing the native secret of the local HSM) and used it to verify logs that were transported from a different HSM ([myluna72] in the example).

If you now wished to verify the second HSM's ([myluna73]'s) own log files, you would first need to re-import that HSM's own secret, because it was replaced by the other HSM's ([myluna72]'s) secret for the example operation.

That is, the [myluna72] log secret that was imported into [myluna73] to allow [myluna73] to verify logs received from [myluna72] is of no use for verifying [myluna73]'s own logs. An HSM can have only one log secret at a time, so [myluna73] needs its own secret back before it can verify its own logs rather than the logs it received from [myluna72].

Attempted verification of local log with external secret:
[myluna] lunash:>audit log verify -f hsm_150073_00000011.log

Log file being verified hsm_150073_00000011.log.

Verifying log on HSM with serial 150073

Verify failed on record 236

If you have imported a log secret from another HSM please export then re-import
your own log secret. For security reasons it is not possible to verify logs
using two difference secrets at the same time. One or more messages did not verify.
The log file you specified was either open by the logger daemon, or was
improperly terminated.  If the file was open by the logger daemon, the
content of it may have changed as the result of new messages being logged.
In this case, running the query again will succeed.

The audit sub-command failed. (LUNA_RET_LOG_BAD_RECORD_HMAC)


Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>
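The following is an added illustrative model of the one-secret-at-a-time behaviour shown in the examples above; it is not Luna firmware or LunaSH code. It assumes that each audit record carries an HMAC keyed with the generating HSM's audit secret (which the LUNA_RET_LOG_BAD_RECORD_HMAC error implies), and the record line format, the secrets and the messages are constructed for the demonstration; the serial numbers 153593 and 150825 are reused from the page's example.

```python
# Added illustrative model, not Luna firmware code. Assumed: every audit record
# carries an HMAC under the HSM's audit secret (LUNA_RET_LOG_BAD_RECORD_HMAC on
# the page implies this); the record format and the secrets are constructed.
import hashlib
import hmac


def _tag(secret: bytes, serial: str, rec: int, msg: str) -> str:
    return hmac.new(secret, f"{serial}|{rec}|{msg}".encode(), hashlib.sha256).hexdigest()


def write_log(secret: bytes, serial: str, messages, first_record: int = 1):
    """Emit constructed log lines 'serial|record|message|hmac' for one HSM."""
    return [f"{serial}|{i}|{m}|{_tag(secret, serial, i, m)}"
            for i, m in enumerate(messages, start=first_record)]


class AuditSlot:
    """Models an HSM that holds exactly one audit secret at a time."""

    def __init__(self, own_secret: bytes, serial: str):
        self.serial = serial
        self._own = own_secret
        self._current = own_secret      # the secret used for verification

    def import_secret(self, secret: bytes):
        self._current = secret          # displaces the native secret, as on the page

    def restore_own(self):
        self._current = self._own       # 'export then re-import your own log secret'

    def verify(self, lines, start=None, end=None):
        """Check a log (or the -start/-end subset); return (ok, first_bad_record)."""
        for line in lines:
            serial, rec, rest = line.split("|", 2)
            msg, tag = rest.rsplit("|", 1)
            rec = int(rec)
            if (start is not None and rec < start) or (end is not None and rec > end):
                continue
            if not hmac.compare_digest(_tag(self._current, serial, rec, msg), tag):
                return False, rec       # like 'Verify failed on record N'
        return True, None
```

Walking the model through the page's sequence (own log with own secret, external log before and after importing its secret, then the own log again) reproduces each success and failure shown above, and a tampered record fails at exactly that record number.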