audit export
Export the audit logging secret to the user local directory for import to another HSM. The audit export command reads the log secret from the HSM, wrapped with the KCV that was used when the audit container was initialized. The resulting blob of data is then stored in a file on the host. The audit officer then imports this wrapped secret into another HSM in the same domain, where it is unwrapped. This allows one HSM to verify logs that have been generated on another.
NOTE: After initializing the Audit role on a password-authenticated HSM, log in as the Auditor and set the domain (see role setdomain for the command syntax). This step is required before setting logging parameters or the log filepath, or importing/exporting audit logs.
Syntax
audit export [file <filename>] [overwrite] [list]
Option | Shortcut | Description |
---|---|---|
file <filename> | f | Enter this parameter followed by an optional filename for the file to receive the wrapped log secret. If a file name is not specified, the file is given a default name with the structure LogSecret_YYMMDDhhmmss_N.lws, where YYMMDD = year/month/date, hhmmss = hours/mins/secs, and N = HSM serial number. This file is written to the subdirectory that was set by a previous audit config p [path] command. If this path does not exist, or the configuration was not set for any reason, an error is returned. If a name is specified, it is examined to see if it contains subdirectories. If it does, the path is treated as a fully qualified path name. If not, the file is stored in the default log path. |
overwrite | o | Overwrite the file if it already exists. |
list | l | List the files which reside in the log path. |
Example
lunacm:>audit export
Successfully exported wrapped log secret to file '/var/audit/LogSecret_170222131119_532018.lws'.
Command Result : No Error
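
The default file name structure and the path rule described for the file option can be checked on the host when inventorying exported wrapped log secrets. The following Python is an added example, not part of the product or its documentation. The function names are hypothetical, the sample listing is constructed except for the file name from the Example above, and it assumes a numeric HSM serial number and POSIX path separators.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath

# Default name structure from the page: LogSecret_YYMMDDhhmmss_N.lws
# Assumption: N (the HSM serial number) is all digits, as in the page's example.
DEFAULT_NAME = re.compile(r"LogSecret_(\d{12})_(\d+)\.lws")

def parse_default_name(path):
    """Return (export_time, hsm_serial) for a default-named export, else None."""
    m = DEFAULT_NAME.fullmatch(PurePosixPath(path).name)
    if m is None:
        return None
    try:
        exported = datetime.strptime(m.group(1), "%y%m%d%H%M%S")
    except ValueError:  # twelve digits that are not a real date/time
        return None
    return exported, m.group(2)

def resolve_target(name, log_path):
    """Apply the documented rule for a user-supplied file name."""
    if "/" in name:  # contains subdirectories: treated as fully qualified
        return name
    if not log_path:  # assumption: an unset log path is an error here too
        raise ValueError("audit log path is not configured")
    return str(PurePosixPath(log_path) / name)

def latest_per_hsm(paths):
    """Map each HSM serial to the time of its most recent exported secret."""
    latest = {}
    for p in paths:
        parsed = parse_default_name(p)
        if parsed is None:
            continue  # not a default-named .lws export
        exported, serial = parsed
        if serial not in latest or exported > latest[serial]:
            latest[serial] = exported
    return latest

# Constructed sample listing; only the first name appears on the page.
SAMPLE_FILES = [
    "/var/audit/LogSecret_170222131119_532018.lws",
    "/var/audit/LogSecret_170301090000_532018.lws",
    "/var/audit/LogSecret_170115120000_1234567.lws",
    "/var/audit/hsm_audit.log",
]

if __name__ == "__main__":
    for serial, when in sorted(latest_per_hsm(SAMPLE_FILES).items()):
        print(f"HSM {serial}: last export {when:%Y-%m-%d %H:%M:%S}")
```

Files that were exported under a user-chosen name do not carry the timestamp or serial number, so they are skipped by the inventory and need to be tracked separately.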