Audit Logs

By default, the audit log is enabled. The recent CORE logs are stored in the ekm.log file. Logs from the previous days are archived to ekm.YYYY-MM-DD.log.gz files.

  • On Linux, these files are located in /opt/ekm/logs/.
  • On Windows, these files are located in C:\Program Files\Dyadic\ekm\tomcat\logs\.

Archives from the previous months are grouped in the YYYY-MM subfolders.

To control the level of info in the ekm.log file and an optional redirection to a Syslog server, refer to Format.

Format

Each audit log entry consists of the following 14 fields:

Num  Name            Value                                      Max chars  Note
1    Date            YYYY-MM-DD                                 10
2    Time            HH:MM:SS,uuu                               12         2
3    Type            <INFO | WARN>                              4
4    Origin          <hostname | IP address>                    16
5    Username        <username>@<partition name>                12
6    CN              <client's name>@<partition name>           12         3
7    Session ID      <hexstring>                                30         4
8    Partition       <partition name>                           24
9    Operation       <operation name>                           32         5
10   UID             <UID | Quorum Id | Name>                   20         6
11   Result          0 - success, 1 - error                     4
12   ErrorReason     <number> (0 if the Result is success)      4
13   Execution Time  <milliseconds>                             6
14   Message         <request arguments | OK | error message>   up to EOS

Notes:

  1. The value N/A is used in a field when its value is not relevant to the entry.
  2. Time is presented according to the GMT (zero offset) clock.
  3. The CN ("Common Name") shows the client and partition names as retrieved from the certificate used in the operation, in the <client's name>@<partition name> format.
  4. The Session ID identifies all log entries that belong to a single session.
  5. For the complete list of operations, refer to Names of Operations in Audit Logs.
  6. The UID field presents the object ID. For items without an ID, it may present a different identification value, such as the item's name.

Example:

2018-09-03 09:41:45,005 INFO 192.168.0.88 user@part1 agent1@part1 D72966471CC8CBF30401A91D674138BA part1 CreateKeyPair 0x00ea63075b3b4eeee1 0 0 459 OK

Interpretation:

Num  Name         Value                              Comment
1    Date         2018-09-03
2    Time         09:41:45,005
3    Type         INFO
4    Origin       192.168.0.88                       The request originated from 192.168.0.88
5    Username     user@part1                         The user's full name is "user@part1"
6    CN           agent1@part1                       The client's full name is "agent1@part1"
7    Session ID   D72966471CC8CBF30401A91D674138BA
8    Partition    part1                              The partition's name is "part1"
9    Operation    CreateKeyPair
10   UID          0x00ea63075b3b4eeee1               UID of the created key
11   Result       0                                  Success
12   ErrorReason  0
13   Duration     159                                Execution time in milliseconds
14   Message      OK
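The following parser is an added example, not code from the product documentation: it splits an audit-log line into the 14 named fields described above (splitting at most 13 times, because the Message field runs to the end of the line and may contain spaces), converts the numeric fields, and counts failed operations per user as a simple detection aid. The second sample line, its ErrorReason value and its message text are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Union

# Names of the 14 audit-log fields, in the order given by the Format table.
FIELDS = (
    "Date", "Time", "Type", "Origin", "Username", "CN", "Session ID",
    "Partition", "Operation", "UID", "Result", "ErrorReason",
    "Execution Time", "Message",
)

# Fields that hold an integer unless the value is N/A.
_NUMERIC = ("Result", "ErrorReason", "Execution Time")

_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
_TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}$")  # HH:MM:SS,uuu

Entry = Dict[str, Union[str, int, None]]


def parse_audit_line(line: str) -> Entry:
    """Split one audit-log line into its 14 named fields.

    Fields 1-13 are single whitespace-separated tokens; field 14 (Message)
    is everything that follows, so the line is split at most 13 times.
    Numeric fields become int, or None when the entry shows N/A.
    """
    parts = line.strip().split(None, 13)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry: Entry = dict(zip(FIELDS, parts))
    if not _DATE_RE.match(parts[0]) or not _TIME_RE.match(parts[1]):
        raise ValueError(f"malformed Date/Time: {parts[0]} {parts[1]}")
    for name in _NUMERIC:
        entry[name] = None if entry[name] == "N/A" else int(entry[name])
    return entry


def failures_by_user(lines: Iterable[str]) -> Counter:
    """Count entries whose Result is 1 (error) per Username.

    A user or client that keeps failing is worth a closer look; the
    ErrorReason field of those entries says why.
    """
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        entry = parse_audit_line(line)
        if entry["Result"] == 1:
            counts[entry["Username"]] += 1
    return counts


# The example line from the page.
SAMPLE = ("2018-09-03 09:41:45,005 INFO 192.168.0.88 user@part1 agent1@part1 "
          "D72966471CC8CBF30401A91D674138BA part1 CreateKeyPair "
          "0x00ea63075b3b4eeee1 0 0 459 OK")

# A constructed failing entry (Result 1, ErrorReason 7 and the message text are made up).
SAMPLE_FAILED = ("2018-09-03 09:42:01,310 WARN 192.168.0.88 user@part1 agent1@part1 "
                 "D72966471CC8CBF30401A91D674138BA part1 CreateKeyPair "
                 "N/A 1 7 12 key generation rejected by quorum")

if __name__ == "__main__":
    for name, value in parse_audit_line(SAMPLE).items():
        print(f"{name:15} {value}")
    print(failures_by_user([SAMPLE, SAMPLE_FAILED]))
```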

Controlling Sensitive Info

The details of each command handled by the CORE client are logged in an entry whose Operation is Connect. The Message field of such an entry is a JSON structure that contains the following fields:

Name     Value
id       The 64-bit unique CORE appliance ID
user     User login name
domain   User OS domain of the client appliance
host     The hostname of the client appliance
command  Name of the application used by the user. The command's arguments may be stripped, censored, or presented as-is. Refer to Controlling Sensitive Info.

Example: the Connect log entry of the ucl import command. Note that the --file-pass argument is replaced by a string of asterisks:

INFO 192.168.0.88 N/A N/A 19F0D750AC8C2A7B2C27882DD8C350F6 N/A Connect N/A 0 0 N/A
{"id":"852fe5d5a1f41332349ce92d19b44a56b8bf54f31201757da5caf64b2440b67f",
"user":"tester1", "domain":"client1", "host":"client1",
"command":"ucl import -i ant.pfx --name ant-jarsigner -p part1 --file-pass ******"}

Command Arguments in Log

Arguments in the Connect > Message > command field of the Connect log are either partially censored or completely stripped:

  • Censored arguments. Sensitive info (passwords) in the following commands is replaced by asterisks: ucl, openssl, keytool, jarsigner, and signcode. Example:

    INFO 192.168.0.88 N/A N/A EC9CF32619FF2D82DFCB27919BF9A6FB N/A Connect N/A 0 0 N/A {
    "command":"openssl rsautl -oaep -encrypt -passin ****** -inkey public.pem
    -pubin -in sign.txt -out rsa_1_file.ssl"}

  • Stripped arguments. In all other commands, all arguments are omitted. For example, the command java <arguments> appears in the Connect log's message as "command":"java" without any arguments:

    INFO 192.168.0.168 N/A N/A 5C498120A7387860E499A457A1BF8DC7 part1 Connect N/A 0 0 N/A {
    "command":"java"}

Troubleshooting - Capturing Arguments As-Is

To troubleshoot CORE service requests originating from a specific CORE appliance and, in particular, to examine all arguments of a specific command, add the command name to the app_arg_full allow-list. Refer to The App_arg_full Setting. Multiple commands are separated by the "|" character. For example, the setting app_arg_full = java|openssl results in the following:

  • All Java command arguments in the logs of this client's requests are presented as-is.
  • OpenSSL passwords in the logs of this client's requests are not replaced by asterisks.
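The check below is an added example, not code from the product or its documentation. It applies the redaction rules from Command Arguments in Log and the app_arg_full allow-list above to Connect entries: it re-joins wrapped JSON Message lines, tokenises the logged command, and reports any secret-carrying option whose value is not the asterisk mask (expected only for commands on app_arg_full, which is exactly why such log files deserve the same handling as the secrets themselves) as well as arguments that should have been stripped. The sample entries carry constructed Date/Time, session IDs and commands; the list of secret-carrying options beyond --file-pass and -passin is an assumption for the example.

```python
import json
import re
import shlex
from typing import Iterator, List, Tuple

# Commands whose passwords the product replaces with asterisks (Command Arguments in Log).
CENSORED_COMMANDS = {"ucl", "openssl", "keytool", "jarsigner", "signcode"}

# Options whose next token is a secret. The page shows --file-pass and -passin;
# the remaining names are assumed for this example.
SECRET_OPTIONS = {"--file-pass", "-passin", "-passout", "-storepass", "-keypass"}
MASK = "******"

# An entry starts with the Date and Time fields; any other line continues the
# previous entry (the Connect JSON Message is often wrapped, as in the page's example).
_ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")


def iter_entries(text: str) -> Iterator[str]:
    """Yield each logical audit entry as one line, re-joining wrapped Message text."""
    current: List[str] = []
    for raw in text.splitlines():
        if _ENTRY_START.match(raw):
            if current:
                yield " ".join(current)
            current = [raw.strip()]
        elif current and raw.strip():
            current.append(raw.strip())
    if current:
        yield " ".join(current)


def check_command(command: str, app_arg_full: str = "") -> List[str]:
    """Return findings for one logged 'command' value, given the client's app_arg_full list."""
    tokens = shlex.split(command)
    if not tokens:
        return ["empty command"]
    name = tokens[0]
    allowed_full = name in {c for c in app_arg_full.split("|") if c}
    findings: List[str] = []
    # A secret-carrying option whose value is not the mask has put a password into the log.
    for i in range(1, len(tokens) - 1):
        if tokens[i] in SECRET_OPTIONS and tokens[i + 1] != MASK:
            why = " (expected: the command is on app_arg_full)" if allowed_full else ""
            findings.append(f"{name}: value of {tokens[i]} logged in clear{why}")
    # Outside the censored set, arguments should be stripped unless the command is allow-listed.
    if name not in CENSORED_COMMANDS and not allowed_full and len(tokens) > 1:
        findings.append(f"{name}: arguments present although the command is neither "
                        "censored nor on app_arg_full")
    return findings


def scan_audit_log(text: str, app_arg_full: str = "") -> List[Tuple[str, str]]:
    """Scan the Connect entries of an audit log and return (Session ID, finding) pairs."""
    results: List[Tuple[str, str]] = []
    for entry in iter_entries(text):
        parts = entry.split(None, 13)          # 13 single-token fields + Message
        if len(parts) != 14 or parts[8] != "Connect":
            continue
        message = json.loads(parts[13])        # the Message of a Connect entry is JSON
        for finding in check_command(message.get("command", ""), app_arg_full):
            results.append((parts[6], finding))
    return results


# Constructed sample: the page's ucl example plus three made-up Connect entries.
SAMPLE_LOG = """\
2018-09-03 09:40:01,000 INFO 192.168.0.88 N/A N/A 19F0D750AC8C2A7B2C27882DD8C350F6 N/A Connect N/A 0 0 N/A
{"id":"852fe5d5a1f41332349ce92d19b44a56b8bf54f31201757da5caf64b2440b67f",
"user":"tester1", "domain":"client1", "host":"client1",
"command":"ucl import -i ant.pfx --name ant-jarsigner -p part1 --file-pass ******"}
2018-09-03 09:40:02,000 INFO 192.168.0.88 N/A N/A 0000000000000000000000000000AAAA N/A Connect N/A 0 0 N/A {
"user":"tester1", "domain":"client1", "host":"client1",
"command":"openssl rsautl -oaep -encrypt -passin hunter2 -inkey public.pem -pubin -in sign.txt -out rsa_1_file.ssl"}
2018-09-03 09:40:03,000 INFO 192.168.0.168 N/A N/A 0000000000000000000000000000BBBB part1 Connect N/A 0 0 N/A {
"command":"java -jar signer.jar"}
2018-09-03 09:40:04,000 INFO 192.168.0.168 N/A N/A 5C498120A7387860E499A457A1BF8DC7 part1 Connect N/A 0 0 N/A {
"command":"java"}
"""

if __name__ == "__main__":
    for session, finding in scan_audit_log(SAMPLE_LOG, app_arg_full="java|openssl"):
        print(session, finding)
```

With an empty allow-list the scan flags both the clear-text openssl password and the un-stripped java arguments; with app_arg_full = java|openssl only the password remains, annotated as expected, which is the case to watch for when such a client's logs are shipped elsewhere.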

The following capture shows the settings of a Windows client whose signtool, certmgr, PowerShell, and MMC requests are to be logged with their complete arguments.

[Figure: Presenting all parameters in the log report]

Customization

The Audit-log management is based on the Apache Log4j framework. On each CORE server, the log is controlled by settings in the log4j.xml file. By default, this file is located as follows:

  • Linux: /opt/ekm/conf/log4j.xml.
  • Windows: C:\Program Files\Dyadic\ekm\tomcat\conf\log4j.xml.

Customization includes controlling the level of detail and redirection to Syslog Server.

To activate a change in the log4j.xml file, restart the EKM (Enterprise Key Management, the previous name of the product) service. Refer to EKM Service Management.

The Level of Detail

To control the granularity of info provided by the logs or to disable logs, use the level setting.

  1. Edit the log4j.xml file:
    1. Navigate to the default settings:

      <Loggers>
        <Logger name="AUDIT" level="info"/>
        <Logger name="TRACE" level="off"/>
        <Logger name="CONFIG" level="info"/>
      </Loggers>

    2. Update the level.
  2. Restart the EKM service. Refer to EKM Service Management.

The same applies to controlling CORE Trace and Config ("Bootstrap") logs.

Redirection to Syslog Server

To forward the Audit logs to the Syslog server (see Audit Logs):

  1. Edit the log4j.xml file:
    1. Uncomment the following lines:

      <!--Syslog name="bsd" host="syslog.server.ip" protocol="TCP" port="514" newLine="true"/-->
      <!--AppenderRef ref="bsd"/-->

    2. Replace "syslog.server.ip" with the IP address of the Syslog server.
    3. As needed, modify the protocol and port values.
  2. Restart the EKM service. Refer to EKM Service Management.
  3. Examine the catalina.out log file in the Tomcat Log Files folder. A failed handshake with the Syslog server is logged there as:

      ERROR TcpSocketManager (TCP:192.168.0.242:514): Connection refused

To configure a Syslog server follow the instructions here.
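The following script is an added example (not part of the product documentation or its code) that inspects a log4j.xml and reports whether audit-log forwarding is actually wired up after the edits above: the Syslog appender must be uncommented, its host must no longer be the "syslog.server.ip" placeholder, and the AUDIT logger must reference the appender. The Log4j 2 file layout it assumes (<Appenders> holding the <Syslog> element, <AppenderRef> nested in the AUDIT <Logger>) is standard for Log4j 2 but not shown in full on this page; the two embedded configurations and the 192.0.2.10 address are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict

PLACEHOLDER_HOST = "syslog.server.ip"   # value shipped in the commented-out line


def check_syslog_forwarding(log4j_xml: str) -> Dict[str, Any]:
    """Report whether the AUDIT logger of a log4j.xml forwards to a Syslog appender.

    XML comments are dropped by the parser, so a still-commented <Syslog .../>
    or <AppenderRef .../> simply does not appear and is reported as missing.
    """
    root = ET.fromstring(log4j_xml)
    report: Dict[str, Any] = {
        "appender": None, "host": None, "protocol": None, "port": None,
        "host_is_placeholder": True, "referenced_by_audit": False,
        "transport_encrypted": False, "findings": [],
    }
    syslog = root.find("./Appenders/Syslog")
    if syslog is None:
        report["findings"].append("no Syslog appender: the <Syslog .../> line is still commented out or missing")
        return report
    name = syslog.get("name", "")
    host = syslog.get("host", "")
    report.update(appender=name, host=host, protocol=syslog.get("protocol"), port=syslog.get("port"))
    report["host_is_placeholder"] = host in ("", PLACEHOLDER_HOST)
    if report["host_is_placeholder"]:
        report["findings"].append(f"Syslog host '{host}' is still the placeholder; nothing will be delivered")
    # Log4j 2 also accepts protocol="SSL"; with TCP or UDP the audit entries cross the network in clear.
    report["transport_encrypted"] = (syslog.get("protocol") or "").upper() == "SSL"

    audit = root.find("./Loggers/Logger[@name='AUDIT']")
    if audit is None:
        report["findings"].append("no AUDIT logger defined")
        return report
    if audit.get("level", "").lower() == "off":
        report["findings"].append("AUDIT logger level is 'off'; audit logging is disabled")
    refs = [ref.get("ref") for ref in audit.findall("AppenderRef")]
    report["referenced_by_audit"] = name in refs
    if not report["referenced_by_audit"]:
        report["findings"].append(f'AUDIT logger has no <AppenderRef ref="{name}"/>; nothing is forwarded')
    return report


# Constructed: the shipped layout, with both lines still commented out.
BEFORE_XML = """<Configuration>
  <Appenders>
    <!--Syslog name="bsd" host="syslog.server.ip" protocol="TCP" port="514" newLine="true"/-->
  </Appenders>
  <Loggers>
    <Logger name="AUDIT" level="info">
      <!--AppenderRef ref="bsd"/-->
    </Logger>
    <Logger name="TRACE" level="off"/>
    <Logger name="CONFIG" level="info"/>
  </Loggers>
</Configuration>"""

# Constructed: the same file after steps 1.1 to 1.3 (192.0.2.10 stands in for the real server).
AFTER_XML = """<Configuration>
  <Appenders>
    <Syslog name="bsd" host="192.0.2.10" protocol="TCP" port="514" newLine="true"/>
  </Appenders>
  <Loggers>
    <Logger name="AUDIT" level="info">
      <AppenderRef ref="bsd"/>
    </Logger>
    <Logger name="TRACE" level="off"/>
    <Logger name="CONFIG" level="info"/>
  </Loggers>
</Configuration>"""

if __name__ == "__main__":
    for label, xml in (("before", BEFORE_XML), ("after", AFTER_XML)):
        print(label, check_syslog_forwarding(xml))
```

Run it against the real file (for example on Linux: /opt/ekm/conf/log4j.xml) before restarting the service; an empty findings list means the file is ready, and transport_encrypted tells you whether the forwarded entries travel in clear text.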

Names of Operations in Audit Logs

This appendix clarifies the names of operations that appear in the audit log.