Alert Management

1.0 Introduction

This article provides an overview of the Fortanix Data Security Manager (DSM) Alert Management feature, which lets you set up alerts for key expirations and other important events. You can integrate these alerts with Security Information and Event Management (SIEM) tools, such as Splunk and Syslog.

2.0 Set Up Key Expiry Alerts

Perform the following steps to configure alerts for expiring keys:

  1. Log in to the Fortanix DSM user interface (UI).

  2. Click the Settings → ALERT MANAGEMENT menu item in the DSM left navigation panel.

    Figure 1: Alert management

  3. Click SETUP ALERT to select how many days in advance you want to be notified before the keys expire.

    • 1 day: Receive an alert 1 day before the key expiration date.

    • 7 days: Receive an alert 7 days before the key expiration date.

    • 30 days: Receive an alert 30 days before the key expiration date.  

  4. Click SAVE to enable the alert.

3.0 Configure the Expiring Keys Alerts for SIEM Tools

This section describes how to configure Fortanix DSM to send alerts for expiring keys to external logging systems such as Splunk and Syslog, enabling better monitoring and log management.

3.1 Configuring Expiring Keys Alert for Splunk

You can configure Fortanix DSM to send audit log entries to a Splunk server using the HTTP Event Collector (HEC).

Perform the following steps to configure logging events to Splunk:

  1. Navigate to the Settings → LOG MANAGEMENT tab.

  2. In the Custom Log Management Integrations section, click CONFIGURE for Splunk.

  3. On the Splunk Log Management Integration form:

    • Host: Enter the hostname or IP address of the Splunk server.

    • Enable HTTPS: Select this check box to communicate with the Splunk server over HTTPS (recommended). Also, select the Enable SSL check box in the Splunk Global Settings. Refer to Section 8.0: Appendix for a sample screenshot.

      NOTE

      If you are using an HTTP connection, then clear the Enable HTTPS check box in the Fortanix DSM Log Management screen for Splunk and clear the Enable SSL check box in the Splunk Global Settings. Refer to Section 8.0: Appendix for the screenshot.

      When you select the Enable HTTPS option for alert integrations, the following settings are displayed and are enabled by default:

      • Host validation: The Validate host option, if selected, ensures that the hostname or IP address you entered matches the hostname on the server certificate, verifying that the connection is securely directed to the intended server.

      • Validate certificate:

        • Global Root CAs: Use this certificate if you are using a certificate that is signed by a well-known public Certificate Authority (CA).

        • Custom CA Certificate: Use this certificate if you, as an enterprise, want to self-sign the certificate using your own internal CA.

          Click UPLOAD A FILE to upload the CA certificate. When Fortanix DSM, as a client, connects to the Splunk server and is presented with the server’s certificate, it validates the connection using the enrolled custom CA Certificate.

          Run the following command to retrieve the certificate chain that the Splunk server presents:

          openssl s_client -connect <endpoint/ipaddress>:port -showcerts

          Where,

          • ipaddress : Defines the IP address of the Splunk server.

          • port : Defines the value of the Management port, under Server settings → General settings in the Splunk Server. Refer to Section 8.0: Appendix for the screenshot.

          NOTE

          In case the Custom CA Certificate has a Common Name (CN) that does not match the server on which Splunk is deployed, clear the Validate host check box, which prompts Fortanix DSM to ignore the hostname of the Splunk deployment instance. Only the certificate chain will be validated in this case.

    • Port: Enter the port number for the Splunk service. The default is port 80, or if HTTPS was enabled above, the default is port 443. If a different port is in use, enter the applicable port number.

    • Index: Enter the name of the Splunk index to which events are submitted. Use the same index name configured in your Splunk instance. When you push the logs to Splunk, you must push them to a specific index. Fortanix DSM sends this value to the Splunk server. You can set the index name as needed to differentiate logs from various sources. For example, you can push Fortanix DSM logs to a Splunk index named SDKMS. Refer to Section 8.0: Appendix for a sample screenshot.

    • Authentication token: Enter a valid authentication token to authenticate Fortanix DSM with the HTTP Event Collector (HEC) of your Splunk instance. This token allows Fortanix DSM to push events to Splunk. For example, the logs from Fortanix Data Security Manager (DSM) can be pushed to the Index source name fortanix_cloud. For more information about generating HEC authentication tokens, refer to the Splunk official documentation.  

      NOTE

      For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.

    • Use FQDN hostname: This check box is selected by default. When enabled, the DSM cluster’s fully qualified domain name (FQDN) is used as the hostname in Splunk log entries, enabling identification of the source cluster in multi-cluster environments.

    Figure 2: Splunk integration form

  4. Click SAVE to add the Splunk integration.

3.2 Configuring Expiring Keys Alert for Syslog

You can configure Fortanix DSM to send audit log entries to a Syslog server.

Perform the following steps to configure logging events to Syslog:

  1. In the Custom Log Management Integrations section, click CONFIGURE for Syslog.

  2. On the Syslog Log Management Integration form:

    • Host: Enter the hostname or IP address of your Syslog server.

    • Enable TLS: Select this check box to communicate with the Syslog server over a secure connection using TLS.

      • Host validation: The Validate host option, if selected, ensures that the hostname or IP address you entered matches the hostname on the server certificate, verifying that the connection is securely directed to the intended server.

      • Validate certificate: You can connect to the Syslog server over a non-secure connection or a secure TLS connection.

        • Global Root CAs: Use this certificate if you are using a certificate that is signed by a well-known public Certificate Authority (CA).

        • Custom CA Certificate: Use this certificate if you, as an enterprise, want to self-sign the certificate using your own internal CA.

          Click UPLOAD A FILE to upload the CA certificate. When Fortanix DSM, as a client, connects to the Syslog server and is presented with the server’s certificate, it validates the connection using the enrolled custom CA Certificate.

    • Port (TCP): Enter the port number for the Syslog service. The default is port 514, or if you are using a different port, update the port number accordingly.

    • Facility: When you log an event in Syslog, you can choose to log it in different facilities. Use this setting to filter logs by a specific facility, such as User, Local0, Local1, and others that are well-defined in the Syslog protocol. For example, configure Fortanix DSM to use the Local0 facility to easily filter logs from a specific appliance.

    • Use FQDN hostname: This check box is selected by default. When enabled, the DSM cluster’s FQDN is used as the hostname in Syslog log entries, enabling identification of the source cluster in multi-cluster environments.

    Figure 3: Syslog integration form

  3. Click SAVE to add the Syslog integration.
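
The difference between the Validate certificate and Validate host options in Sections 3.1 and 3.2, as an added example (not Fortanix or Splunk code): the script builds a throwaway CA and server certificate with openssl, then checks the certificate chain and the hostname separately. The CA name, the hostnames and the helper functions make_pki, check and fetch_chain are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; every name and hostname below is a constructed placeholder.
set -eu

# make_pki DIR NAME: throwaway internal CA plus a server certificate issued to NAME.
make_pki() {
    d=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Internal CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$name" > "$d/san.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/srv.pem" 2>/dev/null
}

# check CA_FILE CERT_FILE HOST: prints "chain=<ok|fail> host=<ok|mismatch|n/a>".
# The chain check mirrors "Validate certificate", the host check "Validate host".
check() {
    if ! openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo "chain=fail host=n/a"; return 0
    fi
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo "chain=ok host=ok"
    else
        echo "chain=ok host=mismatch"
    fi
}

# fetch_chain HOST:PORT: the page's s_client command, filtered down to PEM blocks.
# Servers often omit the root CA here, so compare the result with your PKI's CA file.
fetch_chain() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

demo() {
    w=$(mktemp -d); mkdir "$w/a" "$w/b"
    make_pki "$w/a" splunk-hec.example.internal
    make_pki "$w/b" other.example.internal      # a second, unrelated CA
    check "$w/a/ca.pem" "$w/a/srv.pem" splunk-hec.example.internal   # both checks pass
    check "$w/a/ca.pem" "$w/a/srv.pem" wrong-name.example.internal   # name mismatch
    check "$w/b/ca.pem" "$w/a/srv.pem" splunk-hec.example.internal   # wrong CA uploaded
    rm -rf "$w"
}
demo
```

If Validate host is cleared to work around the second result, any certificate issued by the uploaded CA is accepted for that endpoint. Reissuing the server certificate with the name entered in the Host field keeps both checks enabled.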

4.0 Edit the Configuration for SIEM Tools

Perform the following steps to edit the alert:

  1. Click EDIT corresponding to Splunk.

    Figure 4: Edit Splunk configuration

  2. On the Splunk Alert Management Integration page, update the information as required.

  3. Click SAVE to update the alert.

Similarly, you can edit the expiring key alert configuration for Syslog.

Figure 5: Edit Syslog configuration

5.0 Monitor the Alerts

After configuring the required alert integration, you can view or monitor the expiring keys alerts directly within the Splunk UI.

Open the Splunk UI and monitor the alerts as shown in the following figure. Check this index frequently to stay informed about any upcoming key expirations.

Figure 6: Messages on Splunk UI

6.0 Key Expiry Alert Threshold

This section outlines the limits on key expiry alerts: how many keys can be listed in each alert message and the total number of alert messages you can receive.

  • Each alert message can contain notifications for up to 50 expiring keys.

  • For each configured alert, up to 11 alert messages will be sent for expiring keys.

    • The first 10 messages will each contain information about 50 expiring keys, totalling 500 keys.

    • The 11th message will include information about any remaining expiring keys.

For example, if you select both the 1 day and 30 days options, then a maximum of 11 x 2 = 22 alert messages will be sent.

7.0 Key Expiration Timezone Consideration

All key expiration alerts are based on GMT (Greenwich Mean Time), regardless of the user’s location or local timezone. This means that, even if you are in a different timezone, the alerts for key expiration will follow GMT for consistency across all Fortanix DSM environments. Alerts will be sent out starting from 2:00 AM GMT.

This standardized approach ensures uniform alert timing and helps users manage expirations accurately, no matter their location.

8.0 Appendix

This section describes the Splunk Server configuration steps with corresponding screenshots:

If you are using an HTTPS connection, update the Global Settings as follows:

  • Select the Enable SSL check box.

  • Select the Default Source Type as dsm_audit.

    Figure 7: Enable SSL

  • Set the Port Number on the Splunk server used to generate the Custom CA Certificate.

    Figure 8: Management port number

  • Ensure that the Index value in the Fortanix DSM Splunk Log Management Integration form matches the Default Index value in Splunk.

    Figure 9: Fortanix DSM system events
