User's Guide: Alert Management

1.0 Introduction

This article provides an overview of the Fortanix Data Security Manager (DSM) Alert Management feature, which lets you set up alerts for key expirations and other important events. You can integrate these alerts with Security Information and Event Management (SIEM) tools, such as Splunk and Syslog.

For detailed information on how to integrate Splunk and Syslog, refer to the System Administration - Log Management.

2.0 Set Up Key Expiry Alerts

Perform the following steps to configure alerts for expiring keys:

  1. Log in to the Fortanix DSM user interface (UI).

  2. Click the Settings → ALERT MANAGEMENT menu item in the DSM left navigation panel.

    Figure 1: Alert management

  3. Click SETUP ALERT to select how many days in advance you want to be notified before the keys expire.

    • 1 day: Receive an alert 1 day before the key expiration date.

    • 7 days: Receive an alert 7 days before the key expiration date.

    • 30 days: Receive an alert 30 days before the key expiration date.

  4. Click SAVE to enable the alert.

3.0 Configure the Expiring Keys Alerts for SIEM Tools

This section describes how to configure Fortanix DSM to send alerts for expiring keys to external logging systems such as Splunk and Syslog, enabling better monitoring and log management.

3.1 Configuring Expiring Keys Alert for Splunk

Perform the following steps to send expiring key alerts from Fortanix DSM to Splunk:

  1. Click CONFIGURE next to Splunk to enable Fortanix DSM alerts to be sent to your Splunk environment for centralized monitoring.

  2. On the Splunk Alert Management Integration page, provide the following details to connect to your Splunk server:

    • Host: Enter the hostname or IP address of the Splunk server.

    • Enable HTTPS: Select this check box to communicate with the Splunk server over HTTPS (recommended).

      When you select the Enable HTTPS option for alert integrations, the following settings are displayed and are enabled by default:

      NOTE

      If you are using an HTTP connection, then clear the Enable HTTPS check box in the Fortanix CCM Log Management screen for Splunk, and also clear the Enable SSL check box in the Splunk Global Settings. Refer to the Appendix section for the screenshot.

      • Host validation: The Validate host option, if selected, ensures that the host name or IP address you entered matches the host name on the server certificate, verifying that the connection is securely directed to the intended server.

      • Validate certificate:

        • Global Root CAs: Use this certificate if you are using a certificate that is signed by a well-known public Certificate Authority (CA).

        • Custom CA Certificate: Use this certificate if you, as an enterprise, want to self-sign the certificate using your own internal CA.

          Click UPLOAD A FILE to upload the CA certificate. When Fortanix DSM, as a client, connects to the Splunk server and is presented with the server’s certificate, it validates the connection using the enrolled Custom CA Certificate.

          Run the following command to retrieve the CA certificate from the certificate chain presented by the Splunk server:

          openssl s_client -connect <endpoint/ipaddress>:port -showcerts

          Where,

          • ipaddress refers to the IP address of the Splunk server.

          • port refers to the value of the Management port, under Server settings → General settings in the Splunk Server. Refer to the Appendix section for the screenshot.

          NOTE

          In case the Custom CA Certificate has a Common Name (CN) that does not match the server on which Splunk is deployed, clear the Validate host check box, which prompts Fortanix DSM to ignore the hostname of the Splunk deployment instance. Only the certificate chain will be validated in this case.

    • Port: Enter the port number for the Splunk service. The default is port 80, or if HTTPS was enabled above, the default is port 443. If a different port is in use, enter the applicable port number.

    • Index: Enter the name of the Splunk index to submit events. This value should match the index in Splunk and is used to distinguish logs from different sources. For example, Fortanix DSM logs can be pushed to the index named DSM. Refer to the Appendix section for the screenshot.

    • Authentication token: Enter a valid authentication token to authenticate Fortanix DSM with the HTTP Event Collector (HEC) of your Splunk instance. This token allows Fortanix DSM to push events to Splunk. For example, the logs from Fortanix Confidential Computing Manager (CCM) can be pushed to the Index source name fortanix_cloud. For more details about generating HEC authentication tokens, refer to the Splunk documentation.

      NOTE

      For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.

    Figure 2: Splunk configuration

  3. Click SAVE to enable the alert.
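The following added example (not code from the Fortanix DSM guide or product) covers two parts of the Splunk procedure above: splitting the chain printed by the openssl s_client -showcerts command into individual PEM certificates so that the issuing CA can be saved for the Custom CA Certificate upload, and building the HTTP Event Collector (HEC) request that the Host, Enable HTTPS, Validate host, Validate certificate, Port, Index and Authentication token fields describe. The HEC endpoint path and Authorization header scheme are Splunk's documented HEC interface; the host names, index name, token, source name and certificate bodies are constructed placeholders.

```python
"""Custom CA extraction and Splunk HEC delivery for DSM expiring-key alerts.

Added example, not code from the Fortanix DSM guide or product. Host names,
index name, token, source name and certificate bodies are constructed.
"""
import json
import re
import ssl
import subprocess
import urllib.request
from typing import List, Optional

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(s_client_output: str) -> List[str]:
    """Return every PEM certificate in s_client output: leaf first, issuers after.

    The last block is the highest issuer the server sent. Servers usually omit the
    root itself, so if that block is only an intermediate, take the CA certificate
    from your PKI instead of from this output.
    """
    return PEM_BLOCK.findall(s_client_output)


def fetch_chain(host: str, port: int) -> List[str]:
    """Run the guide's openssl command (no shell involved) and split its output."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=15)
    return split_pem_chain(proc.stdout)


def build_tls_context(validate_host: bool = True,
                      custom_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Express the form's TLS choices in Python's ssl module.

    custom_ca_file=None  -> 'Global Root CAs': trust the system's public root store.
    custom_ca_file=path  -> 'Custom CA Certificate': trust only that PEM file.
    validate_host=False  -> 'Validate host' cleared: the chain is still verified,
                            only the host name check against the certificate is skipped.
    """
    ctx = ssl.create_default_context(cafile=custom_ca_file)
    ctx.check_hostname = validate_host
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation is never switched off
    return ctx


def build_hec_request(host: str, port: int, use_https: bool, index: str,
                      token: str, event: dict, sourcetype: str = "dsm_audit"):
    """Return (url, headers, body) for one HEC event; nothing is sent here."""
    scheme = "https" if use_https else "http"
    url = f"{scheme}://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}",  # HEC token scheme
               "Content-Type": "application/json"}
    body = json.dumps({"index": index,  # must match an existing Splunk index
                       "sourcetype": sourcetype,
                       "source": "fortanix_dsm",  # constructed source name
                       "event": event}).encode("utf-8")
    return url, headers, body


def send_hec_event(host, port, use_https, index, token, event,
                   validate_host=True, custom_ca_file=None, timeout=10):
    """POST one event to HEC and return (HTTP status, decoded JSON reply)."""
    url, headers, body = build_hec_request(host, port, use_https, index, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = build_tls_context(validate_host, custom_ca_file) if use_https else None
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed stand-in for s_client output (real output carries full certificates).
    sample = ("CONNECTED(00000003)\n 0 s:CN = splunk.example.internal\n"
              "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
              " 1 s:CN = Example Internal CA\n"
              "-----BEGIN CERTIFICATE-----\nISSUER\n-----END CERTIFICATE-----\n---\n")
    chain = split_pem_chain(sample)
    with open("custom-ca.pem", "w") as f:   # the file to upload via UPLOAD A FILE
        f.write(chain[-1] + "\n")
    url, headers, body = build_hec_request(
        "splunk.example.internal", 443, True, "DSM", "HEC-TOKEN-PLACEHOLDER",
        {"alert": "key_expiry", "key_id": "example-key-1", "days_left": 7})
    print(url, body.decode())
    # send_hec_event(..., custom_ca_file="custom-ca.pem") delivers it over HTTPS.
```

Clearing Validate host only relaxes the host name match; the chain is still verified against the chosen CA, which is the behaviour the NOTE above describes for a Custom CA Certificate whose CN does not match the Splunk host.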

3.2 Configuring Expiring Keys Alert for Syslog

Perform the following steps to integrate Fortanix DSM with Syslog:

  1. Click CONFIGURE next to Syslog to allow Fortanix DSM to send alerts to your Syslog server for streamlined log management.

  2. In the Syslog Alert Management Integration form, enter the following details to connect to your Syslog server:

    • Host: Enter the hostname or IP address of your Syslog server.

    • Enable TLS: Select this check box to communicate with the Syslog server over a secure connection using TLS.

      • Host validation: When TLS is enabled, Fortanix DSM validates the Syslog server hostname against the certificate. To disable this validation, clear the Validate host check box.

      • Validate certificate: You can connect to the Syslog server over a non-secure connection or a secure TLS connection. Depending on the type of TLS certificate used by the Syslog server:

        • If you are using a certificate signed by a well-known public CA, select Global Root CAs.

        • If your organization uses a self-signed certificate issued by an internal Certificate Authority (CA), select Custom CA Certificate. Click UPLOAD A FILE to upload your CA certificate. When Fortanix DSM, acting as a client, connects to the Syslog server and receives the server’s certificate, it validates the certificate using the uploaded custom CA certificate.

    • Port (TCP): The default port for the Syslog server is 514. If you are using a different port, update the port number accordingly.

    • Facility: When you log an event in Syslog, you can choose from different facilities. Use this setting to filter logs by a specific facility, such as User, Local0, Local1, and others defined by the Syslog protocol. For example, you can configure Fortanix DSM to use the Local0 facility to easily filter logs from a specific appliance.

    Figure 3: Syslog configuration

  3. Click SAVE to enable the alert.
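The following added example (not code from the Fortanix DSM guide or product) shows what the Facility, Port (TCP) and Enable TLS fields above mean on the wire: it formats an RFC 5424 syslog message for a key-expiry alert with the chosen facility, frames it for TCP, and delivers it either in the clear or over TLS with the Validate host and Custom CA Certificate choices applied. The facility and severity numbering comes from RFC 5424; the host names and message text are constructed placeholders.

```python
"""RFC 5424 syslog message for a key-expiry alert, with facility selection.

Added example, not code from the Fortanix DSM guide or product. Host names
and message text are constructed placeholders.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Facility codes defined by the syslog protocol (RFC 5424, section 6.2.1).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI value is facility * 8 + severity; receivers filter on the facility part."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_rfc5424(facility: str, severity: str, hostname: str, app_name: str,
                   msg: str, msgid: str = "KEYEXPIRY",
                   when: Optional[datetime] = None) -> str:
    """Build '<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG' (no PROCID/SD)."""
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{priority(facility, severity)}>1 {ts} {hostname} {app_name} - {msgid} - {msg}"


def frame_for_tcp(message: str) -> bytes:
    """Octet-counting framing used for syslog over TCP and TLS (RFC 6587 / RFC 5425)."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def send_syslog(host: str, port: int, framed: bytes, use_tls: bool,
                validate_host: bool = True, custom_ca_file: Optional[str] = None):
    """Deliver one framed message over plain TCP or TLS, mirroring the form's options."""
    with socket.create_connection((host, port), timeout=10) as raw:
        if not use_tls:
            raw.sendall(framed)
            return
        # cafile=None trusts the public root store ('Global Root CAs');
        # a path trusts only the uploaded CA ('Custom CA Certificate').
        ctx = ssl.create_default_context(cafile=custom_ca_file)
        ctx.check_hostname = validate_host   # 'Validate host' cleared -> False
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(framed)


if __name__ == "__main__":
    line = format_rfc5424("local0", "warning", "dsm.example.internal", "fortanix-dsm",
                          "key example-key-1 expires in 7 days")
    print(frame_for_tcp(line))
    # send_syslog("syslog.example.internal", 514, frame_for_tcp(line), use_tls=False)
```

Choosing Local0 in the form gives every DSM message a PRI in the 128..135 range, which is what a receiver's facility filter keys on.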

4.0 Edit the Configuration for SIEM Tools

Perform the following steps to edit the alert:

  1. Click EDIT corresponding to Splunk.

    Figure 4: Edit splunk configuration

  2. On the Splunk Alert Management Integration page, update the information as required.

  3. Click SAVE to update the alert.

Similarly, you can edit the expiring key alert configuration for Syslog.

Figure 5: Edit syslog configuration

5.0 Monitor the Alerts

After configuring the required alert integration, you can view or monitor the expiring keys alerts directly within the Splunk UI.

Open the Splunk UI and monitor the alerts as shown in the following figure. Check this index regularly to stay informed about upcoming key expirations.

Figure 6: Messages on splunk UI

6.0 Key Expiry Alert Threshold

This section outlines the rules for key expiry alerts: how many keys can be listed in each alert message and how many alert messages you can receive in total.

  • Each alert message can contain notifications for up to 50 expiring keys.

  • For each configured alert, up to 11 alert messages will be sent for expiring keys.

    • The first 10 messages will each contain information about 50 expiring keys, totalling 500 keys.

    • The 11th message will include information about any remaining expiring keys.

For example, if you select the 1 day and 30 days options, then at most 11 x 2 = 22 alert messages will be sent.
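The following added example (not code from the Fortanix DSM guide or product) applies the threshold rule above to an arbitrary list of expiring keys: 50 keys per message for the first 10 messages, everything left in the 11th, and an upper bound of 11 messages per selected threshold. The key identifiers are constructed.

```python
"""Message batching under the key expiry alert threshold.

Added example, not code from the Fortanix DSM guide or product; key
identifiers are constructed.
"""
from typing import List, Sequence

MAX_KEYS_PER_MESSAGE = 50
MAX_MESSAGES_PER_ALERT = 11


def batch_expiring_keys(key_ids: Sequence[str]) -> List[List[str]]:
    """Split key IDs into alert messages: 50 per message for the first 10
    messages, then everything that remains in the 11th message."""
    messages: List[List[str]] = []
    for start in range(0, len(key_ids), MAX_KEYS_PER_MESSAGE):
        if len(messages) == MAX_MESSAGES_PER_ALERT - 1:
            messages.append(list(key_ids[start:]))  # 11th message: all remaining keys
            break
        messages.append(list(key_ids[start:start + MAX_KEYS_PER_MESSAGE]))
    return messages


def max_messages(thresholds: Sequence[int]) -> int:
    """Upper bound on messages per run: 11 for each selected threshold (1, 7 or 30 days)."""
    return MAX_MESSAGES_PER_ALERT * len(thresholds)


if __name__ == "__main__":
    keys = [f"key-{i:04d}" for i in range(650)]   # constructed key IDs
    sizes = [len(m) for m in batch_expiring_keys(keys)]
    print(sizes)                   # [50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 150]
    print(max_messages([1, 30]))   # 22
```

With more than 500 keys the 11th message grows to hold the remainder, so a very long final message is the signal that the 500-key ceiling of the first ten messages has been passed.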

7.0 Key Expiration Timezone Consideration

Note that all key expiration alerts are based on GMT (Greenwich Mean Time), regardless of the user’s location or local timezone. Even if you are in a different timezone, key expiration alerts follow GMT for consistency across all Fortanix DSM environments. Alerts are sent out starting from 2:00 AM GMT.

This standardized approach ensures uniform alert timing and helps users manage expirations accurately, no matter their location.

8.0 Appendix

This section describes the Splunk Server configuration steps with corresponding screenshots:

If you are using an HTTPS connection, update the Global Settings as follows:

  • Select the Enable SSL check box.

  • Set the Default Source Type to dsm_audit.

    Figure 7: Enable SSL

  • Set the Port Number on the Splunk server used to generate the Custom CA Certificate.

    Figure 8: Management port number

  • Ensure that the Index value in the Fortanix DSM Splunk Log Management Integration form matches the Default Index value in Splunk.

    Figure 9: Fortanix DSM system events