User's Guide: Alert Management

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Alert Management User Guide. This document provides an overview of the Alert Management feature in Fortanix DSM, allowing you to set up alerts for key expirations and other important events. You can integrate these alerts with Security Information and Event Management (SIEM) tools, such as Splunk and Syslog.

For detailed information on how to integrate Splunk and Syslog, refer to the System Administration - Log Management guide.

2.0 Set Up Key Expiry Alerts

Perform the following steps to configure alerts for expiring keys:

  1. Log in to the Fortanix DSM user interface (UI).

  2. Click the Settings → ALERT MANAGEMENT menu item in the DSM left navigation bar.

    Figure 1: Alert Management

  3. Click the SETUP ALERT button to select how many days in advance you want to be notified before the keys expire.

    • 1 day: Receive an alert 1 day before the key expiration date.

    • 7 days: Receive an alert 7 days before the key expiration date.

    • 30 days: Receive an alert 30 days before the key expiration date.

  4. Click the SAVE button to enable the alert.

3.0 Configure the Expiring Keys Alerts for SIEM Tools

This section describes how to configure sending alerts for expiring keys in Fortanix DSM to external logging systems such as Splunk and Syslog for better monitoring and log management.

3.1 Configuring Expiring Keys Alert for Splunk

Perform the following steps to send Fortanix DSM expiring key alerts to Splunk:

  1. Click the CONFIGURE button corresponding to Splunk to allow Fortanix alerts to be sent to your Splunk environment for centralized monitoring.

  2. On the Splunk Alert Management Integration page, fill in the following information to connect to your Splunk server:

    • Host: Enter the hostname or IP address of the Splunk server.

    • Enable HTTPS: Select this check box to communicate with the Splunk server over HTTPS (recommended).

      When you select the Enable HTTPS option for alert integrations, the following settings are displayed and are enabled by default:

      NOTE

      If you are using an HTTP connection, then clear the Enable HTTPS checkbox in the Fortanix CCM Log Management screen for Splunk and also clear the Enable SSL checkbox in the Splunk Global Settings. Refer to the Appendix section for the screenshot.

      • Host validation: This option ensures that the host name or IP address you entered matches the host name on the server certificate, verifying that the connection is securely directed to the intended server.

      • Validate certificate:

        • Global Root CAs: Use this certificate if you are using a certificate that is signed by a well-known public Certificate Authority (CA).

        • Custom CA Certificate: Use this option if, as an enterprise, you sign the server certificate with your own internal CA.

          Click the UPLOAD A FILE button to upload the CA certificate. When Fortanix DSM as a client connects to the Splunk server and is presented the server’s certificate, it validates the connection using the enrolled custom CA Certificate.

          Run the following command to obtain the CA certificate (the server's certificate chain is printed in PEM format; redirecting stdin from /dev/null makes the command exit after printing it):

          openssl s_client -connect <endpoint/ipaddress>:<port> -showcerts </dev/null

          Where,

          • ipaddress refers to the IP address of the Splunk server.

          • port refers to the value of the Management port, under Server settings → General settings in the Splunk Server. Refer to the Appendix section for the screenshot.

          NOTE

          In case the Custom CA Certificate has a Common Name (CN) that does not match the server on which Splunk is deployed, clear the Validate host check box, which prompts Fortanix DSM to ignore the hostname of the Splunk deployment instance. Only the certificate chain will be validated in this case.

    • Port: Enter the port number for the Splunk service. The default is port 80, or if HTTPS was enabled above, the default is port 443. If a different port is in use, enter the applicable port number.

    • Index: Enter the name of the Splunk index to submit events. This value should match the index in Splunk and is used to distinguish logs from different sources. For example, Fortanix DSM logs can be pushed to the index named DSM. Refer to the Appendix section for the screenshot.

    • Authentication token: Enter a valid authentication token to authenticate Fortanix DSM with the HTTP Event Collector (HEC) of your Splunk instance. This token allows Fortanix DSM to push events to Splunk. For example, the logs from Fortanix CCM can be pushed to the Index source name fortanix_cloud. For more details about generating HEC authentication tokens, refer to Splunk documentation.

      NOTE

      For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.

    Figure 2: Splunk Configuration

  3. Click the SAVE button to enable the alert.
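As an added example that is not part of the Fortanix guide, the following POSIX shell snippet turns the output of the openssl s_client command from step 2 (the same command that Section 3.2 reuses for Syslog) into a single PEM block suitable for the Custom CA Certificate upload, and shows how to confirm that the extracted CA actually signs the server's leaf certificate. The host name, port and certificate bodies are placeholders or constructed sample data, not values from a real deployment.

```shell
# Added example, not from the Fortanix guide: split the chain printed by
# `openssl s_client -showcerts` into PEM blocks and keep the last one, which is
# the CA certificate to enrol in Fortanix DSM. Hosts/ports are placeholders.

# Fetch the chain from a live server (needs network; not run by the demo below).
# Usage: fetch_chain <splunk-or-syslog-host> <port> > chain.txt
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Number of PEM certificate blocks in s_client output read from stdin.
# 1 means the server sent only its leaf; get the CA certificate from the CA itself.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Print the last certificate block read from stdin. s_client lists the chain
# leaf first, so the last block is the highest CA the server sends (root or
# intermediate); s_client chatter between the blocks is discarded.
last_cert() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { buf = "" }
       { buf = buf $0 "\n" }
       /^-----END CERTIFICATE-----$/ { last = buf }
       END { printf "%s", last }'
}

# Confirm the extracted CA really signs the leaf before uploading it.
# Usage: verify_leaf ca.pem leaf.pem   (exit status 0 on success)
verify_leaf() {
  openssl verify -CAfile "$1" "$2"
}
# Constructed sample of s_client output; the bodies are dummy text, not real certs.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = splunk.example.internal
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
LEAF-CERT-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
CA-CERT-BODY
-----END CERTIFICATE-----
---'

echo "certificates in chain: $(printf '%s\n' "$SAMPLE_CHAIN" | count_certs)"
printf '%s\n' "$SAMPLE_CHAIN" | last_cert     # prints only the CA block
```

If count_certs reports 1, the server is sending only its own certificate; in that case the CA certificate must be obtained from whoever operates the internal CA rather than from the connection.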

3.2 Configuring Expiring Keys Alert for Syslog

Perform the following steps to integrate Fortanix DSM with Syslog:

  1. Click the CONFIGURE button corresponding to Syslog to allow Fortanix DSM to send alerts to your Syslog server for streamlined log management.

  2. In the Syslog Alert Management Integration section, enter the following information to connect to your Syslog server:

    • Host: Enter the hostname or IP address of the Syslog server.

    • Enable TLS: Select this check box to verify that the host mentioned in the previous field matches the hostname in the server certificate.

      When you select the Enable TLS option for alert integrations, the following settings are displayed and are enabled by default:

      • Global Root CAs: Use this certificate if you are using a certificate that is signed by a well-known public CA.

      • Custom CA Certificate: Use this option if, as an enterprise, you sign the server certificate with your own internal CA.

        Click the UPLOAD A FILE button to upload the CA certificate. When Fortanix DSM as a client connects to the Syslog server and is presented the server’s certificate, it validates the connection using the enrolled custom CA Certificate.

        Run the command described in the previous section to obtain the CA certificate.

    • Port (TCP): Enter the port number of the Syslog server. By default, this is TCP 514, which is the port the server uses to receive Syslog messages. If using a different port, enter the appropriate port number.

    • Facility: Select the required well-defined facility from the drop-down menu to categorize the log under a specific Syslog facility for targeted filtering. The Facility list includes standard options such as User, Local0, Local1, and so on. For example, you can configure Fortanix DSM to use the Local0 facility to help filter logs from a particular appliance by facility.

    Figure 3: Syslog Configuration

  3. Click the SAVE button to enable the alert.

4.0 Edit the Configuration for SIEM Tools

Perform the following steps to edit the alert:

  1. Click the EDIT button corresponding to Splunk.

    Figure 4: Edit Splunk Configuration

  2. On the Splunk Alert Management Integration page, update the following information as required.

  3. Click the SAVE button to update the alert.

Similarly, you can edit the expiring key alert configuration for Syslog.

Figure 5: Edit Syslog Configuration

5.0 Monitor the Alerts

After configuring the required alert integration, you can view or monitor the expiring keys alerts directly within the Splunk user interface (UI).

Open the Splunk UI and monitor the alerts as shown in the following figure. Check this index frequently to stay informed about any upcoming key expirations.

Figure 6: Messages on Splunk UI

6.0 Key Expiry Alert Threshold

This section outlines the rules for key expiry alerts: how many keys can be listed in each alert message and the total number of alert messages you can receive.

  • Each alert message can contain notifications for up to 50 expiring keys.

  • For each configured alert, up to 11 alert messages will be sent for expiring keys.

    • The first 10 messages will each contain information about 50 expiring keys, totalling 500 keys.

    • The 11th message will include information about any remaining expiring keys.

For example, if you select the 1 day and 30 days options, then at most 11 x 2 = 22 alert messages will be sent.

7.0 Key Expiration Timezone Consideration

Note that all key expiration alerts are based on GMT (Greenwich Mean Time), regardless of the user’s location or local timezone. This means that, even if you are in a different timezone, the alerts for key expiration will follow GMT for consistency across all Fortanix DSM environments. Alerts will be sent out starting from 2:00 AM GMT.

This standardized approach ensures uniform alert timing and helps users manage expirations accurately, no matter their location.

8.0 Appendix

This section describes the Splunk Server configuration steps with corresponding screenshots:

If you are using an HTTPS connection, update the Global Settings as follows:

  • Select the Enable SSL check box.

  • Select the Default Source Type as dsm_audit.


    Figure 7: Enable SSL

  • Note the Management Port Number on the Splunk server; this is the port used when obtaining the Custom CA Certificate.


    Figure 8: Management Port Number

  • Ensure that the Index value in the Fortanix DSM Splunk Log Management Integration form matches the Default Index value in Splunk.


    Figure 9: Fortanix DSM System Events