1.0 Introduction
This article describes the system level log management settings that are configured by the Fortanix-Data-Security-Manager (DSM) system administrator.
The settings configured here are applicable to every object of the entire cluster.
The Fortanix DSM supports policies that can be set on the cluster that restrict what kind of operations can be permitted on accounts.
2.0 Log Management
Fortanix DSM automatically maintains an internal audit log of system operations. You can configure Fortanix DSM to send these audit log entries to an external logging system. This section illustrates how to log invalid API requests and send Fortanix DSM audit logs to the Syslog server.
Navigate to System Administration → Settings → LOG MANAGEMENT tab.
.png?sv=2022-11-02&spr=https&st=2025-06-04T04%3A43%3A41Z&se=2025-06-04T04%3A55%3A41Z&sr=c&sp=r&sig=T7ZwENlZMzacOsx4iUjJ8xHaKYWoeQXO6geVb4UX4%2BE%3D)
Figure 1: Log management page
2.1 Setting Retention Policy for Audit Logs
Perform the following steps to set the retention policy for the audit logs:
In the Log management page, click EDIT to set Retention period for Audit Logs.
Figure 2: Retention period for audit logs
Update the retention period as required. Select the Keep log entries forever option or specify a future date to retain the audit logs permanently.
Figure 3: Update the retention period
Click SAVE to save the configuration.
2.2 Log Invalid API Requests
Applications may sometimes send invalid API requests that result in 4XX errors, such as a 400 (Bad Request) error. To help debug these errors, Fortanix DSM logs them through the LOG MANAGEMENT feature.
To do this, enable the Logging invalid API requests toggle in the Log management page.
.png?sv=2022-11-02&spr=https&st=2025-06-04T04%3A43%3A41Z&se=2025-06-04T04%3A55%3A41Z&sr=c&sp=r&sig=T7ZwENlZMzacOsx4iUjJ8xHaKYWoeQXO6geVb4UX4%2BE%3D)
Figure 4: Logging invalid API requests
2.3 Sending Audit Logs to Syslog
Perform the following steps to configure Fortanix DSM to send audit log entries to the Syslog server:
In the Custom Log Management Integrations section, click the ADD CONFIGURATION button for Syslog.
On the Log management form, enter the following details:
Host: Enter the hostname or IP address of your Syslog server.
Enable TLS: Select this check box to communicate with the Syslog server over a secure connection using TLS. Depending on the type of TLS certificate that the Syslog server is using.
Host validation: When TLS is enabled, Fortanix DSM also validates the Syslog server hostname against the certificate. To disable this, clear the Validate host check box.
Validate certificate:
If you are using a certificate signed by a well-known public CA, select Global Root CAs.
If your organization uses a self-signed certificate issued by an internal Certificate Authority (CA), select Custom CA Certificate. Click UPLOAD A FILE to upload your CA certificate. When Fortanix DSM, acting as a client, connects to the Syslog server and receives the server’s certificate, it validates the certificate using the uploaded custom CA certificate.
Post (TCP): The default port for the Syslog server is 514. If you are using a different port, update the configuration accordingly.
Facility: When you log an event in Syslog, you can choose to log it in different facilities. Use this setting to filter logs by a specific facility, such as User, Local0, Local1, and others that are well-defined in the Syslog protocol. For example, configure Fortanix DSM to use the Local0 facility to easily filter logs from a specific appliance.
Figure 5: Fill syslog integration form
Click SAVE to save the configuration.