See more

User's Guide: Logging

  • Last updated:
  • access_time Reading time:

1.0  Introduction: Audit Log

This article describes how to integrate Fortanix Self-Defending Key Management Service (KMS) with External logging systems. Fortanix Self-Defending KMS automatically maintains an internal audit log of system operations. You can configure Fortanix Self-Defending KMS to send these audit log entries to an external logging system. In this article you will learn how to send Fortanix Self-Defending KMS audit logs to the following external logging systems:

  • Splunk
  • Google Stackdriver
  • Syslog Server

A typical enterprise might have a requirement to collect and maintain a log of all the systems including Fortanix Self-Defending KMS in a single place. These enterprises can write rules using external logging systems such as Splunk, Google Stackdriver, and Syslog to generate actions like alerts, emails, and so on when a log or event occurs. Fortanix Self-Defending KMS supports the mechanism to push all its logs/system events to these third-party servers to enable external logging of events.

2.0  Fortanix Self-Defending KMS External Logging

NOTE
To set up integration with external logging systems, you must be an administrator of the account.

Fortanix Self-Defending KMS Audit Log

The Fortanix Self-Defending KMS external event logging is configured on a per-account basis. Logs/events of an account are not visible to another account within an enterprise. Fortanix Self-Defending KMS automatically maintains an internal audit log of system operations. To view the audit log:

  1. Click the Events tab in the Fortanix Self-Defending KMS UI.

1.1.png
                                    Figure 1: Fortanix Self-Defending KMS Audit Logging

For convenience, when viewing the details of a security object and other Fortanix Self-Defending KMS objects, the most recent audit log entries applicable to the object are shown in the right-hand pane.

2.1.png
                                                           Figure 2: Log of Security Object

Log Invalid API Requests

Sometimes applications encounter invalid API requests that lead to 4XX errors, such as 400 (bad request) type error. To debug an application against 4XX errors, the Fortanix Self-Defending KMS enables audit logging for such errors using the Log Management feature. To enable this:

  1. In the Fortanix Self-Defending KMS UI, go to LOG MANAGEMENT option in the Account Settings
  2. Enable the toggle for Logging invalid API requests. 11.png
                                                         Figure 3: Enable logging for invalid API request
     
  3. To see the 4XX logs, click the Events tab in the Fortanix Self-Defending KMS UI. 4XX_0.png
                                                            Figure 4: Event logs for 4XX error

Log Management

Currently, Fortanix Self-Defending KMS supports the following logging systems:

  • Splunk
  • Google Stackdriver
  • Syslog
NOTE
  • Only an Account Administrator in Fortanix Self-Defending KMS can add the log management integrations with Splunk, Google Stackdriver, and Syslog.
  • A System Administrator in Fortanix Self-Defending KMS will only be able to configure the Syslog integration. The Splunk and Google Stackdriver integration is not currently implemented for a system administrator (but can be supported in the future releases of Fortanix Self-Defending KMS).
      AccountAdmin.png
                        Figure 5: Account Administrator with all the permissions for log integrations
      SysAdmin.png
                       Figure 6: System Administrator with the ability to configure Syslog integration  

To integrate with the above logging systems, click the Settings tab in the Fortanix Self-Defending KMS UI left pane, and then click Log Management. It will give you three options for integration: Splunk, Google Stackdriver, and Syslog. The User can choose to have more than one integration active at the same time. So, logs will be pushed to all the systems that are configured in parallel.

3.1.png
                                                                Figure 7: Log Management

Sending Audit Logs to Splunk

You can configure Fortanix Self-Defending KMS to send audit log entries to a Splunk server via the HTTP Event Collector (HEC).

 To configure logging events to Splunk,

  1. Click the Settings icon in the Fortanix Self-Defending KMS UI.
  2. Click the Log Management tab from the left panel.
  3. In the Custom Log Management Integrations section, click the Add Integration button for Splunk. 4.1.png
                                                             Figure 8: Add Splunk Integration
  4. Configuring a Splunk integration requires the following information:
    1. Enter the IP Address or the hostname of your Splunk server.
      1. Select Enable HTTPS to communicate with the Splunk server over HTTPS (recommended) and also select the Enable SSL checkbox in the Splunk Global Settings. Refer to the Appendix for the screenshot. 
        NOTE
        If you are using an HTTP connection, then clear the Enable HTTPS checkbox in the Fortanix Self-Defending KMS Log Management screen and also clear the Enable SSL checkbox in the Splunk Global Settings. Refer to the Appendix for the screenshot.
        Depending on the type of TLS certificate the Splunk server is using:
         
      2. Select Global Root CAs if you are using a certificate that is signed by a well-known public CA.
      3. Select Custom CA Certificate, if you as an enterprise want to self-sign the certificate using your own internal CA. To do this, upload the CA certificate using the UPLOAD A FILE button. When Fortanix Self-Defending KMS as a client connects to the Splunk server and is presented the server’s certificate, it will be able to validate it using the enrolled custom CA Certificate. To generate the CA certificate, run the following command: 
         openssl s_client -connect <endoint/ipaddress>:port -showcerts
        Where,
        • ipaddress: is the IP address of the Splunk server.
        • port: is the value of the Management port, under Server settings->General settings in the Splunk Server. Refer to the Appendix for the screenshot.
      4. In case the Custom CA Certificate has a Common Name (CN) that does not match with the server in which Splunk is deployed, clear the Validate Hostname checkbox which prompts Fortanix Self-Defending KMS to ignore the hostname of the Splunk deployment instance. Only the certificate chain will be validated in this case.
    2. The default Port number is 80. If you are running on a different port, add the applicable port number. If you enable HTTPS in "Step a" above, then the default port number is 443.
    3. Add the name of the Splunk index in the Index field to submit events. The index value should be the same as the index in Splunk. Refer to the Appendix for the screenshot. When you push the logs to Splunk, you need to push it to a specific index. This value is sent to the Splunk server and can be set to whatever you like. This will allow distinguishing logs from different sources. For example, the logs from Fortanix Self-Defending KMS can be pushed to the Index source name SDKMS.
    4. Enter a valid Authentication token to authenticate to the HTTP Event Collector of your Splunk instance. The Authentication token will authenticate Fortanix Self-Defending KMS as a client to Splunk and allows it to push the events to Splunk. See the Splunk documentation for detail about generating HEC authentication tokens.  Splunk.png
                                             Figure 9: Splunk Log Management Integration Form
       
      NOTE
      For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.
    5.  
  5. Click ADD INTEGRATION to save the Splunk integration.

Sending Audit Logs to Google Stackdriver

You can configure Fortanix Self-Defending KMS to send audit log entries to Google Stackdriver.

  1. To configure logging events to Google Stackdriver, in the Custom Log Management Integrations section, click the Add Integration button for Google Stackdriver. 6.1.png
                                                       Figure 10: Add google Stackdriver Integration
     
    1. Log ID is the ID of the log to write to. Log ID must be a URL-encoded within the Log Name. Log Name is the resource name of the log to which this log entry belongs. For example, organizations/1234567890/logs/cloudresourcemanager.googleapis.com%2Factivity
      For more information, see Google Stackdriver reference URL.
    2. Upload Service account key or configuration file. To connect to the Google Stackdriver, you will need a configuration file that contains the Service account key and other information. Upload this configuration file using the UPLOAD A FILE button. 7.1.png
                                       Figure 11: Google Stackdriver Log Management Integration Form

Sending Audit Logs to Syslog

You can configure Fortanix Self-Defending KMS to send audit log entries to the Syslog server.

To configure logging events to Syslog, in the Custom Log Management Integrations section, click the ADD INTEGRATION button for Syslog.

8.1.png
                                                                    Figure 12: Add Syslog Integration

  1. Configuring a Syslog management integration requires the following information:
    1. Select Global Root CAs, if you are using a certificate that is signed by a well-known public CA.
    2. Select Custom CA Certificate, if you as an enterprise want to self-sign the certificate using your own internal CA. To do this, upload the CA certificate using the UPLOAD A FILE button. When Fortanix Self-Defending KMS as a client connects to the Syslog server and is presented with the server’s certificate, it will be able to validate it using the enrolled custom CA Certificate.
    1. Enter the Host name or IP address of your Syslog server.
    2. You can communicate with a Syslog server either over a non-secure connection or a secure connection using TLS. Depending on the type of TLS certificate that the Syslog server is using,
    3. The default Port number is 514 at which the server must listen for Syslog messages. If you are running on a different port, change to the applicable port number.
    4. When you log an event in Syslog, you can choose to log it in different facilities. This allows you to filter your log for a specific facility. The facilities appearing in the Facility list are well-defined facilities in the Syslog protocol. For example: User, Local0, Local1, and so on. You can configure the Fortanix Self-Defending KMS system to use Local0 facility for instance. This will help in filtering logs from a particular appliance using a facility. 9.png
                                                     Figure 13: Syslog Integration Form

Log Structure

A system event in Fortanix Self-Defending KMS generates a log that has the following components:

  1. Log Severity – Severity of the message (Critical issues, Errors, Warnings, and Info). As of today, the backend for Logging only supports the Severities – “Info” and “Errors”. A severity is logged as “Error” when logging requests have failed for some reason such as client error or internal server error. For all the other cases where the audit logs describe crypto operations, object updates and so on the severity is logged as “Info”.
  2. Groups – The Fortanix Self-Defending KMS group that the event belongs to.
  3. IP-Address – This is the IP address of the client/user whose request triggered the log message. The client IP is recorded whenever it is available. For some logs, the IP-Address field might appear empty due to one of the following reasons:
    • When Kubernetes is used for load balancing instead of an external load balancer, the Kubernetes reroutes requests and does not preserve the original client IP address. This is something Fortanix will address in the future.
    • Since this was a new field introduced recently the older logs would have the IP_Address field empty.
  4. Apps/Users – The log message can be a user event or application event.
  5. Time – Timestamp of when the event occurred.
  6. Type – Type of event (Administrative, Auth, and Crypto Operations).
    • Administrative - Operations that users can perform such as generating/importing/updating/deleting keys and other objects are classified as “Administrative” events.
    • Crypto Operation – Operations such as encryption/decryption/signing/ and so on are classified as “Crypto Operation” events.
    • Auth – Operations such as logging in or logging out, applications authenticating to get a session, or terminating their session are classified as “Auth” events.

When a log is pushed to a third-party external logging system, the log structure with all the log components above are sent to the server.

Log_Structure.png
                                                 Figure 14: Fortanix Self-Defending KMS System Events

The format of a message logged on any external logging system is as follows:

<message string> acct_id=<corresponding account id> groups=[corresponding group ids] actor=<Actor type>:<Actor Id> obj=<Object Id> action=<Action Type>

Where,

  • All the ids are UUID of the respective object
  • Actor types can be User or App
  • Action types can be Administrative, Auth, or Crypto Operation

For Example,

User "bob@company.com" created key "key_test" acct_id=8fb9b132-0b68-4d33-aba2-f1f9db3ab0e9 groups=[5f1d12e9-614a-4f5b-a4ed-837d9fb001b8] actor=User:9dbd5192-ee09-46f6-89fd-812e96863aa4 obj=3da3bf54-610b-4e89-816d-d4931f59f102 action=CRYPTOOPERATION
NOTE
Time and severity are set based on the logging system and they are not included in the actual message logged.

Appendix

Following are the Splunk Server screenshots-

  • If you are using an HTTPS connection, then select the Enable SSL check box below in the Global Settings. Sp1.png
                                                            Figure 15: Enable SSL
  • Port number on the Splunk server used for generating Custom CA Certificate.
    Sp2.png
                                                       Figure 16: Management Port Number
  • The index value in the Fortanix Self-Defending KMS Splunk Log Management Integration form should be the same as the Default Index value.
    Sp3.png
                                              Figure 17: Fortanix Self-Defending KMS System Events