1.0 Introduction: Audit Log
This article describes how to integrate Fortanix Self-Defending Key Management Service (SDKMS) with external logging systems. SDKMS automatically maintains an internal audit log of system operations. You can configure SDKMS to send these audit log entries to an external logging system. In this article you will learn how to send SDKMS audit logs to the following external logging systems:
- Google Stackdriver
- Syslog Server
A typical enterprise might have a requirement to collect and maintain a log of all the systems including SDKMS in a single place. These enterprises can write rules using external logging systems such as Splunk, Google Stackdriver, and Syslog to generate actions like alerts, emails and so on when a log or event occurs. SDKMS supports the mechanism to push all its logs/system events to these third-party servers to enable external logging of events.
2.0 SDKMS External Logging
NOTE: To set up integration with external logging systems, you must be an administrator of the account.
SDKMS Audit Log
The SDKMS external event logging is configured on a per-account basis. Logs/events of one account are not visible to another account within an enterprise. SDKMS automatically maintains an internal audit log of system operations. To view the audit log:
- Click the Events tab in the SDKMS UI.
For convenience, when viewing the details of a security object and other SDKMS objects, the most recent audit log entries applicable to the object are shown in the right-hand pane.
Currently, SDKMS supports the following logging systems:
- Google Stackdriver
To integrate with the above logging systems, click the Settings tab in the SDKMS UI left pane, and then click Log Management. It gives you three options for integration: Splunk, Google Stackdriver and Syslog. You can have more than one integration active at the same time; logs are then pushed to all configured systems in parallel.
Sending audit logs to Splunk
You can configure SDKMS to send audit log entries to a Splunk server via the HTTP Event Collector (HEC).
To configure logging events to Splunk,
- Click the Settings icon in the SDKMS UI.
- Click the Log Management tab from the left panel.
- In the Custom Log Management Integrations section, click the Add Integration button for Splunk.
- Configuring a Splunk integration requires the following information:
- Enter the IP Address or the hostname of your Splunk server.
- Select Enable HTTPS to communicate with the Splunk server over HTTPS (recommended). Depending on the type of TLS certificate the Splunk server is using,
- Select Global Root CAs if you are using a certificate that is signed by a well-known public CA.
- Select Custom CA Certificate if the Splunk server's certificate is signed by your own internal (enterprise) CA. To do this, upload the CA certificate using the UPLOAD A FILE button. When SDKMS, as a client, connects to the Splunk server and is presented with the server's certificate, it validates that certificate against the enrolled custom CA certificate.
- The default Port number is 80. If you are running on a different port, enter the applicable port number. If you enabled HTTPS in the step above, the default port number is 443.
- Add the name of the Splunk index in the Index field to submit events. When you push logs to Splunk, you must push them to a specific index. This value is sent to the Splunk server and can be set to whatever you like; it allows you to distinguish logs from different sources. For example, the logs from SDKMS can be pushed to an index named SDKMS.
- Enter a valid Authentication token to authenticate to the HTTP Event Collector of your Splunk instance. The Authentication token will authenticate SDKMS as a client to Splunk and allows it to push the events to Splunk. See the Splunk documentation for detail about generating HEC authentication tokens. NOTE: For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.
- Click SAVE CHANGES to save the Splunk integration.
Sending audit logs to Google Stackdriver
You can configure SDKMS to send audit log entries to Google Stackdriver.
- To configure logging events to Google Stackdriver, in the Custom Log Management Integrations section, click the Add Integration button for Google Stackdriver.
- Log ID is the ID of the log to write to. The Log ID must be URL-encoded within the Log Name. Log Name is the resource name of the log to which this log entry belongs. For example, organizations/1234567890/logs/cloudresourcemanager.googleapis.com%2Factivity
For more information, see Google Stackdriver reference URL.
- Upload Service account key or configuration file. To connect to the Google Stackdriver, you will need a configuration file that contains the Service account key and other information. Upload this configuration file using the UPLOAD A FILE button.
Sending Audit Logs to Syslog
You can configure SDKMS to send audit log entries to a Syslog server.
To configure logging events to Syslog, in the Custom Log Management Integrations section, click the ADD INTEGRATION button for Syslog.
- Configuring a Syslog management integration requires the following information:
- Enter the Host name or IP address of your Syslog server.
- You can communicate with a Syslog server either over a non-secure connection or a secure connection using TLS. Depending on the type of TLS certificate that the Syslog server is using,
- Select Global Root CAs, if you are using a certificate that is signed by a well-known public CA.
- Select Custom CA Certificate if the Syslog server's certificate is signed by your own internal (enterprise) CA. To do this, upload the CA certificate using the UPLOAD A FILE button. When SDKMS, as a client, connects to the Syslog server and is presented with the server's certificate, it validates that certificate against the enrolled custom CA certificate.
- The default Port number is 514, the port on which the server must listen for syslog messages. If you are running on a different port, change it to the applicable port number.
- When you log an event in Syslog, you can choose to log it in different facilities. This allows you to filter your log for a specific facility. The facilities appearing in the Facility list are well defined facilities in the Syslog protocol. For example: User, Local0, Local1 and so on. You can configure the SDKMS system to use Local0 facility for instance. This will help in filtering logs from a particular appliance using a facility.
A system event in SDKMS generates a log that has the following components:
- Log Severity – Severity of the message (Critical issues, Errors, Warnings and Info).
- Groups – The SDKMS group that the event belongs to.
- Apps/Users – Whether the logged event was generated by a user or by an application.
- Time – Timestamp of when the event occurred.
- Type – Type of event (Administrative, Auth and Crypto Operations).
When a log is pushed to a third-party external logging system, the log structure with all the log components above is sent to the server.
The format of a message logged on any external logging system is as follows:
<message string> acct_id=<corresponding account id> groups=[corresponding group ids] actor=<Actor type>:<Actor Id> obj=<Object Id> action=<Action Type>
- All the ids are the UUIDs of the respective objects.
- Actor types can be User or App.
- Action types can be Administrative, Auth or Crypto Operation.
User "firstname.lastname@example.org" created key "key_test" acct_id=8fb9b132-0b68-4d33-aba2-f1f9db3ab0e9 groups=[5f1d12e9-614a-4f5b-a4ed-837d9fb001b8] actor=User:9dbd5192-ee09-46f6-89fd-812e96863aa4 obj=3da3bf54-610b-4e89-816d-d4931f59f102 action=CRYPTOOPERATION
NOTE: Time and severity are set based on the logging system and they are not included in the actual message logged.
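The message format above, parsed the way a SIEM ingestion or alerting step would need to parse it. This is an added example, not Fortanix code: it assumes the exact field order shown in the format line, treats the leading free text as the message string, and rejects lines whose ids are not valid UUIDs so that truncated or malformed lines are not silently indexed with bad values.

```python
import re
import uuid
from dataclasses import dataclass
from typing import List

# Regex for the SDKMS external-log line described on this page:
#   <message string> acct_id=<uuid> groups=[uuid, ...] actor=<Type>:<uuid> obj=<uuid> action=<Action>
# The message string comes first and may contain spaces and quotes, so the
# match is anchored on the fixed key=value fields that follow it (assumed order).
LOG_RE = re.compile(
    r"^(?P<message>.*?)\s+"
    r"acct_id=(?P<acct_id>\S+)\s+"
    r"groups=\[(?P<groups>[^\]]*)\]\s+"
    r"actor=(?P<actor_type>User|App):(?P<actor_id>\S+)\s+"
    r"obj=(?P<obj>\S+)\s+"
    r"action=(?P<action>\S+)\s*$"
)

@dataclass
class SdkmsEvent:
    message: str
    acct_id: str
    groups: List[str]
    actor_type: str
    actor_id: str
    obj: str
    action: str

def _is_uuid(value: str) -> bool:
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False

def parse_sdkms_log(line: str) -> SdkmsEvent:
    """Parse one SDKMS audit line. Raises ValueError if the fixed fields are
    missing or any id (account, groups, actor, object) is not a UUID."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an SDKMS audit log line")
    groups = [g.strip() for g in m.group("groups").split(",") if g.strip()]
    bad = [i for i in [m.group("acct_id"), m.group("actor_id"), m.group("obj")] + groups
           if not _is_uuid(i)]
    if bad:
        raise ValueError(f"non-UUID id(s): {bad}")
    return SdkmsEvent(m.group("message"), m.group("acct_id"), groups, m.group("actor_type"),
                      m.group("actor_id"), m.group("obj"), m.group("action"))

# Constructed sample input, taken from the example line in this article.
SAMPLE = ('User "firstname.lastname@example.org" created key "key_test" '
          'acct_id=8fb9b132-0b68-4d33-aba2-f1f9db3ab0e9 groups=[5f1d12e9-614a-4f5b-a4ed-837d9fb001b8] '
          'actor=User:9dbd5192-ee09-46f6-89fd-812e96863aa4 obj=3da3bf54-610b-4e89-816d-d4931f59f102 '
          'action=CRYPTOOPERATION')
```

Because time and severity are not part of the message, a downstream rule has to take them from the transport (Splunk event metadata or the syslog header), not from the parsed fields.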