User's Guide: Logging

Introduction

This article describes how to integrate Fortanix Confidential Computing Manager (CCM) with external logging systems.

Fortanix CCM automatically maintains an internal audit log of system operations from different applications and services, and actions related to accounts, users, and sessions.

The following events are logged:

  • App Created
  • App Updated
  • App Updation Failed
  • App Deleted
  • App Certificate Downloaded
  • App Creation Failed
  • Node Enrolled
  • Node Attested
  • Node Attestation Failed
  • Node Enrollment Failed
  • Node Deactivated
  • Node Certificate Downloaded
  • Approve Domain
  • Decline Domain
  • Approve Image
  • Decline Image
  • Create Image
  • Delete Image
  • Image Conversion Succeeded
  • Image Conversion Failed
  • Certificate Requested by Application
  • Create Registry
  • Delete Registry
  • Update Registry

You can configure Fortanix CCM to send these audit log entries to an external logging system. In this article you will learn how to send Fortanix CCM audit logs to the following external logging systems:

  • Splunk
  • Azure Log Analytics
  • Syslog Server

Audit Logging in Confidential Computing Manager

NOTE
Only an Account Administrator can set up integration with external logging systems.

Log Management

Currently, Fortanix CCM supports the following logging systems:

  • Splunk
  • Azure Log Analytics
  • Syslog

To integrate with the above logging systems, click the Settings tab in the left pane of the Fortanix CCM UI, and then click Log Management. This gives you three integration options: Splunk, Azure Log Analytics, and Syslog. More than one integration can be active at the same time; Fortanix CCM pushes logs to every logging facility that is configured.

Figure 1: Log management

Sending Audit Logs to Splunk

You can configure Fortanix CCM to send audit log entries to a Splunk server using the HTTP Event Collector (HEC).

To configure logging events to Splunk,

  1. Click the Settings icon in the Fortanix CCM UI.
  2. Click the Log Management tab from the left panel.
  3. In the Custom Log Management Integrations section, click the ADD INTEGRATION button for Splunk.
    Figure 2: Add Splunk Integration
  4. Configuring a Splunk integration requires the following information:
    1. Enter the IP Address or the hostname of your Splunk server.
      1. Select Enable HTTPS to communicate with the Splunk server over HTTPS (recommended) and also select the Enable SSL checkbox in the Splunk Global Settings. Refer to the Appendix for the screenshot.
        NOTE
        If you are using an HTTP connection, then clear the Enable HTTPS checkbox in the Fortanix CCM Log Management screen and also clear the Enable SSL checkbox in the Splunk Global Settings. Refer to the Appendix for the screenshot.
        Depending on the type of TLS certificate the Splunk server is using:
      2. Select Global Root CAs if you are using a certificate that is signed by a well-known public CA.
      3. Select Custom CA Certificate if, as an enterprise, you sign the server certificate with your own internal CA. To do this, upload the CA certificate using the UPLOAD A FILE button. When Fortanix CCM, as a client, connects to the Splunk server and is presented with the server's certificate, it validates that certificate using the enrolled custom CA certificate. To retrieve the certificate chain that the Splunk server presents (which includes the CA certificate), run the following command:
        openssl s_client -connect <endpoint/ipaddress>:<port> -showcerts
        Where,
        • ipaddress: is the IP address of the Splunk server.
        • port: is the value of the Management port, under Server settings->General settings in the Splunk Server. Refer to the Appendix for the screenshot.
        Note that openssl s_client prints whatever chain the server sends and does not itself verify it; before uploading, confirm that the CA certificate shown is the one issued by your internal CA (for example, by comparing its fingerprint with the copy held by the CA operator).
      4. If the Custom CA Certificate has a Common Name (CN) that does not match the server on which Splunk is deployed, clear the Validate Hostname checkbox. This prompts Fortanix CCM to ignore the hostname of the Splunk deployment instance; only the certificate chain is validated in this case.
    2. The default Port number is 80. If you are running on a different port, enter the applicable port number. If you enabled HTTPS in the step above, the default port number is 443.
    3. Enter the name of the Splunk index in the Index field to submit events to. The index value must be the same as an index that exists in Splunk. Refer to the Appendix for the screenshot. When you push logs to Splunk, you push them to a specific index. This value is sent to the Splunk server and can be any index name you choose, which allows you to distinguish logs from different sources. For example, the logs from Fortanix CCM can be pushed to the index named fortanix_cloud.
    4. Enter a valid Authentication token to authenticate to the HTTP Event Collector of your Splunk instance. The Authentication token authenticates Fortanix CCM as a client to Splunk and allows it to push events to Splunk. See the Splunk documentation for details about generating HEC authentication tokens.
      Figure 3: Splunk Log Management Integration Form
      NOTE
      For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.
  5. Click SAVE CHANGES to save the Splunk integration.
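The following Python is an added example, not Fortanix code: it assembles the same pieces the Splunk form collects (scheme, host, port, index, HEC token) into one HEC request, and builds a TLS client context that mirrors the Global Root CAs / Custom CA Certificate / Validate Hostname choices. The HEC endpoint path and the "Authorization: Splunk <token>" header are Splunk's documented HEC conventions; the sourcetype name and the sample event are constructed.

```python
import json
import ssl
from typing import Optional

HEC_EVENT_PATH = "/services/collector/event"  # Splunk HEC event endpoint


def build_hec_request(host: str, port: int, https: bool, index: str,
                      token: str, event: dict) -> dict:
    """URL, headers and JSON body for one audit event. The index travels in
    the payload; the token goes in the Authorization header, which is why the
    UI never redisplays it."""
    scheme = "https" if https else "http"
    payload = {"event": event, "index": index,
               "sourcetype": "fortanix:ccm:audit"}  # hypothetical sourcetype
    return {
        "url": f"{scheme}://{host}:{port}{HEC_EVENT_PATH}",
        "headers": {"Authorization": f"Splunk {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


def make_tls_context(custom_ca_file: Optional[str],
                     validate_hostname: bool) -> ssl.SSLContext:
    """The form's TLS choices: Global Root CAs (system trust store) versus a
    Custom CA Certificate file, plus Validate Hostname. The chain is always
    verified; clearing Validate Hostname only skips the CN/SAN match."""
    if custom_ca_file:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # trusts only that CA
        ctx.load_verify_locations(cafile=custom_ca_file)
    else:
        ctx = ssl.create_default_context()
    ctx.check_hostname = validate_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample: one of the audit events listed at the top of the page.
SAMPLE_EVENT = {"event_type": "App Created", "app_name": "demo-app",
                "actor": "admin@example.com"}

if __name__ == "__main__":
    req = build_hec_request("splunk.example.com", 443, True, "fortanix_cloud",
                            "<HEC-TOKEN-PLACEHOLDER>", SAMPLE_EVENT)
    print(req["url"], "->", req["body"])
```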

Sending Audit Logs to Azure Log Analytics

You can configure Fortanix CCM to send audit log entries to Azure Log Analytics in the Azure Portal to write log queries and interactively analyze the Fortanix CCM log data.

To configure logging events to the Azure Log Analytics, in the Custom Log Management Integrations section, click the ADD INTEGRATION button for Azure Log Analytics.

Figure 4: Add integration for Azure Log Analytics

  1. Configuring an Azure Log Analytics integration requires the following information:
    1. Enter the Workspace ID, which identifies the Log Analytics workspace in the Azure portal. It is a GUID that identifies the specific Log Analytics workspace in the Azure cloud. To create a Log Analytics workspace, refer to https://docs.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace. To get the Workspace ID after you create a Log Analytics workspace:
      1. In the Log Analytics workspace, click the Agents management tab to see the Workspace ID.
    Figure 5: Workspace ID
  2. The Custom Log Type is set to “fortanix_audit_v1_CL” for all event logs published to the Azure log collector from Fortanix services. This field is set in the HTTP POST request header of all logs published to the Azure log collector, and it is therefore used to query logs from Fortanix services in the Azure Log Analytics workspace. For more details, refer to https://docs.microsoft.com/en-us/azure/azure-monitor/logs/queries.
    Figure 6: CCM event log query
  3. Click ADD PRIMARY SHARED KEY to add a shared key. Any request to the Azure Monitor HTTP Data Collector API must include an authorization header. Each event log posted to the Azure Log Analytics workspace from the logging service is authenticated by the Log Monitor service in Azure, which validates the request and checks whether it is signed with either the primary or the secondary key of the workspace making the request. To get the Primary Shared Key:
    1. In the Log Analytics workspace, click the Agents management tab to see the Primary key. The Primary key of the Log Analytics workspace is referred to as shared_key.
      Figure 7: Primary shared key
    Figure 8: Configure Azure Log Analytics
    Figure 9: Add primary shared key
    NOTE
    For security reasons, the Primary Shared Key is not displayed in the interface when editing an existing shared key.
  4. Click SAVE CHANGES to save the Azure Log Analytics integration.
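As an added example (not Fortanix code), the Python below builds the signed HTTP Data Collector API request that step 3 describes, and shows the check the collector performs with the primary or secondary key. The SharedKey/HMAC-SHA256 scheme, the x-ms-date header and the /api/logs resource are the documented Data Collector API conventions; the workspace ID and both keys are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

API_RESOURCE = "/api/logs"
# Constructed sample values; the real Workspace ID (a GUID) and the base64
# Primary/Secondary keys come from the Agents management tab in the portal.
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_PRIMARY_KEY = base64.b64encode(b"constructed sample primary key").decode()
SAMPLE_SECONDARY_KEY = base64.b64encode(b"constructed sample secondary key").decode()


def build_authorization(workspace_id: str, shared_key_b64: str,
                        rfc1123_date: str, content_length: int) -> str:
    """Authorization header: HMAC-SHA256 over method, body length, content
    type, x-ms-date and resource path, keyed with the base64-decoded key."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n{API_RESOURCE}")
    mac = hmac.new(base64.b64decode(shared_key_b64),
                   string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"


def build_request(workspace_id: str, shared_key_b64: str, log_type: str,
                  events: list, when=None) -> dict:
    """Signed POST. Log-Type names the record type; Log Analytics stores it in
    a table with the _CL suffix (fortanix_audit_v1 -> fortanix_audit_v1_CL)."""
    body = json.dumps(events).encode("utf-8")
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    return {
        "url": (f"https://{workspace_id}.ods.opinsights.azure.com"
                f"{API_RESOURCE}?api-version=2016-04-01"),
        "headers": {"Content-Type": "application/json", "Log-Type": log_type,
                    "x-ms-date": rfc1123_date,
                    "Authorization": build_authorization(
                        workspace_id, shared_key_b64, rfc1123_date, len(body))},
        "body": body,
    }


def verify_request(workspace_id: str, keys_b64: list, headers: dict,
                   body: bytes) -> bool:
    """Collector-side check: recompute with the primary or secondary key and
    compare in constant time; any change to body or date breaks the MAC."""
    return any(hmac.compare_digest(build_authorization(
        workspace_id, k, headers["x-ms-date"], len(body)), headers["Authorization"])
               for k in keys_b64)
```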

Sending Audit Logs to Syslog

You can configure Fortanix CCM to send audit log entries to a Syslog server.

To configure logging events to Syslog, in the Custom Log Management Integrations section, click the ADD INTEGRATION button for Syslog.

Figure 10: Add Syslog Integration

  1. Configuring a Syslog management integration requires the following information:
    1. Enter the Hostname or IP address of your Syslog server.
    2. You can communicate with a Syslog server either over a non-secure connection or over a secure connection using TLS. Depending on the type of TLS certificate that the Syslog server is using:
      1. Select Global Root CAs if you are using a certificate that is signed by a well-known public CA.
      2. Select Custom CA Certificate if, as an enterprise, you sign the server certificate with your own internal CA. To do this, upload the CA certificate using the UPLOAD A FILE button. When Fortanix CCM, as a client, connects to the Syslog server and is presented with the server's certificate, it validates that certificate using the enrolled custom CA certificate.
    3. The default Port number is TCP 514, on which the server must listen for Syslog messages. If you are running on a different port, change it to the applicable port number.
    4. When you log an event to Syslog, you can choose to log it under one of several facilities. This allows you to filter your log for a specific facility. The facilities in the Facility list are the well-defined facilities of the Syslog protocol, for example User, Local0, Local1, and so on. You can, for instance, configure Fortanix CCM to use the Local0 facility, which lets you filter out the logs of that particular appliance by facility.
      Figure 11: Syslog Integration Form
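The facility filtering described in step 4 works because the facility is encoded in the PRI prefix of every Syslog message. The Python below is an added example, not Fortanix code: it formats an RFC 5424 line for a given facility and severity, decodes the facility back out of PRI, and filters a constructed mixed log down to the Local0 lines a CCM instance would emit.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Facility codes from the Syslog protocol (RFC 5424, section 6.2.1); the CCM
# Facility list offers these same well-defined names.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def format_syslog(facility: str, severity: str, hostname: str, appname: str,
                  msg: str, when: Optional[datetime] = None) -> str:
    """Build an RFC 5424 line. PRI = facility * 8 + severity, so local0/info
    is <134>; the receiver recovers the facility from PRI alone."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now(timezone.utc)
    ts = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {appname} - - - {msg}"


def decode_pri(line: str) -> tuple:
    """Return (facility_code, severity_code) from the PRI prefix."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"not a syslog line: {line[:20]!r}")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def filter_by_facility(lines: list, facility: str) -> list:
    """Keep only lines logged to the given facility, e.g. the Local0 facility
    assigned to Fortanix CCM, dropping lines from other senders."""
    code = FACILITIES[facility]
    return [ln for ln in lines if decode_pri(ln)[0] == code]


# Constructed sample: two CCM audit events on local0 mixed with other traffic.
SAMPLE_LINES = [
    "<134>1 2024-01-01T10:00:00Z ccm.example.com ccm - - - App Created demo-app",
    "<38>1 2024-01-01T10:00:01Z host1 sshd - - - Accepted publickey for alice",
    "<131>1 2024-01-01T10:00:02Z ccm.example.com ccm - - - Node Attestation Failed node-7",
    "<14>1 2024-01-01T10:00:03Z host1 cron - - - job finished",
]
```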

Appendix

Following are the Splunk server screenshots:

  • If you are using an HTTPS connection, select the Enable SSL check box in the Global Settings.
    Figure 12: Enable SSL
  • Port number on the Splunk server used when obtaining the Custom CA Certificate.
    Figure 13: Management Port Number
  • The Index value in the Fortanix CCM Splunk Log Management Integration form should be the same as the Default Index value.
    Figure 14: Index value of the Splunk server