1.0 Introduction
Fortanix Armor automatically maintains an internal audit log of system operations across Armor and its solutions, such as Fortanix Key Insight and Fortanix Confidential Computing Manager (CCM), as well as actions related to all Fortanix Armor accounts, users, and sessions.
This article describes the steps to configure a Fortanix Armor account to send these audit log entries to an external logging system.
2.0 Audit Logging in Fortanix Armor
NOTE
Only users with the Account Administrator role can configure integrations between Fortanix Armor and external logging systems.
The maximum number of external logging integrations that can be configured for a Fortanix Armor account is five.
2.1 Log Management
Fortanix Armor supports integration with the following external logging systems:
Splunk
Azure Log Analytics
Syslog
Perform the following steps to configure a logging integration in the Fortanix Armor user interface (UI):
Navigate to an Armor account and click the MANAGE ACCOUNT drop-down menu in the top-right corner of the page.
In the Account Log Management section, click MANAGE INTEGRATIONS.
On the Log management page, configure one of the integrations below to access all system activity and user login logs.
2.2 Sending Audit Logs to Splunk
You can configure Fortanix Armor to send audit log entries to a Splunk server using the HTTP Event Collector (HEC).
Perform the following steps to configure logging events to Splunk:
On the Log management page, click Splunk → INTEGRATE.
In the Add Splunk integration form:
Enter the IP Address or the hostname of your Splunk server.
Select Enable HTTPS to communicate with the Splunk server over HTTPS (recommended) and also select the Enable SSL check box in the Splunk Global Settings. Refer to Section 3.0: Appendix for the screenshot.
NOTE
If you are using an HTTP connection, then clear the Enable HTTPS check box in the Add Splunk Integration form and also clear the Enable SSL check box in the Splunk Global Settings. Refer to Section 3.0: Appendix for the screenshot.
Depending on the type of TLS certificate the Splunk server is using:
Select Global root CAs if you are using a certificate that is signed by a well-known public CA.
Select Custom CA certificate if you, as an enterprise, want to self-sign the certificate using your own internal CA. To do this, upload the CA certificate using UPLOAD A FILE. When Fortanix Armor, as a client, connects to the Splunk server and is presented with the server’s certificate, it will be able to validate it using the enrolled custom CA Certificate. To generate the CA certificate, run the following command:
openssl s_client -connect <endpoint/ipaddress>:port -showcerts
Where,
ipaddress: This is the IP address of the Splunk server.
port: This is the value of the Management port, under Server settings → General settings in the Splunk Server. Refer to Section 3.0: Appendix for the screenshot.
If the Custom CA Certificate has a Common Name (CN) that does not match the server on which Splunk is deployed, clear the Enforce hostname matching check box for Validate hostname, which prompts Fortanix Armor to ignore the hostname of the Splunk deployment instance. Only the certificate chain will be validated in this case.
The default Splunk service port number is 80. If you are running on a different port, add the applicable port number. If you enable HTTPS in Step a, then the default port number is 443.
Add the name of the Splunk index in the Splunk Index field to submit events. The index value should be the same as the index in Splunk. Refer to Section 3.0: Appendix for the screenshot. When you push the logs to Splunk, you need to push them to a specific index. This value is sent to the Splunk server and can be set to whatever you like. This will allow distinguishing logs from different sources. For example, the logs from Fortanix Armor can be pushed to the Index source name fortanix_cloud.
Enter a valid Authentication token to authenticate to the HTTP Event Collector of your Splunk instance. The Authentication token will authenticate Fortanix Armor as a client to Splunk and allow it to push the events to Splunk. For more information on how to generate HEC authentication tokens, refer to the official Splunk documentation.
NOTE
For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.
Click INTEGRATE to save the Splunk integration.
2.3 Sending Audit Logs to Azure Log Analytics
You can configure Fortanix Armor to send audit log entries to Azure Log Analytics in the Azure Portal to write log queries and interactively analyze the Fortanix Armor log data.
Perform the following steps to configure logging events to Azure Log Analytics:
On the Log management page, click Azure Log Analytics → INTEGRATE.
In the Add Azure Log Analytics integration form:
Enter the Workspace ID, which is the Log Analytics workspace in the Azure portal. It is a GUID to identify the specific log analytics workspace in the Azure cloud. For more information on creating a log-analytics workspace, refer to Create a Log Analytics workspace. To get the Workspace ID after you create a log-analytics workspace:
In the log analytics workspace, click the Agents management tab to see the Workspace ID.

Figure 1: Workspace ID
The Custom Log Type is set to “fortanix_audit_v1_CL” for all event logs published to the Azure log collector from Fortanix services. This field is set in the HTTP POST request header of all the logs published to the Azure log collector, and it is therefore used to query logs from Fortanix services in the Azure Log Analytics Workspace. For more information, refer to Use queries in Log Analytics.
Figure 2: Armor Event Log Query
Click ADD PRIMARY SHARED KEY to add a shared key. Any request to the Azure Monitor HTTP Data Collector API must include an authorization header. Each event log posted to Azure log analytics workspace from the logging service is authenticated by the log monitor service in Azure by validating the request and checking whether it is signed with either the primary or the secondary key for the workspace that is making the request. To get the Primary Shared Key:
In the log analytics workspace, click the Agents management menu item to see the Primary key. The Primary key of the Azure Log Analytics workspace is referred to as shared_key.
Figure 3: Primary Shared Key
Click INTEGRATE to save the Azure Log Analytics integration.
NOTE
For security reasons, the Primary Shared Key is not displayed in the interface when editing an existing shared key.
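The authorization check described in the shared key step, as an added example (not Fortanix or Microsoft code): the Azure Monitor HTTP Data Collector API signature is an HMAC-SHA256 over the method, content length, content type, x-ms-date and /api/logs, keyed with the workspace shared key. The workspace ID, keys, date and body are constructed sample values, and verify_request is a hypothetical model of the receiving side.

```python
import base64
import hashlib
import hmac

RESOURCE = "/api/logs"             # Data Collector API resource path
CONTENT_TYPE = "application/json"


def build_signature(shared_key_b64, date_rfc1123, content_length, method="POST"):
    """Base64 HMAC-SHA256 over the API's string-to-sign, keyed with the shared key."""
    string_to_sign = (
        f"{method}\n{content_length}\n{CONTENT_TYPE}\n"
        f"x-ms-date:{date_rfc1123}\n{RESOURCE}"
    )
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(workspace_id, shared_key_b64, date_rfc1123, body):
    """Value of the Authorization header the sender attaches to the POST."""
    sig = build_signature(shared_key_b64, date_rfc1123, len(body))
    return f"SharedKey {workspace_id}:{sig}"


def verify_request(header, workspace_id, date_rfc1123, body, workspace_keys):
    """Hypothetical receiver check: accept a signature made with any workspace key."""
    scheme, _, rest = header.partition(" ")
    ws, _, presented = rest.partition(":")
    if scheme != "SharedKey" or ws != workspace_id:
        return False
    return any(
        hmac.compare_digest(presented, build_signature(k, date_rfc1123, len(body)))
        for k in workspace_keys
    )


# Constructed sample values (not real credentials or real audit events).
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PRIMARY_KEY = base64.b64encode(b"constructed-primary-key-material").decode()
SECONDARY_KEY = base64.b64encode(b"constructed-secondary-key-bytes!").decode()
DATE = "Mon, 01 Jan 2024 00:00:00 GMT"
BODY = b'[{"action": "constructed sample audit event"}]'

if __name__ == "__main__":
    hdr = authorization_header(WORKSPACE_ID, PRIMARY_KEY, DATE, BODY)
    print(hdr)
    print(verify_request(hdr, WORKSPACE_ID, DATE, BODY, [PRIMARY_KEY, SECONDARY_KEY]))
```

The string-to-sign carries only the body length, not the body bytes, so the signature authenticates the sender while payload integrity in transit rests on HTTPS.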
2.3.1 References
Create log-analytics workspace: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace. In the URL refer to the section: Create a workspace.
Create log-analytics workspace using CLI: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace-cli. In the URL refer to the sections: Prerequisites and Create a workspace.
Monitoring logs: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview.
Querying logs: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/queries.
2.4 Sending Audit Logs to Syslog
You can configure Fortanix Armor to send audit log entries to the Syslog server.
Perform the following steps to configure logging events to a Syslog server:
On the Log management page, click SysLogs → INTEGRATE.
In the Add SysLogs integration form:
Enter the Hostname or IP address of your Syslog server.
You can communicate with a Syslog server either over a non-secure connection or a secure connection using TLS. Depending on the type of TLS certificate that the Syslog server is using:
Select Global root CAs, if you are using a certificate that is signed by a well-known public CA.
Select Custom CA certificate if you, as an enterprise, want to self-sign the certificate using your own internal CA. To do this, upload the CA certificate using UPLOAD A FILE. When Fortanix Armor, as a client, connects to the Syslog server and is presented with the server’s certificate, it will be able to validate it using the enrolled custom CA Certificate.
In case the Custom CA Certificate has a Common Name (CN) that does not match the server on which Syslog is deployed, clear the Enforce hostname matching check box for Validate hostname, which prompts Fortanix Armor to ignore the hostname of the Syslog deployment instance. Only the certificate chain will be validated in this case.
The default Syslog service port number is TCP 514, at which the server must listen for Syslog messages. If you are running on a different port, change to the applicable port number.
When you log an event in Syslog, you can choose to log it in different facilities. This allows you to filter your log for a specific facility. The facilities appearing in the Facility list are well-defined facilities in the Syslog protocol. For example, User, Local0, Local1, and so on. You can configure the Fortanix Armor system to use the Local0 facility, for instance. This will help in filtering logs from a particular appliance using a facility.
Click INTEGRATE to save the Syslog integration.
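Facility filtering on the receiving Syslog server, as an added example (not Fortanix code): the facility is encoded in the PRI value at the start of each message as facility × 8 + severity, so Local0 messages carry PRI 128 to 135. The sample lines are constructed and do not reproduce the Fortanix Armor message format; the facility short names are the example's own labels.

```python
import re

# Facility codes 0-23 as numbered in the Syslog protocol; 16-23 are local0-local7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                  # highest valid PRI: local7 (23) * 8 + debug (7)
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def filter_facility(lines, facility):
    """Keep only the lines whose PRI decodes to the requested facility."""
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is not None and decoded[0] == facility:
            kept.append(line)
    return kept


# Constructed sample lines (hostnames and messages are illustrative only).
SAMPLE_LINES = [
    "<134>1 2024-01-01T00:00:00Z armor.example.test audit - - - constructed login event",
    "<14>1 2024-01-01T00:00:01Z host.example.test app - - - constructed user-facility event",
    "<142>1 2024-01-01T00:00:02Z other.example.test app - - - constructed local1 event",
    "<131>1 2024-01-01T00:00:03Z armor.example.test audit - - - constructed error event",
    "no PRI header, constructed malformed line",
    "<999>constructed out-of-range PRI",
]

if __name__ == "__main__":
    for line in filter_facility(SAMPLE_LINES, "local0"):
        print(decode_pri(line), line)
```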
3.0 Appendix
Following are the Splunk Server screenshots:
If you are using an HTTPS connection, then select the Enable SSL check box below in the Global Settings.

Figure 4: Enable SSL
Port number on the Splunk server used for generating Custom CA Certificate.

Figure 5: Management Port Number
The index value in the Fortanix Armor Splunk Log Management Integration form should be the same as the Default Index value.

Figure 6: Index Value of the Splunk Server