1.0 Introduction
This article describes the Fortanix Data Security Manager (DSM) Audit Log feature and explains how to integrate DSM with external logging systems.
Fortanix DSM automatically maintains an internal audit log that records all activities within each account, including administrative changes, cryptographic operations, and user authentication events.
In addition to the internal log, Fortanix DSM can be configured to forward audit entries to external log management systems (for example, Security Information and Event Management (SIEM) solutions, Security Orchestration, Automation, and Response (SOAR) platforms, or Extended Detection and Response (XDR) tools). This ensures that enterprise security teams have a centralized view of activity across all platforms and can apply monitoring rules, generate alerts, and trigger automated workflows based on Fortanix DSM events.
Fortanix DSM supports integration with the following external logging systems:
Splunk
Google Cloud’s operations suite
Syslog Server
Azure Log Analytics (Azure Monitor)
Most enterprises need to collect and maintain logs from all systems, including Fortanix DSM, in one place. With external logging systems such as Splunk, Google Cloud’s Operations Suite, Syslog, and Azure Log Analytics, organizations can set rules to monitor events and trigger actions such as alerts or emails. Fortanix DSM supports sending logs and system events to these platforms for centralized monitoring.
2.0 Audit Logs
Fortanix DSM maintains an internal audit log to capture all operations within an account. These logs are essential for maintaining transparency, ensuring compliance, and providing a reliable record for troubleshooting.
Fortanix DSM audit logs help you to:
Track all administrative, authentication, and cryptographic activities.
Identify who performed an action, when it was done, and which security objects were involved.
Capture the actions performed by apps.
Meet compliance requirements by keeping a secure record of all events.
Troubleshoot issues by reviewing system and application behavior.
2.1 Log Structure
A system event in Fortanix DSM generates a log that has the following components:
Severity – The logging backend currently supports the severities “Info” and “Error”. An event is logged as “Error” when the logging request fails, for example due to a client error or internal server error. All other events, including cryptographic operations and object updates, are logged as “Info”.
Groups – The Fortanix DSM group that the event belongs to.
IP Address – This is the IP address of the client/user whose request triggered the log message. The client IP is recorded whenever it is available. For some logs, the IP address field might appear empty due to one of the following reasons:
When Kubernetes is used for load balancing instead of an external load balancer, Kubernetes reroutes requests and does not preserve the original client IP address.
Because this field was introduced recently, older logs have an empty IP_Address field.
Message – Description of the action performed in the event.
Actor – The log message can be a user event or an application event.
Time – Timestamp of when the event occurred.
Type – Type of event (Administrative, Auth, and Crypto Operations).
Administrative – Operations that users can perform, such as importing, updating, or deleting a key, and creating, deleting, or updating apps, groups, and accounts, are classified as “Administrative” events.
Crypto Operation – Operations such as generating, encrypting, decrypting, signing, verifying, wrapping, unwrapping, or a key are classified as “Crypto Operation” events.
Authentication – Operations such as logging in or logging out, applications authenticating to get a session or terminating their session are classified as “Authentication” events.
Response Time – Time taken by the system to complete the request in milliseconds.
When a log is pushed to a third-party external logging system, the log structure with all the log components above is sent to the server.
The format of a message logged on any external logging system is as follows:
<message string> ip_addr=<corresponding client ip address> acct_id=<corresponding account id> groups=[corresponding group ids] actor=<Actor type>:<Actor Id> obj=<Object Id> action=<Action type>
Where,
All the ids are UUIDs of the respective object
Actor type can be a User or App
Action type can be Administrative, Auth, or Crypto Operation
For example,
User "bob@company.com" created key "key_test" ip_addr=123.123.123.123 acct_id=8fb9b132-0b68-4d33-aba2-f1f9db3ab0e9 groups=[5f1d12e9-614a-4f5b-a4ed-837d9fb001b8] actor=User:9dbd5192-ee09-46f6-89fd-812e96863aa4 obj=3da3bf54-610b-4e89-816d-d4931f59f102 action=CRYPTOOPERATION
NOTE
Time and severity are set based on the logging system and they are not included in the actual message logged.
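On the receiving side (for example, a SIEM ingest script), the message format above can be parsed as follows. This is an added example, not Fortanix code: the names parse_dsm_line and DsmEvent are hypothetical, and the group separator, the empty ip_addr rendering, and an empty obj value are assumptions, since the page does not specify them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_UUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# The message is free text and can quote user-chosen names, so the fields are
# anchored to the END of the line; the greedy message group absorbs the rest.
_LINE = re.compile(
    r"^(?P<message>.*)\s+"
    r"ip_addr=(?P<ip>\S*)\s+"                      # may be empty (see IP Address)
    rf"acct_id=(?P<acct>{_UUID})\s+"
    r"groups=\[(?P<groups>[0-9a-fA-F,\s-]*)\]\s+"  # separator is an assumption
    rf"actor=(?P<actor_type>User|App):(?P<actor_id>{_UUID})\s+"
    rf"obj=(?P<obj>{_UUID})?\s+"                   # empty obj tolerated (assumption)
    r"action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class DsmEvent:
    message: str
    ip_addr: Optional[str]
    acct_id: str
    groups: Tuple[str, ...]
    actor_type: str
    actor_id: str
    obj: Optional[str]
    action: str


def parse_dsm_line(line: str) -> Optional[DsmEvent]:
    """Return a DsmEvent, or None when the line does not fit the documented format."""
    m = _LINE.match(line.strip())
    if m is None:
        return None  # route to an "unparsed" queue rather than dropping it
    ip = m["ip"] or None
    if ip is not None:
        try:
            ip = str(ipaddress.ip_address(ip))  # reject values that are not an IP
        except ValueError:
            return None
    groups = tuple(g.lower() for g in re.findall(_UUID, m["groups"]))
    obj = m["obj"].lower() if m["obj"] else None
    return DsmEvent(m["message"], ip, m["acct"].lower(), groups,
                    m["actor_type"], m["actor_id"].lower(), obj, m["action"])


# The first sample is the example line from this page; the others are constructed.
TAIL = ("acct_id=8fb9b132-0b68-4d33-aba2-f1f9db3ab0e9 groups=[5f1d12e9-614a-4f5b-a4ed-837d9fb001b8] "
        "actor=User:9dbd5192-ee09-46f6-89fd-812e96863aa4 "
        "obj=3da3bf54-610b-4e89-816d-d4931f59f102 action=CRYPTOOPERATION")
SAMPLES = [
    'User "bob@company.com" created key "key_test" ip_addr=123.123.123.123 ' + TAIL,
    'User "bob@company.com" created key "key_test" ip_addr= ' + TAIL,
    'User "bob@company.com" created key "a ip_addr=10.0.0.1" ip_addr=123.123.123.123 ' + TAIL,
    "User logged in from 123.123.123.123",  # no fields at all: must not parse
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_dsm_line(sample))
```

Time and severity are not in the message, so take them from the transport (the Syslog header or the Splunk event metadata) when building the final record.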
2.2 Viewing Audit Logs
You can view audit logs for different DSM objects such as security objects and applications directly in the Fortanix DSM user interface (UI).
In the DSM left navigation panel, click the Audit Log menu item to view all audit entries for the account.
Additionally, in the detailed view of an application (app) or a security object, the Activity Logs section displays the audit log entries for that object.
You can also enable or disable the activity logs for security objects using the following steps:
Go to the detailed view of the security object.
In the Activity Logs section, disable the Keep detailed log for the object toggle. This toggle is enabled by default.
NOTE
If the group has a Quorum approval policy configured, then enabling or disabling audit logs will trigger a quorum approval request.
If the Update Operations check box was not selected while configuring the group Quorum approval policy, then enabling or disabling audit logs will not trigger a quorum approval request.
If the account’s Cryptographic policy enforces detailed logging for all groups in the account, then audit logs for the security object cannot be disabled from its detailed view.
3.0 Configure External Logging
Fortanix DSM can be configured to forward audit entries to external log management systems.
NOTE
Only an account administrator can set up integration with external logging systems.
In the Fortanix DSM user interface (UI), navigate to Settings → LOG MANAGEMENT tab.

Figure 1: Log Management tab
3.1 Fortanix DSM Audit Logs
The Fortanix DSM external event logging is configured on a per-account basis. Logs or events of an account are not visible to another account within an enterprise. Fortanix DSM automatically maintains an internal audit log of system operations.
To view the audit log, click the Audit Log menu item in the Fortanix DSM UI.
For convenience, when viewing the details of a security object or another Fortanix DSM object, the most recent audit log entries applicable to the object are shown in the right-hand pane of the detailed view.
3.2 Set Retention Period for Audit Log
By default, audit log entries are retained forever. For new accounts, the log retention period follows the cluster-wide setting defined in System Administration → Settings → POLICIES → Default log retention period for new accounts created on this cluster. For more information, refer to Sysadmin Settings – Policies.
Perform the following steps to override the cluster-wide audit log retention settings for an account:
In the Fortanix DSM UI, navigate to Settings → LOG MANAGEMENT tab.
In the Retention period for Audit Logs section, click EDIT to set the retention period.
Select the Keep log entries forever option to retain the audit logs permanently or specify a future date.

Figure 2: Set retention period
Click SAVE to save the changes.
NOTE
This setting can only be enabled if you have an account Quorum approval policy configured with the Log Management option selected, since changes to the log management settings require a quorum approval.
Audit logs that have already been forwarded to external log management integrations such as Syslog, Splunk, and so on will not be impacted because of this setting. This is applicable for all accounts, including system administration audit logs.
3.3 Logging Invalid API Requests
Applications may sometimes send invalid API requests that result in 4XX errors, such as a 400 (Bad Request) error. Fortanix DSM logs them through the LOG MANAGEMENT feature to assist with debugging.
In the Fortanix DSM UI, navigate to Settings → LOG MANAGEMENT tab.
On the Log management page, enable the Logging invalid API requests toggle.

Figure 3: Logging invalid API requests
Click the Audit Logs tab in the Fortanix DSM UI to view the 4XX logs.
3.4 High Volume Security Objects
In scenarios where a security object is used for cryptographic operations with very high usage, audit logging related to these operations can be explicitly disabled for the security object. This is the only scenario where audit logs must be disabled for an object.
Perform the following steps to disable the audit log on an existing security object:
Go to the detailed view of the security object and disable the Keep detailed log for the object toggle.
If the group has a quorum policy configured, the Quorum approval request dialog box displays HIGHVOLUME under the Key operations permitted section. The presence of the HIGHVOLUME operation indicates a request to disable audit logging.
Cryptographic operations are not logged for High Volume security objects; however, key lifecycle management operations (such as activation, deactivation, destruction, and so on) will still be logged.
Perform the following steps to disable the audit log for a security object during object creation:
Scroll to the bottom of the security object Generate or Import page.
Clear the Keep detailed log for the object option.
3.5 Custom Log Management Integrations
Currently, Fortanix DSM supports the following logging systems:
Splunk
Google Cloud’s operations suite
Syslog
Azure Log Analytics (Azure Monitor)
To integrate with the logging systems, navigate to the Settings → LOG MANAGEMENT tab in the Fortanix DSM UI.

Figure 4: Custom log management integrations
It is possible to have more than one integration active at the same time. Logs will be pushed from Fortanix DSM to all logging facilities that are configured.
NOTE
Only an account administrator in Fortanix DSM can add the log management integrations with Splunk, Google Cloud’s operations suite, Syslog, and Azure Log Analytics.
3.6 Sending Audit Logs to Splunk
You can configure Fortanix DSM to send audit log entries to a Splunk server using the HTTP Event Collector (HEC).
Perform the following steps to configure logging events to Splunk:
Navigate to the Settings → LOG MANAGEMENT tab.
In the Custom Log Management Integrations section, click ADD INTEGRATION for Splunk.
On the Splunk Log Management Integration form:
Host: Enter the hostname or IP address of the Splunk server.
Enable HTTPS: Select this check box to communicate with the Splunk server over HTTPS (recommended). Also, select the Enable SSL check box in the Splunk Global Settings. Refer to Section 5.0: Appendix for a sample screenshot.
NOTE
If you are using an HTTP connection, then clear the Enable HTTPS check box in the Fortanix DSM Log Management screen for Splunk and clear the Enable SSL check box in the Splunk Global Settings. Refer to Section 5.0: Appendix for the screenshot.
When you select the Enable HTTPS option for alert integrations, the following settings are displayed and are enabled by default:
Host validation: The Validate host option, if selected, ensures that the hostname or IP address you entered matches the hostname on the server certificate, verifying that the connection is securely directed to the intended server.
Validate certificate:
Global Root CAs: Use this certificate if you are using a certificate that is signed by a well-known public Certificate Authority (CA).
Custom CA Certificate: Use this certificate if you, as an enterprise, want to self-sign the certificate using your own internal CA.
Click UPLOAD A FILE to upload the CA certificate. When Fortanix DSM, as a client, connects to the Splunk server and is presented with the server’s certificate, it validates the connection using the enrolled custom CA Certificate.
Run the following command to generate the CA certificate:
openssl s_client -connect <endpoint/ipaddress>:port -showcerts
Where,
ipaddress: Defines the IP address of the Splunk server.
port: Defines the value of the Management port, under Server settings → General settings in the Splunk Server. Refer to Section 5.0: Appendix for the screenshot.
NOTE
In case the Custom CA Certificate has a Common Name (CN) that does not match the server on which Splunk is deployed, clear the Validate host check box, which prompts Fortanix DSM to ignore the hostname of the Splunk deployment instance. Only the certificate chain will be validated in this case.
Port: Enter the port number for the Splunk service. The default is port 80, or if HTTPS was enabled above, the default is port 443. If a different port is in use, enter the applicable port number.
Index: Enter the name of the Splunk index to submit events. Use the same index name configured in your Splunk instance. When you push the logs to Splunk, you must push them to a specific index. Fortanix DSM sends this value to the Splunk server. You can set the index name as needed to differentiate logs from various sources. For example, you can push Fortanix DSM logs to a Splunk index named SDKMS. Refer to Section 5.0: Appendix for a sample screenshot.
Authentication token: Enter a valid authentication token to authenticate Fortanix DSM with the HTTP Event Collector (HEC) of your Splunk instance. This token allows Fortanix DSM to push events to Splunk. For example, the logs from Fortanix Data Security Manager (DSM) can be pushed to the Index source name fortanix_cloud. For more information about generating HEC authentication tokens, refer to the Splunk official documentation.
NOTE
For security reasons, the authentication token is not displayed in the interface when editing an existing configuration.
Use FQDN hostname: This check box is selected by default. When enabled, the DSM cluster’s fully qualified domain name (FQDN) is used as the hostname in Splunk log entries, enabling identification of the source cluster in multi-cluster environments.
Figure 5: Splunk integration form
Click SAVE to add the Splunk integration.
3.7 Sending Audit Logs to Google Cloud’s Operations Suite
You can configure Fortanix DSM to send audit log entries to Google Cloud’s operations suite.
Perform the following steps to configure logging events to Google Cloud’s operations suite:
In the Custom Log Management Integrations section, click ADD INTEGRATION for Google Cloud’s operations suite.
On the Google Cloud's operations suite Log Management Integration form:
Log ID: Enter the log ID of the log to write to. The log ID must be URL-encoded and included within the log name, which is the resource name of the log to which this log entry belongs. For example,
organizations/1234567890/logs/cloudresourcemanager.googleapis.com%2Factivity
For more information, refer to Google Cloud's Operations Suite reference URL.
Service account key: Upload the service account key or configuration file. To connect Fortanix DSM to Google Cloud’s Operations Suite, you must upload a configuration file that contains the service account key and related authentication details using UPLOAD A FILE.
Figure 6: Google cloud operation integration form
Click SAVE to add the Google Cloud Operation integration.
3.8 Sending Audit Logs to Syslog
You can configure Fortanix DSM to send audit log entries to the Syslog server.
Perform the following steps to configure logging events to the Syslog:
In the Custom Log Management Integrations section, click ADD INTEGRATION for Syslog.
On the Syslog Log Management Integration form:
Host: Enter the hostname or IP address of your Syslog server.
Enable TLS: Select this check box to communicate with the Syslog server over a secure connection using TLS.
Host validation: The Validate host option, if selected, ensures that the hostname or IP address you entered matches the hostname on the server certificate, verifying that the connection is securely directed to the intended server.
Validate certificate: You can connect to the Syslog server over a non-secure connection or a secure TLS connection.
Global Root CAs: Use this certificate if you are using a certificate that is signed by a well-known public Certificate Authority (CA).
Custom CA Certificate: Use this certificate if you, as an enterprise, want to self-sign the certificate using your own internal CA.
Click UPLOAD A FILE to upload the CA certificate. When Fortanix DSM, as a client, connects to the Splunk server and is presented with the server’s certificate, it validates the connection using the enrolled custom CA Certificate.
Port (TCP): Enter the port number for the Syslog service. The default is port 514, or if you are using a different port, update the port number accordingly.
Facility: When you log an event in Syslog, you can choose to log it in different facilities. Use this setting to filter logs by a specific facility, such as User, Local0, Local1, and others that are well-defined in the Syslog protocol. For example, configure Fortanix DSM to use the Local0 facility to easily filter logs from a specific appliance.
Use FQDN hostname: This check box is selected by default. When enabled, the DSM cluster’s FQDN is used as the hostname in Syslog log entries, enabling identification of the source cluster in multi-cluster environments.
Figure 7: Syslog integration form
Click SAVE to add the Syslog integration.
3.9 Sending Audit Logs to Azure Log Analytics
You can configure Fortanix DSM to send audit log entries to Azure Log Analytics in the Azure Portal to write log queries and interactively analyse the Fortanix DSM log data.
Perform the following steps to configure logging events to the Azure Log Analytics:
Ensure that you have already created a Log Analytics Workspace in the Azure portal. For more information, refer to Create a Log Analytics workspace. In the log analytics workspace, click the Agents tab to see the Workspace ID and Primary key.

Figure 8: Workspace ID
In the Custom Log Management Integrations section, click ADD INTEGRATION for Azure Log Analytics.
On the Azure Log Management Integration page:
Workspace ID: Enter the workspace ID, which is a globally unique identifier (GUID) that identifies your Log Analytics workspace in the Azure portal. You can find this value in Step 1. For more information on how to create a log-analytics workspace, refer to Create a Log Analytics Workspace.
Primary shared key: Enter the primary shared key, which is the primary key of your Log Analytics workspace in the Azure portal. You can locate this key in Step 1.
Figure 9: Azure integration form
NOTE
For security reasons, the Primary Shared Key is not displayed in the interface when editing an existing shared key.
Click SAVE to add the Azure Log Analytics integration.
NOTE
The number of external logging configurations is limited to six per Fortanix DSM account.
In the Azure portal, execute the following query in Log Analytics and click Run:
DSM_AUDIT_LOG_CL
Figure 10: Run the query
Running the query retrieves Fortanix DSM audit log entries from Azure Log Analytics, allowing you to analyze, filter, and monitor them.
The Custom Log Type is set to “DSM_AUDIT_LOG_CL” for all event logs published to the Azure Log collector from Fortanix services. This field is set in the HTTP POST request header of all the logs published to the Azure log collector, and therefore, it is used to query logs from Fortanix services in Azure Log Analytics Workspace. For more information, refer to Use Queries in Log Analytics.
Figure 11: DSM event log query
3.10 Sending Audit Logs to Rapid7 InsightIDR
For more information on how to export the Fortanix DSM log files to the Rapid7 InsightIDR centralized log management utility, refer to Using Fortanix DSM with Rapid7 InsightIDR.
4.0 DSM Performance With/Without External Logging System
You can integrate both Splunk and Syslog servers with Fortanix DSM simultaneously. Below are the DSM performance numbers with/without Splunk and Syslog.
| ITEM | SPECIFICATION |
|---|---|
| Number of Cores | 18 (6 cores per DSM node) |
| CPU | Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz |
| RAM | 32 GiB |

| DSM WITH/WITHOUT EXTERNAL LOGGING SYSTEM | THROUGHPUT (OPERATIONS/SECOND ON A 3-NODE S2 CLUSTER) |
|---|---|
| DSM with Splunk and Syslog integration (AES 256: CBC Encryption) | 4,587 |
| DSM without Splunk and Syslog integration (AES 256: CBC Encryption) | 4,812 |
NOTE
A 3-5% performance degradation is seen when both Splunk and Syslog servers are integrated with Fortanix DSM.
The throughput observed above may vary depending on the environment and circumstances.
5.0 Appendix
The following are the Splunk Server screenshots:
If you are using an HTTPS connection, then in the Global Settings:
Select the Enable SSL check box.
Select the Default Source Type as sdkms_audit.
Figure 12: Enable SSL
Port number on the Splunk server used for generating the Custom CA Certificate.

Figure 13: Management port number
The index value in the Fortanix DSM Splunk Log Management Integration form should be the same as the Default Index value.

Figure 14: Fortanix DSM system events