Logging
Data Discovery and Classification prints its log messages to the CipherTrust Manager logs. DDC logs are located at /opt/keysecure/logs. The CipherTrust Manager System Administrator (ksadmin) can log in using ssh to retrieve CipherTrust Manager logs. Also, the DDC Application Administrators have access to the logs.
For more details on collecting DDC logs, refer to Troubleshooting Issues in Conjunction with Customer Support.
Default Logging Level
By default, log level setting for DDC is INFO. With this log level set DDC prints out the INFO and ERROR level messages to the log. Among the various messages that DDC prints to the logs, the error messages and security audit messages are the most useful for troubleshooting DDC issues and securing the deployment.
Identifying DDC Log Messages
The microservices behind DDC are oleander and sundew and the messages coming to the CipherTrust Manager log from DDC can be identified by those names.
Additionally, oleander has these three modules:
- Clustering
- Agent_Selection
- Scan_watcher
Each of these modules will generate its own error messages, each in its separate log.[ ] log file.
The logging service responsible for collecting and processing these messages is FLUENTD. It is capable of displaying those messages to the terminal through the log command. Here's an example of such a command:
log | grep oleander | grep "clustering"
This command would display all messages coming from the oleander's Clustering module.
For a complete list of error messages that DDC sends to the CipherTrust Manager logs, see the Error Log Messages.
Security Audit Log Messages
The DDC security audit messages can be identified by the Oleander | INFO [security] bit that they contain. The full format of such a log message (or log line) is:
<date> | Oleander | INFO [security] <event> <error (if any)> <details (if any)>
For example:
2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe “error: error probing scan client” “details: [scan_id:5432-5432-543254-2-5432]”
Usually, only the event type is printed out to the log (in the example above, it would be DCScanClientUnexpectedErrorProbe).
Enabling Syslog Logging
Audit records are logged to a local database by default. This is suitable for production systems and clusters with a limited load. However, for clusters that support a large number of transactions, it is recommended to configure the CM to disable logging to a local database and enable logging using a remote Syslog server. This significantly reduces cluster traffic and disk usage. For more information, refer to the following sections in the Thales CipherTrust Manager Administrator Guide:
“Disabling local database audit logging”
“Configuring remote Syslog server”
Logging Troubleshooting Information
In addition to including INFO and ERROR log messages in CipherTrust Manager logs, DDC can generate local logs to record interactions between different components during scan run. These logs contain useful technical information that can help Thales Customer Support in identifying and resolving scan-related issues.
In case the scan fails, is stuck in the running state, or experiences any unexpected issues, you can download and share these logs with Thales Customer Support to address scan-related issues.
Note
Before running the scan, enable the Trace logs scan parameter to capture detailed scan execution information for each file.
You can download the logs starting from the scan initiation, throughout its execution, and after it finishes. These log files are encrypted and require decryption before you can share them with Thales Customer Support.
To download and decrypt the logs files:
In the Scans screen, click the three dots (...) corresponding to the desired scan name.
Select the Download Logs option.
Click Download.
An encrypted .tar file containing all the necessary logs will be downloaded.
Run the following
ksctlcommand to decrypt the .tar file. See CLI Toolkit to learn how to install and runksctl.ksctl ddc raw-data decrypt [flags]Examples
ksctl ddc raw-data decrypt -i /tmp/ScanReport1.tar ksctl ddc raw-data decrypt -i /tmp/ScanReport1.tar -o /tmp/DecryptedScanReport1.zip
Scan logs will be decrypted to a .zip file containing readable files.
