System Logging
Luna Network HSM 7 gathers logs about appliance events, separate from events on the HSM itself. This chapter contains the following sections about system logging:
•Configuring a Remote Syslog Server
•Customizing Remote Logging Severity Levels
For HSM event logging, see Audit Logging.
About System Logging
Logs are managed with the syslog commands (see syslog), where you set rotation and other parameters to suit your own monitoring and management schedule. You can configure flexible logs to gather only information you consider relevant, or send different logs to different remote hosts.
NOTE See Syslog Introduction for information on reading and interpreting system log messages.
Log Severity Levels
Event logs are categorized according to the severity of their impact on the system. Table 1 (syslog Severity Levels) defines the categories from most to least severe. You can customize logging to include events based on their severity.
Hardware Monitoring and Logging
1.SMART technology monitors the hard disk.
2.IPMI technology monitors CPU fan speed and temperature, as well as PSU (power supply unit) voltage, fan speed and temperature.
The system logs temperature changes of 2 degrees in either direction.
Comparing Syslog vs Audit log
TIP The distinction between an HSM (or cryptographic module) and its host is obvious when the HSM is a circuit board/card that you install in a computer, or a USB-connected external unit. However, when an HSM card is an integral part of a network HSM appliance, it is common usage to refer to the whole unit as "the HSM".
For management of the devices it is important to differentiate between the configuration and operation of the host and the configuration and operation of the cryptographic module within, such as when addressing
•the system logs of the host and
•the audit logs of the cryptographic module.
| Function or | Syslog | Audit Log |
|---|---|---|
| Managed by | Managed by Luna Network HSM 7 appliance admin user via Luna Shell "syslog" commands. | Managed by Luna Network HSM 7 appliance audit user via Luna Shell "audit log" commands. |
| Source of log messages | Captures events in the host system, not including any activity within the embedded HSM/cryptographic module. | Captures events that occur inside the HSM/cryptographic module. |
| Control of behavior | Behavior is broadly standardized but specifics depend on the host and its operating system. See Configuring System Logging. | Behavior is controlled by HSM firmware, modified by configuration settings. See Audit Logging. |
| Location where log records are stored | Events are logged to the host file system, and can be sent to a remote logging server. Default is plain text, but TLS encryption is a wise option. | Events are initially logged only to a dedicated space of approximately 16MB within the cryptographic module, but can be exported, in encrypted state, to the host file system, and can further be sent to a remote logging server. |
| | Remote logging is generally a best practice for both log types. The receiving host and port configuration must not be the same for both remote syslog and remote audit log. See syslog remotehost add and audit remotehost add. | |
| Security of logs | Appliance host logs are stored in plain text in the default log file location. They are as secure as the physical and digital access protection that you provide for the host and for any Remote Log Server you choose to use, and can be protected in transit by invoking TLS. | Audit logs are protected by layers of encryption where they are created and initially reside, within the cryptographic module. They are encrypted when they move from the limited storage of the cryptographic module to the host file system, and remain encrypted if forwarded to a Remote Log Server. Their integrity is assured, and the audit logs can be verified and unlocked by an HSM in the same security/cloning domain as the originating cryptographic module. |
| Log record and file accumulation | The appliance protects itself by deleting the oldest log files when/if they are allowed to accumulate to the point of filling the allotted space (see below). This allows the most recent logs to always be available. [* Remote logging is a best practice in virtually any logging scenario.] See Exporting System Logs, Deleting System Logs and Rotating System Logs. Log rotation on the Luna Network HSM 7 appliance ensures that cleanup occurs on a daily, weekly or monthly basis. NOTE The space in the syslog folder in the Luna Network HSM 7 appliance is 9.7GB; if you reach or exceed that, you begin losing the oldest logs, and your syslog configuration might be in need of adjustment for log rotation and remote logging. | Audit log records accumulate in the limited space inside the HSM/cryptographic module (approximately 16MB in NVRAM) until that space approaches being full, at which time the cryptographic module stops performing cryptographic functions and partition creation, recording only audit log messages until the audit logs are rotated out (in encrypted form) to the host file system. Obviously, it should never be allowed to get to that state in a production environment. NOTE The space in NVRAM that is allocated to audit logs can handle in the range of a couple of hundred thousand entries. That might sound like a lot, and it is if you are prudent with audit configuration. However, see below. The space in the Luna Network HSM 7 file system for exported audit logs is 220GB. Once the crypto module's audit-log space is unclogged, cryptographic operations can resume. This design strategy protects the continuity of the audit logs, the audit trail, that is so important in compliance audits and forensic investigations. |
| Logging best practices | Syslog is ubiquitous, as are compendia of best practices and advice. Confer with your organization's security and compliance teams for their requirements and wishes regarding logging for network-connected equipment. At a minimum, consider automatic sending to a remote logging server, and invoking TLS for the transfer. Where both udp and tcp network protocols are available: •udp is faster, but can drop packets/records •tcp is slower, but verifies and resends if packets are missed or dropped. If you are in the financial industry, choose RELP for Remote Syslog, perhaps with a TLS wrapper. | For Audit Logging, best practice is very application dependent. For (say) a certification authority you might configure •"First Asymmetric Key Usage Only" (value 'first'), •"HSM management" (value 'manage'), •access attempts (value 'access'), and •key management events (value 'keymanage'). Security and Compliance auditors are likely to want to know when the key was first used, but might not need a record of every usage, which would generate a lot of audit records. But if a record of every usage is a requirement, then certainly configure for it, but also configure audit log export and rotation (and remote logging*) on a schedule that keeps the audit-log corner of the cryptographic module's NVRAM from filling up with the probable high volume of audit logs. In contrast, for an application that performs many key generations, ongoing operation would generate huge numbers of logs, and it might be sufficient to configure the crypto module to log only failures. Generally, avoid logging all possible events; start small and increase logging scope until you achieve an acceptable balance between •coverage of cryptographic module activity and •performance of the cryptographic module (logging activity does consume or divert HSM resources). [* Remote logging is a best practice in virtually any logging scenario.] |
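A receiver-side configuration for the remote logging the table recommends, as an added example that is not part of the original page or of the Thales documentation: an rsyslog collector that accepts the appliance's syslog stream over RELP wrapped in TLS and receives the audit-log stream on a different port and file, as the table requires. The appliance hostname, ports, certificate paths, the use of RELP for the audit stream, and the assumption that the appliance presents a certificate the collector can verify by name are all assumptions of this example.

```rsyslog
# Added example: rsyslog collector for a Luna Network HSM 7 appliance.
# Hostname, ports and certificate paths below are assumptions.

# Weak baseline to avoid: plain UDP/514 is unauthenticated, unencrypted,
# and silently drops records under load (the udp/tcp trade-off in the table).
# module(load="imudp")
# input(type="imudp" port="514")

# Hardened receiver: RELP (acknowledged delivery, resends on loss) in TLS,
# with the collector verifying the appliance's certificate name.
module(load="imrelp")

# One file per sending appliance and per log type, so host syslog and the
# already-encrypted audit-log export are never written to the same file.
template(name="lunaSyslogFile" type="string"
         string="/var/log/luna/%HOSTNAME%/syslog.log")
template(name="lunaAuditFile" type="string"
         string="/var/log/luna/%HOSTNAME%/audit.log")

ruleset(name="luna_syslog") {
    action(type="omfile" dynaFile="lunaSyslogFile")
}
ruleset(name="luna_audit") {
    action(type="omfile" dynaFile="lunaAuditFile")
}

# Appliance syslog (pointed here with "syslog remotehost add" on the appliance).
input(type="imrelp" port="2514" ruleset="luna_syslog"
      tls="on"
      tls.caCert="/etc/rsyslog.d/tls/ca.pem"
      tls.myCert="/etc/rsyslog.d/tls/collector.pem"
      tls.myPrivKey="/etc/rsyslog.d/tls/collector.key"
      tls.authMode="name"
      tls.permittedPeer=["luna-hsm-01.example.net"])

# Appliance audit log (pointed here with "audit remotehost add"): a different
# port, as the table requires, and its own ruleset and file.
input(type="imrelp" port="2515" ruleset="luna_audit"
      tls="on"
      tls.caCert="/etc/rsyslog.d/tls/ca.pem"
      tls.myCert="/etc/rsyslog.d/tls/collector.pem"
      tls.myPrivKey="/etc/rsyslog.d/tls/collector.key"
      tls.authMode="name"
      tls.permittedPeer=["luna-hsm-01.example.net"])
```

Rotation and retention of the files under /var/log/luna remain the collector's responsibility; the appliance-side rotation described in the table only governs its own 9.7GB syslog folder.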