audit

Access commands that allow the audit user to perform HSM auditing tasks.

NOTE   Audit commands control HSM audit logging. They are visible only to the audit user, and are hidden from the appliance admin, operator, monitor, or any other non-auditor user.

Audit log and syslog entries are timestamped in UTC format.

TIP   Performance and Audit Logging

Secure Audit Logging consumes HSM resources, so consider minimizing the intensity of logging that you invoke.

For example, when choosing asymmetric key usage, you have the option to specify event values to record with -value  asymmetric or first.
When choosing symmetric key usage logging you can opt for the corresponding symmetric and symfirst.

An HMAC is generated for each log, so "first" and "symfirst" record the first use of a key (asymmetric sig/ver or symmetric enc/dec respectively) and are much more sparing of HSM cycles, and therefore preferred to configuring for a log entry at every individual use of a given key -- unless that level of detailed logging is mandated.

Log first use, or log all uses?

Logging only the first use of each cryptographic key (versus logging every use) usually delivers most of the security and audit value with lower noise and performance/operations cost.

Detection value (stronger “signal per log”): First-use events quickly reveal new key material coming into play (such as key provisioning, rotation, or unexpected deployment). That can be an early indicator of misconfiguration or compromise.

Forensics value (better timeline anchors): First-use timestamps give clear “start points” for a key’s lifecycle, making it easier to correlate later incidents even if you do not log every cryptographic operation.

Reduced log volume and cost: “Every use” can be extremely high-frequency (TLS sessions, API signing, token verification, envelope encryption, etc.), driving up storage costs and making critical events harder to find.

Lower operational risk: High-volume logging increases the chance of dropped logs, index/search overload, alert fatigue, and slower incident response. First-use logging can be simpler and more reliable at scale.

Privacy/security balance: Logging every use can accidentally create more sensitive metadata (e.g., request context, identifiers) tied to cryptographic operations. First-use logging limits that surface area.

Where logging every use can be preferable:

High-assurance environments that need per-operation non-repudiation, strict misuse detection, or compliance that explicitly requires it.

Keys with high blast radius (such as signing keys for critical actions) where you want to detect anomalies like “key used outside expected service/period.”

When you need precise misuse detection rather than just “key appeared.”

Other - non-audit-related commands

The audit user also has access to a limited set of non-audit commands grouped under the following command menus:

hsm

Provides access to the following:

> The hsm show command. See hsm show

>All hsm ped commands, except for the hsm ped vector commands. The audit appliance user is allowed to connect and disconnect remote PED connections, adjust timeout, and view connection information, but is not allowed to create (init) or erase a remote PED vector. See hsm ped.

my Provides a set of commands equivalent to those provided to other non-admin users. See my
network Provides only the show and ping commands. See network.

Syntax

audit

changepwd
config
init
log
login
logout
remotehost
secret
show
sync

Argument(s) Shortcut Description
changepwd ch Changes the audit user password or PED key. See audit changePwd.
config co Set the audit parameters. See audit config.
init i Initialize the audit role. See audit init.
log log Access commands that allow you to manage audit log files. See audit log.
login logi Login as the audit user. See audit login.
logout logo Logout the audit user. See audit logout.
remotehost r Configure audit logging remote hosts. See audit remotehost.
secret se Export or import the audit logging secret. See audit secret.
show sh Display the current audit logging configuration. See audit show.
sync sy Synchronizes the HSM time to the host time. See audit sync.