Configuring the level of audit information

Depending on your need, you can change the default setting that IBM® Security Guardium® Key Lifecycle Manager uses to collect audit information.

About this task

You can use the Audit page to change the audit information levels (Low, Medium, or High) that are written to the audit log. Alternatively, you can use the following REST services to list and change the Audit.event.types property in the SKLMConfig.properties file:

Get Single Config Property REST Service and Update Config Property REST Service

Note: You can specify the value of the Audit.event.types property to be different than the value of an out-of-the-box audit level (Low, Medium, or High). The audit level is then marked as Custom. You can create this audit level only by using the REST interface. A Custom level audits all failure events, and success events for the event types that you specify in the Audit.event.types property.
Your role must have permission for the configure action.

Procedure

  1. Go to the appropriate page or directory:
    • Graphical user interface:

      Log on to the graphical user interface. Click IBM Security Guardium Key Lifecycle Manager > Configuration > Audit and Debug.

    • REST interface: Open the Swagger UI or a REST client.
  2. Change the value of the audit information level:
    • In the graphical user interface, select one of the following values for the Audit setting, then click OK.
      Low
      Logs minimal audit records.
      Selecting Low audits failure events only and sets the following property values in the SKLMConfig.properties file:
      • Audit.event.types = all
      • Audit.event.outcome = failure
      Medium
      Stores an intermediate number of audit records.
      Selecting Medium audits all failure events and success events for selected event types, and sets the following property values in the SKLMConfig.properties file:
      • Audit.event.types = runtime,authorization,authorization_terminate, resource_management, key_management
      • Audit.event.outcome = success,failure
      High (default)
      Stores the maximum number of audit records.
      Selecting High audits all failure and success events, and sets the following property values in the SKLMConfig.properties file:
      • Audit.event.types = all
      • Audit.event.outcome = success,failure
      Custom
      Stores audit records according to the specification that is provided in the server configuration properties file.

      You cannot select this option. It is automatically selected and available only when the value of the Audit.event.outcome property is different than the value of any of the out-of-the-box audit levels (Low, Medium, or High).

    • REST interface:
      1. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
      2. To run Get Single Config Property REST Service, send the HTTP GET request. Pass the user authentication identifier that you obtained in Step 1 along with the request message as shown in the following example.
        GET https://localhost:<port>/SKLM/rest/v1/configProperties/Audit.event.types
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth userAuthId=139aeh34567m
        Accept-Language: en

        A successful response might be:

        Status Code : 200 OK
        Content-Language: en
        {"property":"Audit.event.types","value":"all"}
      3. Specify the required change. For example, you can use Update Config Property REST Service to limit the selection to two event types to store in the audit log by sending the following HTTP request:
        PUT https://localhost:<port>/SKLM/rest/v1/configProperties
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth userAuthId=139aeh34567m
        Accept-Language: en
        { "Audit.event.types": "runtime,audit_management"}
  3. Restart the server. For instructions about how to stop and start the server, see Restarting the Guardium Key Lifecycle Manager server.
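
The following Python example is added here and is not part of IBM's documentation or product code. It classifies the audit level implied by the two properties described in step 2, so that a scheduled check can flag a server whose auditing differs from the required level. It assumes plain key=value lines; the function names and the sample file contents are constructed for illustration.

```python
# Level definitions as listed on this page: (event types, outcomes).
LEVELS = {
    "Low": ({"all"}, {"failure"}),
    "Medium": ({"runtime", "authorization", "authorization_terminate",
                "resource_management", "key_management"},
               {"success", "failure"}),
    "High": ({"all"}, {"success", "failure"}),
}

# Constructed sample contents, not taken from a real server.
SAMPLE = """\
# audit settings
Audit.event.types = runtime,audit_management
Audit.event.outcome = success,failure
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def as_set(value):
    """Split a comma-separated value, tolerating spaces after commas."""
    return {item.strip() for item in value.split(",") if item.strip()}

def audit_level(text):
    """Return Low, Medium, High, Custom, or Unknown for the file contents."""
    props = parse_properties(text)
    if not props.keys() >= {"Audit.event.types", "Audit.event.outcome"}:
        return "Unknown"  # assumption: a missing property is reported, not guessed
    found = (as_set(props["Audit.event.types"]),
             as_set(props["Audit.event.outcome"]))
    for name, expected in LEVELS.items():
        if found == expected:
            return name
    return "Custom"

def check_baseline(text, required="High"):
    """Return (ok, level) so a scheduled check can flag reduced auditing."""
    level = audit_level(text)
    return level == required, level
```

Calling `check_baseline(SAMPLE)` on the constructed sample reports a Custom level, which does not meet a High baseline.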

What to do next

Rerun an operation that previously returned an error. Then, examine the audit log for details. For more information, see Audit records.