Audit records
The audit subsystem of IBM® Security Guardium® Key Lifecycle Manager records all user actions and writes them to a set of sequential files. You can configure the audit subsystem to generate the audit records in syslog format and send them to a syslog server.
Audit records in sequential files
By default, audit records are written to a set of sequential files. When a file reaches the file size limit, the audit subsystem closes and renames the file with a time stamp, and opens the next file to which audit records are written. You can configure the file size limit and the number of audit log files. The overall audit log is the set of sequentially named files.
To limit the total number of audit record files, you might create a script or program to monitor the set of files in the audit directory. As files are closed and named based on the time stamp, your script might copy and append the file contents to a permanent log file and directory that you specify, and then delete the file. Ensure that you do not remove or alter the active file to which IBM Security Guardium Key Lifecycle Manager is writing records.
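The following script is an added example of the archiving loop described above; it is not part of the IBM documentation or the product. It assumes a file naming convention that the documentation does not state: the active file is named sklm_audit.log and a closed file keeps that name plus a "." and a time-stamp suffix. Only files with such a suffix are ever read or deleted, so the active file is left alone; each closed file is appended to the permanent archive, the archive is flushed to disk and size-checked, and only then is the source file removed. The sample audit directory is constructed by the script for demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Assumed naming convention (not stated in the IBM documentation): the file the
# server is currently writing is ACTIVE_NAME; a closed file is renamed to
# ACTIVE_NAME + "." + <time stamp>.
ACTIVE_NAME = "sklm_audit.log"


def closed_audit_files(audit_dir, active_name: str = ACTIVE_NAME) -> list:
    """Closed (time-stamped) audit files, oldest first.

    The active file is never included because its name has no suffix."""
    prefix = active_name + "."
    closed = [p for p in Path(audit_dir).iterdir()
              if p.is_file() and p.name.startswith(prefix)]
    # Modification time first, then name, so records are appended in order.
    return sorted(closed, key=lambda p: (p.stat().st_mtime, p.name))


def archive_closed_files(audit_dir, archive_file, active_name: str = ACTIVE_NAME) -> int:
    """Append every closed audit file to archive_file, then delete the source.

    Returns the number of files archived. A source file is deleted only after
    its bytes are durably in the archive and the archive grew by exactly its size."""
    archive_file = Path(archive_file)
    archive_file.parent.mkdir(parents=True, exist_ok=True)
    count = 0
    with archive_file.open("ab") as out:
        for closed in closed_audit_files(audit_dir, active_name):
            if closed.name == active_name:          # defensive: never touch the active file
                continue
            expected = closed.stat().st_size
            start = out.tell()
            with closed.open("rb") as src:
                shutil.copyfileobj(src, out)
            out.flush()
            os.fsync(out.fileno())                  # durable before the source goes away
            if out.tell() - start != expected:
                raise RuntimeError(f"short write while archiving {closed.name}")
            closed.unlink()
            count += 1
    return count


def make_sample_audit_dir() -> Path:
    """Constructed sample directory: one active file plus two closed files."""
    d = Path(tempfile.mkdtemp(prefix="sklm_audit_"))
    (d / ACTIVE_NAME).write_text("record still being written\n")
    (d / (ACTIVE_NAME + ".20201107-112853")).write_text("A\n")
    (d / (ACTIVE_NAME + ".20201107-113000")).write_text("B\n")
    return d


if __name__ == "__main__":
    sample = make_sample_audit_dir()
    n = archive_closed_files(sample, sample / "archive" / "audit_permanent.log")
    print(f"archived {n} closed file(s); active file still present:",
          (sample / ACTIVE_NAME).exists())
```

Run it from cron or a scheduler against the real audit directory with the real archive path; because it only matches files that carry a time-stamp suffix, a wrong ACTIVE_NAME results in nothing being archived rather than in the live file being deleted.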
Audit records in syslog format
You can configure the audit subsystem to write the audit log messages in syslog format. You can specify the host name or IP address and port of a syslog server to redirect the audit log records to the syslog server. You can further configure the audit subsystem to generate the log records in Log Event Extended Format (LEEF).
The audit records are written to the local audit log files instead of the syslog server in the following cases:
- You configure the audit records to be in syslog format but do not specify the host name or IP address of the syslog server.
- The syslog server is not reachable.
When the server is up, the logs are directed to the server.
Configurable audit properties
For a list of all the configurable audit properties, see the properties with the prefix Audit. in the Server configuration properties and database values topic.
You can use the graphical user interface or the REST interface to configure the auditing properties in the SKLMConfig.properties configuration file.
Audit record format
All audit records contain some common information including time stamp and record type, along with information specific to the audit event that occurred. Installing or starting IBM Security Guardium Key Lifecycle Manager writes the build level to the audit log.
Each audit record spans multiple lines in the file. The general format for audit records is as follows:
AuditRecordType:[
timestamp=timestamp Attribute Name=Attribute Value
...
  ]
The same record on a single line has the form:
AuditRecordType:[timestamp=timestamp Attribute Name=Attribute Value ... ]
Each record starts with the audit record type as the first field, followed by a colon (:) and an opening left bracket ([), which is followed by the names and values of the attributes, and finally the record contains a closing right bracket (]) indented two (2) spaces.
The timestamp for the audit records is based on the system clock of the system on which IBM Security Guardium Key Lifecycle Manager is running. If these records are to be correlated based on timestamp with events occurring on other systems, use some type of time synchronization to ensure that the clocks of the various systems in the environment are synchronized to an acceptable level of accuracy.
The Attribute Name can be the transaction ID, operation type, operation name, and so on.
The following is an example of an audit record in syslog format:
<37>1 2020-11-07T11:28:53.937+0530 9.xxx.xxx.xxx SKLM - SKLMAudit - %xEF.BB.BFRuntime event:[ timestamp=Nov 7, 2020 11:28:53 AM +0530 ComponentId=Thread[WebContainer : 0,5,main] TransactionId=972da513-6b0b-470c-a024-dc33571e169c OperationType=GUI event source=com.ibm.tklm.ui.servlets.ServletFilter outcome=Success event type=SECURITY_RUNTIME resource=[name:GUI;type:application] action=End Operation user=[name:SKLMAdmin] ]
The following is an example of an audit record in syslog format with the LEEF format enabled:
<37>1 2020-11-05T22:29:33.205-0800 LEEF:1.0|IBM|GKLM|4.1.0.0|SECURITY_MGMT_RESOURCE| cat=true src=10.xx.x.xx ComponentId=Thread[WebContainer : 5,5,main] TransactionId=0390213e-5396-471e-8d5d-fb03f03cf9a8 OperationType=GUI Operation=/SKLM/rest/v1/clients/groups eventSource=com.ibm.tklm.server.api.spi.impl.ClientServiceImpl message=CTGKM3533I Created client group with name CLIENT123. action=Create Group usrName=defaultWIMFileBasedRealm/SKLMAdmin resource=CLIENT123 resourceType=application
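The parser below is an added example, not code from the IBM documentation or the product, showing how a collector can turn the three layouts described on this page (the multi-line record in the sequential files, the syslog-wrapped record, and the LEEF record) into one structure with the record type, the syslog facility and severity, and the attributes as a dictionary. The two syslog samples are the ones shown above; the multi-line file record is constructed from the documented general format. The parser assumes that attribute values may contain spaces (as the samples show) and that the only attribute names containing a space are "event source" and "event type", which are the two seen in the samples; the %xEF.BB.BF prefix in the first sample is treated as the escaped UTF-8 byte order mark and stripped.

```python
import re
from dataclasses import dataclass, field

# Sample records copied from the documentation above.
SAMPLE_SYSLOG = (
    "<37>1 2020-11-07T11:28:53.937+0530 9.xxx.xxx.xxx SKLM - SKLMAudit - "
    "%xEF.BB.BFRuntime event:[ timestamp=Nov 7, 2020 11:28:53 AM +0530 "
    "ComponentId=Thread[WebContainer : 0,5,main] "
    "TransactionId=972da513-6b0b-470c-a024-dc33571e169c OperationType=GUI "
    "event source=com.ibm.tklm.ui.servlets.ServletFilter outcome=Success "
    "event type=SECURITY_RUNTIME resource=[name:GUI;type:application] "
    "action=End Operation user=[name:SKLMAdmin] ]")
SAMPLE_LEEF = (
    "<37>1 2020-11-05T22:29:33.205-0800 LEEF:1.0|IBM|GKLM|4.1.0.0|SECURITY_MGMT_RESOURCE| "
    "cat=true src=10.xx.x.xx ComponentId=Thread[WebContainer : 5,5,main] "
    "TransactionId=0390213e-5396-471e-8d5d-fb03f03cf9a8 OperationType=GUI "
    "Operation=/SKLM/rest/v1/clients/groups "
    "eventSource=com.ibm.tklm.server.api.spi.impl.ClientServiceImpl "
    "message=CTGKM3533I Created client group with name CLIENT123. action=Create Group "
    "usrName=defaultWIMFileBasedRealm/SKLMAdmin resource=CLIENT123 resourceType=application")
# Constructed multi-line record in the sequential-file layout documented above.
SAMPLE_FILE_RECORD = ("Runtime event:[\n"
                      "timestamp=Nov 7, 2020 11:28:53 AM +0530 outcome=Success\n"
                      "action=End Operation user=[name:SKLMAdmin]\n"
                      "  ]")

# RFC 5424 header: <PRI>VERSION TIMESTAMP, then the rest of the line.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<rest>.*)$", re.S)
# HOSTNAME APP-NAME PROCID MSGID SD MSG as the first sample shows it ("-" = nil value).
SKLM_MSG_RE = re.compile(r"^(?P<host>\S+) (?P<app>\S+) - (?P<msgid>\S+) - (?P<msg>.*)$", re.S)
LEEF_RE = re.compile(r"^LEEF:(?P<ver>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
                     r"(?P<pver>[^|]*)\|(?P<event>[^|]*)\|(?P<body>.*)$", re.S)
RECORD_RE = re.compile(r"^(?P<type>[^:\[\]]+):\[(?P<body>.*)\]\s*$", re.S)
# Assumption: these are the only attribute names that contain a space.
MULTIWORD_KEYS = ("event source", "event type")
KEY_RE = re.compile(r"(?<![^\s\[])(?:" + "|".join(map(re.escape, MULTIWORD_KEYS))
                    + r"|[A-Za-z_][A-Za-z0-9_]*)=")


@dataclass
class AuditRecord:
    record_type: str = ""
    attributes: dict = field(default_factory=dict)
    syslog: dict = field(default_factory=dict)
    leef_header: dict = field(default_factory=dict)


def parse_attributes(body: str) -> dict:
    """Split 'key=value key=value ...' text where values may contain spaces.

    A value runs from its '=' up to the start of the next recognised key."""
    hits = list(KEY_RE.finditer(body))
    attrs = {}
    for i, hit in enumerate(hits):
        key = hit.group(0)[:-1]                       # drop the trailing '='
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        attrs[key] = body[hit.end():end].strip()
    return attrs


def parse_audit_record(text: str) -> AuditRecord:
    """Parse a sequential-file record, a syslog-wrapped record, or a LEEF record."""
    rec = AuditRecord()
    payload = text.strip()
    hdr = SYSLOG_RE.match(payload)
    if hdr:
        pri = int(hdr["pri"])                         # PRI = facility * 8 + severity
        rec.syslog = {"facility": pri // 8, "severity": pri % 8, "timestamp": hdr["ts"]}
        payload = hdr["rest"]
    leef = LEEF_RE.match(payload)
    if leef:
        rec.leef_header = {k: leef[k] for k in ("ver", "vendor", "product", "pver", "event")}
        rec.record_type = leef["event"]
        rec.attributes = parse_attributes(leef["body"])
        return rec
    if hdr:
        msg = SKLM_MSG_RE.match(payload)
        if not msg:
            raise ValueError("unrecognised syslog message layout")
        rec.syslog.update(host=msg["host"], app=msg["app"], msgid=msg["msgid"])
        payload = msg["msg"]
    # Escaped or literal UTF-8 byte order mark ahead of the record type.
    payload = payload.removeprefix("%xEF.BB.BF").lstrip("\ufeff")
    body = RECORD_RE.match(payload)
    if not body:
        raise ValueError("not an audit record")
    rec.record_type = body["type"].strip()
    rec.attributes = parse_attributes(body["body"])
    return rec


def actor(rec: AuditRecord) -> str:
    """User who performed the action: '[name:X]' in file/syslog records, usrName in LEEF."""
    raw = rec.attributes.get("user") or rec.attributes.get("usrName", "")
    inner = re.fullmatch(r"\[name:([^\]]*)\]", raw)
    return inner.group(1) if inner else raw


if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG, SAMPLE_LEEF, SAMPLE_FILE_RECORD):
        r = parse_audit_record(sample)
        print(r.record_type, actor(r), r.attributes.get("action"), r.attributes.get("outcome"))
```

Because the records are correlated by time stamp, a collector using this parser should store the syslog header time stamp (ISO 8601 with offset) alongside the record's own timestamp attribute (local-format) and treat the two as consistent only when the clocks are synchronized as the page recommends.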