Audit records

The audit subsystem of IBM® Security Guardium® Key Lifecycle Manager records all user actions and writes them to a set of sequential files. You can configure the audit subsystem to generate the audit records in syslog format and send them to a syslog server.

Audit records in sequential files

By default, audit records are written to a set of sequential files. When a file reaches the file size limit, the audit subsystem closes and renames the file with a time stamp, and opens the next file to which audit records are written. You can configure the file size limit and the number of audit log files. The overall audit log is the set of sequentially named files.

To limit the total number of audit record files, you might create a script or program to monitor the set of files in the audit directory. As files are closed and named based on the timestamp, your script might copy and append the file contents to a permanent log file and directory that you specify, and then delete the file. Ensure that you do not remove or alter the active file to which IBM Security Guardium Key Lifecycle Manager is writing records.

Audit records in syslog format

You can configure the audit subsystem to write the audit log messages in syslog format. You can specify the host name or IP address and port of a syslog server to redirect the audit log records to the syslog server. You can further configure the audit subsystem to generate the log records in Log Event Extended Format (LEEF) format.
The audit log messages are redirected to a local audit file in syslog format in one of the following situations:
  • You configure the audit records to be in syslog format but do not specify the host name or IP address of the syslog server.
  • The syslog server is not reachable.

    When the syslog server is reachable again, the log records are sent to the server.

For more information, see Generating audit records in syslog format.

Configurable audit properties

For a list of all the configurable audit properties, see the properties with the prefix Audit. in the Server configuration properties and database values topic.

You can use the graphical user interface, REST interface, or command-line interface to configure auditing properties in the SKLMConfig.properties configuration file.

Audit record format

All audit records contain some common information including time stamp and record type, along with information specific to the audit event that occurred. Installing or starting IBM Security Guardium Key Lifecycle Manager writes the build level to the audit log.

Each audit record spans multiple lines in the file. The general format for audit records is as follows:

AuditRecordType:[
  timestamp=timestamp  Attribute Name=Attribute Value
  ...
  ]

An audit record in syslog format is written on a single line in the file. The format is as follows:

AuditRecordType:[timestamp=timestamp  Attribute Name=Attribute Value  ... ]

Each record starts with the audit record type, followed by a colon (:) and an opening left bracket ([), which is followed by the names and values of the attributes; the record ends with a closing right bracket (]) indented two (2) spaces.

The timestamp for the audit records is based on the system clock of the system on which IBM Security Guardium Key Lifecycle Manager is running. If these records are to be correlated based on timestamp with events occurring on other systems, use some type of time synchronization to ensure that the clocks of the various systems in the environment are synchronized to an acceptable level of accuracy.

The Attribute Name can be the transaction ID, operation type, operation name, and so on.

Sample audit record in syslog format, without LEEF format:
<37>1 2020-11-07T11:28:53.937+0530 9.xxx.xxx.xxx SKLM - SKLMAudit - %xEF.BB.BFRuntime event:[     timestamp=Nov 7, 2020 11:28:53 AM +0530         ComponentId=Thread[WebContainer : 0,5,main]     TransactionId=972da513-6b0b-470c-a024-dc33571e169c      OperationType=GUI       event source=com.ibm.tklm.ui.servlets.ServletFilter     outcome=Success         event type=SECURITY_RUNTIME     resource=[name:GUI;type:application]    action=End Operation    user=[name:SKLMAdmin]   ]
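The following Python parser is an added example, not part of the IBM documentation or the product; it reads the multi-line sequential-file layout and the non-LEEF syslog layout described above and splits attributes on runs of two or more whitespace characters, which is what keeps names such as "event type" and values such as "End Operation" intact. It assumes the syslog header follows the RFC 5424 field order shown in the sample and does not handle LEEF records.

```python
import re

# Syslog header assumed to follow the RFC 5424 layout of the sample line:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_HDR = re.compile(
    r"^<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$", re.S)
# The record itself: AuditRecordType:[ attributes ], possibly spanning several lines.
RECORD = re.compile(r"^(?P<type>[^:\[\]]+):\[(?P<body>.*)\]\s*$", re.S)
# A UTF-8 BOM may precede the record type; the documentation sample shows it as %xEF.BB.BF.
BOM_MARKERS = ("\ufeff", "%xEF.BB.BF")

def parse_record(text):
    """Return (record_type, {attribute name: value}) for one audit record."""
    text = text.strip()
    for marker in BOM_MARKERS:
        if text.startswith(marker):
            text = text[len(marker):]
    m = RECORD.match(text)
    if not m:
        raise ValueError("not an audit record: %r" % text[:40])
    attrs = {}
    # Attributes are separated by two or more whitespace characters (a run of spaces,
    # a tab, or a line break plus indentation); single spaces belong to names and values.
    for field in re.split(r"\s{2,}|\t", m.group("body")):
        name, sep, value = field.strip().partition("=")
        if not name:
            continue  # empty piece produced by leading or trailing padding
        if not sep:
            raise ValueError("attribute without '=': %r" % field)
        attrs[name.strip()] = value.strip()
    return m.group("type"), attrs

def parse_syslog_line(line):
    """Split a syslog-format line into its header fields plus the parsed record."""
    m = SYSLOG_HDR.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    header = m.groupdict()
    record_type, attrs = parse_record(header.pop("msg"))
    return header, record_type, attrs

# The documentation's sample non-LEEF syslog record, used here as test input.
SAMPLE_SYSLOG = (
    "<37>1 2020-11-07T11:28:53.937+0530 9.xxx.xxx.xxx SKLM - SKLMAudit - %xEF.BB.BFRuntime event:["
    "     timestamp=Nov 7, 2020 11:28:53 AM +0530         ComponentId=Thread[WebContainer : 0,5,main]"
    "     TransactionId=972da513-6b0b-470c-a024-dc33571e169c      OperationType=GUI       "
    "event source=com.ibm.tklm.ui.servlets.ServletFilter     outcome=Success         "
    "event type=SECURITY_RUNTIME     resource=[name:GUI;type:application]    "
    "action=End Operation    user=[name:SKLMAdmin]   ]")
```

Calling parse_syslog_line(SAMPLE_SYSLOG) yields the header fields (host, msgid, and so on) and an attribute dictionary keyed by the names shown in the sample, so a collector can correlate records on TransactionId or alert on an outcome other than Success.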
Sample audit record in LEEF format:
<37>1 2020-11-05T22:29:33.205-0800 LEEF:1.0|IBM|GKLM|4.1.0.0|SECURITY_MGMT_RESOURCE|	cat=true	src=10.xx.x.xx	ComponentId=Thread[WebContainer : 5,5,main]	 TransactionId=0390213e-5396-471e-8d5d-fb03f03cf9a8	 OperationType=GUI	 Operation=/SKLM/rest/v1/clients/groups	eventSource=com.ibm.tklm.server.api.spi.impl.ClientServiceImpl	message=CTGKM3533I Created client group with name CLIENT123.	action=Create Group	usrName=defaultWIMFileBasedRealm/SKLMAdmin	resource=CLIENT123	resourceType=application
Note: Audit record formats are not considered to be programming interfaces. The format of these records might change from release to release.