Log
The HSM produces and maintains a record of all events (the audit log) inside its cryptographic boundary: the opening and closing of sessions by users, initialization, activation and shutdown of the HSM, clearing of the log, access to cryptographic keys, among others.
The event log records user authentication attempts (successful or not) and cryptographic key events: creation or generation, use, release for use (in authenticated partitions protected by an M of N scheme) and secure destruction of the key.
Only operators and users holding the specific permissions can access the log, whether to consult, export or clear it.
Events can also be monitored in real time as they are recorded. Monitoring uses a special session type that runs in passive mode, waiting for notifications pushed by the HSM. To conserve HSM resources, at most three sessions of this type can be open at the same time.
Establish a policy of regularly exporting the HSM log to files and then clearing the log on the HSM. This keeps log analysis manageable and export operations fast; the HSM itself does not lose performance when working with very large logs. Whenever the log is cleared, the first event recorded in the new log is the clearing operation itself, so a clear never goes unrecorded.
See the topic Log recovery for operating details.
Authenticated Log
An exported log can be authenticated, which lets the operator verify its origin and integrity. The mechanism is a MAC (Message Authentication Code) computed with a DPK (Data Protection Key) derived from the SVMK that activated the HSM. Both compressed and uncompressed exported logs can be authenticated.
To verify, submit the exported file (compressed or not) to an HSM activated with the same SVMK as the unit the log was exported from. It need not be the very same HSM: any HSM activated with that SVMK derives the same DPK and can check the MAC; conversely, an HSM activated with a different SVMK cannot verify it.
Authentication uses an LSH (Log Hash) and an LAC (Log Authentication Code). In the uncompressed log the LAC is appended as text at the end of the file (e.g. =>LAC: 43E...26A); in the compressed log it is included in the metadata structure.
At present, the authentication and verification option is available only in the GUI console.
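The flow described above, as an added illustration that is not the HSM vendor's code: a Python model of authenticating and then verifying an uncompressed export with a trailing =>LAC: line. The page does not specify the KDF, hash or MAC algorithms, so HMAC-SHA256 for the DPK derivation and the LAC, SHA-256 for the LSH, the trailer parsing, the SAMPLE_LOG lines and the SVMK bytes are all assumptions made here. On a real deployment the SVMK and DPK never leave the HSM and the check is performed by submitting the file to the HSM through the GUI console; this model only shows what that check does and how it fails.

```python
import hashlib
import hmac

# Constructed sample of an exported (uncompressed) HSM log. The line format is
# illustrative only; the real export format is not documented on this page.
SAMPLE_LOG = (
    "2024-01-15 09:00:01 SESSION_OPEN user=operator1 result=OK\n"
    "2024-01-15 09:00:02 KEY_ACCESS key=rsa-sign-01 op=SIGN user=operator1\n"
    "2024-01-15 09:00:03 AUTH_FAIL user=operator2\n"
    "2024-01-15 09:00:04 SESSION_CLOSE user=operator1\n"
)

LAC_MARKER = "=>LAC: "  # trailer prefix as shown on the page


def derive_dpk(svmk: bytes) -> bytes:
    """Assumed KDF: derive the Data Protection Key from the SVMK with HMAC-SHA256.
    The page only states that the DPK is derived from the SVMK; the real KDF is not documented."""
    return hmac.new(svmk, b"log-authentication-dpk", hashlib.sha256).digest()


def compute_lsh(body: bytes) -> bytes:
    """Assumed LSH: SHA-256 over the log body (everything before the LAC trailer)."""
    return hashlib.sha256(body).digest()


def compute_lac(dpk: bytes, lsh: bytes) -> str:
    """Assumed LAC: HMAC-SHA256 of the LSH under the DPK, upper-case hex."""
    return hmac.new(dpk, lsh, hashlib.sha256).hexdigest().upper()


def append_lac(log_text: str, svmk: bytes) -> str:
    """Produce the authenticated export: log body followed by one '=>LAC: <hex>' line."""
    body = log_text.encode()
    lac = compute_lac(derive_dpk(svmk), compute_lsh(body))
    return log_text + f"{LAC_MARKER}{lac}\n"


def split_trailer(exported: str) -> tuple[bytes, str]:
    """Separate the log body from the trailing LAC line.
    A file without the trailer is rejected outright rather than treated as unauthenticated-but-fine."""
    lines = exported.splitlines(keepends=True)
    if not lines or not lines[-1].startswith(LAC_MARKER):
        raise ValueError("no =>LAC trailer found; file is not an authenticated export")
    body = "".join(lines[:-1]).encode()
    claimed_lac = lines[-1][len(LAC_MARKER):].strip()
    return body, claimed_lac


def verify_exported_log(exported: str, svmk: bytes) -> bool:
    """Recompute the LAC under the DPK derived from svmk and compare in constant time.
    Only a verifier holding the same SVMK (i.e. an HSM activated with it) can succeed."""
    body, claimed_lac = split_trailer(exported)
    expected_lac = compute_lac(derive_dpk(svmk), compute_lsh(body))
    return hmac.compare_digest(expected_lac, claimed_lac)


if __name__ == "__main__":
    svmk = b"\x01" * 32  # constructed SVMK; a real SVMK never leaves the HSM
    exported = append_lac(SAMPLE_LOG, svmk)
    print(verify_exported_log(exported, svmk))            # True: untouched export
    tampered = exported.replace("AUTH_FAIL user=operator2", "AUTH_OK user=operator2")
    print(verify_exported_log(tampered, svmk))            # False: body altered
    print(verify_exported_log(exported, b"\x02" * 32))    # False: different SVMK
```

Two properties of the real mechanism are visible here: editing any byte of the body (for example rewriting a failed authentication as a success) invalidates the LAC, and a verifier activated with a different SVMK derives a different DPK and cannot confirm the file, which is why the page requires an HSM activated with the same SVMK. The verifier should also treat a file with no trailer as a failure, not as a log that merely lacks authentication.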