
Logs

Main menu option: Logs...

Manages the HSM's event and audit logs (Logs). You can export the logs to a file (Retrieve), clear the logs in the HSM (Clear) or follow the logs generated during HSM operation in real time (Follow).

Log recovery
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - Logs



 1 - Retrieve
 2 - Clear
 3 - Follow
 0 - Main Menu

Option:

Log recovery

Exports the HSM's event log to a file on the user's workstation. The log records can be used for audit analysis (for example, to review key usage) or to monitor HSM operation and detect problems.

The size of the log is shown before the user confirms the operation.

It is recommended that you establish a policy of regularly exporting HSM logs to files and then clearing the log in the HSM. This makes log analysis easier and log extraction faster. Working with very large logs does not degrade HSM performance.

Occasionally the size of the file received may be larger than indicated because new events have been recorded while the log is being exported.

The log is received from the HSM in its native, proprietary format. Each event carries date, time, thread, counter and cid (correlation id) fields, separated from the event text by a | character (yyyy/mm/dd HH:MM:SS tttttttt cccccccc iiiiiiii|text):

  1. yyyy: year
  2. mm: month
  3. dd: day
  4. HH: hour
  5. MM: minute
  6. SS: second
  7. tttttttt: identifier (8 hexadecimal digits) of the HSM's internal physical work session (thread) in which the event occurred. Not every internal session corresponds to a client session: certain events are generated by the HSM firmware, and the same HSM work session can serve several client sessions in sequence.
  8. cccccccc: monotonic event counter, reset each time the HSM is started
  9. iiiiiiii: correlation id (cid) identifies a client session; all events in the same client session receive the same identifier, which is unique per session.
  10. |: separator character, literal (the HSM console changes this separator to a space).
  11. text: description of the event.

Some log events can bring context-specific attributes, such as key type, object flags and physical session identifier. For example:

  1. t:n for the type of algorithm/key, e.g. 6 for RSA 2048 (a more extensive list of types is given below).
  2. a:n for object attributes (e.g. a:0 indicates a non-exportable key, i.e. export bit off; for RSA it also indicates the default public exponent 2^16 + 1 = 65537).
  3. c:n for the physical identifier(socket) of the session.
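The record layout and attributes described above, parsed by an added example (written for this page, not part of the Dinamo console or its libraries). It accepts both the native "|" after the cid and the space the console prints there, splits off the trailing "client server user" origin, decodes the single-letter attributes, maps t: through a subset of the type table below, and runs the checks an auditor would want: client sessions grouped by cid, non-consecutive event counters, and records that mark a log clearing. The log lines are constructed from the patterns shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the documented layout; the native file has '|' right
# after the cid field, the console prints a space there, both are accepted.
SAMPLE_LOG = """\
2022/01/11 22:31:54 00000052 00000199 EE4E6C03|172.17.0.1 auth try, c: 21, tls: y, 2|172.17.0.1 172.17.0.2:4433 -
2022/01/11 22:31:54 00000052 0000019A EE4E6C03|master auth ok, 172.17.0.1, 2|172.17.0.1 172.17.0.2:4433 -
2022/01/11 22:32:17 00000052 0000019B EE4E6C03 new key prodkey, t: 6, a: 0, c: 21|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:32:17 00000052 0000019D EE4E6C03 priv key prodkey created|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:40:00 0000004C 0000019E A575C340|log truncated|172.17.0.1 172.17.0.2:4433 master
"""

# Subset of the algorithm type codes from the table on this page
ALG_TYPES = {1: "ALG_DES", 6: "ALG_RSA_2048", 9: "ALG_AES_256",
             11: "ALG_RSA_4096", 30: "ALG_ECC_SECP256R1"}

HEADER = re.compile(r"^(\d{4}/\d\d/\d\d) (\d\d:\d\d:\d\d) "
                    r"([0-9A-F]{8}) ([0-9A-F]{8}) ([0-9A-F]{8})[| ](.*)$")
ATTR = re.compile(r"\b([a-z]): ?(\w+)")   # single-letter attributes, e.g. t: 6

def parse_event(line):
    """Split one record into its fields; returns None for a malformed line."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    date, time, thread, counter, cid, rest = m.groups()
    # The trailing "client server user" origin follows the last '|'
    text, sep, origin = rest.rpartition("|")
    if not sep:
        text, origin = rest, ""
    attrs = {k: int(v) if v.isdigit() else v for k, v in ATTR.findall(text)}
    return {"date": date, "time": time, "thread": thread,
            "counter": int(counter, 16), "cid": cid, "text": text,
            "origin": origin, "attrs": attrs,
            "key_type": ALG_TYPES.get(attrs.get("t"))}

def parse_log(data):
    return [e for e in (parse_event(ln) for ln in data.splitlines()) if e]

def sessions(events):
    """Group event texts by cid: all events of one client session share it."""
    by_cid = defaultdict(list)
    for e in events:
        by_cid[e["cid"]].append(e["text"])
    return dict(by_cid)

def counter_breaks(events):
    """Adjacent counters that are not consecutive: a decrease means the HSM
    restarted, a jump means records are missing from what was retrieved."""
    ctrs = [e["counter"] for e in events]
    return [(a, b) for a, b in zip(ctrs, ctrs[1:]) if b != a + 1]

def truncations(events):
    """Records that mark a log clearing, with the user who performed it."""
    return [(e["text"], e["origin"].split()[-1]) for e in events
            if e["text"].startswith("log truncated")]
```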

Log retrieval to file
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - Logs - Retrieve

Log size : 34250 bytes (33.45 KB).
Interval : 2022-Jan-10 to 2022-Jan-11

Retrieve logs (y/[n]): y
Filter interval (y/[n]):
Zip log in HSM before retrieving (y/[n]):
Local file to save logs: hsmlogs.txt
.

Logs successfully retrieved.

Press ENTER key to continue...

List of algorithm types for reference in the log

INVALID_OBJ_TYPE            0
ALG_DES                     1
ALG_3DES_112                2 (EDE)
ALG_3DES_168                3 (EDE)
ALG_RSA_512                 4
ALG_RSA_1024                5
ALG_RSA_2048                6
ALG_AES_128                 7
ALG_AES_192                 8
ALG_AES_256                 9
ALG_ARC4                   10 (128)
ALG_RSA_4096               11
ALG_OBJ_BLOB               12
ALG_OBJ_BLOB_X509          13
ALG_OBJ_BLOB_PKCS7         14
ALG_OBJ_BLOB_CRL           15
ALG_OBJ_BLOB_HOTP          16
ALG_ECC_SECP112R1          18 (SECG/WTLS curve over a 112 bit prime field)
ALG_ECC_SECP112R2          19 (SECG curve over a 112 bit prime field)
ALG_ECC_SECP128R1          20 (SECG curve over a 128 bit prime field)
ALG_ECC_SECP128R2          21 (SECG curve over a 128 bit prime field)
ALG_ECC_SECP160K1          22 (SECG curve over a 160 bit prime field)
ALG_ECC_SECP160R1          23 (SECG curve over a 160 bit prime field)
ALG_ECC_SECP160R2          24 (SECG/WTLS curve over a 160 bit prime field)
ALG_ECC_SECP192K1          25 (SECG curve over a 192 bit prime field)
ALG_ECC_SECP192R1          26 (NIST/X9.62/SECG curve over a 192 bit prime field)
ALG_ECC_SECP224K1          27 (SECG curve over a 224 bit prime field)
ALG_ECC_SECP224R1          28 (NIST/SECG curve over a 224 bit prime field)
ALG_ECC_SECP256K1          29 (SECG curve over a 256 bit prime field)
ALG_ECC_SECP256R1          30 (NIST/X9.62/SECG curve over a 256 bit prime field)
ALG_ECC_SECP384R1          31 (NIST/SECG curve over a 384 bit prime field)
ALG_ECC_SECP521R1          32 (NIST/SECG curve over a 521 bit prime field)
ALG_ECC_X9_62_PRIME192V1   26
ALG_ECC_X9_62_PRIME192V2   33 (X9.62 curve over a 192 bit prime field)
ALG_ECC_X9_62_PRIME192V3   34 (X9.62 curve over a 192 bit prime field)
ALG_ECC_X9_62_PRIME239V1   35 (X9.62 curve over a 239 bit prime field)
ALG_ECC_X9_62_PRIME239V2   36 (X9.62 curve over a 239 bit prime field)
ALG_ECC_X9_62_PRIME239V3   37 (X9.62 curve over a 239 bit prime field)
ALG_ECC_X9_62_PRIME256V1   30
ALG_ECC_BRAINPOOL_P160R1   38 (RFC 5639 standard curves)
ALG_ECC_BRAINPOOL_P160T1   39
ALG_ECC_BRAINPOOL_P192R1   40
ALG_ECC_BRAINPOOL_P192T1   41
ALG_ECC_BRAINPOOL_P224R1   42
ALG_ECC_BRAINPOOL_P224T1   43
ALG_ECC_BRAINPOOL_P256R1   44
ALG_ECC_BRAINPOOL_P256T1   45
ALG_ECC_BRAINPOOL_P320R1   46
ALG_ECC_BRAINPOOL_P320T1   47
ALG_ECC_BRAINPOOL_P384R1   48
ALG_ECC_BRAINPOOL_P384T1   49
ALG_ECC_BRAINPOOL_P512R1   50
ALG_ECC_BRAINPOOL_P512T1   51
ALG_MAP_2_OBJ              90
ALG_DESX                   91
ALG_HMAC_MD5               92
ALG_HMAC_SHA1              93
ALG_HMAC_SHA2_256          94
ALG_HMAC_SHA2_384          95
ALG_HMAC_SHA2_512          96
ALG_CMAC_AES              250
ALG_CMAC_DES              251
ALG_RSA_1152              121
ALG_RSA_1408              122
ALG_RSA_1984              123
ALG_RSA_8192              124
ALG_EXT_MAP_2_OBJ         125
ALG_RSA_2304              126
ALG_RSA_2560              127
ALG_RSA_2816              128
ALG_RSA_3072              129

Cleaning up logs

Removes all event records in the HSM log. This operation is irreversible. It is recommended that you always export the log to file before performing a complete deletion of the HSM log.

When the log is cleared in the HSM, the first record of the new log indicates that the log was cleared and which user performed the operation:

Example:

2022/01/11 22:28:56 0000004C 0000017C A575C340 log truncated|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:28:56 0000004C 0000017D A575C340 master truncated log|172.17.0.1 172.17.0.2:4433 master

Cleaning up the HSM log
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - Logs - Clear

Log size :  34774 bytes (33.96 KB).

*******************************************************************************
*                                                                             *
*                                   Warning                                   *
*                                                                             *
*     If the logs are cleared you will not be able to recover them later.     *
*                                                                             *
*******************************************************************************

Confirm clearing logs (y/[n]): y

Logs successfully cleared.

Press ENTER key to continue...

Real-time logs

Displays log events at the same time as they are generated.

For the remote console program to receive log events in real time, it goes into passive mode and is notified by the HSM whenever a new event occurs. To stop receiving events, close the remote console program with the Control+C keys. The events received are the same as those recorded in the HSM log. The date and time shown in the events is from the HSM, not the station or server.

Up to three event monitoring sessions can be open at the same time; this limit is intended to conserve server resources.

Real-time logging
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - Logs - Follow

Press Control+C to exit...

2022/01/11 22:31:54 00000052 00000198 000A3309 session thread up [2]
2022/01/11 22:31:54 00000052 00000199 EE4E6C03 172.17.0.1 auth try, c: 21, tls: y, 2|172.17.0.1 172.17.0.2:4433 -
2022/01/11 22:31:54 00000052 0000019A EE4E6C03 master auth init, c: 21|172.17.0.1 172.17.0.2:4433 -
2022/01/11 22:31:54 00000052 0000019B EE4E6C03 master auth ok, 172.17.0.1, 2|172.17.0.1 172.17.0.2:4433 -
2022/01/11 22:31:54 00000052 0000019C EE4E6C03 172.17.0.1#21 probe|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:31:54 00000052 0000019D EE4E6C03 172.17.0.1#21 probe|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:31:54 00000052 0000019E EE4E6C03 172.17.0.1#21 probe|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:31:54 00000052 0000019F EE4E6C03 172.17.0.1#21 probe|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:31:54 00000052 000001A0 EE4E6C03 172.17.0.1#21 probe|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:31:54 00000052 000001A1 EE4E6C03 172.17.0.1#21 probe|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:32:17 00000052 000001A2 EE4E6C03 new key prodkey, t: 6, a: 0, c: 21|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:32:17 00000052 000001A3 EE4E6C03 R_COOR trying to setup EEFC642F1A9A3A5F 04|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:32:17 00000052 000001A4 EE4E6C03 R_COOR prepared EEFC642F1A9A3A5F 04|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:32:17 00000052 000001A5 EE4E6C03 priv key prodkey created|172.17.0.1 172.17.0.2:4433 master
2022/01/11 22:32:32 00000052 000001A6 EE4E6C03 rsa prodkey!9FcLP5AfWsa/Xp+AXsMMpN7V8FSYfOpHk1+7hbW4OKM=, c: 21|172.17.0.1 172.17.0.2:4433 master