13.2. Using Logs
13.2.1. Viewing Logs in the Console
To troubleshoot the subsystem, check the error or informational messages that the server has logged. Examining the log files also lets you monitor many aspects of the server's operation. Some log files can be viewed through the Console. However, the audit log is accessible only to users with the Auditor role, using the method described in Section 13.2.2, “Using Signed Audit Logs”.
To view the contents of an active or rotated system log file:
- Log into the Console.
- Select the Status tab.
- Under Logs, select the log to view.
- Set the viewing preferences in the Display Options section.
- Entries — The maximum number of entries to be displayed. When this limit is reached, the Certificate System returns any entries that match the search request. Zero (0) means no messages are returned. If the field is blank, the server returns every matching entry, regardless of the number found.
- Source — Select the Certificate System component or service for which log messages are to be displayed. Choosing All means messages logged by all components that log to this file are displayed.
- Level — Select a message category that represents the log level for filtering messages.
- Filename — Select the log file to view. Choose Current to view the currently active system log file.
- Click. The table displays the system log entries in reverse chronological order, with the most recent entry at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries. Each entry shows the following information:
- Source — The component or resource that logged the message.
- Level — The severity of the corresponding entry.
- Date — The date on which the entry was logged.
- Time — The time at which the entry was logged.
- Details — A brief description of the log entry.
- To view a full entry, double-click it, or select the entry, and click.
13.2.2. Using Signed Audit Logs
This section explains how a user in the Auditor group displays and verifies signed audit logs.
13.2.2.1. Listing Audit Logs
As a user with auditor privileges, use the pki subsystem-audit-file-find command to list the existing audit log files on the server.
For example, to list the audit log files on the CA hosted on server.example.com:
# pki -h server.example.com -p 8443 -n auditor ca-audit-file-find
-----------------
3 entries matched
-----------------
  File name: ca_audit.20170331225716
  Size: 2883

  File name: ca_audit.20170401001030
  Size: 189

  File name: ca_audit
  Size: 6705
----------------------------
Number of entries returned 3
----------------------------
The command uses the client certificate with the auditor nickname stored in the ~/.dogtag/nssdb/ directory for authenticating to the CA. For further details about the parameters used in the command and alternative authentication methods, see the pki(1) man page.
13.2.2.2. Downloading Audit Logs
As a user with auditor privileges, use the pki subsystem-audit-file-retrieve command to download a specific audit log from the server.
For example, to download an audit log file from the CA hosted on server.example.com:
- Optionally, list the available log files on the CA. See Section 13.2.2.1, “Listing Audit Logs”.
- Download the log file. For example, to download the ca_audit file:
# pki -U https://server.example.com:8443 -n auditor ca-audit-file-retrieve ca_audit
The command uses the client certificate with the auditor nickname stored in the ~/.dogtag/nssdb/ directory for authenticating to the CA. For further details about the parameters used in the command and alternative authentication methods, see the pki(1) man page.
After downloading a log file, you can search for specific log entries, for example, using the grep utility:
# grep "\[AuditEvent=ACCESS_SESSION_ESTABLISH\]" log_file
13.2.2.3. Verifying Signed Audit Logs
If audit log signing is enabled, users with auditor privileges can verify the logs:
- Initialize the NSS database and import the CA certificate. For details, see the Command-line Initialization section in the Red Hat Certificate System 9 Planning, Installation and Deployment Guide (Common Criteria Edition).
- If the audit signing certificate does not exist in the PKI client database, import it:
- Search the audit signing certificate for the subsystem logs you want to verify. For example:
# pki ca-cert-find --name "CA Audit Signing Certificate"
---------------
1 entries found
---------------
  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jul 08 03:56:08 CEST 2016
  Not Valid After: Thu Jun 28 03:56:08 CEST 2018
  Issued On: Fri Jul 08 03:56:08 CEST 2016
  Issued By: system
----------------------------
Number of entries returned 1
----------------------------
- Import the audit signing certificate into the PKI client:
# pki client-cert-import "CA Audit Signing Certificate" --serial 0x5 --trust ",,P"
---------------------------------------------------
Imported certificate "CA Audit Signing Certificate"
---------------------------------------------------
- Download the audit logs. See Section 13.2.2.2, “Downloading Audit Logs”.
- Verify the audit logs.
- Create a text file that contains a list of the audit log files you want to verify in chronological order. For example:
# cat > ~/audit.txt << EOF
ca_audit.20170331225716
ca_audit.20170401001030
ca_audit
EOF
- Use the AuditVerify utility to verify the signatures. For example:
# AuditVerify -d ~/.dogtag/nssdb/ -n "CA Audit Signing Certificate" \
    -a ~/audit.txt
Verification process complete.
Valid signatures: 10
Invalid signatures: 0
For further details about using AuditVerify, see the AuditVerify(1) man page.
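The listing, download and verification steps in Section 13.2.2 can be tied together in a script. The following is an added example, not part of the Red Hat documentation or the pki tooling: it derives the chronological file list that AuditVerify expects from the ca-audit-file-find output (rotated files sorted by their timestamp suffix, the active file last) and checks the AuditVerify summary for invalid signatures. It assumes rotated logs are named <prefix>.<YYYYMMDDhhmmss>, that ca-audit-file-retrieve writes each file into the current directory, and that the CA host name is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the Certificate System documentation.
# Assumptions: rotated audit files are named <prefix>.<YYYYMMDDhhmmss>, the active
# file is the bare <prefix>, and retrieved files land in the current directory.

# Constructed sample of "ca-audit-file-find" output (deliberately not in
# chronological order, which is the case the list builder has to handle).
SAMPLE_FIND_OUTPUT='-----------------
3 entries matched
-----------------
  File name: ca_audit
  Size: 6705

  File name: ca_audit.20170401001030
  Size: 189

  File name: ca_audit.20170331225716
  Size: 2883
----------------------------
Number of entries returned 3
----------------------------'

# Read find output on stdin; print the file names in the order AuditVerify needs:
# rotated files sorted by their 14-digit timestamp suffix, then the active file.
audit_file_order() {
    names=$(sed -n 's/^ *File name: *//p')
    printf '%s\n' "$names" | grep '\.[0-9]\{14\}$' | sort
    printf '%s\n' "$names" | grep -v '\.[0-9]\{14\}$' || true
}

# Read an AuditVerify summary on stdin; succeed only if it reports 0 invalid signatures.
audit_verify_ok() {
    invalid=$(sed -n 's/^Invalid signatures: *//p')
    [ -n "$invalid" ] && [ "$invalid" -eq 0 ]
}

# Full workflow against a live CA; $1 is the CA host name (assumed port 8443).
verify_ca_audit_logs() {
    host=$1
    pki -h "$host" -p 8443 -n auditor ca-audit-file-find | audit_file_order > ~/audit.txt
    while read -r f; do
        pki -h "$host" -p 8443 -n auditor ca-audit-file-retrieve "$f"
    done < ~/audit.txt
    AuditVerify -d ~/.dogtag/nssdb/ -n "CA Audit Signing Certificate" -a ~/audit.txt | audit_verify_ok
}
```

Run as the auditor user with `verify_ca_audit_logs server.example.com`; a non-zero exit means at least one signature failed to verify or the summary was missing.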
13.2.3. Displaying Operating System-level Audit Logs
Note
To see Operating System-level audit logs using the instructions below, the auditd logging framework must be configured per the Enabling OS-level Audit Logs section in the Red Hat Certificate System 9 Planning, Installation and Deployment Guide (Common Criteria Edition).
To display operating system-level access logs, use the ausearch utility as root or as a privileged user with the sudo utility.
13.2.3.1. Displaying Audit Log Deletion Events
Since these events are keyed (with rhcs_audit_deletion), use the -k parameter to find events matching that key:
# ausearch -k rhcs_audit_deletion
13.2.3.2. Displaying Access to the NSS Database for Secret and Private Keys
Since these events are keyed (with rhcs_audit_nssdb), use the -k parameter to find events matching that key:
# ausearch -k rhcs_audit_nssdb
13.2.3.3. Displaying Time Change Events
Since these events are keyed (with rhcs_audit_time_change), use the -k parameter to find events matching that key:
# ausearch -k rhcs_audit_time_change
13.2.3.4. Displaying Package Update Events
Since these events are a typed message (of type SOFTWARE_UPDATE), use the -m parameter to find events matching that type:
# ausearch -m SOFTWARE_UPDATE
13.2.3.5. Displaying Changes to the PKI Configuration
Since these events are keyed (with rhcs_audit_config), use the -k parameter to find events matching that key:
# ausearch -k rhcs_audit_config
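The five ausearch queries in Section 13.2.3 are usually run together on a schedule rather than one at a time. The following is an added example, not from the Red Hat documentation: it runs each query over one time window and reports the number of matching events per category, so an unexpected non-zero count for audit log deletion, NSS database key access or time changes stands out. The audit keys and the SOFTWARE_UPDATE type are from this section; the -ts/-te options are standard ausearch time filters, and the AUSEARCH variable is an assumption added so the report can be exercised with a stub.

```shell
#!/bin/sh
# Added example, not from the Certificate System documentation.
# AUSEARCH lets a stub replace the real binary when testing; default is ausearch.
AUSEARCH=${AUSEARCH:-ausearch}

# ausearch prints one "----" separator line per matching event; count them on stdin.
# grep -c exits 1 when the count is 0, which is not an error here.
count_audit_events() {
    grep -c '^----$' || true
}

# Run one query and print the event count.
# $1 is "key" (ausearch -k) or "type" (ausearch -m); $2 is the key name or message
# type; $3/$4 are the -ts/-te values (e.g. "today", "yesterday", "recent", "now").
# stderr is discarded because ausearch reports "<no matches>" there.
query_count() {
    case $1 in
        key)  "$AUSEARCH" -k "$2" -ts "$3" -te "$4" 2>/dev/null | count_audit_events ;;
        type) "$AUSEARCH" -m "$2" -ts "$3" -te "$4" 2>/dev/null | count_audit_events ;;
        *)    echo "query_count: unknown selector $1" >&2; return 2 ;;
    esac
}

# Print "<category> <count>" for every event category in Section 13.2.3.
audit_sweep() {
    since=${1:-today}
    until=${2:-now}
    printf 'audit_log_deletion %s\n' "$(query_count key rhcs_audit_deletion "$since" "$until")"
    printf 'nssdb_key_access %s\n'   "$(query_count key rhcs_audit_nssdb "$since" "$until")"
    printf 'time_change %s\n'        "$(query_count key rhcs_audit_time_change "$since" "$until")"
    printf 'package_update %s\n'     "$(query_count type SOFTWARE_UPDATE "$since" "$until")"
    printf 'pki_config_change %s\n'  "$(query_count key rhcs_audit_config "$since" "$until")"
}

# Usage (as root, e.g. from a daily cron job): audit_sweep yesterday now
```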