Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

13.2. Using Logs

13.2.1. Viewing Logs in the Console
Copiar enlace

To troubleshoot the subsystem, check the error or informational messages that the server has logged. Examining the log files can also monitor many aspects of the server's operation. Some log files can be viewed through the Console. However, the audit log is only accessible by users with the Auditor role, using a method detailed in Section 13.2.2, “Using Signed Audit Logs”.
To view the contents of an active or rotated system log file:
  1. Log into the Console.
  2. Select the Status tab.
  3. Under Logs, select the log to view.
  4. Set the viewing preferences in the Display Options section.
    • Entries — The maximum number of entries to be displayed. When this limit is reached, the Certificate System returns any entries that match the search request. Zero (0) means no messages are returned. If the field is blank, the server returns every matching entry, regardless of the number found.
    • Source — Select the Certificate System component or service for which log messages are to be displayed. Choosing All means messages logged by all components that log to this file are displayed.
    • Level — Select a message category that represents the log level for filtering messages.
    • Filename — Select the log file to view. Choose Current to view the currently active system log file.
  5. Click Refresh.
    The table displays the system log entries. The entries are in reverse chronological order, with the most current entry placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries.
    Each entry has the following information shown:
    • Source — The component or resource that logged the message.
    • Level — The severity of the corresponding entry.
    • Date — The date on which the entry was logged.
    • Time — The time at which the entry was logged.
    • Details — A brief description of the log.
  6. To view a full entry, double-click it, or select the entry, and click View.

13.2.2. Using Signed Audit Logs
Copiar enlace

This section explains how a user in the Auditor group displays and verifies signed audit logs.

13.2.2.1. Listing Audit Logs
Copiar enlace

As a user with auditor privileges, use the the pki subsystem-audit-file-find command to list existing audit log files on the server.
For example, to list the audit log files on the CA hosted on server.example.com: 
# pki -h server.example.com -p 8443 -n auditor ca-audit-file-find
-----------------
3 entries matched
-----------------
  File name: ca_audit.20170331225716
  Size: 2883

  File name: ca_audit.20170401001030
  Size: 189

  File name: ca_audit
  Size: 6705
----------------------------
Number of entries returned 3
----------------------------
Copy to Clipboard Toggle word wrap
The command uses the client certificate with the auditor nickname stored in the ~/.dogtag/nssdb/ directory for authenticating to the CA. For further details about the parameters used in the command and alternative authentication methods, see the pki(1) man page.

13.2.2.2. Downloading Audit Logs
Copiar enlace

As a user with auditor privileges, use the pki subsystem-audit-file-retrieve command to download a specific audit log from the server.
For example, to download an audit log file from the CA hosted on server.example.com:
  1. Optionally, list the available log files on the CA. See Section 13.2.2.1, “Listing Audit Logs”.
  2. Download the log file. For example, to download the ca_audit file: 
    # pki -U https://server.example.com:8443 -n auditor ca-audit-file-retrieve ca_audit
    Copy to Clipboard Toggle word wrap
    The command uses the client certificate with the auditor nickname stored in the ~/.dogtag/nssdb/ directory for authenticating to the CA. For further details about the parameters used in the command and alternative authentication methods, see the pki(1) man page.
After downloading a log file, you can search for specific log entries, for example, using the grep utility: 
# grep "\[AuditEvent=ACCESS_SESSION_ESTABLISH\]" log_file
Copy to Clipboard Toggle word wrap

13.2.2.3. Verifying Signed Audit Logs
Copiar enlace

If audit log signing is enabled, users with auditor privileges can verify the logs:
  1. Initialize the NSS database and import the CA certificate. For details, see the Command-line Initialization section in the Red Hat Certificate System 9 Planning, Installation and Deployment Guide (Common Criteria Edition).
  2. If the audit signing certificate does not exist in the PKI client database, import it:
    1. Search the audit signing certificate for the subsystem logs you want to verify. For example: 
      # pki ca-cert-find --name "CA Audit Signing Certificate"
---------------
1 entries found
---------------
  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jul 08 03:56:08 CEST 2016
  Not Valid After: Thu Jun 28 03:56:08 CEST 2018
  Issued On: Fri Jul 08 03:56:08 CEST 2016
  Issued By: system
----------------------------
Number of entries returned 1
----------------------------
      Copy to Clipboard Toggle word wrap
    2. Import the audit signing certificate into the PKI client: 
      # pki client-cert-import "CA Audit Signing Certificate" --serial 0x5 --trust ",,P"
---------------------------------------------------
Imported certificate "CA Audit Signing Certificate"
---------------------------------------------------
      Copy to Clipboard Toggle word wrap
  3. Download the audit logs. See Section 13.2.2.2, “Downloading Audit Logs”.
  4. Verify the audit logs.
    1. Create a text file that contains a list of the audit log files you want to verify in chronological order. For example: 
      # cat > ~/audit.txt << EOF
ca_audit.20170331225716
ca_audit.20170401001030
ca_audit
EOF
      Copy to Clipboard Toggle word wrap
    2. Use the AuditVerify utility to verify the signatures. For example: 
      # AuditVerify -d ~/.dogtag/nssdb/ -n "CA Audit Signing Certificate" \
     -a ~/audit.txt
Verification process complete.
Valid signatures: 10
Invalid signatures: 0
      Copy to Clipboard Toggle word wrap
      For further details about using AuditVerify, see the AuditVerify(1) man page.

13.2.3. Displaying Operating System-level Audit Logs
Copiar enlace

Note

To see Operating System-level audit logs using the instructions below, the auditd logging framework must be configured per the Enabling OS-level Audit Logs section in the Red Hat Certificate System 9 Planning, Installation and Deployment Guide (Common Criteria Edition).
To display operating system-level access logs, use the ausearch utility as root or as a privileged user with the sudo utility.

13.2.3.1. Displaying Audit Log Deletion Events
Copiar enlace

Since these events are keyed (with rhcs_audit_deletion), use the -k parameter to find events matching that key: 
# ausearch -k rhcs_audit_deletion
Copy to Clipboard Toggle word wrap
Since these events are keyed (with rhcs_audit_nssdb), use the -k parameter to find events matching that key: 
# ausearch -k rhcs_audit_nssdb
Copy to Clipboard Toggle word wrap

13.2.3.3. Displaying Time Change Events
Copiar enlace

Since these events are keyed (with rhcs_audit_time_change), use the -k parameter to find events matching that key: 
# ausearch -k rhcs_audit_time_change
Copy to Clipboard Toggle word wrap

13.2.3.4. Displaying Package Update Events
Copiar enlace

Since these events are a typed message (of type SOFTWARE_UPDATE), use the -m parameter to find events matching that type: 
# ausearch -m SOFTWARE_UPDATE
Copy to Clipboard Toggle word wrap

13.2.3.5. Displaying Changes to the PKI Configuration
Copiar enlace

Since these events are keyed (with rhcs_audit_config), use the -k parameter to find events matching that key: 
# ausearch -k rhcs_audit_config
Copy to Clipboard Toggle word wrap
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat