Skip to main content

Key Management Service - Pushing logs to Logs Data Platform

Stephanie R.
Updated

Learn about logs generated by OVHcloud KMS and how they are managed from Logs Data Platform.

 

Requirements

 

Instructions

Description

OVHcloud KMS has a native integration with Logs Data Platform for logs management.

 

Logs direct access

From the OVHcloud Control Panel, navigate to your Key Management Service via the Identity, Security & Operations menu.

Once there, click the Logs tab.

manager_kms_logsTab_large.png

This tab displays all KMS logs in real time. A selector allows you to switch the display between the two types of logs:

  • REST API audit logs.
  • KMIP audit logs.

 

Logs access through LDP

From the Logs tab, you can Subscribe to an LDP data stream. Once the subscription is enabled, all the logs will be pushed to Logs Data Platform to archive generated logs and perform advanced searches, and create alerts or visualizations.

For more information, please refer to our Quick Start for Logs Data Platform guide.

manager_kms_subscribeLDP.png

 

Available logs details

KMS logs contain the following information:

  • REST API

    Logs are displayed with this format:

    {{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}

    Example: 

    INFO | GET /v1/servicekey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - 200 - identity: urn:v1:us:identity:group:xx1111-ovh/john.smith - operation: okms:apiovh:serviceKey/get on urn:v1:us:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxx/serviceKey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - from Manager/APIv2 - request id: us.manager-5.684c3abe.3880620.2080cff16eaa5539bf92cxxxxxxxx

    Elements that can be pushed to Logs Data Platform:

    Field Description
    domain_id OKMS domain ID
    request_id request ID
    type  
    log_level Log priority level
    client_ip IP of the client making the request
    tls_cert_id Authentication certificate ID used
    res_urn target resource URN
    region OKMS domain region
    iam_operation IAM action evalutated
    iam_identities IAM identity used for rights evaluation
    http_path Request path
    http_status HTTP answer status
    http_method Request method
    err_category Error category

  • KMIP

    Logs are displayed with this format:

    {{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}

    Example: 

    INFO | GET on urn:v1:us:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxxx/kmip/ff55638c-3e86-4cb3-xxxx-xxxxxxxx - identity: urn:v1:us:identity:account:xx1111-ovh - operation: okms:kmip:get - from XXX.XXX.XXX.XXX with certificate e7850a19-a5de-4527-xxxx-xxxxxxxxx - request id: OKMS.db61c455-abfa-4a66-xxxx-xxxxxxxxxxx

    Elements that can be pushed to Logs Data Platform:

    Field Description
    domain_id OKMS domain ID
    request_id Request ID
    log_level Log priority level
    client_ip IP of the client making the request
    tls_cert_id Authentication certificate ID used
    res_urn Target resource URN
    region OKMS domain region
    iam_operation IAM action evalutated
    iam_identities IAM identity used for rights evaluation
    kmip_operation KMIP operation used
    kmip_reason Standard KMIP error code

 

Go further

For more information and tutorials, please see our other Manage & Operate support guides or explore the guides for other OVHcloud products and services.

Related articles