Policy and Key Audit logs
The policy audit logs generated for policy-related operations are sent to the ESA. You can view them in Discover. Log in to the ESA and navigate to Audit Store > Dashboard > Open in new tab. Select Discover from the menu and select a time period such as Last 30 days.
Note:
- The policy and key audit log codes are similar to the previous version.
- The log descriptions in v10.2.0 are revised for policy and key audits. These changes may impact automated systems, alerts, and parsing logic in production environments. We recommend reviewing and updating any dependent tools or queries.
event_status Field
In ESA v10.2.0, a new field, event_status, has been introduced for all policy- and key-related audits. This field captures the outcome of each policy operation:
- Success: Indicates the action was completed successfully.
- Failure: Indicates the action was unsuccessful due to an error.
- Other: Indicates that the outcome cannot be classified as either a success or a failure. The other value is usually used for logs that provide information about an operation performed.
Example: Master Key Rotation – Success and Failure
Success Scenario
Imagine you are performing a routine rotation of the Master Key to maintain cryptographic hygiene. The following logs would indicate a successful operation:
| Log Code | Log Description | Event Status | What It Means |
|---|---|---|---|
| 179 | Rotate master key. (Master key rotated successfully) | success | The Master Key was rotated without issues. |
| 78 | Create key. (Key xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx created) | success | A new key was generated as part of the rotation process. |
These logs confirm that the key lifecycle was handled properly. For instance, a new key was created, the old one was deactivated, and the system remains secure and compliant.
Failure Scenario
Now, suppose the Master Key rotation fails due to a service outage, for example, because the kmgw service has stopped. You might see logs like:
| Log Code | Log Description | Event Status | What It Means |
|---|---|---|---|
| 179 | Rotate master key. (Master key rotation failed) | failure | The rotation process could not complete due to a system issue. |
| 78 | Create key. | failure | The system failed to generate a new key, possibly because the key management gateway kmgw was down. |
These logs indicate that the rotation process was interrupted. No new key was created and the old key remains active. This could pose a security risk if not resolved promptly.
Other Scenario
| Log Code | Log Description | Event Status | What It Means |
|---|---|---|---|
| 178 | Master key expire warning. (Master key with UID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx will expire on yyyy-mm-dd) | other | Master key expire warning. |
Table: Policy and Key Audit logs
| Audit Code | Log Description |
|---|---|
| 50 | Create policy. |
| 51 | Update policy. |
| 52 | Delete policy. |
| 56 | Role added to policy. |
| 57 | Unprotect access revoked for users having mask conflict. |
| 58 | Data element added to policy. |
| 59 | Data element removed from policy. |
| 71 | Deploy policy. |
| 74 | Policy removed from datastore. |
| 75 | Policy added to datastore. |
| 76 | Policy changed state. |
| 78 | Create key. |
| 80 | Policy deploy failed. |
| 81 | Policy deploy started. |
| 82 | Policy deploy ended. |
| 83 | Token publish failed. |
| 84 | Token published successful. |
| 85 | Data Element key(s) exported. |
| 86 | Policy deploy warning. |
| 87 | Alphabet publish failed. |
| 88 | Alphabet published successful. |
| 100 | Password changed. |
| 101 | Create datastore. |
| 102 | Update datastore. |
| 103 | Delete datastore. |
| 107 | Create mask. |
| 108 | Delete mask. |
| 109 | Securitycoordinate deleted. |
| 110 | Securitycoordinate created. |
| 111 | Create role. |
| 112 | Delete role. |
| 113 | Create membersource. |
| 114 | Update membersource. |
| 115 | Delete membersource. |
| 116 | All roles resolved. |
| 117 | Role resolved. |
| 118 | Role groupmember resolved. |
| 119 | Create trusted application. |
| 120 | Delete trusted application. |
| 121 | Update trusted application. |
| 124 | Trusted application added to datastore. |
| 125 | Trusted application removed from datastore. |
| 126 | Update mask. |
| 127 | Update role. |
| 128 | Policy permissions updated. |
| 129 | Node registered. |
| 130 | Node updated. |
| 131 | Node unregistered. |
| 141 | Create alphabet. |
| 142 | Delete Alphabet. |
| 149 | Update data element. |
| 150 | Create data element. |
| 151 | Delete data element. |
| 152 | Too many keys created. |
| 153 | License expire warning. |
| 154 | License has expired. |
| 155 | License is invalid. |
| 156 | Policy is compromised. |
| 157 | Failed to import some users. |
| 158 | Policy successfully imported. |
| 159 | Failed to import policy. |
| 170 | Key exported. |
| 171 | Key updated. |
| 172 | Key deleted. |
| 173 | Datastore key has expired. |
| 174 | Datastore key expire warning. |
| 176 | Rotate datastore key. |
| 177 | Master key has expired. |
| 178 | Master key expire warning. |
| 179 | Rotate master key. |
| 180 | Configure New HSM. |
| 181 | Repository key has expired. |
| 182 | Repository key expire warning. |
| 183 | Rotate repository key. |
| 184 | Metering created. |
| 185 | Metering updated. |
| 186 | Metering deleted. |
| 187 | Integrity created. |
| 188 | Integrity updated. |
| 189 | Integrity deleted. |
| 195 | Signing key has expired. |
| 196 | Signing key expire warning. |
| 197 | Rotate signing key. |
| 198 | Signing key exported. |
| 199 | Case sensitive data element created. |
| 210 | Data Element key has expired. |
| 211 | Data Element key expire warning. |
| 212 | Conflicting policy users found. |
| 213 | Change key state. |
| 214 | Automatic key rotation disabled. |
| 215 | Automatic key rotation enabled. |
| 220 | Data Element deprecated. |
| 221 | Add export key. |
| 222 | Update export key. |
| 223 | Delete export key. |
| 224 | Role permissions updated for Data Element. |
| 225 | Permissions for Data Element updated. |
| 226 | Role removed from policy. |
| 227 | Create range in datastore. |
| 228 | Update range in datastore. |
| 229 | Delete range from datastore. |
| 230 | Add member to role. |
| 231 | Update member in role. |
| 232 | Remove member from role. |
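
The note above warns that the revised log descriptions can break parsing logic. The following triage sketch is an added example, not Protegrity code: it keys on the numeric audit code and event_status instead of description text. The record field names code and description and the severity tiers are assumptions, and the sample records are constructed from the tables on this page.

```python
# Added example. Only "event_status" is a field name taken from the page;
# "code" and "description" are assumed names for the other two columns.
EXPIRED = {154, 173, 177, 181, 195, 210}         # "... has expired" codes
EXPIRY_WARNING = {153, 174, 178, 182, 196, 211}  # "... expire warning" codes
ALWAYS_HIGH = {155, 156}                         # license invalid, policy compromised
KEY_LIFECYCLE = {78, 176, 179, 183, 197}         # create key / rotate key codes

def severity(record):
    """Return 'high', 'medium', 'low' or None for one audit record."""
    code = int(record["code"])
    # The page writes the values both as "Success" and "success": normalise.
    status = str(record.get("event_status", "")).strip().lower()
    if code in ALWAYS_HIGH or code in EXPIRED:
        return "high"                 # serious whatever the status says
    if status == "failure":
        return "high" if code in KEY_LIFECYCLE else "medium"
    if code in EXPIRY_WARNING:
        return "low"                  # informational, act before expiry
    if status not in ("success", "failure", "other"):
        return "medium"               # missing or unrecognised status: surface it
    return None

def triage(records):
    """Return (severity, code, description) for every record worth a look."""
    return [(sev, int(r["code"]), r.get("description", ""))
            for r in records if (sev := severity(r))]

# Constructed sample records mirroring the scenario tables on this page.
SAMPLE = [
    {"code": 179, "event_status": "success",
     "description": "Rotate master key. (Master key rotated successfully)"},
    {"code": 179, "event_status": "failure",
     "description": "Rotate master key. (Master key rotation failed)"},
    {"code": 78, "event_status": "Failure", "description": "Create key."},
    {"code": 178, "event_status": "other",
     "description": "Master key expire warning."},
    {"code": 51, "event_status": "failure", "description": "Update policy."},
]

if __name__ == "__main__":
    for sev, code, desc in triage(SAMPLE):
        print(f"{sev:<6} {code:>3}  {desc}")
```

Because the match never touches the description string, a wording change such as the v10.2.0 revision does not alter which records are flagged.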
To view the policy audit logs:
- Log in to the ESA.
- Navigate to Audit Store > Dashboard.
- From the menu, select Discover.
- Select index pty_insight_analytics*policy_log_* from Index patterns and a time period such as Today.
The list of policy audit logs appears.
For more information about the Insight Indexes, refer to Understanding the Insight indexes.