Working with client SDK logs
You can retrieve logs generated by the Client SDK. AWS CloudHSM offers an implementation of logging with Client SDK 3 and Client SDK 5.
Client SDK 3 logging
Client SDK 3 logs contain detailed information from the AWS CloudHSM client daemon. The location of the logs depends on the operating system of the Amazon EC2 client instance where you run the client daemon.
- Amazon Linux
In Amazon Linux, the AWS CloudHSM client logs are written to the file named /opt/cloudhsm/run/cloudhsm_client.log. You can use logrotate or a similar tool to rotate and manage these logs.
- Amazon Linux 2
In Amazon Linux 2, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.
journalctl -f -u cloudhsm-client
- CentOS 7
In CentOS 7, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.
journalctl -f -u cloudhsm-client
- CentOS 8
In CentOS 8, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.
journalctl -f -u cloudhsm-client
- RHEL 7
In Red Hat Enterprise Linux 7, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.
journalctl -f -u cloudhsm-client
- RHEL 8
In Red Hat Enterprise Linux 8, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.
journalctl -f -u cloudhsm-client
- Ubuntu 16.04
In Ubuntu 16.04, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.
journalctl -f -u cloudhsm-client
- Ubuntu 18.04
In Ubuntu 18.04, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.
journalctl -f -u cloudhsm-client
- Windows
  - For Windows client 1.1.2+:
    AWS CloudHSM client logs are written to a cloudhsm.log file in the AWS CloudHSM program files folder (C:\Program Files\Amazon\CloudHSM\). Each log file name is suffixed with a timestamp indicating when the AWS CloudHSM client was started.
  - For Windows client 1.1.1 and older:
    The client logs are not written to a file. The logs are displayed at the command prompt or in the PowerShell window where you started the AWS CloudHSM client.
Client SDK 5 logging
Client SDK 5 logs contain information for each component in a file named for the component. You can use the configure tool for Client SDK 5 to configure logging for each component. For more information about the configure tool, see Client SDK 5 Configure Tool.
How to configure logging for Client SDK 5
You can configure the name of the log file, how much information Client SDK 5 components include in the logs, and how often the system rotates the logs.
- PKCS #11 library
To configure the name of the logging file
Use the log-file option to change the name or location of the log file.
$ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-file path/to/log
For example, use the following command to set the log file name to cloudhsm-pkcs11.log.
$ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-file cloudhsm-pkcs11.log
If you do not specify a location for the file, the system writes logs to the default location.
  - Linux: /opt/cloudhsm/run
  - Windows: C:\ProgramData\Amazon\CloudHSM
To configure the logging level
Use the log-level option to establish how much information Client SDK 5 should log.
$ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-level <error|warn|info|debug|trace>
For example, use the following command to set the log level to receive error and warning messages in logs.
$ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-level warn
To configure log rotation
Use the log-rotation option to establish how often Client SDK 5 should rotate the logs.
$ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-rotation <daily|hourly|never>
For example, use the following command to rotate the logs daily. Each day the system creates a new log and appends a time stamp to the file name.
$ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-rotation daily
- OpenSSL Dynamic Engine
To configure the name of the logging file
Use the log-file option to change the name or location of the log file.
$ sudo /opt/cloudhsm/bin/configure-dyn --log-file path/to/log
For example, use the following command to set the log file name to cloudhsm-dyn.log.
$ sudo /opt/cloudhsm/bin/configure-dyn --log-file cloudhsm-dyn.log
If you do not specify a location for the file, the system writes logs to stderr.
To configure the logging level
Use the log-level option to establish how much information Client SDK 5 should log.
$ sudo /opt/cloudhsm/bin/configure-dyn --log-level <error|warn|info|debug|trace>
For example, use the following command to set the log level to receive error and warning messages in logs.
$ sudo /opt/cloudhsm/bin/configure-dyn --log-level warn
To configure log rotation
Use the log-rotation option to establish how often Client SDK 5 should rotate the logs.
$ sudo /opt/cloudhsm/bin/configure-dyn --log-rotation <daily|hourly|never>
For example, use the following command to rotate the logs daily. Each day the system creates a new log and appends a time stamp to the file name.
$ sudo /opt/cloudhsm/bin/configure-dyn --log-rotation daily
- JCE provider
To configure the name of the logging file
Use the log-file option to change the name or location of the log file.
$ sudo /opt/cloudhsm/bin/configure-jce --log-file path/to/log
For example, use the following command to set the log file name to cloudhsm-dyn.log.
$ sudo /opt/cloudhsm/bin/configure-jce --log-file cloudhsm-dyn.log
If you do not specify a location for the file, the system writes logs to the default location:
  - Linux: /opt/cloudhsm/run
  - Windows: C:\ProgramData\Amazon\CloudHSM
To configure the logging level
Use the log-level option to establish how much information Client SDK 5 should log.
$ sudo /opt/cloudhsm/bin/configure-jce --log-level <error|warn|info|debug|trace>
For example, use the following command to set the log level to receive error and warning messages in logs.
$ sudo /opt/cloudhsm/bin/configure-jce --log-level warn
To configure log rotation
Use the log-rotation option to establish how often Client SDK 5 should rotate the logs.
$ sudo /opt/cloudhsm/bin/configure-jce --log-rotation <daily|hourly|never>
For example, use the following command to rotate the logs daily. Each day the system creates a new log and appends a time stamp to the file name.
$ sudo /opt/cloudhsm/bin/configure-jce --log-rotation daily
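With daily or hourly rotation, timestamped log files accumulate in the log directory, so it helps to check periodically how many are past your retention window and whether any are readable by other local users. The following script is an added example, not part of the AWS documentation or tooling; the function names are hypothetical, and it assumes rotated files keep the configured log file name as a prefix, because the exact timestamp format is not stated here.

```shell
#!/bin/sh
# Added example: audit rotated Client SDK 5 log files in one directory.
# Assumption: rotated files keep the configured name as a prefix
# (for example cloudhsm-pkcs11.log<timestamp>), so matching is by prefix only.

# list_stale_logs DIR PREFIX DAYS
#   Print matching log files last modified more than DAYS days ago.
list_stale_logs() {
    find "$1" -maxdepth 1 -type f -name "$2*" -mtime +"$3" -print | sort
}

# list_exposed_logs DIR PREFIX
#   Print matching log files that "other" users can read or write.
list_exposed_logs() {
    find "$1" -maxdepth 1 -type f -name "$2*" \
        \( -perm -004 -o -perm -002 \) -print | sort
}

# audit_logs DIR PREFIX DAYS
#   Print a one-line summary: "total=<n> stale=<n> exposed=<n>".
#   The body runs in a subshell so its variables stay local.
audit_logs() (
    total=$(find "$1" -maxdepth 1 -type f -name "$2*" -print | wc -l)
    stale=$(list_stale_logs "$1" "$2" "$3" | wc -l)
    exposed=$(list_exposed_logs "$1" "$2" | wc -l)
    # $(( )) normalizes any padding that wc adds on some platforms.
    echo "total=$((total)) stale=$((stale)) exposed=$((exposed))"
)

# When called with three arguments, run the audit, for example:
#   ./audit.sh /opt/cloudhsm/run cloudhsm-pkcs11.log 30
if [ "$#" -eq 3 ]; then
    audit_logs "$1" "$2" "$3"
fi
```

Feed the output of list_stale_logs to your archival or deletion job, and tighten the mode on anything list_exposed_logs reports.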