Working With Client SDK Logs - AWS CloudHSM

Working With Client SDK Logs

You can retrieve logs generated by the Client SDK. AWS CloudHSM implements logging in both Client SDK 3 and Client SDK 5.

Client SDK 3 Logging

Client SDK 3 logs contain detailed information from the AWS CloudHSM client daemon. The location of the logs depends on the operating system of the Amazon EC2 client instance where you run the client daemon.

Amazon Linux

In Amazon Linux, the AWS CloudHSM client logs are written to the file named /opt/cloudhsm/run/cloudhsm_client.log. You can use logrotate or a similar tool to rotate and manage these logs.
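
A logrotate stanza for this log file, as an added example that is not part of the AWS documentation. The drop-in file name, the 14-day retention and the choice of copytruncate are assumptions; only the log path comes from this page.

```conf
# /etc/logrotate.d/cloudhsm-client   (drop-in file name is an assumption)
/opt/cloudhsm/run/cloudhsm_client.log {
    # Rotate once a day and keep 14 rotated files (assumed retention;
    # set it to match your audit and incident-response requirements).
    daily
    rotate 14

    # Name rotated files with a date suffix instead of .1, .2, ...
    dateext

    # Compress rotated logs, but leave the most recent one uncompressed
    # so it is still easy to read and ship.
    compress
    delaycompress

    # Do not fail if the client has not written a log yet, and do not
    # rotate an empty file.
    missingok
    notifempty

    # This page does not say whether the client daemon reopens its log
    # file on a signal, so the file is copied and then truncated in place
    # rather than renamed. Lines written between the copy and the
    # truncate can be lost.
    copytruncate
}
```

Run `logrotate -d /etc/logrotate.d/cloudhsm-client` to dry-run the stanza before relying on it.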

Amazon Linux 2

In Amazon Linux 2, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.

journalctl -f -u cloudhsm-client

CentOS 7

In CentOS 7, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.

journalctl -f -u cloudhsm-client

CentOS 8

In CentOS 8, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.

journalctl -f -u cloudhsm-client

RHEL 7

In Red Hat Enterprise Linux 7, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.

journalctl -f -u cloudhsm-client

RHEL 8

In Red Hat Enterprise Linux 8, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.

journalctl -f -u cloudhsm-client

Ubuntu 16.04

In Ubuntu 16.04, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.

journalctl -f -u cloudhsm-client

Ubuntu 18.04

In Ubuntu 18.04, the AWS CloudHSM Client logs are collected and stored in the journal. You can use journalctl to view and manage these logs. For example, use the following command to view the AWS CloudHSM Client logs.

journalctl -f -u cloudhsm-client

Windows

  • For Windows client 1.1.2+:

    AWS CloudHSM client logs are written to a cloudhsm.log file in the AWS CloudHSM program files folder (C:\Program Files\Amazon\CloudHSM\). Each log file name is suffixed with a timestamp indicating when the AWS CloudHSM client was started.

  • For Windows client 1.1.1 and older:

    The client logs are not written to a file. The logs are displayed at the command prompt or in the PowerShell window where you started the AWS CloudHSM client.

Client SDK 5 Logging

Client SDK 5 logs contain information for each component in a file named for the component. You can use the configure tool for Client SDK 5 to configure logging for each component. For more information about the configure tool, see Client SDK 5 Configure Tool.

How to Configure Logging for Client SDK 5

You can configure the name of the log file, how much information Client SDK 5 components include in the logs, and how often the system rotates the logs.

PKCS #11 library

To configure the name of the logging file

  • Use the log-file option to change the name or location of the log file.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-file path/to/log

    For example, use the following command to set the log file name to cloudhsm-pkcs11.log.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-file cloudhsm-pkcs11.log

    If you do not specify a location for the file, the system writes logs to the default location.

    • Linux:

      /opt/cloudhsm/lib

    • Windows:

      C:\ProgramData\Amazon\CloudHSM

To configure the logging level

  • Use the log-level option to establish how much information Client SDK 5 should log.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-level <error | warn | info | debug | trace>

    For example, use the following command to set the log level to warn, so that the logs include error and warning messages.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-level warn

To configure log rotation

  • Use the log-rotation option to establish how often Client SDK 5 should rotate the logs.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-rotation <daily | hourly | never>

    For example, use the following command to rotate the logs daily. Each day the system creates a new log and appends a time stamp to the file name.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-rotation daily

OpenSSL Dynamic Engine

To configure the name of the logging file

  • Use the log-file option to change the name or location of the log file.

    $ sudo /opt/cloudhsm/bin/configure-dyn --log-file path/to/log

    For example, use the following command to set the log file name to cloudhsm-dyn.log.

    $ sudo /opt/cloudhsm/bin/configure-dyn --log-file cloudhsm-dyn.log

    If you do not specify a location for the file, the system writes logs to the default location:

    /opt/cloudhsm/lib

To configure the logging level

  • Use the log-level option to establish how much information Client SDK 5 should log.

    $ sudo /opt/cloudhsm/bin/configure-dyn --log-level <error | warn | info | debug | trace>

    For example, use the following command to set the log level to warn, so that the logs include error and warning messages.

    $ sudo /opt/cloudhsm/bin/configure-dyn --log-level warn

To configure log rotation

  • Use the log-rotation option to establish how often Client SDK 5 should rotate the logs.

    $ sudo /opt/cloudhsm/bin/configure-dyn --log-rotation <daily | hourly | never>

    For example, use the following command to rotate the logs daily. Each day the system creates a new log and appends a time stamp to the file name.

    $ sudo /opt/cloudhsm/bin/configure-dyn --log-rotation daily