How can I collect AWS CloudHSM Classic logs for troubleshooting?
Last updated: 2019-05-14
I'm having issues with my AWS CloudHSM Classic client or appliance. How do I collect CloudHSM logs to troubleshoot these issues?
Follow these steps to collect the CloudHSM client c_supportInfo.txt file, CloudHSM appliance supportInfo.txt file, and syslogs for troubleshooting.
Collect CloudHSM supportInfo.txt files
1. Create the c_supportInfo.txt file on each CloudHSM client device by running the following command:
$ vtl supportinfo
'vtl supportInfo' completed. File "c_supportInfo.txt" created.
2. After the c_supportInfo.txt file is created on the CloudHSM client, connect to each CloudHSM appliance and generate the supportInfo.txt by running the following command:
$ ssh 10.0.1.10
lunash:>hsm supportInfo
'hsm supportInfo' successful. Use 'scp' from a client machine to get file named: supportInfo.txt
3. Run exit to return to your client instance.
4. After you generate the supportInfo.txt file on each appliance, use SCP from a client machine to retrieve it by running the following commands:
$ scp manager@<IP-ADDRESS-HSM1>:supportInfo.txt ~/supportInfo-HSM1.txt
$ scp manager@<IP-ADDRESS-HSM2>:supportInfo.txt ~/supportInfo-HSM2.txt
5. Provide each support file to AWS Support for further assistance. Here is some of the information provided in the c_supportInfo.txt and supportInfo.txt files.
Contents of c_supportInfo.txt file.
Retrieved from the HSM client.
Contents of supportInfo.txt file.
Retrieved from the HSM appliance.
Collect syslogs from your CloudHSM appliance
The HSM appliance generates logs that can be exported using syslog. Syslogs can be used for auditing security events, reviewing appliance hardware events, and error logging.
1. Connect to each CloudHSM appliance, and run the following command to generate the syslogs:
$ ssh <IP-ADDRESS-HSM>
lunash:> syslog tarlogs
2. Run exit to return to your client instance.
3. From the CloudHSM client, use SCP to copy the logs.tgz files from each CloudHSM appliance to the CloudHSM client. You can gather these files by running commands similar to the following:
$ scp manager@<IP-ADDRESS-HSM1>:logs.tgz ~/logs-HSM1.tgz
$ scp manager@<IP-ADDRESS-HSM2>:logs.tgz ~/logs-HSM2.tgz
4. Copy the logs.tgz files from the HSM client to your workstation by running commands similar to the following:
$ scp -i "privatekeyfile.pem" ec2-user@<CLIENT-PUBLIC-IP>:logs-HSM1.tgz ~/logs-HSM1.tgz
$ scp -i "privatekeyfile.pem" ec2-user@<CLIENT-PUBLIC-IP>:logs-HSM2.tgz ~/logs-HSM2.tgz
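The SCP steps from both procedures above, wrapped in one script for the CloudHSM client (an added example, not AWS-provided code). It assumes supportInfo.txt and logs.tgz were already generated on each appliance; OUT_DIR, DRY_RUN and the function names are invented for this sketch, and it adds owner-only file permissions and a SHA-256 manifest because the syslogs record security events.

```shell
#!/bin/sh
# Added example, not AWS-provided. Run on the CloudHSM client after
# 'hsm supportInfo' and 'syslog tarlogs' have been run on each appliance.
# OUT_DIR and DRY_RUN are names invented for this sketch.
umask 077                                   # collected files readable by owner only
OUT_DIR="${OUT_DIR:-$HOME/cloudhsm-support}"
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the scp commands, 0 = run them

# Accept only dotted-quad shaped arguments so a mistyped value never
# becomes part of the scp host specification.
valid_ip() {
    case "$1" in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# fetch INDEX IP REMOTE_FILE: copy one file, named per HSM as in the article
# (supportInfo-HSM1.txt, logs-HSM1.tgz, ...).
fetch() {
    dest="$OUT_DIR/${3%.*}-HSM$1.${3##*.}"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'scp manager@%s:%s %s\n' "$2" "$3" "$dest"
    else
        scp "manager@$2:$3" "$dest"
    fi
}

# collect IP...: fetch both files from every appliance, then record hashes.
collect() {
    n=0
    [ "$DRY_RUN" = 1 ] || mkdir -p "$OUT_DIR" || return 1
    for ip in "$@"; do
        valid_ip "$ip" || { echo "skipping invalid address: $ip" >&2; continue; }
        n=$((n + 1))
        for f in supportInfo.txt logs.tgz; do
            fetch "$n" "$ip" "$f" || return 1
        done
    done
    # SHA-256 manifest lets the recipient confirm the files arrived unmodified.
    [ "$DRY_RUN" = 1 ] || (cd "$OUT_DIR" && sha256sum -- *-HSM* > SHA256SUMS)
}

if [ "$#" -gt 0 ]; then collect "$@"; fi
```

With the default DRY_RUN=1 the script only prints the scp commands it would run; set DRY_RUN=0 and pass the appliance addresses as arguments to perform the copy.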