How can I collect AWS CloudHSM Classic logs for troubleshooting?

Last updated: 2019-05-14

I'm having issues with my AWS CloudHSM Classic client or appliance. How do I collect CloudHSM logs to troubleshoot these issues?

Short Description

Follow these steps to collect the CloudHSM client c_supportInfo.txt file, CloudHSM appliance supportInfo.txt file, and syslogs for troubleshooting.

Resolution

Collect CloudHSM supportInfo.txt files

1.    Create the c_supportInfo.txt file on each CloudHSM client instance by running the following command in the directory where you want the file written:

$ vtl supportinfo

Example outcome:

'vtl supportInfo' completed. File "c_supportInfo.txt" created.

2.    After the c_supportInfo.txt file is created on the CloudHSM client, connect to each CloudHSM appliance as the manager user and generate supportInfo.txt by running the following command at the lunash prompt:

$ ssh manager@<IP-ADDRESS-HSM>
lunash:>hsm supportInfo

Example outcome:

'hsm supportInfo' successful.

Use 'scp' from a client machine to get file named:
supportInfo.txt

3.    Run exit to return to your client instance.

4.    After you generate supportInfo.txt on each appliance, use SCP from the client machine to copy the file down, giving each copy a distinct name so the files from different appliances don't overwrite each other:

$ scp manager@<IP-ADDRESS-HSM1>:supportInfo.txt ~/supportInfo-HSM1.txt
$ scp manager@<IP-ADDRESS-HSM2>:supportInfo.txt ~/supportInfo-HSM2.txt

5.    Provide each support file to AWS Support for further assistance. Here is some of the information provided in the c_supportInfo.txt and supportInfo.txt files.

Contents of the c_supportInfo.txt file (retrieved from the HSM client):

  • CLIENT INFORMATION and DATE/TIME
  • CLIENT CHRYSTOKI CONFIGURATION FILE
  • CLIENT FILE CHECKS
  • CLIENT CERTIFICATE
  • REGISTERED SERVER CERTIFICATES
  • LOOKUP and PING HOST and REGISTERED SERVERS
  • INSTALLED LUNA SA CLIENT PACKAGES

Contents of the supportInfo.txt file (retrieved from the HSM appliance):

  • HSM DUALPORT
  • BACKUP TOKEN DUALPORT
  • BACKUP TOKEN INFO AND POLICIES
  • HOST INFORMATION and DATE/TIME
  • HSM Details: HSM Label, Serial #, Firmware, Hardware Model, etc.
  • Partitions created on HSM
  • FIPS 140-2 Operation Status
  • HSM Storage Information (Bytes): Maximum HSM Storage Space, Space In Use, Free Space Left
  • HSM POLICIES, HSM PARTITIONS, AND PARTITION POLICIES
  • HSM LICENSES / HSM CAPABILITY LICENSES
  • HSM APPLIANCE CPU USAGE, NETSTAT, SYSLOG SETTINGS, DISK, MEMORY, NETWORK INFORMATION, RESOLV FILE, PACKAGES, CERT, NTLS BIND INFORMATION
  • HSM ISSUE (build) FILE
  • HSM Update Path
  • HSM APPLIANCE PROCESSES
  • LOADED CLIENT CERTS
  • CLIENT AUTHENTICATION DATABASE
  • Client Authenticate Configuration File

Collect syslogs from your CloudHSM appliance

The HSM appliance generates logs that can be exported using syslog. These logs are useful for auditing security events, reviewing appliance hardware events, and investigating errors.

1.    Connect to each CloudHSM appliance as the manager user, and run the following lunash command to package the syslog files into a logs.tgz archive:

$ ssh manager@<IP-ADDRESS-HSM>
lunash:> syslog tarlogs

2.    Run exit to return to your client instance.

3.    From the CloudHSM client, use SCP to copy the logs.tgz files from each CloudHSM appliance to the CloudHSM client. You can gather these files by running commands similar to the following:

$ scp manager@<IP-ADDRESS-HSM1>:logs.tgz ~/logs-HSM1.tgz
$ scp manager@<IP-ADDRESS-HSM2>:logs.tgz ~/logs-HSM2.tgz

4.    Copy the logs.tgz files (and the supportInfo files collected earlier) from the HSM client to your workstation by running commands similar to the following:

$ scp -i "privatekeyfile.pem" ec2-user@<CLIENT-PUBLIC-IP>:logs-HSM1.tgz ~/logs-HSM1.tgz
$ scp -i "privatekeyfile.pem" ec2-user@<CLIENT-PUBLIC-IP>:logs-HSM2.tgz ~/logs-HSM2.tgz
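The two procedures above (supportInfo files, then syslog archives) are easy to get wrong across several appliances: a file copied from the second HSM silently overwrites the first, or an interrupted scp leaves an empty archive in the support bundle. The following script is an added example, not code from the AWS article; it automates both procedures for a list of appliances and builds one bundle with a SHA-256 manifest for AWS Support. It assumes it runs on the CloudHSM client instance, that the appliances accept key-based SSH as the manager user, and that lunash accepts a command given on the ssh command line (ssh manager@<ip> 'hsm supportInfo'); the directory name cloudhsm-support-<timestamp> and the VTL/SSH/SCP override variables are this example's own conventions. If your appliances only offer the interactive lunash prompt, run the two lunash commands by hand as the article shows and use only the fetch and bundle functions.

```shell
#!/bin/sh
# Added example, not part of the AWS article: collect c_supportInfo.txt from the
# client and supportInfo.txt plus logs.tgz from every CloudHSM Classic appliance,
# then bundle them with a SHA-256 manifest.
# Assumptions: runs on the client instance, appliances accept key-based SSH as
# "manager", and lunash accepts a command on the ssh command line. VTL, SSH and
# SCP can be overridden (e.g. for a dry run) and are this example's own knobs.
set -eu

# vtl writes c_supportInfo.txt into the current directory (assumed, per the
# "File c_supportInfo.txt created" message); move it into the bundle directory.
collect_client() {
  dir=$1
  "${VTL:-vtl}" supportInfo >/dev/null
  mv c_supportInfo.txt "$dir/c_supportInfo.txt"
}

# Generate supportInfo.txt and logs.tgz on one appliance, then copy both down
# under names that carry the appliance address so two HSMs never collide.
collect_hsm() {
  host=$1 dir=$2
  "${SSH:-ssh}" "manager@$host" 'hsm supportInfo'
  "${SSH:-ssh}" "manager@$host" 'syslog tarlogs'
  "${SCP:-scp}" "manager@$host:supportInfo.txt" "$dir/supportInfo-$host.txt"
  "${SCP:-scp}" "manager@$host:logs.tgz"        "$dir/logs-$host.tgz"
}

# Refuse to ship a missing or empty file: a truncated copy is a common reason a
# support case stalls for a round trip.
check_nonempty() {
  for f in "$@"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
}

# Write a manifest of every collected file and tar the directory.
# sha256sum exists on Amazon Linux; fall back to shasum elsewhere.
bundle_files() {
  dir=$1
  ( cd "$dir" && files=$(ls) &&
    if command -v sha256sum >/dev/null 2>&1; then sha256sum $files
    else shasum -a 256 $files; fi > MANIFEST.sha256 )
  tar czf "$dir.tgz" "$dir"
  echo "$dir.tgz"
}

# Run everything. Usage: collect_all <outdir> <hsm-ip> [<hsm-ip> ...]
# Prints the bundle path on success, returns non-zero if any file is empty.
collect_all() {
  out=$1; shift
  mkdir -p "$out"
  collect_client "$out"
  for h in "$@"; do
    collect_hsm "$h" "$out"
    check_nonempty "$out/supportInfo-$h.txt" "$out/logs-$h.tgz" || return 1
  done
  check_nonempty "$out/c_supportInfo.txt" || return 1
  bundle_files "$out"
}

# When run directly, take the appliance addresses from the command line:
#   sh collect-cloudhsm-support.sh 10.0.1.10 10.0.1.11
if [ $# -gt 0 ]; then
  collect_all "cloudhsm-support-$(date +%Y%m%d-%H%M%S)" "$@"
fi
```

The resulting cloudhsm-support-<timestamp>.tgz is the one file to pull back to your workstation with the scp -i command shown above; the MANIFEST.sha256 inside it lets AWS Support (and you) confirm nothing was truncated in transit.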
