1. Home
  2. Archive Old Dev Docs
  3. YubiHSM2
  4. Commands
  5. Get Log Entries

    GET LOG ENTRIES

    Fetch device audit log.

    Description

    Fetch all current entries from the device Log Store.

    Shell Example

    yubihsm> audit get 0
0 unlogged boots found
0 unlogged authentications found
Found 6 items
item:    46 -- cmd: 0x4b -- length:  234 -- session key: 0x0001 -- target key: 0xcf94 -- second key: 0x997e -- result: 0xcb -- tick: 335725 -- hash: 415f51f1f035a1b713e730e4464e4033
item:    47 -- cmd: 0x4c -- length:   77 -- session key: 0x0001 -- target key: 0xaff7 -- second key: 0xffff -- result: 0xcc -- tick: 351714 -- hash: 5496a60d478c2b9c801d8d32ca66b554
item:    48 -- cmd: 0x00 -- length:    0 -- session key: 0xffff -- target key: 0x0000 -- second key: 0x0000 -- result: 0x00 -- tick: 0 -- hash: 14ac7747ba9bbb243cfc70befeb5349b
item:    49 -- cmd: 0x03 -- length:   10 -- session key: 0xffff -- target key: 0x0001 -- second key: 0xffff -- result: 0x83 -- tick: 139 -- hash: b20a8f25c025e693a8e869b433294a20
item:    50 -- cmd: 0x04 -- length:   17 -- session key: 0xffff -- target key: 0x0001 -- second key: 0xffff -- result: 0x84 -- tick: 139 -- hash: ebfae425c319ac7a0afbb8b92597de7c
item:    51 -- cmd: 0x67 -- length:    2 -- session key: 0x0001 -- target key: 0xffff -- second key: 0xffff -- result: 0xe7 -- tick: 697 -- hash: 2e395d1b706668737e1d2215813db47e

    Protocol Details

    Command

    Tc = 0x4d

    Lc = 0

    Vc = Ø

    Response

    Tr = 0xcd

    Lr = 2 + 2 + 1 + (N * 32)

    Vr = B || O || N || E1 || E2 || … || EN

    B := Number of unlogged boot events (if the log buffer is full and audit enforce is set) (2 bytes)

    O := Number of unlogged authentication events (if the log buffer is full and audit enforce is set) (2 bytes)

    N := Number of elements in the list (1 byte)

    Ei := Generic log entry composed of

    • Command number (two bytes)

    • Command ID (one byte)

    • Command length (two bytes)

    • ID of the originating session’s authentication key (two bytes)

    • Target key affected by the command (two bytes)

    • Secondary key if the command affected more than one key (two bytes)

    • Result of the command on success or an error code if unsuccessful (one byte)

    • Systick when the command was processed (4 bytes)

    • Digest (16 bytes)

    The digest is computed as trunc(16, SHA256(Ei.Data || trunc(16, Ei-1.Digest))). For the initial log entry, a random string of 32 bytes is used, instead of the digest of the previous message.

    When the device initializes after a reset, a log entry with all fields set to 0xff is logged.

    When the device boots up, a log entry with all fields set to 0x00 is logged.