Exporting and Purging Audit Logs

You can export and purge audit events to free space from the Key Manager Database. The high-level workflow is as follows:

Request audit events to be purged from a certain timespan.
Export and verify the target audit events.
Execute the purge request.

Prerequisites

You need a client such as curl for using the Key Manager API. Audit-data export can only be performed via the Key Manager API. However, audit-data export is not supported by Key Manager API client.

For performance reasons, we recommend purging audit events in batches smaller than 5 million entries at a time. If purging or exporting commands time out, increase the HTTP timeout of your client. You may also increase front-end limits (SSHMGR_FRONTEND_TIMEOUT and proxy_read_timeout) on your Key Manager front end. For more information about these limits, see the PrivX Key Manager Installation Manuals.
The workflow requires two or more Key Manager administrators. Like other requests, purge requests must be decided and approved by somebody else than the requester.
Key Manager administrator giving purge and approval decisions need the Key Manager permission Delete audit events.

Steps for Exporting and Purging

Create a purge request with the following data:
- request_type: export_and_purge
- choice: audit_event
- export_window: A timespan in <start>-<end> format. All audit events in the timespan shall be purged. <start> and <end> can be set to relative or absolute time values. You may set <start> to .. to include all audit events before <end>.
Example, to request a purge of audit events older than a year (via the command-line client):
```
$ ssh-mgr-client add-request -d \
"request_type=export_and_purge,choice=audit_event,export_window=..-1y"
```
Note the returned request ID. It is later needed for exporting audit events, and for verifying the purge request.
Export the target audit events via the Key Manager API.

Example curl command:
```
$ curl -H "Authorization: Bearer <PKM_TOKEN>" \
-H "Content-type: application/json" \
https://<PKM_SERVER>/api/v3/requests/<REQUEST_ID>/export/ \
-d {} > <OUT_FILE>
```
Replace placeholder values as follows:
- <PKM_TOKEN>: A Key Manager API token. Example value:
  
  r6I69OGty8eXG0t162N9ufbhePx3Eg
- <PKM_SERVER>: Address of your Key Manager front end. Such as keymanager.example.com
- <REQUEST_ID>: The numerical ID of the purge request. Such as 99
- <OUT_FILE>: Path of the output file. Such as out.jsonseq
Audit events are saved to the output file as a JSON text sequence. The fields for each audit event are a superset of those available in the command-line client command list-audit-events (described in list-audit-events).
Obtain the SHA2-384 digest of the output file (replace <OUT_FILE> with the output-file path):
```
$ sha384sum <OUT_FILE> | cut -d " " -f1
```
This outputs the output-file digest, which is later needed for verifying the purge request.
Verify that the exported audit data matches with the purge request.

Example command-line client command (replace <REQUEST_ID> with the ID of the purge request, replace <SHA384SUM_OUTPUT> with the output-file digest):
```
$ ssh-mgr-client decide-requests -i <REQUEST_ID> -a verify \
-d 'algorithm=sha384,digest=<SHA384SUM_OUTPUT>'
```
To delete the target audit events from Key Manager, approve the purge request.

Example for approving the purge request via the command-line client (replace <REQUEST_ID> with the ID of your purge request):
```
$ ssh-mgr-client decide-requests -i <REQUEST_ID> -a purge
```
If additional approvals are required, use the command-line client as other Key Manager administrators and run the following command (replace 99 with the ID of your purge request):
```
$ ssh-mgr-client approve-requests -i <REQUEST_ID>
```
Key Manager starts jobs for purging the affected audit events from the Key Manager Database. Once the purging jobs complete successfully, the purge request will be in the purged state.

Prerequisites​

Steps for Exporting and Purging​

Prerequisites

Steps for Exporting and Purging