Merge pull request #8010 from ovh/dev/gbarideau/kms-l2c

New KMS troubleshooting guide

Author: Y0Coss

pages/index.md

@@ -1976,6 +1976,11 @@
                 + [Pushing logs with a forwarder - Syslog-ng 3.8+ (Linux)](manage_and_operate/observability/logs_data_platform/ingestion_syslog_ng)
                 + [Pushing logs with a forwarder - NXLog (Windows)](manage_and_operate/observability/logs_data_platform/ingestion_windows_nxlog)
                 + [Pushing logs from software - Apache](manage_and_operate/observability/logs_data_platform/ingestion_apache)
+                + [Pushing logs from a Kubernetes cluster to Logs Data Platform using Fluent Bit](manage_and_operate/observability/logs_data_platform/ingestion_kubernetes_fluent_bit)
+                + [Pushing logs from OVHcloud account to Logs Data Platform](manage_and_operate/iam/iam-logs-forwarding)
+                + [Pushing logs from OVHcloud KMS to Logs Data Platform](manage_and_operate/kms/kms-troubleshooting)
+                + [Pushing logs from SAP to Logs Data Platform](hosted_private_cloud/sap_on_ovhcloud/cookbook_sap_logs_on_ovhcloud_logs_data_platform_solution_setup)
+                + [Logs Data Platform - Collect VMware on OVHcloud logs](/pages/hosted_private_cloud/hosted_private_cloud_powered_by_vmware/vmware_ldp)
             + [Visualizing, querying and exploiting your logs](observability-logs-data-platform-visualizing-querying-exploiting)
                 + [Exposing your logs to third-party tools via the OpenSearch API](manage_and_operate/observability/logs_data_platform/integration_opensearch_api)
                 + [Using OpenSearch Dashboards with Logs Data Platform](manage_and_operate/observability/logs_data_platform/visualization_opensearch_dashboards)
@@ -2002,6 +2007,7 @@
         + [OVHcloud KMS Architecture overview](manage_and_operate/kms/architecture-overview)
         + [OVHcloud KMS - Responsibility model](manage_and_operate/kms/responsibility-model-kms)
         + [How to connect a compatible product using KMIP protocol with OVHcloud KMS](manage_and_operate/kms/kms-kmip)
+        + [Pushing logs from OVHcloud KMS to Logs Data Platform](manage_and_operate/kms/kms-troubleshooting)
 + OVHcloud Labs
     + [Data Collector](products/ovhcloud-labs-data-collector)
         + [Getting started](ovhcloud-labs-data-collector-getting-started)

pages/manage_and_operate/kms/kms-troubleshooting/guide.en-gb.md

@@ -0,0 +1,112 @@
+---
+title: "Pushing logs from OVHcloud KMS to Logs Data Platform"
+excerpt: "Analyze KMS logs through LDP"
+updated: 2025-06-17
+---
+
+## Objective
+
+This guide aims to introduce logs generated by OVHcloud KMS and how they are managed from Logs Data Platform.
+
+## Requirements
+
+- An [OVHcloud customer account](/pages/account_and_service_management/account_information/ovhcloud-account-creation).
+- An [OVHcloud KMS ordered and an access certificate created](/pages/manage_and_operate/kms/quick-start).
+
+## Instructions
+
+### Description
+
+OVHcloud KMS has a native integration with [Logs Data Platform](/links/manage-operate/ldp) for logs management.
+
+### Logs direct access
+
+KMS logs are available from each KMS `Logs`{.action} tab.
+
+![Logs tab](images/kms-logs-tab.png){.thumbnail}
+
+This tab displays all KMS logsin real time.
+A selector allows to switch display between the two types of logs:
+
+- REST API audit logs.
+- KMIP audit logs.
+
+### Logs access through LDP
+
+From the `Logs`{.action} tab, you can subscribe to an LDP data stream.
+Once the subscription is enabled, all the logs will be pushed to [Logs Data Platform](/links/manage-operate/ldp) to archive generated logs and perform advanced searches, create alerts and visualisations.
+
+![LDP Subscription](images/kms-ldp-subscription.png){.thumbnail}
+
+For more information, please refer to our guide "[Quick start for Logs Data Platform](/pages/manage_and_operate/observability/logs_data_platform/getting_started_quick_start)".
+
+### Available logs details
+
+KMS logs contain the following information:
+
+- REST API
+
+Logs are displayed with this format:
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+**Example:**
+
+```console
+INFO | GET /v1/servicekey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - 200 - identity: urn:v1:eu:identity:group:xx1111-ovh/john.smith - operation: okms:apiovh:serviceKey/get on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxx/serviceKey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - from Manager/APIv2 - request id: EU.manager-5.684c3abe.3880620.2080cff16eaa5539bf92cxxxxxxxx
+```
+
+Elements that can be pushed to Logs Data Platform:
+
+|**Field**|**Description**|
+| :-: | :-: |
+|domain_id|OKMS domain ID|
+|request_id|request ID|
+|type||
+|log_level|Log priority level|
+|client_ip|IP of the client making the request|
+|tls_cert_id|Authentication certificate ID used|
+|res_urn|target resource URN|
+|region|OKMS domain region|
+|iam_operation|IAM action evalutated|
+|iam_identities|IAM identity used for rights evaluation|
+|http_path|Request path|
+|http_status|HTTP answer status|
+|http_method|Request method|
+|err_category|Error category|
+
+- KMIP
+
+Logs are displayed with this format:
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+**Example:**
+
+```console
+INFO | GET on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxxx/kmip/ff55638c-3e86-4cb3-xxxx-xxxxxxxx - identity: urn:v1:eu:identity:account:xx1111-ovh - operation: okms:kmip:get - from XXX.XXX.XXX.XXX with certificate e7850a19-a5de-4527-xxxx-xxxxxxxxx - request id: OKMS.db61c455-abfa-4a66-xxxx-xxxxxxxxxxx
+```
+
+Elements that can be pushed to Logs Data Platform:
+
+|**Field**|**Description**|
+| :-: | :-: |
+|domain_id|OKMS domain ID|
+|request_id|Request ID|
+|log_level|Log priority level|
+|client_ip|IP of the client making the request|
+|tls_cert_id|Authentication certificate ID used|
+|res_urn|Target resource URN|
+|region|OKMS domain region|
+|iam_operation|IAM action evalutated|
+|iam_identities|IAM identity used for rights evaluation|
+|kmip_operation|KMIP operation used|
+|kmip_reason|[Standard KMIP error code](https://docs.oasis-open.org/kmip/spec/v1.4/kmip-spec-v1.4.pdf#%5B%7B%22num%22%3A484%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C69%2C720%2C0%5D){.external}|
+
+## Go further
+
+Join our [community of users](/links/community).

pages/manage_and_operate/kms/kms-troubleshooting/guide.fr-fr.md

@@ -0,0 +1,113 @@
+---
+title: "Transférer les logs du KMS OVHcloud à Logs Data Platform"
+excerpt: "Analyser les logs KMS via LDP"
+updated: 2025-06-17
+---
+
+## Objectif
+
+L'objectif de ce guide est de présenter les logs générés par le KMS OVHcloud et la manière dont ils sont gérés depuis Logs Data Platform.
+
+## Prérequis
+
+- Disposer d'un [compte client OVHcloud](/pages/account_and_service_management/account_information/ovhcloud-account-creation).
+- Avoir [commandé un KMS OVHcloud et créé un certificat d'accès](/pages/manage_and_operate/kms/quick-start).
+
+## En pratique
+
+### Description
+
+Le KMS OVHcloud dispose d'une intégration native avec [Logs Data Platform](/links/manage-operate/ldp) pour la gestion des logs.
+
+### Accès aux logs en direct
+
+Les logs du KMS sont accessibles depuis l'onglet `Logs`{.action} d'un KMS.
+
+![Logs tab](images/kms-logs-tab.png){.thumbnail}
+
+Cet onglet affiche en temps réel les logs du KMS.
+Le sélecteur permet de choisir le type de logs affichés :
+
+- REST API audit logs.
+- KMIP audit logs.
+
+### Accès aux logs via LDP
+
+Depuis l'onglet `Logs`{.action} il est possible de s'abonner à un flux LDP.
+Une fois l'abonnement actif, l'ensemble des logs seront transmis à [Logs Data Platform](/links/manage-operate/ldp) pour retrouver l'historique des logs générés et la possiblité de faire des recherches plus avancées, créer des alertes et des visualisations.
+
+![LDP Subscription](images/kms-ldp-subscription.png){.thumbnail}
+
+Pour plus d'informations, veuillez consulter notre guide « [Quick start for Logs Data Platform](/pages/manage_and_operate/observability/logs_data_platform/getting_started_quick_start) ».
+
+### Liste des logs générés
+
+Les logs du KMS comportent les informations suivantes :
+
+- API REST
+
+Les logs sont sous le format suivant :
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+**Exemple :**
+
+```console
+INFO | GET /v1/servicekey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - 200 - identity: urn:v1:eu:identity:group:xx1111-ovh/john.smith - operation: okms:apiovh:serviceKey/get on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxx/serviceKey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - from Manager/APIv2 - request id: EU.manager-5.684c3abe.3880620.2080cff16eaa5539bf92cxxxxxxxx
+```
+
+Les éléments pouvant être transmis à Logs Data Platform sont :
+
+|**Champ**|**Description**|
+| :-: | :-: |
+|domain_id|ID du domaine OKMS|
+|request_id|ID de la requête|
+|type||
+|log_level|Niveau de priorité du log|
+|client_ip|IP du client réalisant la requête|
+|tls_cert_id|ID du certificat utilisé pour l'authentification|
+|res_urn|URN de la ressource ciblé|
+|region|Région du domaine OKMS|
+|iam_operation|Action IAM évaluée|
+|iam_identities|Identitée IAM utilisé pour l'évaluation des droits|
+|http_path|Chemin de la requête|
+|http_status|Status de la réponse HTTP|
+|http_method|Methode de la requête|
+|err_category|Catégorie de l'erreur|
+
+- KMIP
+
+Les logs sont sous le format suivant :
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+**Exemple :**
+
+```console
+INFO | GET on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxxx/kmip/ff55638c-3e86-4cb3-xxxx-xxxxxxxx - identity: urn:v1:eu:identity:account:xx1111-ovh - operation: okms:kmip:get - from XXX.XXX.XXX.XXX with certificate e7850a19-a5de-4527-xxxx-xxxxxxxxx - request id: OKMS.db61c455-abfa-4a66-xxxx-xxxxxxxxxxx"
+```
+
+Les éléments pouvant être transmis à Logs Data Platform étant :
+
+|**Champ**|**Description**|
+| :-: | :-: |
+|domain_id|ID du domaine OKMS|
+|request_id|ID de la requête|
+|type||
+|log_level|Niveau de priorité du log|
+|client_ip|IP du client réalisant la requête|
+|tls_cert_id|ID du certificat utilisé pour l'authentification|
+|res_urn|URN de la ressource ciblée|
+|region|Région du domaine OKMS|
+|iam_operation|Action IAM évaluée|
+|iam_identities|Identitée IAM utilisé pour l'évaluation des droits|
+|kmip_operation|Opération KMIP utilisée|
+|kmip_reason|[code d'erreur KMIP](https://docs.oasis-open.org/kmip/spec/v1.4/kmip-spec-v1.4.pdf#%5B%7B%22num%22%3A484%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C69%2C720%2C0%5D){.external}|
+
+## Aller plus loin
+
+Échangez avec notre [communauté d'utilisateurs](/links/community).

pages/manage_and_operate/kms/kms-troubleshooting/images/kms-ldp-subscription.png

@@ -0,0 +1,3 @@
+id: 751e237a-47e4-4ac8-854d-189530462197
+full_slug: kms-logs
+reference_category: manage-operate-kms