Viewing LDAP and LDAPS key lookups in Encryption Management Server
Article ID: 215215

Products

Encryption Management Server, Encryption Management Server Powered by PGP Technology, Gateway Email Encryption, Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

If Encryption Management Server has the Keyserver service enabled and inbound LDAP and/or LDAPS connections are permitted, external hosts can perform key lookups on Encryption Management Server.

Such lookups are recorded in log files on Encryption Management Server. However, depending on the configuration of your firewall, the public IP addresses of the remote hosts may not be recorded.

Environment

Symantec Encryption Management Server 10.5 and above.

Resolution

To view the IP addresses that connect to the Encryption Management Keyserver service over LDAP, please do the following from the administration console:

  1. Navigate to Reporting / Logs.
  2. Select the Clustering SSL log from the dropdown list.
  3. An LDAP lookup appears like this, where 192.169.1.62 is the remote host and 192.168.1.61 is the Encryption Management Server:

To view the IP addresses that connect to the Encryption Management Keyserver service over LDAPS, SSH to Encryption Management Server and search the /var/log/ovid/stunnel.log file. For example, this shows an LDAPS connection from IP 192.168.1.62:

# grep accepted /var/log/ovid/stunnel.log
2024.01.31 09:49:02 LOG5[2199:140332951226112]: Service [ldaps1] accepted connection from 10.1.2.3:57316

To view the LDAP or LDAPS queries performed against Encryption Management Server, SSH to Encryption Management Server and search the /var/log/ldap file. For example, this shows a search for the public key associated with the email address [email protected]:

# grep pgpUserID /var/log/ldap
Jan 31 09:49:03 +00:00 keys slapd slapd[1305]: conn=1006 op=1 SRCH base="o=PGP keys" scope=2 deref=0 filter="(&(pgpUserID=*<[email protected]>*)(pgpDisabled=0))"
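The two greps above give the remote IP (stunnel.log) and the searched key ID (/var/log/ldap) in separate files. The following added example, not part of this article or of the product, parses both formats from constructed sample lines and pairs each pgpUserID search with the most recent LDAPS accept within a few seconds, which is a heuristic assumption because the slapd entry itself carries no remote address.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the formats quoted by the article; not real server
# output. Addresses are from RFC 5737 documentation ranges.
STUNNEL_LOG = """\
2024.01.31 09:49:02 LOG5[2199:140332951226112]: Service [ldaps1] accepted connection from 198.51.100.7:57316
2024.01.31 09:49:40 LOG5[2199:140332951226112]: Service [ldaps1] accepted connection from 203.0.113.9:41022
2024.01.31 09:49:55 LOG5[2199:140332951226112]: Service [ldaps1] accepted connection from 198.51.100.7:57320
"""
LDAP_LOG = """\
Jan 31 09:49:03 +00:00 keys slapd slapd[1305]: conn=1006 op=1 SRCH base="o=PGP keys" scope=2 deref=0 filter="(&(pgpUserID=*<alice@example.com>*)(pgpDisabled=0))"
Jan 31 09:49:41 +00:00 keys slapd slapd[1305]: conn=1007 op=1 SRCH base="o=PGP keys" scope=2 deref=0 filter="(&(pgpUserID=*<bob@example.com>*)(pgpDisabled=0))"
Jan 31 09:49:56 +00:00 keys slapd slapd[1305]: conn=1008 op=1 SRCH base="o=PGP keys" scope=2 deref=0 filter="(&(pgpUserID=*<alice@example.com>*)(pgpDisabled=0))"
"""

STUNNEL_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) .*accepted connection from (\S+):(\d+)$")
SLAPD_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) .*conn=(\d+) op=\d+ SRCH .*pgpUserID=\*<([^>]+)>\*")

def parse_stunnel(text):
    """Return [(datetime, remote_ip, remote_port)] for every accepted LDAPS connection."""
    out = []
    for line in text.splitlines():
        m = STUNNEL_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"), m.group(2), int(m.group(3))))
    return out

def parse_slapd(text, year=2024):
    """Return [(datetime, conn_id, searched_user_id)] for every pgpUserID search.
    The syslog-style timestamp has no year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = SLAPD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m.group(2)), m.group(3)))
    return out

def attribute_searches(conns, searches, window_s=5):
    """Pair each search with the latest LDAPS accept at most window_s seconds before it.
    Heuristic (assumption): the /var/log/ldap line has no remote IP, so it is inferred."""
    paired = []
    for ts, _conn, uid in searches:
        cands = [c for c in conns if 0 <= (ts - c[0]).total_seconds() <= window_s]
        paired.append((uid, max(cands, key=lambda c: c[0])[1] if cands else None))
    return paired

def lookups_per_ip(paired):
    """Count key lookups per inferred remote IP (None = no matching LDAPS accept)."""
    return Counter(ip for _uid, ip in paired)
```

A sudden spike in the per-IP count, or many searches with no matching accept, is what a defender would look for when reviewing these logs.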