## Audit Log Format and Details

The following is the format of an audit log entry. Line breaks have been added here for readability.

```text
%b %d %Y %H:%M:%S.%f %Z|
UserID : %s
ClientAddress : %s
Severity : %s
EventType : %s
ResourceAccessed : %s
EventStatus : %s
CompulsoryEvent : No
AuditCategory : %s
ComponentID : CUCDM
AuditDetails : %s
App ID: %s
```
The first line is the string format of the timestamp (`%b %d %Y %H:%M:%S.%f %Z`), and each `%s` is a placeholder for a value. An example of the timestamp would be:

```text
Oct 23 2015 10:54:28.615377 UTC
```
- Audit logs include logs for `auditd` and `audispd`, which include system events. If system events are not required, they must be filtered by the client.
- All remote syslog streaming from VOSS-4-UC is via TCP. UDP is not supported.
The tables below show key and example descriptions in the audit log.
| UserID | Username |
|---|---|
| "johnB" | Username on CLI or database |
| "johnB prov1.cust1" | GUI username and hierarchy |
| "ProviderUser@Provider.com" | User email address from GUI login |
| hidden | Invalid username |

| ClientAddress | IP address / pseudo terminal |
|---|---|
| "102.29.232.50:/dev/pts/1" | From IP 102.29.232.50 and pseudo terminal /dev/pts/1 |
| 127.0.0.1 | Internal API user |
| 102.29.232.50 | IP of GUI or API. Also Bulk Load, JSON import. |

| Severity | 0-2. Higher is more severe |
|---|---|
| 0 | Basic log activity on the CLI. All log activity on the GUI or API. |
| 1 | All Rootshell activity |
| 2 | CLI. For example: AuditCategory : Privileged, AuditDetails : user list, App ID: CLI (a user may not run the user list command) |

| EventType | Type of event |
|---|---|
| UserLogging | Login, logout, expiry activity |
| FileDetection | File checksum activity |
| <AuditCategory> | For GUI or API events, the event type is the AuditCategory |

| ResourceAccessed | Resource accessed |
|---|---|
| CLI | CLI transaction |
| DB | Database logging |
| Application REST API | GUI or API resource |

| EventStatus | Status of the event |
|---|---|
| Success | Successful transaction |
| Failed | Failed transaction |
| Unknown | Note: a successful Mongo login has this status |

| CompulsoryEvent | Not in use |
|---|---|
| No | Currently always No |

| AuditCategory | Activity category |
|---|---|
| AdministrativeEvent | Non-privileged CLI command |
| Privileged | CLI transactions as root user, and commands by any user from the list below. |
| SecurityEvent | Login or logout to CLI, database |
| PrivilegedDataModelAdd | Data model transaction by a GUI or API system user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails. |
| DataModelAdd | Data model transaction by a GUI or API ordinary user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails. |
| UserRoleChange | Transactions on the GUI or API flagged as privileged, including the type and operation. Details in AuditDetails. |
| UserLogin | Login on the GUI or API. |
| UserLogout | Logout on the GUI or API. |
| MultipleSourceLogin | Simultaneous login on GUI or API. Multiple sources in AuditDetails. |
The CLI commands that are flagged as Privileged are:

- user (and any parameters, such as user del)
- voss unlock_sysadmin_account
- voss cleardown
- system password
- system reboot
- system shutdown

The GUI and API commands flagged as privileged are:

- those carried out by a system user
- operations on the models:
  - data/Role
  - data/AccessProfile
  - data/User.role
  - data/CredentialPolicy

The AuditCategory for a GUI or API transaction on a data model can be: [Privileged]DataModel(Add|Delete|Update)
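The rules above (the entry format, the ClientAddress "IP:pseudo terminal" form, the privileged CLI commands and the privileged data models) are enough to write a first-pass triage for a forwarded audit stream. The following is an added example, not VOSS code. It splits a stream into entries at the timestamp header (with or without the remote-syslog prefix seen in the examples below), parses the "Key : value" fields, folds a CLI ClientAddress to its IP so failed events can be counted per source, and flags an entry as privileged when its category says so, when a CLI command is on the list above, or when a data model operation targets one of the listed models. It assumes fields are newline-separated as in the page's examples; the first sample entry is the page's Data Model Add example, the second is a constructed CLI entry in the documented format.

```python
"""Parse VOSS-4-UC audit log entries and triage them. Added example, not VOSS code.
Fields are assumed newline-separated as in the page's examples. Sample entry 1 is
the page's Data Model Add example; sample entry 2 is a constructed CLI entry."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

KNOWN_KEYS = {"UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
              "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
              "AuditDetails", "App ID"}
# CLI commands the page flags as Privileged ("user" covers "user del", "user list", ...).
PRIVILEGED_CLI = ("user", "voss unlock_sysadmin_account", "voss cleardown",
                  "system password", "system reboot", "system shutdown")
# Data models whose GUI or API operations the page flags as privileged.
PRIVILEGED_MODELS = {"data/Role", "data/AccessProfile", "data/User.role", "data/CredentialPolicy"}
# Entry header: optional remote-syslog prefix, then "%b %d %Y %H:%M:%S.%f %Z|".
ENTRY_HEAD = re.compile(r"^(?:\S+ VOSS audit: )?(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} "
                        r"\d{2}:\d{2}:\d{2}\.\d{1,6}) (?P<tz>[A-Z]+)\|[ \t]*$", re.M)

@dataclass
class AuditEntry:
    timestamp: datetime  # naive; the zone name is kept in fields["Timezone"]
    fields: dict

def parse_fields(body: str) -> dict:
    """'Key : value' lines to a dict; a line whose key is unknown continues the previous value."""
    fields, last = {}, None
    for line in filter(None, map(str.strip, body.splitlines())):
        key, sep, value = line.partition(":")
        if sep and key.strip() in KNOWN_KEYS:
            last = key.strip()
            fields[last] = value.strip()
        elif last is not None:
            fields[last] += " " + line  # value wrapped onto a new line ("named" / "Name: Test")
        else:
            raise ValueError(f"unexpected line before any field: {line!r}")
    return fields

def parse_stream(text: str) -> list:
    """Split a stream into entries at each header line and parse each one."""
    heads = list(ENTRY_HEAD.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields = parse_fields(text[m.end():end])
        fields["Timezone"] = m.group("tz")
        entries.append(AuditEntry(datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S.%f"), fields))
    return entries

def client_ip(entry: AuditEntry) -> str:
    """CLI sessions log "ip:/dev/pts/N"; fold that to the bare IP so sources can be counted."""
    return entry.fields.get("ClientAddress", "?").split(":", 1)[0]

def is_privileged(entry: AuditEntry) -> bool:
    """Page rules: Privileged*/UserRoleChange category, a listed CLI command, or a listed model."""
    f = entry.fields
    cat, details = f.get("AuditCategory", ""), f.get("AuditDetails", "")
    if cat.startswith("Privileged") or cat == "UserRoleChange":
        return True
    if f.get("App ID") == "CLI":
        return any(details == c or details.startswith(c + " ") for c in PRIVILEGED_CLI)
    model = re.search(r"Resource type (\S+)", details)
    return model is not None and model.group(1) in PRIVILEGED_MODELS

def triage(entries: list) -> dict:
    """Privileged activity, failed events per source IP, and the highest severity seen."""
    return {"privileged": [e for e in entries if is_privileged(e)],
            "failed_by_ip": Counter(client_ip(e) for e in entries
                                    if e.fields.get("EventStatus") == "Failed"),
            "max_severity": max((int(e.fields.get("Severity", "0")) for e in entries), default=0)}

SAMPLE_STREAM = """
2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : DataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : DataModelAdd
ComponentID : CUCDM
AuditDetails : Resource type data/Role named
Name: Test
App ID: CUCDM
Oct 29 2019 21:50:00.000000 UTC|
UserID : johnB
ClientAddress : 172.29.90.25:/dev/pts/1
Severity : 2
EventType : Privileged
ResourceAccessed : CLI
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : Privileged
ComponentID : CUCDM
AuditDetails : user list
App ID: CLI
"""

if __name__ == "__main__":
    for e in triage(parse_stream(SAMPLE_STREAM))["privileged"]:
        print("PRIVILEGED", e.timestamp, e.fields["UserID"], "-", e.fields["AuditDetails"])
```

The model check is applied independently of the category: the page's own Data Model Add example records an operation on data/Role under the category DataModelAdd, so a consumer that only keys on the Privileged prefix would miss it. The timestamp is parsed without `%Z` because `strptime` only accepts a few zone names; the name from the entry is kept alongside it instead.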
| ComponentID | Identifier |
|---|---|
| CUCDM | The value is always CUCDM |

| App ID | Application |
|---|---|
| CUCDM | The application GUI and API interface |
| CLI | CLI command |
| CUCDM CLI | Rootshell login |
| CUCDM SSH | SSH login |
| CUCDM DB | Database, for example Mongo connect, login, logout |

| Audit Details | Details of transaction |
|---|---|
| Login | CLI or database login |
| "Login from 172.29.232.88" | GUI or API login also shows IP address |
| Logout | CLI or database logout |
| Login Invalid User | CLI or database login |
| Login Invalid Password | CLI or database login |
| RootShell login | Root shell login |
| RootShell logout | Root shell logout |
| File checksum initialized | File checksum process initialized. The EventType is FileDetection. |
| <CLI command> | The CLI command that is run |
| "Resource type data/User named User Name: Joe" | Example of a create transaction on the data/User model. |
| "User Joe role updated to admin" | Example of a role update on a user. |
| "Login failed with Unknown from 172.29.232.88" | |
| [Basic\|NonInteractive\|SSO\|LDAP] Authentication on Log [in\|out] | Login or logout by a user using the indicated credentials (Basic, NonInteractive, SSO, LDAP). The log entry includes ClientAddress for the source of the login. |
| Session Expired | Session timeout |
| Permission Error | Access control error: the user has no permission for an operation on a resource type from a hierarchy. |
| Invalid Request | The request URL is not found (HTTP response is 400, 404) |
## Example Syslog Messages

The following are example audit log entries.

Note: Line breaks have been added for readability.
API, Login:

```text
2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : UserLogin
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : UserLogin
ComponentID : CUCDM
AuditDetails : Login with Mongo from 172.29.90.25 using interface None
App ID: CUCDM
```

API, Logout:

```text
2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : AuthLogout
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : AuthLogout
ComponentID : CUCDM
AuditDetails : Logged out from 172.29.90.25
App ID: CUCDM
```

API, Access Control Bypass:

```text
2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.29.90.25
Severity : 0
EventType : PermissionError
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : PermissionError
ComponentID : CUCDM
AuditDetails : Read operation on model type data/Countries
App ID: CUCDM
```

API, Data Model Add:

```text
2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : DataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : DataModelAdd
ComponentID : CUCDM
AuditDetails : Resource type data/Role named
Name: Test
App ID: CUCDM
```
CLI, User Add:

```text
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=ADD_GROUP
msg=audit(1572385542.608:242353):
pid=421859
uid=0
auid=1401
ses=4
msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=USER_CHAUTHTOK
msg=audit(1572385542.736:242401):
pid=421872
uid=0
auid=1401
ses=4
msg='op=PAM:chauthtok acct="testuser" exe="/usr/sbin/chpasswd" hostname=? addr=? terminal=? res=success'
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=PATH
msg=audit(1572385542.764:242413):
item=0
name="/opt/platform/users/testuser"
inode=1654786
dev=08:12
mode=040700
ouid=0
ogid=0
rdev=00:00
nametype=NORMAL
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=PATH
msg=audit(1572385542.768:242417):
item=0
name="/opt/platform/users/testuser/media"
inode=1654788
dev=08:12
mode=040500
ouid=0
ogid=0
rdev=00:00
nametype=NORMAL
...
```
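The note at the top of the page says the stream carries `auditd`/`audispd` system events alongside the application audit entries, and that the client must filter them if they are not wanted. The CLI User Add example above shows why: one `useradd` produces an ADD_GROUP, a USER_CHAUTHTOK and a run of PATH records. The following is an added example, not VOSS code, that separates the two kinds of message by their syslog program marker, parses the audispd key=value records (including the `msg=audit(epoch:serial)` header and the nested `msg='...'` section, and the unquoted `op=adding group` value), and keeps only the account-lifecycle record types while passing application entries through. The sample lines are constructed from the page's records: one record per line, with standard auditd quoting rather than the doubled quotes of the page's export, and the application entry abridged to its header line.

```python
"""Separate application audit entries from auditd/audispd records in a VOSS remote-syslog
stream and keep only the audispd record types of interest. Added example, not VOSS code.
Sample lines are constructed from the page's audispd example (one record per line,
standard auditd quoting); the application entry is abridged to its header line."""
import re
import shlex

AUDIT_MARK = " VOSS audit: "      # application audit entries (format described above)
AUDISPD_MARK = " VOSS audispd: "  # system events forwarded from auditd
MSG_RE = re.compile(r"^audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):$")
# Account-lifecycle records worth keeping; PATH, SYSCALL and similar noise is dropped.
WANTED_TYPES = {"ADD_USER", "DEL_USER", "ADD_GROUP", "DEL_GROUP", "USER_CHAUTHTOK"}

def parse_audispd(record: str) -> dict:
    """Parse auditd key=value text, including msg=audit(epoch:serial) and the nested msg='...'."""
    fields, last = {}, None
    for token in shlex.split(record):  # handles key="quoted value" and msg='...' alike
        key, sep, value = token.partition("=")
        if not sep:                    # unquoted value containing a space, e.g. op=adding group
            if last is not None:
                fields[last] += " " + token
            continue
        if key == "msg":
            m = MSG_RE.match(value)
            if m:
                fields["epoch"], fields["serial"] = float(m["epoch"]), int(m["serial"])
            else:                      # second msg= carries the event's own key=value pairs
                fields.update(parse_audispd(value))
            last = None
        else:
            fields[key] = value
            last = key
    return fields

def classify(line: str):
    """('audit', text) for an application entry, ('audispd', fields) for a system event, else None."""
    if AUDIT_MARK in line:
        return "audit", line.split(AUDIT_MARK, 1)[1]
    if AUDISPD_MARK in line:
        return "audispd", parse_audispd(line.split(AUDISPD_MARK, 1)[1])
    return None

def filter_stream(lines, wanted=WANTED_TYPES):
    """Pass application entries through; keep only audispd records whose type is wanted."""
    for line in lines:
        item = classify(line)
        if item is None:
            continue
        label, payload = item
        if label == "audit" or payload.get("type") in wanted:
            yield label, payload

SAMPLE_LINES = [  # constructed from the page's examples
    "2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|",
    "2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=ADD_GROUP msg=audit(1572385542.608:242353): "
    "pid=421859 uid=0 auid=1401 ses=4 msg='op=adding group acct=\"testuser\" exe=\"/usr/sbin/useradd\" "
    "hostname=? addr=? terminal=pts/0 res=success'",
    "2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=USER_CHAUTHTOK msg=audit(1572385542.736:242401): "
    "pid=421872 uid=0 auid=1401 ses=4 msg='op=PAM:chauthtok acct=\"testuser\" exe=\"/usr/sbin/chpasswd\" "
    "hostname=? addr=? terminal=? res=success'",
    "2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=PATH msg=audit(1572385542.764:242413): item=0 "
    "name=\"/opt/platform/users/testuser\" inode=1654786 dev=08:12 mode=040700 ouid=0 ogid=0 "
    "rdev=00:00 nametype=NORMAL",
]

if __name__ == "__main__":
    for label, payload in filter_stream(SAMPLE_LINES):
        print(label, payload if label == "audit" else {k: payload[k] for k in ("type", "acct", "auid", "res")})
```

The `auid` field is the one to keep for attribution: it is the login UID, which survives the switch to root (`uid=0`) that the page's privileged CLI commands involve, so the two records above can both be tied back to the session of the user with audit UID 1401.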