.. _audit_log_format_and_details:

.. rst-class:: chapter-with-expand

Audit Log Format and Details
----------------------------

The following is the format of an audit log entry. Line breaks have been added here for readability.

::

    %b %d %Y %H:%M:%S.%f %Z|
    UserID : %s
    ClientAddress : %s
    Severity : %s
    EventType : %s
    ResourceAccessed: %s
    EventStatus : %s
    CompulsoryEvent : No
    AuditCategory : %s
    ComponentID : CUCDM
    AuditDetails : %s
    App ID: %s

The first entry is the string format of the timestamp, while each ``%s`` is a placeholder for a value. An example of the timestamp would be:

::

    Oct 23 2015 10:54:28.615377 UTC

* Audit logs include logs for ``auditd`` and ``audispd``, which include system events. If system events are not required, they must be filtered by the client.
* All remote syslog streaming from VOSS-4-UC is via TCP. UDP is not supported.

The tables below show the keys in the audit log, with example values and their descriptions.

.. tabularcolumns:: |p{5cm}|p{10cm}|

===========================  =================================
``UserID``                   Username
===========================  =================================
"johnB"                      Username on CLI or database
"johnB prov1.cust1"          GUI username and hierarchy
"ProviderUser@Provider.com"  User email address from GUI login
``hidden``                   Invalid username
===========================  =================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==========================  =====================================================
``ClientAddress``           IP address / pseudo terminal
==========================  =====================================================
"102.29.232.50:/dev/pts/1"  From IP: 102.29.232.50 and pseudo terminal /dev/pts/1
``127.0.0.1``               Internal API user
``102.29.232.50``           IP of GUI or API. Also Bulk Load, JSON import.
==========================  =====================================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

============  ==================================================================
``Severity``  0-2. Higher is more severe
============  ==================================================================
0             Basic log activity on the CLI. All log activity on the GUI or API.
1             All Rootshell activity
2             CLI: ``AuditCategory : Privileged``, ``AuditDetails : user list`` and
              ``App ID: CLI``, where the user may not run the **user list** command
============  ==================================================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

=================  ==============================
``EventType``      Type of event
=================  ==============================
``UserLogging``    Login, logout, expiry activity
``FileDetection``  File checksum activity
=================  ==============================

For GUI or API events, the event type is the ``AuditCategory``.

.. tabularcolumns:: |p{5cm}|p{10cm}|

========================  ====================
``ResourceAccessed``      Resource accessed
========================  ====================
``CLI``                   CLI transaction
``DB``                    Database logging
``Application REST API``  GUI or API resource
========================  ====================

.. tabularcolumns:: |p{5cm}|p{10cm}|

===============  ==============================================
``EventStatus``  Status of the event
===============  ==============================================
``Success``      Successful transaction
``Failed``       Failed transaction
``Unknown``      Note: a successful Mongo login has this status
===============  ==============================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

===================  =======================
``CompulsoryEvent``  Not in use
===================  =======================
``No``               Currently always ``No``
===================  =======================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==========================  ===================================================================================
``AuditCategory``           Activity category
==========================  ===================================================================================
``AdministrativeEvent``     Non-privileged CLI command
``Privileged``              CLI transactions as root user, and commands by any user from the list below.
``SecurityEvent``           Login or logout to CLI or database.
``PrivilegedDataModelAdd``  e.g. a GUI or API transaction by a system user, including the type and operation.
                            Type can also be ``Mod`` and ``Del``. Details in ``AuditDetails``.
``DataModelAdd``            e.g. a GUI or API transaction by an ordinary user, including the type and operation.
                            Type can also be ``Mod`` and ``Del``. Details in ``AuditDetails``.
``UserRoleChange``          Transactions on the GUI or API flagged as privileged, including the type and
                            operation. Details in ``AuditDetails``.
``UserLogin``               Login on the GUI or API.
``UserLogout``              Logout on the GUI or API.
``MultipleSourceLogin``     Simultaneous login on the GUI or API. Multiple sources in ``AuditDetails``.
==========================  ===================================================================================

The CLI commands that are flagged as ``Privileged`` are:

* **user** (and any parameters, such as **user del**)
* **voss unlock_sysadmin_account**
* **voss cleardown**
* **system password**
* **system reboot**
* **system shutdown**

The GUI and API commands flagged as privileged are:

* those carried out by a system user
* operations on the models:

  * ``data/Role``
  * ``data/AccessProfile``
  * ``data/User.role``
  * ``data/CredentialPolicy``

The Audit Category for a GUI or API transaction on a data model can be: *[Privileged]DataModel(Add|Delete|Update)*

.. tabularcolumns:: |p{5cm}|p{10cm}|

===============  =============================
``ComponentID``  Identifier
===============  =============================
``CUCDM``        The value is always ``CUCDM``
===============  =============================

.. tabularcolumns:: |p{5cm}|p{10cm}|

=============  ==================================================
``App ID``     Application
=============  ==================================================
``CUCDM``      The application GUI and API interface
``CLI``        CLI command
``CUCDM CLI``  Rootshell login
``CUCDM SSH``  SSH login
``CUCDM DB``   Database, for example Mongo connect, login, logout
=============  ==================================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==============================================================  =================================================================================
``Audit Details``                                               Details of transaction
==============================================================  =================================================================================
``Login``                                                       CLI or database login
"Login from 172.29.232.88"                                      GUI or API login; also shows the IP address
``Logout``                                                      CLI or database logout
``Login Invalid User``                                          CLI or database login
``Login Invalid Password``                                      CLI or database login
``RootShell login``                                             Root shell login
``RootShell logout``                                            Root shell logout
``File checksum initialized``                                   File checksum process initialized. The EventType is ``FileDetection``.
``**``                                                          The CLI command that is run
"Resource type data/User named User Name: Joe"                  Example of a create transaction on the ``data/User`` model.
"User Joe role updated to admin"                                Example of a role update on a user.
"Login failed with Unknown from 172.29.232.88"
[Basic|NonInteractive|SSO|LDAP] Authentication on Log [in|out]  Login or logout by a user using the indicated credentials (Basic, NonInteractive,
                                                                SSO, LDAP). The log entry includes the Client Address for the source of the login.
Session Expired                                                 Session timeout
Permission Error                                                Access control error: the user has no permission for an operation on a resource
                                                                type from a hierarchy.
Invalid Request                                                 The request URL is not found (HTTP response is 400, 404)
==============================================================  =================================================================================

Example Syslog Messages
.......................

The following are example audit log entries.

.. note:: Line breaks have been added for readability.

API, Login::

    2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
    UserID : CS-PAdmin
    ClientAddress : 172.29.90.25
    Severity : 0
    EventType : UserLogin
    ResourceAccessed : Application REST API
    EventStatus : Success
    CompulsoryEvent : No
    AuditCategory : UserLogin
    ComponentID : CUCDM
    AuditDetails : Login with Mongo from 172.29.90.25 using interface None
    App ID: CUCDM

API, Logout::

    2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
    UserID : CS-PAdmin
    ClientAddress : 172.29.90.25
    Severity : 0
    EventType : AuthLogout
    ResourceAccessed : Application REST API
    EventStatus : Success
    CompulsoryEvent : No
    AuditCategory : AuthLogout
    ComponentID : CUCDM
    AuditDetails : Logged out from 172.29.90.25
    App ID: CUCDM

API, Access Control Bypass::

    2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
    UserID : CS-PAdmin sys.hcs.CS-P
    ClientAddress : 172.29.90.25
    Severity : 0
    EventType : PermissionError
    ResourceAccessed : Application REST API
    EventStatus : Failed
    CompulsoryEvent : No
    AuditCategory : PermissionError
    ComponentID : CUCDM
    AuditDetails : Read operation on model type data/Countries
    App ID: CUCDM

API, Data Model Add::

    2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
    UserID : CS-PAdmin sys.hcs.CS-P
    ClientAddress : 172.31.252.1
    Severity : 0
    EventType : DataModelAdd
    ResourceAccessed : Application REST API
    EventStatus : Success
    CompulsoryEvent : No
    AuditCategory : DataModelAdd
    ComponentID : CUCDM
    AuditDetails : Resource type data/Role named Name: Test
    App ID: CUCDM

CLI, User Add (``audispd`` system events)::

    2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=ADD_GROUP msg=audit(1572385542.608:242353):
    pid=421859 uid=0 auid=1401 ses=4 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd"
    hostname=? addr=? terminal=pts/0 res=success'
    2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=USER_CHAUTHTOK msg=audit(1572385542.736:242401):
    pid=421872 uid=0 auid=1401 ses=4 msg='op=PAM:chauthtok acct="testuser" exe="/usr/sbin/chpasswd"
    hostname=? addr=? terminal=? res=success'
    2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=PATH msg=audit(1572385542.764:242413): item=0
    name="/opt/platform/users/testuser" inode=1654786 dev=08:12 mode=040700 ouid=0 ogid=0 rdev=00:00
    nametype=NORMAL
    2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=PATH msg=audit(1572385542.768:242417): item=0
    name="/opt/platform/users/testuser/media" inode=1654788 dev=08:12 mode=040500 ouid=0 ogid=0 rdev=00:00
    nametype=NORMAL
    ...

.. |VOSS-4-UC| replace:: VOSS-4-UC
.. |Unified CM| replace:: Unified CM
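As an added example (not VOSS-4-UC code), the following Python parses entries in the format documented above, with their line breaks joined, and applies a few review rules taken from the tables (Severity, EventStatus, AuditCategory and the ``hidden`` UserID). The set of categories to review and the second sample entry are assumptions of this example; the first sample is the page's Access Control Bypass entry.

```python
import re
from datetime import datetime, timezone

# Field names in the documented order. Values may contain spaces and even colons
# ("named Name: Test"), so an entry is split on the known field names only.
KEYS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
        "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
        "AuditDetails", "App ID"]
KEY_RE = re.compile(r"\s*\b(" + "|".join(map(re.escape, KEYS)) + r")\s*:\s*")
# Assumption: the categories an analyst should always look at, per the tables above.
REVIEW_CATEGORIES = {"Privileged", "PrivilegedDataModelAdd", "UserRoleChange",
                     "MultipleSourceLogin", "PermissionError"}

def parse_entry(raw):
    """Parse one entry (line breaks joined) into a dict of its fields."""
    ts_text, sep, rest = raw.partition("|")
    if not sep:
        raise ValueError("no '|' after the timestamp")
    stamp, tzname = ts_text.strip().rsplit(" ", 1)  # %b %d %Y %H:%M:%S.%f %Z
    ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S.%f")
    if tzname == "UTC":
        ts = ts.replace(tzinfo=timezone.utc)
    parts = KEY_RE.split(rest)  # ['', key, value, key, value, ...]
    return {"timestamp": ts, **dict(zip(parts[1::2], map(str.strip, parts[2::2])))}

def triage_reasons(entry):
    """Return why an entry deserves review; an empty list means routine."""
    reasons = []
    if int(entry.get("Severity", "0")) >= 1:  # 0-2, higher is more severe
        reasons.append("severity " + entry["Severity"])
    if entry.get("EventStatus") == "Failed":
        reasons.append("failed " + entry.get("EventType", "event"))
    if entry.get("AuditCategory") in REVIEW_CATEGORIES:
        reasons.append("category " + entry["AuditCategory"])
    if entry.get("UserID") == "hidden":  # documented meaning: invalid username
        reasons.append("invalid username")
    return reasons

SAMPLE_ENTRIES = [
    # The page's "Access Control Bypass" example, joined onto one line.
    "Oct 29 2019 21:14:36.016777 UTC| UserID : CS-PAdmin sys.hcs.CS-P ClientAddress : 172.29.90.25 "
    "Severity : 0 EventType : PermissionError ResourceAccessed : Application REST API EventStatus : Failed "
    "CompulsoryEvent : No AuditCategory : PermissionError ComponentID : CUCDM "
    "AuditDetails : Read operation on model type data/Countries App ID: CUCDM",
    # Constructed: a Severity 2 CLI entry of the kind the Severity table describes.
    "Oct 29 2019 21:50:01.000000 UTC| UserID : johnB ClientAddress : 102.29.232.50:/dev/pts/1 "
    "Severity : 2 EventType : Privileged ResourceAccessed : CLI EventStatus : Failed CompulsoryEvent : No "
    "AuditCategory : Privileged ComponentID : CUCDM AuditDetails : user list App ID: CLI",
]
```

Run ``triage_reasons(parse_entry(raw))`` over each received entry (after joining its line breaks); a non-empty list is what an analyst should look at.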