Audit Log Format and Details

The following is the format of an audit log entry. Line breaks have been added here for readability.

%b %d %Y %H:%M:%S.%f %Z|
UserID : %s
ClientAddress : %s
Severity : %s
EventType : %s
ResourceAccessed: %s
EventStatus : %s
CompulsoryEvent : No
AuditCategory : %s
ComponentID : CUCDM
AuditDetails : %s
App ID: %s

The first line is the strftime-style format of the timestamp; each %s is a placeholder for a value.

An example of the timestamp would be:

Oct 23 2015 10:54:28.615377 UTC

  • Audit logs include logs for auditd and audispd, which include system events. If system events are not required, they must be filtered by the client.
  • All remote syslog streaming from VOSS-4-UC is via TCP. UDP is not supported.

The tables below describe each key in the audit log, with example values and their meaning.

UserID: Username
  “johnB”                      Username on CLI or database
  “johnB prov1.cust1”          GUI username and hierarchy
  ProviderUser@Provider.com    User email address from GUI login
  hidden                       Invalid username

ClientAddress: IP address / pseudo terminal
  “102.29.232.50:/dev/pts/1”   From IP 102.29.232.50 and pseudo terminal /dev/pts/1
  127.0.0.1                    Internal API user
  102.29.232.50                IP of GUI or API. Also Bulk Load, JSON import.

Severity: 0-2. Higher is more severe
  0                            Basic log activity on the CLI. All log activity on the GUI or API.
  1                            All Rootshell activity
  2                            e.g. a CLI entry with AuditCategory : Privileged, AuditDetails : user list and App ID: CLI (the user may not run the user list command)

EventType: Type of event
  UserLogging                  Login, logout, expiry activity
  FileDetection                File checksum activity
  <AuditCategory>              For GUI or API events, the event type is the AuditCategory

ResourceAccessed: Resource accessed
  CLI                          CLI transaction
  DB                           Database logging
  Application REST API         GUI or API resource

EventStatus: Status of the event
  Success                      Successful transaction
  Failed                       Failed transaction
  Unknown                      Note: a successful Mongo login has this status

CompulsoryEvent: Not in use
  No                           Currently always No

AuditCategory: Activity category
  AdministrativeEvent          Non-privileged CLI command
  Privileged                   CLI transactions as root user, and commands by any user from the list below
  SecurityEvent                Login or logout on the CLI or database
  PrivilegedDataModelAdd       e.g. a data model operation by a GUI or API system user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails.
  DataModelAdd                 e.g. a data model operation by a GUI or API ordinary user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails.
  UserRoleChange               Transactions on the GUI or API flagged as privileged, including the type and operation. Details in AuditDetails.
  UserLogin                    Login on the GUI or API
  UserLogout                   Logout on the GUI or API
  MultipleSourceLogin          Simultaneous login on the GUI or API. Multiple sources in AuditDetails.

The CLI commands that are flagged as Privileged are:

  • user (and any parameters, such as user del)
  • voss unlock_sysadmin_account
  • voss cleardown
  • system password
  • system reboot
  • system shutdown

The GUI and API commands flagged as privileged are those:

  • carried out by a system user
  • operations on the models:
    • data/Role
    • data/AccessProfile
    • data/User.role
    • data/CredentialPolicy

The AuditCategory for a GUI or API transaction on a data model has the form: [Privileged]DataModel(Add|Delete|Update)

ComponentID: Identifier
  CUCDM                        The value is always CUCDM

App ID: Application
  CUCDM                        The application GUI and API interface
  CLI                          CLI command
  CUCDM CLI                    Rootshell login
  CUCDM SSH                    SSH login
  CUCDM DB                     Database, for example Mongo connect, login, logout

AuditDetails: Details of transaction
  Login                        CLI or database login
  “Login from 172.29.232.88”   GUI or API login; also shows the IP address
  Logout                       CLI or database logout
  Login Invalid User           CLI or database login
  Login Invalid Password       CLI or database login
  User account locked - {} / {}   CLI or database login. Account locked after failed_login_attempts / allowed_attempts
  User account expired         CLI or database login. Account expired
  RootShell login              Root shell login
  RootShell logout             Root shell logout
  File checksum initialized    File checksum process initialized. The EventType is FileDetection.
  <CLI command>                The CLI command that is run
  “Resource type data/User named User Name: Joe”   Example of a create transaction on the data/User model
  “User Joe role updated to admin”   Example of a role update on a user
  “Login failed with Unknown from 172.29.232.88”
  [Basic|NonInteractive|SSO|LDAP] Authentication on Log [in|out]   Login or logout by a user using the indicated credentials (Basic, NonInteractive, SSO, LDAP). The log entry includes the ClientAddress as the source of the login.
  Session Expired              Session timeout
  Permission Error             Access control error: the user has no permission for an operation on a resource type from a hierarchy
  Invalid Request              The request URL is not found (HTTP response is 400, 404)
  Password retry limit reached. Locking account with username ..   An account is locked due to failed password attempts
  Unlocking account with username ..   An account is unlocked
  Locking account with username ..     An account is locked
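The entry format and the key tables above are enough to parse these entries and pick out the ones a defender would review first. The following is an added example (not part of the VOSS documentation or product): it parses the "timestamp|Key : value" form as displayed on this page, treats any line whose key is not one of the documented keys as a continuation of the previous value (as with the two-line AuditDetails in the examples), and then flags entries by Severity, Privileged category, Failed status or account lockout. The assumption that fields are newline-separated after the "|" follows the page's readability-broken layout; adjust the splitting if your collector delivers them on one line.

```python
import re
from datetime import datetime, timezone

# Keys from the format description above; any other line is a continuation
# of the previous value (e.g. the multi-line AuditDetails in the examples).
KNOWN_KEYS = {"UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed", "EventStatus",
              "CompulsoryEvent", "AuditCategory", "ComponentID", "AuditDetails", "App ID"}
KV_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")
TS_FORMAT = "%b %d %Y %H:%M:%S.%f %Z"  # timestamp format given on the page

def parse_entry(text):
    """Parse one 'timestamp|Key : value ...' entry into a dict."""
    head, _, body = text.partition("|")
    stamp = head.rsplit("audit:", 1)[-1].strip()  # drop any syslog prefix
    entry = {"Timestamp": datetime.strptime(stamp, TS_FORMAT).replace(tzinfo=timezone.utc)}
    last_key = None
    for line in body.splitlines():
        m = KV_RE.match(line)
        if m and m.group(1) in KNOWN_KEYS:
            last_key = m.group(1)
            entry[last_key] = m.group(2).strip()
        elif last_key and line.strip():  # continuation line, e.g. "Name: Test"
            entry[last_key] += " " + line.strip()
    entry["Severity"] = int(entry.get("Severity", "0"))
    return entry

def triage(entry):
    """Reasons to review an entry, per the Severity and AuditCategory tables."""
    reasons = []
    if entry["Severity"] >= 1:
        reasons.append("severity %d" % entry["Severity"])
    if entry.get("AuditCategory", "").startswith("Privileged"):
        reasons.append("privileged category")
    if entry.get("EventStatus") == "Failed":
        reasons.append("failed " + entry.get("EventType", "?"))
    if entry.get("AuditDetails", "").startswith("Password retry limit reached"):
        reasons.append("account lockout")
    return reasons

# Constructed sample: the page's lockout example, with AuditDetails wrapped
# onto two lines to exercise the continuation handling.
SAMPLE = """2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
UserID : system
Severity : 0
EventType : SecurityEvent
EventStatus : Failed
AuditCategory : SecurityEvent
AuditDetails : Password retry limit reached. Locking account with
username john_smith.
App ID: CUCDM"""
```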

Example Syslog Messages

The following are example audit log entries.

Note: Line breaks have been added for readability.

API, Login:
2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : UserLogin
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : UserLogin
ComponentID : CUCDM
AuditDetails : Login with Mongo from 172.29.90.25 using interface None
App ID: CUCDM

API, Logout:
2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : AuthLogout
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : AuthLogout
ComponentID : CUCDM
AuditDetails : Logged out from 172.29.90.25
App ID: CUCDM

API, Access Control Bypass:
2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.29.90.25
Severity : 0
EventType : PermissionError
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : PermissionError
ComponentID : CUCDM
AuditDetails : Read operation on model type data/Countries
App ID: CUCDM

API, Data Model Add:
2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : DataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : DataModelAdd
ComponentID : CUCDM
AuditDetails : Resource type data/Role named
Name: Test
App ID: CUCDM

CLI, User Add:
2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=ADD_GROUP
  msg=audit(1572385542.608:242353):
  pid=421859
  uid=0
  auid=1401
  ses=4
  msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=USER_CHAUTHTOK
  msg=audit(1572385542.736:242401):
  pid=421872
  uid=0
  auid=1401
  ses=4
  msg='op=PAM:chauthtok acct="testuser" exe="/usr/sbin/chpasswd" hostname=? addr=? terminal=? res=success'

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=PATH
  msg=audit(1572385542.764:242413):
  item=0
  name="/opt/platform/users/testuser"
  inode=1654786
  dev=08:12
  mode=040700
  ouid=0
  ogid=0
  rdev=00:00
  nametype=NORMAL

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=PATH
  msg=audit(1572385542.768:242417):
  item=0
  name="/opt/platform/users/testuser/media"
  inode=1654788
  dev=08:12
  mode=040500
  ouid=0
  ogid=0
  rdev=00:00
  nametype=NORMAL

API, Account Lockout:
2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
UserID : system
ClientAddress : 172.29.90.57
Severity : 0
EventType : SecurityEvent
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : SecurityEvent
ComponentID : CUCDM
AuditDetails : Password retry limit reached. Locking account with username john_smith.
App ID: CUCDM

...