Audit Log Format and Details

The following is the format of an audit log entry. Line breaks have been added here for readability.

%b %d %Y %H:%M:%S.%f %Z|
UserID : %s
ClientAddress : %s
Severity : %s
EventType : %s
ResourceAccessed: %s
EventStatus : %s
CompulsoryEvent : No
AuditCategory : %s
ComponentID : CUCDM
AuditDetails : %s
App ID: %s

The first entry is the string format of the timestamp (terminated by the | character); each %s is a placeholder for the value of that field.

An example of the timestamp would be:

Oct 23 2015 10:54:28.615377 UTC

  • Audit logs include logs for auditd and audispd, which include system events. If system events are not required, they must be filtered by the client.
  • All remote syslog streaming from VOSS-4-UC is via TCP. UDP is not supported.

The tables below list, for each key in the audit log, the example values and their descriptions.

UserID: Username
  • “johnB”: Username on CLI or database
  • “johnB prov1.cust1”: GUI username and hierarchy
  • ProviderUser@Provider.com: User email address from GUI login
  • hidden: Invalid username

ClientAddress: IP address / pseudo terminal
  • “102.29.232.50:/dev/pts/1”: From IP 102.29.232.50 and pseudo terminal /dev/pts/1
  • 127.0.0.1: Internal API user
  • 102.29.232.50: IP of GUI or API. Also Bulk Load, JSON import.

Severity: 0-2. Higher is more severe
  • 0: Basic log activity on the CLI. All log activity on the GUI or API.
  • 1: All Rootshell activity
  • 2: CLI example: AuditCategory : Privileged, AuditDetails : user list and App ID: CLI, where the user may not run the user list command

EventType: Type of event
  • UserLogging: Login, logout, expiry activity
  • FileDetection: File checksum activity
  • <AuditCategory>: For a GUI or API event, the EventType is the AuditCategory

ResourceAccessed: Resource accessed
  • CLI: CLI transaction
  • DB: Database logging
  • Application REST API: GUI or API resource

EventStatus: Status of the event
  • Success: Successful transaction
  • Failed: Failed transaction
  • Unknown: Note: a successful Mongo login has this status

CompulsoryEvent: Not in use
  • No: Currently always No

AuditCategory: Activity category
  • AdministrativeEvent: Non-privileged CLI command
  • Privileged: CLI transactions as root user, and commands by any user from the list below.
  • SecurityEvent: Login or logout to CLI or database
  • PrivilegedDataModelAdd: e.g. GUI or API system user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails.
  • DataModelAdd: e.g. GUI or API ordinary user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails.
  • UserRoleChange: Transactions on the GUI or API flagged as privileged, including the type and operation. Details in AuditDetails.
  • UserLogin: Login on the GUI or API.
  • UserLogout: Logout on the GUI or API.
  • MultipleSourceLogin: Simultaneous login on the GUI or API. Multiple sources in AuditDetails.

The CLI commands that are flagged as Privileged are:

  • user (and any parameters, such as user del)
  • voss unlock_sysadmin_account
  • voss cleardown
  • system password
  • system reboot
  • system shutdown

The GUI and API commands flagged as privileged are:

  • carried out by a system user
  • operations on the models:
    • data/Role
    • data/AccessProfile
    • data/User.role
    • data/CredentialPolicy

The AuditCategory for a GUI or API transaction on a data model can be: [Privileged]DataModel(Add|Delete|Update)

ComponentID: Identifier
  • CUCDM: The value is always CUCDM

App ID: Application
  • CUCDM: The application GUI and API interface
  • CLI: CLI command
  • CUCDM CLI: Rootshell login
  • CUCDM SSH: SSH login
  • CUCDM DB: Database, for example Mongo connect, login, logout

AuditDetails: Details of transaction
  • Login: CLI or database login
  • “Login from 172.29.232.88”: GUI or API login; also shows the IP address
  • Logout: CLI or database logout
  • Login Invalid User: CLI or database login (invalid username)
  • Login Invalid Password: CLI or database login (invalid password)
  • User account locked - {} / {}: CLI or database login. Account locked after failed_login_attempts / allowed_attempts
  • User account expired: CLI or database login. Account expired
  • RootShell login: Root shell login
  • RootShell logout: Root shell logout
  • File checksum initialized: File checksum process initialized. The EventType is FileDetection.
  • <CLI command>: The CLI command that is run
  • “Resource type data/User named User Name: Joe”: Example of a create transaction on the data/User model.
  • “User Joe role updated to admin”: Example of a role update on a user.
  • “Login failed with Unknown from 172.29.232.88”
  • [Basic|NonInteractive|SSO|LDAP] Authentication on Log [in|out]: Login or logout by a user using the indicated credentials (Basic, NonInteractive, SSO, LDAP). The log entry includes ClientAddress as the source of the login.
  • Session Expired: Session timeout
  • Permission Error: Access control error: the user has no permission for an operation on a resource type from a hierarchy.
  • Invalid Request: The request URL is not found (HTTP response 400, 404)
  • Password retry limit reached. Locking account with username ..: When an account is locked due to failed password attempts
  • Unlocking account with username ..: When an account is unlocked
  • Locking account with username ..: When an account is locked
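As an added example (not code from the original documentation or from VOSS-4-UC), the following Python parses an entry in the format described at the top of this page and applies the Severity, AuditCategory, EventStatus and AuditDetails meanings from the tables to decide which entries a reviewer should look at. It assumes that when an entry arrives on a single line its fields are separated by | like the timestamp, and that the timestamp zone is UTC as in the page's example; the sample entries are constructed.

```python
import re
from datetime import datetime, timezone

TS_FORMAT = "%b %d %Y %H:%M:%S.%f %Z"  # timestamp layout from the page, "|" ends it
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")  # "Key : value"

def parse_entry(raw):
    """Parse one audit entry (multi-line as on the page, or '|'-separated) into a dict."""
    ts_text, sep, rest = raw.strip().partition("|")
    if not sep:
        raise ValueError("no '|' after timestamp")
    # Assumption: the zone is UTC, as in the page's example timestamp.
    ts = datetime.strptime(ts_text.strip(), TS_FORMAT).replace(tzinfo=timezone.utc)
    entry = {"Timestamp": ts}
    for field in re.split(r"[|\n]", rest):  # fields end at a newline or a '|'
        m = FIELD_RE.match(field)
        if m:  # key is letters/spaces only, so a ':' inside a value is kept
            entry[m.group(1)] = m.group(2)
    return entry

def review_entry(entry):
    """Return the reasons a reviewer should look at this entry ([] if none)."""
    reasons, details = [], entry.get("AuditDetails", "")
    if entry.get("Severity") == "2":  # highest severity documented on the page
        reasons.append("severity 2")
    if entry.get("AuditCategory", "").startswith("Privileged"):  # Privileged, PrivilegedDataModel*
        reasons.append("privileged: " + details)
    if entry.get("EventType") == "UserLogging" and entry.get("EventStatus") == "Failed":
        reasons.append(f"failed login for {entry.get('UserID')} from {entry.get('ClientAddress')}")
    if "account locked" in details.lower():  # "User account locked - {} / {}"
        reasons.append("account lockout")
    return reasons

# Constructed sample entries in the page's field layout (not real log data).
SAMPLE_MULTILINE = """Oct 23 2015 10:54:28.615377 UTC|
UserID : johnB
ClientAddress : 102.29.232.50:/dev/pts/1
Severity : 0
EventType : UserLogging
ResourceAccessed: CLI
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : SecurityEvent
ComponentID : CUCDM
AuditDetails : Login Invalid Password
App ID: CLI"""
SAMPLE_ONELINE = ("Oct 23 2015 10:55:01.000120 UTC|UserID : johnB|ClientAddress : 102.29.232.50:/dev/pts/1"
                  "|Severity : 2|EventType : Privileged|ResourceAccessed: CLI|EventStatus : Failed"
                  "|CompulsoryEvent : No|AuditCategory : Privileged|ComponentID : CUCDM"
                  "|AuditDetails : user list|App ID: CLI")
```

Running review_entry over a stream of parsed entries gives a first-pass filter for failed logins, lockouts and privileged commands; everything else (Severity 0 GUI/API activity) can be kept for correlation without alerting.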