.. _audit_log_format_and_details:

.. rst-class:: chapter-with-expand

Audit Log Format and Details
----------------------------

.. _21.1|VOSS-643|EKB-8451:
.. _21.1|VOSS-643|EKB-8452:
.. _21.3|VOSS-911|EKB-11962:

The following is the format of an audit log entry. Line breaks have been added here for readability.

::

    %b %d %Y %H:%M:%S.%f %Z|
    UserID : %s
    ClientAddress : %s
    Severity : %s
    EventType : %s
    ResourceAccessed: %s
    EventStatus : %s
    CompulsoryEvent : No
    AuditCategory : %s
    ComponentID : CUCDM
    AuditDetails : %s
    App ID: %s

The first entry is the string format of the timestamp, while each ``%s`` is a placeholder for a value. An example of the timestamp would be:

::

    Oct 23 2015 10:54:28.615377 UTC

* Audit logs include logs for ``auditd`` and ``audispd``, which include system events. If system events are not required, they must be filtered by the client.
* All remote syslog streaming from VOSS Automate is via TCP. UDP is not supported.

The tables below describe each key in the audit log, with example values.

.. tabularcolumns:: |p{5cm}|p{10cm}|

=========================== =================================
``UserID``                  Username
=========================== =================================
"johnB"                     Username on CLI or database
"johnB prov1.cust1"         GUI username and hierarchy
"ProviderUser@Provider.com" User email address from GUI login
``hidden``                  Invalid username
=========================== =================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

========================== ======================================================
``ClientAddress``          IP address / pseudo terminal
========================== ======================================================
"102.29.232.50:/dev/pts/1" From IP: 102.29.232.50 and pseudo terminal /dev/pts/1
``127.0.0.1``              Internal API user
``102.29.232.50``          IP of GUI or API. Also Bulk Load, JSON import.
========================== ======================================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==================== ==================================================================
``Severity``         0-2. Higher is more severe
==================== ==================================================================
0                    Basic log activity on the CLI. All log activity on the GUI or API.
1                    All Rootshell activity
2                    CLI: ``AuditCategory : Privileged``, ``AuditDetails : user list`` and ``App ID: CLI`` (the user may not run the **user list** command)
==================== ==================================================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==================== ==============================
``EventType``        Type of event
==================== ==============================
``UserLogging``      Login, logout, expiry activity
``FileDetection``    File checksum activity
==================== ==============================

For GUI or API events, the event type is the same as the ``AuditCategory``.

.. tabularcolumns:: |p{5cm}|p{10cm}|

======================== ===================
``ResourceAccessed``     Resource accessed
======================== ===================
``CLI``                  CLI transaction
``DB``                   Database logging
``Application REST API`` GUI or API resource
======================== ===================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==================== ==============================================
``EventStatus``      Status of the event
==================== ==============================================
``Success``          Successful transaction
``Failed``           Failed transaction
``Unknown``          Note: a successful Mongo login has this status
==================== ==============================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==================== =======================
``CompulsoryEvent``  Not in use
==================== =======================
``No``               Currently always ``No``
==================== =======================

.. tabularcolumns:: |p{5cm}|p{10cm}|

========================== ========================================================================================
``AuditCategory``          Activity category
========================== ========================================================================================
``AdministrativeEvent``    Non-privileged CLI command
``Privileged``             CLI transactions as root user, and commands by any user from the list below.
``SecurityEvent``          Login or logout to CLI or database.
``PrivilegedDataModelAdd`` GUI or API transaction by a system user, including the type and operation. The type can also be ``Mod`` or ``Del``. Details in ``AuditDetails``.
``DataModelAdd``           GUI or API transaction by an ordinary user, including the type and operation. The type can also be ``Mod`` or ``Del``. Details in ``AuditDetails``.
``UserRoleChange``         Transactions on the GUI or API flagged as privileged, including the type and operation. Details in ``AuditDetails``.
``UserLogin``              Login on the GUI or API.
``UserLogout``             Logout on the GUI or API.
``MultipleSourceLogin``    Simultaneous login on the GUI or API. Multiple sources in ``AuditDetails``.
========================== ========================================================================================

The CLI commands that are flagged as ``Privileged`` are:

* **user** (and any parameters, such as **user del**)
* **voss unlock_sysadmin_account**
* **voss cleardown**
* **system password**
* **system reboot**
* **system shutdown**

The GUI and API commands flagged as privileged are those:

* carried out by a system user
* that are operations on the models:

  * ``data/AccessProfile``
  * ``data/CredentialPolicy``
  * ``data/HierarchyDefault``
  * ``data/Role``
  * ``data/User``
  * ``data/Settings``
  * ``data/Application``
  * ``data/UnityConnection``
  * ``data/CallManager``
  * ``data/AuthorizedAdminHierarchy``

The Audit Category for a GUI or API transaction on a data model can be: *[Privileged]DataModel(Add|Delete|Update)*

.. tabularcolumns:: |p{5cm}|p{10cm}|

==================== ===============================
``ComponentID``      Identifier
==================== ===============================
``CUCDM``            The value is always ``CUCDM``
==================== ===============================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==================== ===================================================
``App ID``           Application
==================== ===================================================
``CUCDM``            The application GUI and API interface
``CLI``              CLI command
``CUCDM CLI``        Rootshell login
``CUCDM SSH``        SSH login
``CUCDM DB``         Database, for example Mongo connect, login, logout
==================== ===================================================

.. tabularcolumns:: |p{5cm}|p{10cm}|

==================================================================== ====================================================================================
``Audit Details``                                                    Details of transaction
==================================================================== ====================================================================================
``Login``                                                            CLI or database login
"Login from 172.29.232.88"                                           GUI or API login; also shows the IP address
``Logout``                                                           CLI or database logout
``Login Invalid User``                                               CLI or database login
``Login Invalid Password``                                           CLI or database login
``User account locked - {} / {}``                                    CLI or database login. Account locked after failed_login_attempts / allowed_attempts
``User account expired``                                             CLI or database login. Account expired
``RootShell login``                                                  Root shell login
``RootShell logout``                                                 Root shell logout
``File checksum initialized``                                        File checksum process initialized. The EventType is ``FileDetection``.
``**``                                                               The CLI command that is run
"Resource type data/User named User Name: Joe"                       Example of a create transaction on the ``data/User`` model.
"User Joe role updated to admin"                                     Example of a role update on a user.
"Login failed with Unknown from 172.29.232.88"
``[Basic|NonInteractive|SSO|LDAP] Authentication on Log [in|out]``   Login or logout by a user using the indicated credentials (Basic, NonInteractive, SSO, LDAP). The log entry includes the Client Address for the source of the login.
Session Expired                                                      Session timeout
Permission Error                                                     Access control error: the user has no permission for an operation on a resource type from a hierarchy.
Invalid Request                                                      The request URL is not found (HTTP response is 400, 404)
Password retry limit reached. Locking account with username ..       When an account is locked due to failed password attempts
Unlocking account with username ..                                   When an account is unlocked
Locking account with username ..                                     When an account is locked
==================================================================== ====================================================================================

Example Syslog Messages
.......................

The following are example audit log entries.

.. note::

   Line breaks have been added for readability.

::

    API,Login,2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
    UserID : CS-PAdmin
    ClientAddress : 172.29.90.25
    Severity : 0
    EventType : UserLogin
    ResourceAccessed : Application REST API
    EventStatus : Success
    CompulsoryEvent : No
    AuditCategory : UserLogin
    ComponentID : CUCDM
    AuditDetails : Login with Mongo from 172.29.90.25 using interface None
    App ID: CUCDM

    API,Logout,2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
    UserID : CS-PAdmin
    ClientAddress : 172.29.90.25
    Severity : 0
    EventType : AuthLogout
    ResourceAccessed : Application REST API
    EventStatus : Success
    CompulsoryEvent : No
    AuditCategory : AuthLogout
    ComponentID : CUCDM
    AuditDetails : Logged out from 172.29.90.25
    App ID: CUCDM

    API,Access Control Bypass,2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
    UserID : CS-PAdmin sys.hcs.CS-P
    ClientAddress : 172.29.90.25
    Severity : 0
    EventType : PermissionError
    ResourceAccessed : Application REST API
    EventStatus : Failed
    CompulsoryEvent : No
    AuditCategory : PermissionError
    ComponentID : CUCDM
    AuditDetails : Read operation on model type data/Countries
    App ID: CUCDM

    API,Data Model Add,2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
    UserID : CS-PAdmin sys.hcs.CS-P
    ClientAddress : 172.31.252.1
    Severity : 0
    EventType : DataModelAdd
    ResourceAccessed : Application REST API
    EventStatus : Success
    CompulsoryEvent : No
    AuditCategory : DataModelAdd
    ComponentID : CUCDM
    AuditDetails : Resource type data/Role named Name: Test
    App ID: CUCDM

    CLI,User Add, "2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=ADD_GROUP msg=audit(1572385542.608:242353): pid=421859 uid=0 auid=1401 ses=4 msg='op=adding group acct=""testuser"" exe=""/usr/sbin/useradd"" hostname=? addr=? terminal=pts/0 res=success'
    2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=USER_CHAUTHTOK msg=audit(1572385542.736:242401): pid=421872 uid=0 auid=1401 ses=4 msg='op=PAM:chauthtok acct=""testuser"" exe=""/usr/sbin/chpasswd"" hostname=? addr=? terminal=? res=success'
    2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=PATH msg=audit(1572385542.764:242413): item=0 name=""/opt/platform/users/testuser"" inode=1654786 dev=08:12 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=PATH msg=audit(1572385542.768:242417): item=0 name=""/opt/platform/users/testuser/media"" inode=1654788 dev=08:12 mode=040500 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

    2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
    UserID : system
    ClientAddress : 172.29.90.57
    Severity : 0
    EventType : SecurityEvent
    ResourceAccessed : Application REST API
    EventStatus : Failed
    CompulsoryEvent : No
    AuditCategory : SecurityEvent
    ComponentID : CUCDM
    AuditDetails : Password retry limit reached. Locking account with username john_smith.
    App ID: CUCDM

    ...

.. |VOSS Automate| replace:: VOSS Automate
.. |Unified CM| replace:: Unified CM
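To show how a syslog collector would consume the entry format and the example messages above, here is an added Python example; it is not part of this documentation and not VOSS Automate's own tooling. It splits one entry into the fields listed on this page, parses the timestamp, separates the ``UserID`` hierarchy and the ``ClientAddress`` pseudo terminal, and lists the reasons a reviewer would look at an entry. The field names and sample values come from this page; the function names, the review rules and the re-joined sample lines are assumptions of the example.

```python
import re
from datetime import datetime, timezone

# Field names, in the order the entry format on this page lists them.
FIELDS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
          "AuditDetails", "App ID"]
# A key counts only at the start of the body or after whitespace, so "named Name: Test" inside AuditDetails is not taken as a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(map(re.escape, FIELDS)) + r")\s*:\s*")

def parse_audit_entry(line: str) -> dict:
    """Parse '[syslog prefix] VOSS audit: <timestamp> UTC| Key : value ... App ID: value' (assumed helper)."""
    head, sep, body = line.partition("|")
    if not sep:
        raise ValueError("not an audit entry: no '|' after the timestamp")
    ts_text = re.sub(r"\s+UTC$", "", head.split("VOSS audit:")[-1].strip())  # drop syslog prefix and zone name
    entry = {"Timestamp": datetime.strptime(ts_text, "%b %d %Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)}
    keys = list(_KEY_RE.finditer(body))
    for i, m in enumerate(keys):  # each value runs up to the next recognised key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        entry[m.group(1)] = body[m.end():end].strip()
    missing = [f for f in FIELDS if f not in entry]
    if missing:
        raise ValueError(f"entry is missing fields: {missing}")
    # UserID is "user" or "user hierarchy"; ClientAddress may be "ip:/dev/pts/N" for CLI sessions.
    entry["User"], _, entry["Hierarchy"] = entry["UserID"].partition(" ")
    entry["ClientIP"], _, entry["Terminal"] = entry["ClientAddress"].partition(":")
    return entry

def review_reasons(entry: dict) -> list:
    """Reasons a reviewer would pull the entry out of the stream, per this page's field semantics (assumed rules)."""
    checks = [
        ("failed", entry["EventStatus"] == "Failed"),
        ("privileged", entry["AuditCategory"].startswith("Privileged")),
        ("severity >= 1", entry["Severity"].isdigit() and int(entry["Severity"]) >= 1),
        ("account lockout", entry["AuditDetails"].startswith("Password retry limit reached")),
    ]
    return [name for name, hit in checks if hit]

# Sample input: two of the page's example entries, re-joined onto one line each as syslog delivers them.
SAMPLE_LINES = [
    "API,Access Control Bypass,2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC| "
    "UserID : CS-PAdmin sys.hcs.CS-P ClientAddress : 172.29.90.25 Severity : 0 EventType : PermissionError "
    "ResourceAccessed : Application REST API EventStatus : Failed CompulsoryEvent : No AuditCategory : "
    "PermissionError ComponentID : CUCDM AuditDetails : Read operation on model type data/Countries App ID: CUCDM",
    "2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC| UserID : system "
    "ClientAddress : 172.29.90.57 Severity : 0 EventType : SecurityEvent ResourceAccessed : Application REST API "
    "EventStatus : Failed CompulsoryEvent : No AuditCategory : SecurityEvent ComponentID : CUCDM "
    "AuditDetails : Password retry limit reached. Locking account with username john_smith. App ID: CUCDM",
]
```

Because ``auditd``/``audispd`` records share the stream but carry no ``|`` after a timestamp, ``parse_audit_entry`` rejects them with ``ValueError``, which is where a collector would route them to a separate filter.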