Audit Log Format and Details¶
The following is the format of an audit log entry. Line breaks have been added here for readability.
%b %d %Y %H:%M:%S.%f %Z|
UserID : %s
ClientAddress : %s
Severity : %s
EventType : %s
ResourceAccessed: %s
EventStatus : %s
CompulsoryEvent : No
AuditCategory : %s
ComponentID : CUCDM
AuditDetails : %s
App ID: %s
The first entry is the string format of the timestamp, while each %s is a placeholder for a value.
An example of the timestamp would be:
Oct 23 2015 10:54:28.615377 UTC
Audit logs also include the auditd and audispd logs, which cover system events. If system events are not required, the client must filter them out. All remote syslog streaming from VOSS Automate is via TCP; UDP is not supported.
The tables below list each key of an audit log entry. The header row of each table gives the key and its meaning; the rows that follow give example values and their descriptions.

| UserID | Username |
|---|---|
| “johnB” | Username on CLI or database |
| “johnB prov1.cust1” | GUI username and hierarchy |
| | User email address from GUI login |
| | Invalid username |

| ClientAddress | IP address / pseudo terminal |
|---|---|
| “102.29.232.50:/dev/pts/1” | From IP 102.29.232.50 and pseudo terminal /dev/pts/1 |
| | Internal API user |
| | IP of GUI or API. Also Bulk Load, JSON import. |

| Severity | 0-2. Higher is more severe |
|---|---|
| 0 | Basic log activity on the CLI. All log activity on the GUI or API. |
| 1 | All Rootshell activity |
| 2 | CLI: |

| EventType | Type of event |
|---|---|
| | Login, logout, expiry activity |
| | File checksum activity |
| <AuditCategory> | GUI or API event type is the AuditCategory |

| ResourceAccessed | Resource accessed |
|---|---|
| | CLI transaction |
| | Database logging |
| | GUI or API resource |

| EventStatus | Status of the event |
|---|---|
| | Successful transaction |
| | Failed transaction |
| | Note: Mongo successful login has this status |

| CompulsoryEvent | Not in use |
|---|---|
| | Currently always |

| AuditCategory | Activity category |
|---|---|
| | Non-privileged CLI command |
| | CLI transactions as root user, and commands by any user from the list below |
| | Login or logout to CLI, database, |
| | e.g. GUI or API system user, including the type and operation. Type can also be |
| | e.g. GUI or API ordinary user, including the type and operation. Type can also be |
| | Transactions on the GUI, API flagged as privileged, including the type and operation. Details in |
| | Login on the GUI, API. |
| | Logout on the GUI, API. |
| | Simultaneous login on GUI, API. Multiple sources in |

The CLI commands that are flagged as Privileged are:
user (and any parameters, such as user del)
voss unlock_sysadmin_account
voss cleardown
system password
system reboot
system shutdown
The GUI and API commands flagged as privileged are those carried out by a system user, and operations on the following models:
data/AccessProfile
data/CredentialPolicy
data/HierarchyDefault
data/Role
data/User
data/Settings
data/Application
data/UnityConnection
data/CallManager
data/AuthorizedAdminHierarchy
The AuditCategory for a GUI or API transaction on a data model is [Privileged]DataModel(Add|Delete|Update); the Privileged prefix is present when the transaction is flagged as privileged.

| ComponentID | Identifier |
|---|---|
| | The value is always |

| App ID | Application |
|---|---|
| | The application GUI and API interface |
| | CLI command |
| | Rootshell login |
| | SSH login |
| | Database, for example Mongo connect, login, logout |

| AuditDetails | Details of transaction |
|---|---|
| | CLI or database login |
| “Login from 172.29.232.88” | GUI or API login also shows the IP address |
| | CLI or database logout |
| | CLI or database login |
| | CLI or database login |
| | CLI or database login. Account locked after failed_login_attempts / allowed_attempts |
| | CLI or database login. Account expired |
| | Root shell login |
| | Root shell logout |
| | File checksum process initialized. The EventType is |
| <CLI command> | The CLI command that is run |
| “Resource type data/User named User Name: Joe” | Example of a create transaction on the |
| “User Joe role updated to admin” | Example of a role update on a user |
| “Login failed with Unknown from 172.29.232.88” | |
| [Basic\|NonInteractive\|SSO\|LDAP] Authentication on Log [in\|out] | Login or logout by a user using the indicated credentials (Basic, NonInteractive, SSO, LDAP). The log entry includes ClientAddress as the source of the login. |
| Session Expired | Session timeout |
| Permission Error | Access control error: the user has no permission for an operation on a resource type from a hierarchy |
| Invalid Request | The request URL is not found (HTTP response 400 or 404) |
| Password retry limit reached. Locking account with username .. | When an account is locked due to failed password attempts |
| Unlocking account with username .. | When an account is unlocked |
| Locking account with username .. | When an account is locked |

Example Syslog Messages¶
The following are example audit log entries.
Note: Line breaks have been added for readability.
API, Login:
2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : UserLogin
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : UserLogin
ComponentID : CUCDM
AuditDetails : Login with Mongo from 172.29.90.25 using interface None
App ID: CUCDM
API, Logout:
2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : AuthLogout
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : AuthLogout
ComponentID : CUCDM
AuditDetails : Logged out from 172.29.90.25
App ID: CUCDM
API, Access Control Bypass:
2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.29.90.25
Severity : 0
EventType : PermissionError
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : PermissionError
ComponentID : CUCDM
AuditDetails : Read operation on model type data/Countries
App ID: CUCDM
API, Data Model Add:
2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : DataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : DataModelAdd
ComponentID : CUCDM
AuditDetails : Resource type data/Role named
Name: Test
App ID: CUCDM
CLI, User Add:
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=ADD_GROUP
msg=audit(1572385542.608:242353):
pid=421859
uid=0
auid=1401
ses=4
msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=USER_CHAUTHTOK
msg=audit(1572385542.736:242401):
pid=421872
uid=0
auid=1401
ses=4
msg='op=PAM:chauthtok acct="testuser" exe="/usr/sbin/chpasswd" hostname=? addr=? terminal=? res=success'
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=PATH
msg=audit(1572385542.764:242413):
item=0
name="/opt/platform/users/testuser"
inode=1654786
dev=08:12
mode=040700
ouid=0
ogid=0
rdev=00:00
nametype=NORMAL
2019-10-29T21:45:42+00:00
VOSS audispd:
node=VOSS
type=PATH
msg=audit(1572385542.768:242417):
item=0
name="/opt/platform/users/testuser/media"
inode=1654788
dev=08:12
mode=040500
ouid=0
ogid=0
rdev=00:00
nametype=NORMAL
2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
UserID : system
ClientAddress : 172.29.90.57
Severity : 0
EventType : SecurityEvent
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : SecurityEvent
ComponentID : CUCDM
AuditDetails : Password retry limit reached. Locking account with username john_smith.
App ID: CUCDM
...