Audit Log Format and Details

The following is the format of an audit log entry. Line breaks have been added here for readability.

%b %d %Y %H:%M:%S.%f %Z|
UserID : %s
ClientAddress : %s
Severity : %s
EventType : %s
ResourceAccessed: %s
EventStatus : %s
CompulsoryEvent : No
AuditCategory : %s
ComponentID : CUCDM
AuditDetails : %s
App ID: %s

The first line is the format string of the timestamp; each %s is a placeholder for the value of that field.

An example of the timestamp would be:

Oct 23 2015 10:54:28.615377 UTC

  • The audit log stream also carries auditd and audispd records, which cover system events. If system events are not required, the client must filter them out.

  • All remote syslog streaming from VOSS Automate is via TCP. UDP is not supported.

The tables below describe each key in the audit log, with example values and their meaning.

UserID: Username

  “johnB”                      Username on CLI or database
  “johnB prov1.cust1”          GUI username and hierarchy
  ProviderUser@Provider.com    User email address from GUI login
  hidden                       Invalid username

ClientAddress: IP address / pseudo terminal

  “102.29.232.50:/dev/pts/1”   From IP 102.29.232.50 and pseudo terminal /dev/pts/1
  127.0.0.1                    Internal API user
  102.29.232.50                IP of the GUI or API client. Also Bulk Load, JSON import.

Severity: 0-2. Higher is more severe

  0   Basic log activity on the CLI. All log activity on the GUI or API.
  1   All Rootshell activity
  2   CLI: AuditCategory : Privileged, AuditDetails : user list and App ID: CLI
      (the user may not run the user list command)

EventType: Type of event

  UserLogging        Login, logout, expiry activity
  FileDetection      File checksum activity
  <AuditCategory>    For GUI or API events, the EventType is the AuditCategory

ResourceAccessed: Resource accessed

  CLI                     CLI transaction
  DB                      Database logging
  Application REST API    GUI or API resource

EventStatus: Status of the event

  Success    Successful transaction
  Failed     Failed transaction
  Unknown    Note: a successful Mongo login has this status

CompulsoryEvent: Not in use

  No    Currently always No

AuditCategory: Activity category

  AdministrativeEvent       Non-privileged CLI command
  Privileged                CLI transactions as root user, and commands by any user from the list below
  SecurityEvent             Login or logout to CLI or database
  PrivilegedDataModelAdd    e.g. GUI or API system user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails.
  DataModelAdd              e.g. GUI or API ordinary user, including the type and operation. Type can also be Mod and Del. Details in AuditDetails.
  UserRoleChange            Transactions on the GUI or API flagged as privileged, including the type and operation. Details in AuditDetails.
  UserLogin                 Login on the GUI or API
  UserLogout                Logout on the GUI or API
  MultipleSourceLogin       Simultaneous login on GUI or API. Multiple sources in AuditDetails.

The CLI commands that are flagged as Privileged are:

  • user (and any parameters, such as user del)

  • voss unlock_sysadmin_account

  • voss cleardown

  • system password

  • system reboot

  • system shutdown

The GUI and API transactions flagged as Privileged are:

  • transactions carried out by a system user

  • operations on the following models:

    • data/AccessProfile

    • data/CredentialPolicy

    • data/HierarchyDefault

    • data/Role

    • data/User

    • data/Settings

    • data/Application

    • data/UnityConnection

    • data/CallManager

    • data/AuthorizedAdminHierarchy

The AuditCategory for GUI and API transactions on a data model can be: [Privileged]DataModel(Add|Delete|Update)

ComponentID: Identifier

  CUCDM    The value is always CUCDM

App ID: Application

  CUCDM        The application GUI and API interface
  CLI          CLI command
  CUCDM CLI    Rootshell login
  CUCDM SSH    SSH login
  CUCDM DB     Database, for example Mongo connect, login, logout

AuditDetails: Details of transaction

  Login                                        CLI or database login
  “Login from 172.29.232.88”                   GUI or API login also shows the IP address
  Logout                                       CLI or database logout
  Login Invalid User                           CLI or database login
  Login Invalid Password                       CLI or database login
  User account locked - {} / {}                CLI or database login. Account locked after
                                               failed_login_attempts / allowed_attempts
  User account expired                         CLI or database login. Account expired
  RootShell login                              Root shell login
  RootShell logout                             Root shell logout
  File checksum initialized                    File checksum process initialized. The EventType
                                               is FileDetection.
  <CLI command>                                The CLI command that is run
  “Resource type data/User named User Name: Joe”
                                               Example of a create transaction on the data/User model
  “User Joe role updated to admin”             Example of a role update on a user
  “Login failed with Unknown from 172.29.232.88”
  [Basic|NonInteractive|SSO|LDAP] Authentication on Log [in|out]
                                               Login or logout by a user using the indicated
                                               credentials (Basic, NonInteractive, SSO, LDAP).
                                               The entry's ClientAddress gives the source of the login.
  Session Expired                              Session timeout
  Permission Error                             Access control error: the user has no permission
                                               for an operation on a resource type from a hierarchy
  Invalid Request                              The request URL is not found (HTTP response 400 or 404)
  Password retry limit reached. Locking account with username ..
                                               An account is locked due to failed password attempts
  Unlocking account with username ..           An account is unlocked
  Locking account with username ..             An account is locked
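The entry format and the key tables above are enough to write a parser and a first-pass triage rule for a SIEM or collector. The following is an added example, not code from VOSS Automate or its documentation. It assumes entries arrive either raw or with the `<iso timestamp> VOSS audit: ` syslog prefix that appears in the streamed examples later on this page, that `AuditDetails` may wrap onto a second line, and that the Privileged CLI command list and the Severity meanings are as given above; the two sample entries are constructed to match the format, not captured from a system.

```python
"""Parse VOSS Automate audit log entries and flag the ones that deserve review.
Added example, not VOSS code: field names and the Severity, Privileged and
lockout rules follow the tables above; the sample entries are constructed."""
import re
from datetime import datetime, timezone

# Field order of one entry, as listed in the format section above.
FIELDS = ("UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
          "AuditDetails", "App ID")
# CLI commands the page flags as Privileged, matched on their leading words.
PRIVILEGED_CLI = ("user", "voss unlock_sysadmin_account", "voss cleardown",
                  "system password", "system reboot", "system shutdown")
TS_FORMAT = "%b %d %Y %H:%M:%S.%f %Z"                 # "Oct 23 2015 10:54:28.615377 UTC"
SYSLOG_PREFIX = re.compile(r"^\S+\s+VOSS audit:\s*")  # present when streamed over syslog


def parse_entry(text: str) -> dict:
    """Turn one entry ('<timestamp>|' then 'Key : value' lines) into a dict."""
    text = SYSLOG_PREFIX.sub("", text.strip(), count=1)
    ts_part, _, body = text.partition("|")
    entry = {"timestamp": datetime.strptime(ts_part.strip(), TS_FORMAT)
             .replace(tzinfo=timezone.utc)}
    current = None
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in FIELDS:
            current = key
            entry[key] = value.strip()
        elif current is not None and line.strip():
            entry[current] += " " + line.strip()  # AuditDetails may wrap onto a second line
    missing = [f for f in FIELDS if f not in entry]
    if missing:
        raise ValueError("entry is missing fields: " + ", ".join(missing))
    entry["Severity"] = int(entry["Severity"])
    return entry


def is_privileged_cli(command: str) -> bool:
    """True when the command starts with a Privileged CLI command as whole words."""
    cmd = command.strip()
    return any(cmd == p or cmd.startswith(p + " ") for p in PRIVILEGED_CLI)


def triage(entry: dict) -> list:
    """Reasons an entry needs attention; an empty list means routine activity."""
    reasons = []
    if entry["Severity"] >= 1:                           # 1 = root shell, 2 = most severe
        reasons.append("severity %d" % entry["Severity"])
    if entry["EventStatus"] == "Failed":
        reasons.append("failed event")
    if entry["AuditCategory"].startswith("Privileged"):  # Privileged, PrivilegedDataModel*
        reasons.append("privileged category " + entry["AuditCategory"])
    if entry["App ID"] == "CLI" and is_privileged_cli(entry["AuditDetails"]):
        reasons.append("privileged CLI command: " + entry["AuditDetails"])
    if "Locking account" in entry["AuditDetails"] or "User account locked" in entry["AuditDetails"]:
        reasons.append("account lockout")
    return reasons


# Constructed samples: a streamed privileged data-model add whose AuditDetails
# wraps onto a second line, and the Severity 2 CLI case from the Severity table.
SAMPLE_ENTRIES = [
    """2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : PrivilegedDataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : PrivilegedDataModelAdd
ComponentID : CUCDM
AuditDetails : Resource type data/Role named
Name: Test
App ID: CUCDM""",
    """Oct 23 2015 10:54:28.615377 UTC|
UserID : johnB
ClientAddress : 102.29.232.50:/dev/pts/1
Severity : 2
EventType : Privileged
ResourceAccessed : CLI
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : Privileged
ComponentID : CUCDM
AuditDetails : user list
App ID: CLI""",
]


def run(entries=SAMPLE_ENTRIES) -> list:
    """(UserID, reasons) for each entry, in input order."""
    return [(e["UserID"], triage(e)) for e in map(parse_entry, entries)]
```

Calling `run()` on the two samples returns an empty reason list for nothing: the data-model add is flagged only for its privileged category, while the refused `user list` command collects all four of severity, failure, privileged category and privileged CLI command. The `missing` check matters in practice: an entry that lost a field in transit should be rejected rather than silently scored as routine.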

Example Syslog Messages

The following are example audit log entries.

Note: Line breaks have been added for readability.

API, Login

2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : UserLogin
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : UserLogin
ComponentID : CUCDM
AuditDetails : Login with Mongo from 172.29.90.25 using interface None
App ID: CUCDM

API, Logout

2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : AuthLogout
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : AuthLogout
ComponentID : CUCDM
AuditDetails : Logged out from 172.29.90.25
App ID: CUCDM

API, Access Control Bypass

2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.29.90.25
Severity : 0
EventType : PermissionError
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : PermissionError
ComponentID : CUCDM
AuditDetails : Read operation on model type data/Countries
App ID: CUCDM

API, Data Model Add

2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : DataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : DataModelAdd
ComponentID : CUCDM
AuditDetails : Resource type data/Role named
Name: Test
App ID: CUCDM

CLI, User Add

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=ADD_GROUP
  msg=audit(1572385542.608:242353):
  pid=421859
  uid=0
  auid=1401
  ses=4
  msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=USER_CHAUTHTOK
  msg=audit(1572385542.736:242401):
  pid=421872
  uid=0
  auid=1401
  ses=4
  msg='op=PAM:chauthtok acct="testuser" exe="/usr/sbin/chpasswd" hostname=? addr=? terminal=? res=success'

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=PATH
  msg=audit(1572385542.764:242413):
  item=0
  name="/opt/platform/users/testuser"
  inode=1654786
  dev=08:12
  mode=040700
  ouid=0
  ogid=0
  rdev=00:00
  nametype=NORMAL

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=PATH
  msg=audit(1572385542.768:242417):
  item=0
  name="/opt/platform/users/testuser/media"
  inode=1654788
  dev=08:12
  mode=040500
  ouid=0
  ogid=0
  rdev=00:00
  nametype=NORMAL


2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
UserID : system
ClientAddress : 172.29.90.57
Severity : 0
EventType : SecurityEvent
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : SecurityEvent
ComponentID : CUCDM
AuditDetails : Password retry limit reached. Locking account with username john_smith.
App ID: CUCDM

...
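Because the same TCP syslog stream carries both the application audit entries and the auditd/audispd system events mentioned at the top of the page, a collector normally has to separate the two and, if it keeps any system events, parse the audispd key=value records. The following added example (not VOSS code) does that. It assumes each audispd record reaches the collector as one line (the User Add example above, joined onto single lines), that the `msg=audit(<epoch>.<ms>:<serial>)` token identifies each record, and that the set of system event types worth keeping is a local choice; the records below are constructed from the page's examples.

```python
"""Split a VOSS Automate remote syslog stream into application audit entries and
auditd/audispd system events, and parse the audispd records.
Added example, not VOSS code. The records below are constructed from the
User Add example above, each joined onto one line as a syslog collector would
receive it; which system event types to keep is this example's choice."""
import re
from datetime import datetime, timezone

AUDIT_MARK = " VOSS audit: "      # application audit entries (format described above)
AUDISPD_MARK = " VOSS audispd: "  # auditd events forwarded by audispd
# key=value pairs: values are "double-quoted", 'single-quoted' or bare; a bare
# value runs up to the next " key=" so that op=adding group is kept whole.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|[^=]*?)(?=\s+\w+=|\s*$)""")
AUDIT_ID_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")  # msg=audit(<epoch>.<ms>:<serial>)
# System event types kept: the account-management records in the example
# (ADD_GROUP, USER_CHAUTHTOK) plus auditd's ADD_USER and DEL_USER. PATH records
# are file-system noise for this purpose and are dropped.
KEEP_SYSTEM_TYPES = frozenset({"ADD_USER", "DEL_USER", "ADD_GROUP", "USER_CHAUTHTOK"})


def parse_audispd(record: str) -> dict:
    """Parse one forwarded auditd record; the quoted msg='...' becomes event['detail']."""
    head, sep, payload = record.partition(AUDISPD_MARK)
    if not sep:
        raise ValueError("not an audispd record")
    event = {"syslog_time": head.strip(), "detail": {}}
    for key, value in KV_RE.findall(payload):
        value = value.strip("\"'")
        ident = AUDIT_ID_RE.match(value) if key == "msg" else None
        if ident:  # the audit(...) token is the event's timestamp and serial number
            secs, frac, serial = ident.groups()
            event["audit_time"] = datetime.fromtimestamp(int(secs), timezone.utc).replace(
                microsecond=int(frac.ljust(6, "0")[:6]))
            event["serial"] = int(serial)
        elif key == "msg":  # op=, acct=, exe=, res= ... describe what happened
            event["detail"] = {k: v.strip("\"'") for k, v in KV_RE.findall(value)}
        else:
            event[key] = value
    return event


def describe(event: dict) -> str:
    """One-line summary of a parsed system event for a reviewer."""
    d = event["detail"]
    return "%s %s acct=%s exe=%s res=%s auid=%s" % (
        event["audit_time"].isoformat(), event["type"], d.get("acct"), d.get("exe"),
        d.get("res"), event.get("auid"))


def split_stream(records, keep_system_types=KEEP_SYSTEM_TYPES):
    """Return (audit_entries, system_events): application audit entries are passed
    through untouched; audispd records are parsed and reduced to the kept types."""
    audit_entries, system_events = [], []
    for rec in records:
        if AUDIT_MARK in rec:
            audit_entries.append(rec)
        elif AUDISPD_MARK in rec:
            event = parse_audispd(rec)
            if event.get("type") in keep_system_types:
                system_events.append(event)
    return audit_entries, system_events


# Constructed stream: three audispd records from the User Add example and one
# application audit entry (the account lockout example).
SAMPLE_RECORDS = [
    """2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=ADD_GROUP msg=audit(1572385542.608:242353): pid=421859 uid=0 auid=1401 ses=4 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'""",
    """2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=USER_CHAUTHTOK msg=audit(1572385542.736:242401): pid=421872 uid=0 auid=1401 ses=4 msg='op=PAM:chauthtok acct="testuser" exe="/usr/sbin/chpasswd" hostname=? addr=? terminal=? res=success'""",
    """2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=PATH msg=audit(1572385542.764:242413): item=0 name="/opt/platform/users/testuser" inode=1654786 dev=08:12 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL""",
    """2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
UserID : system
ClientAddress : 172.29.90.57
Severity : 0
EventType : SecurityEvent
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : SecurityEvent
ComponentID : CUCDM
AuditDetails : Password retry limit reached. Locking account with username john_smith.
App ID: CUCDM""",
]


if __name__ == "__main__":
    audit, system = split_stream(SAMPLE_RECORDS)
    print(len(audit), "audit entries;", len(system), "system events kept")
    for event in system:
        print(describe(event))
```

The audit serial number (242353, 242401, ...) is what ties the several audispd lines of one syscall together, so a collector that drops PATH records should still keep the serial on the records it retains; the `auid` field (1401 here) identifies the logged-in user who ran the privileged command even though `uid=0` shows it executed as root.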