Audit Log Format and Details

The following is the format of an audit log entry. Line breaks have been added here for readability.

%b %d %Y %H:%M:%S.%f %Z|
UserID : %s
ClientAddress : %s
Severity : %s
EventType : %s
ResourceAccessed : %s
EventStatus : %s
CompulsoryEvent : No
AuditCategory : %s
ComponentID : VOSS Automate
AuditDetails : %s
App ID: %s

The first line is the format string of the timestamp (strftime-style directives); each %s is a placeholder for the value of that field.

An example of the timestamp would be:

Oct 23 2015 10:54:28.615377 UTC

  • The audit log stream also carries auditd and audispd entries, which record system events. If system events are not required, the client must filter them out.

  • All remote syslog streaming from VOSS Automate is via TCP. UDP is not supported.
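As an added example (not code from the VOSS Automate product or its documentation), the following Python parses entries in the line-broken form shown above into a dict, and drops the audispd system events that a client has to filter out when it does not want them. It assumes entries arrive one field per line exactly as printed here (the page does not state the on-wire separator between fields), that an entry is complete once its App ID field, the last one in the format, has been read, and that a line whose left-hand side is not a known field name continues the previous field. The sample stream is constructed from the examples later on this page.

```python
import re
from datetime import datetime, timezone

# Field names in the order the format string on the page lists them.
FIELDS = (
    "UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
    "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
    "AuditDetails", "App ID",
)
# The page's timestamp format, usable directly with strptime.
TIMESTAMP_FORMAT = "%b %d %Y %H:%M:%S.%f %Z"

# Header line: an optional syslog prefix ending in "VOSS audit:", then the
# timestamp and the "|" that terminates it.
HEADER_RE = re.compile(
    r"^(?:.*?VOSS audit:\s*)?"
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{6} UTC)\|\s*$"
)
# "Key : Value" or "App ID: Value". The key is matched lazily, so a colon
# inside the value ("102.29.232.50:/dev/pts/1") does not split the field.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s?(?P<value>.*)$")


def parse_audit_entry(text):
    """Parse one entry (header line, then one field per line) into a dict.

    Adds a tz-aware 'Timestamp'. A line whose key is not in FIELDS (e.g. the
    'Name: Test' continuation of AuditDetails) extends the previous field."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        raise ValueError("missing or malformed audit header")
    stamp = datetime.strptime(header.group("ts"), TIMESTAMP_FORMAT)
    entry = {"Timestamp": stamp.replace(tzinfo=timezone.utc)}  # %Z attaches no tz
    last_key = None
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m and m.group("key") in FIELDS:
            last_key = m.group("key")
            entry[last_key] = m.group("value").strip()
        elif last_key is not None:
            entry[last_key] = (entry[last_key] + " " + line.strip()).strip()
        else:
            raise ValueError("field line before any known key: %r" % line)
    if "Severity" in entry:
        entry["Severity"] = int(entry["Severity"])
    return entry


def split_entries(stream):
    """Split a line-broken stream into parsed audit entries.

    An entry starts at a header line and ends with its 'App ID' field. Lines
    outside an entry, in particular auditd/audispd system events, are dropped:
    the client-side filtering the page says is needed."""
    entries, current = [], None
    for line in stream.splitlines():
        if HEADER_RE.match(line):
            current = [line]
        elif current is not None:
            current.append(line)
            m = FIELD_RE.match(line)
            if m and m.group("key") == FIELDS[-1]:
                entries.append(parse_audit_entry("\n".join(current)))
                current = None
    return entries


# Constructed sample stream: two audit entries taken from the examples on this
# page, with an audispd system event (also from the page) between them.
SAMPLE_STREAM = """\
2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : DataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : DataModelAdd
ComponentID : VOSS Automate
AuditDetails : Resource type data/Role named
Name: Test
App ID: VOSS Automate
2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=ADD_GROUP msg=audit(1572385542.608:242353): pid=421859 uid=0 auid=1401 ses=4 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
UserID : system
ClientAddress : 172.29.90.57
Severity : 0
EventType : SecurityEvent
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : SecurityEvent
ComponentID : VOSS Automate
AuditDetails : Password retry limit reached. Locking account with username john_smith.
App ID: VOSS Automate
"""
```

Calling split_entries(SAMPLE_STREAM) yields two dicts and silently discards the audispd line; the Severity value is converted to an int so that comparisons against the 0-2 scale below work without further casting.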

The tables below describe each key in the audit log, with example values and their meaning.

UserID (Username)

| Example | Description |
| --- | --- |
| johnB | Username on CLI or database |
| johnB prov1.cust1 | GUI username and hierarchy |
| ProviderUser@Provider.com | User email address from GUI login |
| hidden | Invalid username |

ClientAddress (IP address / pseudo terminal)

| Example | Description |
| --- | --- |
| 102.29.232.50:/dev/pts/1 | From IP 102.29.232.50 and pseudo terminal /dev/pts/1 |
| 127.0.0.1 | Internal API user |
| 102.29.232.50 | IP of GUI or API. Also Bulk Load, JSON import. |

Severity (0-2; higher is more severe)

| Example | Description |
| --- | --- |
| 0 | Basic log activity on the CLI. All log activity on the GUI or API. |
| 1 | All Rootshell activity |
| 2 | CLI: AuditCategory : Privileged, AuditDetails : user list and App ID: CLI (the user may not run the user list command) |

EventType (Type of event)

| Example | Description |
| --- | --- |
| UserLogging | Login, logout, expiry activity |
| FileDetection | File checksum activity |
| <AuditCategory> | For GUI or API events the EventType is the AuditCategory |

ResourceAccessed (Resource accessed)

| Example | Description |
| --- | --- |
| CLI | CLI transaction |
| DB | Database logging |
| Application REST API | GUI or API resource |

EventStatus (Status of the event)

| Example | Description |
| --- | --- |
| Success | Successful transaction |
| Failed | Failed transaction |
| Unknown | Note: a successful Mongo login has this status |

CompulsoryEvent (Not in use)

| Example | Description |
| --- | --- |
| No | Currently always No |

AuditCategory (Activity category)

| Example | Description |
| --- | --- |
| AdministrativeEvent | Non-privileged CLI command |
| Privileged | CLI transactions as root user, and commands by any user from the list below. |
| SecurityEvent | Login or logout to CLI, database. |
| PrivilegedDataModelAdd | e.g. a GUI or API system user, including the type and operation. The type can also be Mod or Del. Details in AuditDetails. |
| DataModelAdd | e.g. a GUI or API ordinary user, including the type and operation. The type can also be Mod or Del. Details in AuditDetails. |
| UserRoleChange | Transactions on the GUI or API flagged as privileged, including the type and operation. Details in AuditDetails. |
| UserLogin | Login on the GUI or API. |
| UserLogout | Logout on the GUI or API. |
| MultipleSourceLogin | Simultaneous login on the GUI or API. The multiple sources are listed in AuditDetails. |

The CLI commands that are flagged as Privileged are:

  • user (and any parameters, such as user del)

  • voss unlock_sysadmin_account

  • voss cleardown

  • system password

  • system reboot

  • system shutdown

The GUI and API transactions flagged as privileged are:

  • transactions carried out by a system user

  • operations on the following models:

    • data/AccessProfile

    • data/CredentialPolicy

    • data/HierarchyDefault

    • data/Role

    • data/User

    • data/Settings

    • data/Application

    • data/UnityConnection

    • data/CallManager

    • data/AuthorizedAdminHierarchy

The AuditCategory for a GUI or API transaction on a data model has the form [Privileged]DataModel(Add|Delete|Update).
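An added example, not code from the VOSS Automate project: a small Python triage rule set that applies the Severity scale, the privileged CLI command list and the privileged model list above to already-parsed entries (dicts keyed by the audit log field names, as a log pipeline would hold them). The function names and the sample entries are constructed for this example, using values from the page's tables and examples; the data-model category regex accepts both the Add|Delete|Update spelling given here and the Mod|Del spelling used in the AuditCategory table.

```python
import re

# Privileged CLI commands as listed on the page; "user" covers any parameters.
PRIVILEGED_CLI = (
    "user",
    "voss unlock_sysadmin_account",
    "voss cleardown",
    "system password",
    "system reboot",
    "system shutdown",
)
# Models on which GUI/API operations are flagged as privileged (page's list).
PRIVILEGED_MODELS = frozenset({
    "data/AccessProfile", "data/CredentialPolicy", "data/HierarchyDefault",
    "data/Role", "data/User", "data/Settings", "data/Application",
    "data/UnityConnection", "data/CallManager", "data/AuthorizedAdminHierarchy",
})
# [Privileged]DataModel(Add|Delete|Update); Mod and Del are accepted as well
# because the AuditCategory table spells the operation that way.
DATA_MODEL_CATEGORY_RE = re.compile(
    r"^(?P<priv>Privileged)?DataModel(?P<op>Add|Delete|Update|Mod|Del)$"
)
MODEL_NAME_RE = re.compile(r"\bdata/[A-Za-z]+\b")


def is_privileged_cli(command):
    """True if a CLI command (the AuditDetails of a CLI entry) is privileged.

    Matches whole leading words, so 'user del bob' is privileged while a
    command that merely starts with the letters 'user' is not."""
    words = command.split()
    return any(words[:len(p.split())] == p.split() for p in PRIVILEGED_CLI)


def data_model_category(category):
    """(privileged, operation) for a data-model AuditCategory, else None."""
    m = DATA_MODEL_CATEGORY_RE.match(category or "")
    if m is None:
        return None
    return (m.group("priv") is not None, m.group("op"))


def triage(entry):
    """Return the reasons an entry deserves review; an empty list means routine.

    'entry' is a dict keyed by the audit log field names; Severity may be the
    raw string from the log or an int."""
    reasons = []
    severity = int(entry.get("Severity", 0))
    if severity >= 1:
        reasons.append("severity %d" % severity)
    category = entry.get("AuditCategory", "")
    details = entry.get("AuditDetails", "")
    if entry.get("App ID") == "CLI" and (category == "Privileged" or is_privileged_cli(details)):
        reasons.append("privileged CLI command: %s" % details)
    dm = data_model_category(category)
    if dm is not None:
        privileged, op = dm
        m = MODEL_NAME_RE.search(details)
        model = m.group(0) if m else "<unknown model>"
        if privileged or model in PRIVILEGED_MODELS:
            reasons.append("%s on %s" % (op, model))
    if category == "MultipleSourceLogin":
        reasons.append("simultaneous login from multiple sources")
    if entry.get("EventStatus") == "Failed" and category in ("SecurityEvent", "PermissionError", "UserLogin"):
        reasons.append("failed %s: %s" % (category, details))
    return reasons


# Constructed sample entries built from values in the page's tables and examples.
SAMPLE_ENTRIES = [
    {"UserID": "johnB", "ClientAddress": "102.29.232.50:/dev/pts/1", "Severity": "2",
     "EventStatus": "Failed", "AuditCategory": "Privileged",
     "AuditDetails": "user list", "App ID": "CLI"},
    {"UserID": "CS-PAdmin sys.hcs.CS-P", "ClientAddress": "172.31.252.1", "Severity": "0",
     "EventStatus": "Success", "AuditCategory": "DataModelAdd",
     "AuditDetails": "Resource type data/Role named Name: Test", "App ID": "VOSS Automate"},
    {"UserID": "CS-PAdmin sys.hcs.CS-P", "ClientAddress": "172.29.90.25", "Severity": "0",
     "EventStatus": "Failed", "AuditCategory": "PermissionError",
     "AuditDetails": "Read operation on model type data/Countries", "App ID": "VOSS Automate"},
    {"UserID": "CS-PAdmin", "ClientAddress": "172.29.90.25", "Severity": "0",
     "EventStatus": "Success", "AuditCategory": "UserLogin",
     "AuditDetails": "Login with Mongo from 172.29.90.25 using interface None", "App ID": "VOSS Automate"},
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["UserID"], triage(entry) or "routine")
```

The model lookup treats an unprivileged DataModel* category as reviewable only when the model named in AuditDetails is on the privileged list, so a DataModelAdd on data/Role is flagged while the same operation on an unlisted model is not; a failed PermissionError is flagged regardless of severity, since the page records it at Severity 0.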

ComponentID (Identifier)

| Example | Description |
| --- | --- |
| VOSS Automate | The value is always VOSS Automate |

App ID (Application)

| Example | Description |
| --- | --- |
| VOSS Automate | The application GUI and API interface |
| CLI | CLI command |
| VOSS Automate CLI | Rootshell login |
| VOSS Automate SSH | SSH login |
| VOSS Automate DB | Database, for example Mongo connect, login, logout |

AuditDetails (Details of transaction)

| Example | Description |
| --- | --- |
| Login | CLI or database login |
| Login from 172.29.232.88 | GUI or API login; also shows the IP address |
| Logout | CLI or database logout |
| Login Invalid User | CLI or database login |
| Login Invalid Password | CLI or database login |
| User account locked - {} / {} | CLI or database login. Account locked after failed_login_attempts / allowed_attempts |
| User account expired | CLI or database login. Account expired |
| RootShell login | Root shell login |
| RootShell logout | Root shell logout |
| File checksum initialized | File checksum process initialized. The EventType is FileDetection. |
| <CLI command> | The CLI command that is run |
| Resource type data/User named User Name: Joe | Example of a create transaction on the data/User model. |
| User Joe role updated to admin | Example of a role update on a user. |
| Login failed with Unknown from 172.29.232.88 | |
| [Basic\|NonInteractive\|SSO\|LDAP] Authentication on Log [in\|out] | Login or logout by a user using the indicated credentials (Basic, NonInteractive, SSO, LDAP). The entry's ClientAddress gives the source of the login. |
| Session Expired | Session timeout |
| Permission Error | Access control error: the user has no permission for an operation on a resource type from a hierarchy. |
| Invalid Request | The request URL is not found (HTTP response 400 or 404) |
| Password retry limit reached. Locking account with username .. | When an account is locked due to failed password attempts |
| Unlocking account with username .. | When an account is unlocked |
| Locking account with username .. | When an account is locked |

Example Syslog Messages

The following are example audit log entries.

Note: Line breaks have been added for readability.

API,Login,2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : UserLogin
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : UserLogin
ComponentID : VOSS Automate
AuditDetails : Login with Mongo from 172.29.90.25 using interface None
App ID: VOSS Automate

API,Logout,2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
UserID : CS-PAdmin
ClientAddress : 172.29.90.25
Severity : 0
EventType : AuthLogout
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : AuthLogout
ComponentID : VOSS Automate
AuditDetails : Logged out from 172.29.90.25
App ID: VOSS Automate

API,Access Control Bypass,2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.29.90.25
Severity : 0
EventType : PermissionError
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : PermissionError
ComponentID : VOSS Automate
AuditDetails : Read operation on model type data/Countries
App ID: VOSS Automate

API,Data Model Add,2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
UserID : CS-PAdmin sys.hcs.CS-P
ClientAddress : 172.31.252.1
Severity : 0
EventType : DataModelAdd
ResourceAccessed : Application REST API
EventStatus : Success
CompulsoryEvent : No
AuditCategory : DataModelAdd
ComponentID : VOSS Automate
AuditDetails : Resource type data/Role named
Name: Test
App ID: VOSS Automate

CLI,User Add,
2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=ADD_GROUP
msg=audit(1572385542.608:242353):
  pid=421859
  uid=0
  auid=1401
  ses=4
  msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=USER_CHAUTHTOK
msg=audit(1572385542.736:242401):
  pid=421872
  uid=0
  auid=1401
  ses=4
  msg='op=PAM:chauthtok acct="testuser" exe="/usr/sbin/chpasswd" hostname=? addr=? terminal=? res=success'

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=PATH
msg=audit(1572385542.764:242413):
  item=0
  name="/opt/platform/users/testuser"
  inode=1654786
  dev=08:12
  mode=040700
  ouid=0
  ogid=0
  rdev=00:00
  nametype=NORMAL

2019-10-29T21:45:42+00:00
VOSS audispd:
  node=VOSS
  type=PATH
msg=audit(1572385542.768:242417):
  item=0
  name="/opt/platform/users/testuser/media"
  inode=1654788
  dev=08:12
  mode=040500
  ouid=0
  ogid=0
  rdev=00:00
  nametype=NORMAL


2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
UserID : system
ClientAddress : 172.29.90.57
Severity : 0
EventType : SecurityEvent
ResourceAccessed : Application REST API
EventStatus : Failed
CompulsoryEvent : No
AuditCategory : SecurityEvent
ComponentID : VOSS Automate
AuditDetails : Password retry limit reached. Locking account with username john_smith.
App ID: VOSS Automate

...
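Added example, not part of the VOSS Automate documentation or product: a Python parser for the audispd records shown in the CLI,User Add example above, which use auditd's key=value syntax with a nested msg='...' payload rather than the VOSS audit field layout. The timestamp is taken from the audit(epoch:serial) identifier rather than the syslog prefix, and the bare-value rule keeps multi-word values such as op=adding group intact. The sample records are the page's ADD_GROUP, USER_CHAUTHTOK and PATH records rewritten on one line each with the CSV-style doubled quotes collapsed; describe_account_change is a constructed helper that summarizes only the two account-management record types the page shows.

```python
import re
from datetime import datetime, timezone

# key=value tokens: double-quoted, single-quoted, or bare. A bare value runs up
# to the next " key=" or the end of the string, so "op=adding group" keeps both
# words instead of stopping at the first space.
KV_RE = re.compile(
    r"""(?P<key>[A-Za-z_]+)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'"""
    r"""|(?P<bare>.*?)(?=\s+[A-Za-z_]+=|\s*$))"""
)
AUDIT_ID_RE = re.compile(r"msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):")
INNER_MSG_RE = re.compile(r"msg='(?P<body>[^']*)'")


def parse_kv(text):
    """Parse key=value tokens into a dict; a repeated key keeps its last value."""
    out = {}
    for m in KV_RE.finditer(text):
        out[m.group("key")] = next(
            v for v in (m.group("dq"), m.group("sq"), m.group("bare")) if v is not None
        )
    return out


def parse_audispd_record(line):
    """Parse one audispd record into timestamp, serial, type and fields.

    The nested msg='...' payload is parsed into the same 'fields' dict as the
    outer tokens; the audit(...) id and the record type get their own keys."""
    ident = AUDIT_ID_RE.search(line)
    if ident is None:
        raise ValueError("no audit(epoch:serial) id in record: %r" % line)
    inner = INNER_MSG_RE.search(line)
    outer = line[: inner.start()] if inner else line
    fields = parse_kv(outer)
    fields.pop("msg", None)  # the audit(...) token, captured via AUDIT_ID_RE
    if inner:
        fields.update(parse_kv(inner.group("body")))
    return {
        "timestamp": datetime.fromtimestamp(float(ident.group("epoch")), tz=timezone.utc),
        "serial": int(ident.group("serial")),
        "type": fields.pop("type", None),
        "fields": fields,
    }


def describe_account_change(record):
    """One-line summary for the account-management record types on this page
    (ADD_GROUP, USER_CHAUTHTOK); None for anything else, such as PATH."""
    if record["type"] not in ("ADD_GROUP", "USER_CHAUTHTOK"):
        return None
    f = record["fields"]
    return "%s: %s acct=%s by auid=%s via %s (%s)" % (
        record["type"], f.get("op"), f.get("acct"), f.get("auid"), f.get("exe"), f.get("res"))


# Constructed samples: the page's audispd records on one line each, with the
# CSV-style doubled quotes collapsed to the single pair audispd emits.
SAMPLE_RECORDS = [
    "2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=ADD_GROUP msg=audit(1572385542.608:242353): pid=421859 uid=0 auid=1401 ses=4 msg='op=adding group acct=\"testuser\" exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/0 res=success'",
    "2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=USER_CHAUTHTOK msg=audit(1572385542.736:242401): pid=421872 uid=0 auid=1401 ses=4 msg='op=PAM:chauthtok acct=\"testuser\" exe=\"/usr/sbin/chpasswd\" hostname=? addr=? terminal=? res=success'",
    "2019-10-29T21:45:42+00:00 VOSS audispd: node=VOSS type=PATH msg=audit(1572385542.764:242413): item=0 name=\"/opt/platform/users/testuser\" inode=1654786 dev=08:12 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_audispd_record(line)
        print(rec["timestamp"].isoformat(), rec["serial"], rec["type"],
              describe_account_change(rec) or rec["fields"])
```

The three records in the sample share the same second in the syslog prefix; the audit id's serial numbers (242353, 242401, 242413) are what order them and tie the PATH records to the useradd that created the home directory, which is why the parser exposes the serial separately.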