.. _audit_log_format_and_details:


.. rst-class:: chapter-with-expand

Audit Log Format and Details
----------------------------

.. _21.1|VOSS-643|EKB-8451:
.. _21.1|VOSS-643|EKB-8452:
.. _21.3|VOSS-911|EKB-11962:

The following is the format of an audit log entry. Line breaks 
have been added here for readability. 

::

   %b %d %Y %H:%M:%S.%f %Z|
   UserID : %s 
   ClientAddress : %s 
   Severity : %s 
   EventType : %s
   ResourceAccessed: %s 
   EventStatus : %s 
   CompulsoryEvent : No 
   AuditCategory : %s 
   ComponentID : VOSS Automate
   AuditDetails : %s 
   App ID: %s

The first line is the format string of the timestamp (``strftime`` directives),
and each ``%s`` is a placeholder for a value.

An example of the timestamp would be:

::

  Oct 23 2015 10:54:28.615377 UTC


* Audit logs include logs for ``auditd`` and ``audispd``
  which include system events. 
  If system events are not required, they must be filtered by the client.
* All remote syslog streaming from VOSS Automate is via TCP. UDP is not supported.


The tables below describe each key in the audit log, with example values and their meaning.


.. tabularcolumns:: |p{5cm}|p{10cm}|

===========================  ===============================================================================================================================
``UserID``                   Username
===========================  ===============================================================================================================================
johnB                        Username on CLI or database
johnB prov1.cust1            GUI username and hierarchy
ProviderUser@Provider.com    User email address from GUI login
``hidden``                   Invalid username
===========================  ===============================================================================================================================


.. tabularcolumns:: |p{5cm}|p{10cm}|

==========================  =========================================================================================================================
``ClientAddress``           IP address / pseudo terminal
==========================  =========================================================================================================================
102.29.232.50:/dev/pts/1    From IP: 102.29.232.50 and pseudo terminal /dev/pts/1
``127.0.0.1``               Internal API user
``102.29.232.50``           IP of GUI or API. Also Bulk Load, JSON import.
==========================  =========================================================================================================================


.. tabularcolumns:: |p{5cm}|p{10cm}|

====================  ===============================================================================================================================
``Severity``          0-2. Higher is more severe
====================  ===============================================================================================================================
0                     Basic log activity on the CLI. All log activity on the GUI or API.
1                     All Rootshell activity
2                     CLI: ``AuditCategory : Privileged``, ``AuditDetails : user list`` and ``App ID: CLI`` - the user is not permitted to run the **user list** command
====================  ===============================================================================================================================


.. tabularcolumns:: |p{5cm}|p{10cm}|

====================  ===============================================================================================================================
``EventType``         Type of event 
====================  ===============================================================================================================================
``UserLogging``       Login, logout, expiry activity
``FileDetection``     File checksum activity
<AuditCategory>       GUI or API event type is the AuditCategory
====================  ===============================================================================================================================


.. tabularcolumns:: |p{5cm}|p{10cm}|

========================  ===============================================================================================================================
``ResourceAccessed``      Resource accessed
========================  ===============================================================================================================================
``CLI``                   CLI transaction
``DB``                    Database logging 
``Application REST API``  GUI or API resource
========================  ===============================================================================================================================



.. tabularcolumns:: |p{5cm}|p{10cm}|

====================  ===============================================================================================================================
``EventStatus``       Status of the event
====================  ===============================================================================================================================
``Success``           Successful transaction
``Failed``            Failed transaction            
``Unknown``           Note: Mongo successful login has this status
====================  ===============================================================================================================================



.. tabularcolumns:: |p{5cm}|p{10cm}|

====================  ===============================================================================================================================
``CompulsoryEvent``   Not in use
====================  ===============================================================================================================================
``No``                Currently always ``No`` 
====================  ===============================================================================================================================




.. tabularcolumns:: |p{5cm}|p{10cm}|

==========================  ===================================================================================================================================
``AuditCategory``           Activity category                                                                                                                  
==========================  ===================================================================================================================================
``AdministrativeEvent``     non-privileged CLI command
``Privileged``              CLI transactions as root user, and commands by any user from the list below.
``SecurityEvent``           Login or logout on the CLI or database
``PrivilegedDataModelAdd``  GUI or API transaction by a system user, for example an add; the type can also be ``Mod`` or ``Del``. Details in ``AuditDetails``.
``DataModelAdd``            GUI or API transaction by an ordinary user, for example an add; the type can also be ``Mod`` or ``Del``. Details in ``AuditDetails``.
``UserRoleChange``          Transactions on the GUI, API flagged as privileged, including the type and operation. Details in ``AuditDetails``.
``UserLogin``               Login on the GUI, API.
``UserLogout``              Logout on the GUI, API.
``MultipleSourceLogin``     Simultaneous login on GUI, API. Multiple sources in ``AuditDetails``. 
==========================  ===================================================================================================================================

The CLI commands that are flagged as ``Privileged`` are:

* **user** (and any parameters, such as **user del**)
* **voss unlock_sysadmin_account**
* **voss cleardown**
* **system password**
* **system reboot**
* **system shutdown**

The GUI and API commands flagged as privileged are those:

* carried out by a system user
* operations on the models:

  * ``data/AccessProfile``
  * ``data/CredentialPolicy``
  * ``data/HierarchyDefault``
  * ``data/Role``
  * ``data/User``
  * ``data/Settings``
  * ``data/Application``
  * ``data/UnityConnection``
  * ``data/CallManager``
  * ``data/AuthorizedAdminHierarchy``

The audit category for a GUI or API transaction on a data model is one of *[Privileged]DataModel(Add|Delete|Update)*.



.. tabularcolumns:: |p{5cm}|p{10cm}|

====================  ===============================================================================================================================
``ComponentID``       Identifier
====================  ===============================================================================================================================
``VOSS Automate``     The value is always ``VOSS Automate``
====================  ===============================================================================================================================



.. tabularcolumns:: |p{5cm}|p{10cm}|

=====================  ===============================================================================================================================
``App ID``             Application
=====================  ===============================================================================================================================
``VOSS Automate``      The application GUI and API interface
``CLI``                CLI command
``VOSS Automate CLI``  Rootshell login
``VOSS Automate SSH``  SSH login
``VOSS Automate DB``   Database, for example Mongo connect, login, logout
=====================  ===============================================================================================================================


.. tabularcolumns:: |p{5cm}|p{10cm}|

==============================================================  =====================================================================================================================================================================
``Audit Details``                                               Details of transaction
==============================================================  =====================================================================================================================================================================
``Login``                                                       CLI or database login
Login from 172.29.232.88                                        GUI or API login also shows IP address 
``Logout``                                                      CLI or database logout  
``Login Invalid User``                                          CLI or database login
``Login Invalid Password``                                      CLI or database login
``User account locked - {} / {}``                               CLI or database login. Account locked after failed_login_attempts / allowed_attempts
``User account expired``                                        CLI or database login. Account expired
``RootShell login``                                             Root shell login
``RootShell logout``                                            Root shell logout
``File checksum initialized``                                   File checksum process initialized. The EventType is ``FileDetection``.
*<CLI command>*                                                 The CLI command that is run
Resource type data/User named User Name: Joe                    Example of a create transaction on the ``data/User`` model.
User Joe role updated to admin                                  Example of a role update on a user.
Login failed with Unknown from 172.29.232.88                  
[Basic|NonInteractive|SSO|LDAP] Authentication on Log [in|out]  Login or log out by a user using the indicated credentials (Basic, NonInteractive, SSO, LDAP). The log entry includes Client Address for source of the login.
Session Expired                                                 Session timeout
Permission Error                                                Access control error: the user has no permission for an operation on a resource type from a hierarchy.
Invalid Request                                                 The request URL is not found (HTTP response 400 or 404)
Password retry limit reached. Locking account with username ..  When an account is locked due to failed password attempts
Unlocking account with username ..                              When an account is unlocked
Locking account with username ..                                When an account is locked
==============================================================  =====================================================================================================================================================================



Example Syslog Messages
.......................

The following are example audit log entries.

.. note::
   Line breaks have been added for readability.

::

   API,Login,2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
   UserID : CS-PAdmin 
   ClientAddress : 172.29.90.25 
   Severity : 0 
   EventType : UserLogin 
   ResourceAccessed : Application REST API 
   EventStatus : Success 
   CompulsoryEvent : No 
   AuditCategory : UserLogin 
   ComponentID : VOSS Automate 
   AuditDetails : Login with Mongo from 172.29.90.25 using interface None 
   App ID: VOSS Automate
    
   API,Logout,2019-10-29T21:11:11+00:00 VOSS audit: Oct 29 2019 21:11:11.449544 UTC|
   UserID : CS-PAdmin 
   ClientAddress : 172.29.90.25 
   Severity : 0 
   EventType : AuthLogout 
   ResourceAccessed : Application REST API 
   EventStatus : Success 
   CompulsoryEvent : No 
   AuditCategory : AuthLogout 
   ComponentID : VOSS Automate 
   AuditDetails : Logged out from 172.29.90.25 
   App ID: VOSS Automate
    
   API,Access Control Bypass,2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
   UserID : CS-PAdmin sys.hcs.CS-P 
   ClientAddress : 172.29.90.25 
   Severity : 0 
   EventType : PermissionError 
   ResourceAccessed : Application REST API 
   EventStatus : Failed 
   CompulsoryEvent : No 
   AuditCategory : PermissionError 
   ComponentID : VOSS Automate 
   AuditDetails : Read operation on model type data/Countries 
   App ID: VOSS Automate
    
   API,Data Model Add,2019-10-29T21:31:33+00:00 VOSS audit: Oct 29 2019 21:31:33.872904 UTC|
   UserID : CS-PAdmin sys.hcs.CS-P 
   ClientAddress : 172.31.252.1 
   Severity : 0 
   EventType : DataModelAdd 
   ResourceAccessed : Application REST API 
   EventStatus : Success 
   CompulsoryEvent : No 
   AuditCategory : DataModelAdd 
   ComponentID : VOSS Automate 
   AuditDetails : Resource type data/Role named 
   Name: Test 
   App ID: VOSS Automate
    
   CLI,User Add,
   "2019-10-29T21:45:42+00:00 
   VOSS audispd: 
     node=VOSS 
     type=ADD_GROUP 
   msg=audit(1572385542.608:242353): 
     pid=421859 
     uid=0 
     auid=1401 
     ses=4 
     msg='op=adding group acct=""testuser"" exe=""/usr/sbin/useradd"" hostname=? addr=? terminal=pts/0 res=success'

   2019-10-29T21:45:42+00:00 
   VOSS audispd: 
     node=VOSS 
     type=USER_CHAUTHTOK 
   msg=audit(1572385542.736:242401): 
     pid=421872 
     uid=0 
     auid=1401 
     ses=4 
     msg='op=PAM:chauthtok acct=""testuser"" exe=""/usr/sbin/chpasswd"" hostname=? addr=? terminal=? res=success'

   2019-10-29T21:45:42+00:00 
   VOSS audispd: 
     node=VOSS 
     type=PATH 
   msg=audit(1572385542.764:242413): 
     item=0 
     name=""/opt/platform/users/testuser"" 
     inode=1654786 
     dev=08:12 
     mode=040700 
     ouid=0 
     ogid=0 
     rdev=00:00 
     nametype=NORMAL

   2019-10-29T21:45:42+00:00 
   VOSS audispd: 
     node=VOSS 
     type=PATH 
   msg=audit(1572385542.768:242417): 
     item=0 
     name=""/opt/platform/users/testuser/media"" 
     inode=1654788 
     dev=08:12 
     mode=040500 
     ouid=0 
     ogid=0 
     rdev=00:00 
     nametype=NORMAL


   2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
   UserID : system 
   ClientAddress : 172.29.90.57 
   Severity : 0 
   EventType : SecurityEvent 
   ResourceAccessed : Application REST API 
   EventStatus : Failed 
   CompulsoryEvent : No 
   AuditCategory : SecurityEvent 
   ComponentID : VOSS Automate 
   AuditDetails : Password retry limit reached. Locking account with username john_smith. 
   App ID: VOSS Automate

   ...
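
The entries above, parsed back into fields against the format at the top of this page and triaged
against the ``Severity`` and ``AuditCategory`` tables, as an added example that is not part of the
VOSS Automate documentation or product. It assumes that once the readability line breaks are removed
the ``Key : value`` tokens of one entry are separated by whitespace, and that the SIEM delivers one
entry at a time (with or without the syslog header before ``VOSS audit:``). Three of the sample
entries are taken from this page; the fourth, a ``Severity : 2`` privileged CLI denial, is constructed
from the severity table rather than taken from a real log. The ``triage`` rules are this example's own
reading of the tables, not a VOSS component.

```python
"""Parse VOSS Automate audit entries and flag those worth a closer look.

Added example (not VOSS code). Assumed: once the readability line breaks are
removed, the 'Key : value' tokens of one entry are separated by whitespace.
"""
import re
from datetime import datetime, timezone

# Field names in the order the format on this page lists them.
FIELDS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
          "AuditDetails", "App ID"]

# Timestamp "%b %d %Y %H:%M:%S.%f %Z|", e.g. "Oct 23 2015 10:54:28.615377 UTC|".
TS_RE = re.compile(r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}) "
                   r"(?P<tz>[A-Z]+)\s*\|")
# A known key followed by ':' starts a field; its value runs up to the next key.
KEY_RE = re.compile(r"\b(?P<key>" + "|".join(re.escape(k) for k in FIELDS) + r")\s*:\s*")
# GUI/API data-model categories: [Privileged]DataModel(Add|Delete|Update)
DATAMODEL_RE = re.compile(r"^(?P<priv>Privileged)?DataModel(?P<op>Add|Delete|Update)$")


def parse_entry(raw: str) -> dict:
    """Return one entry as a dict: tz-aware 'Timestamp' plus one key per field."""
    text = " ".join(raw.split())            # drop readability line breaks / padding
    m = TS_RE.search(text)                  # skips any syslog header before 'VOSS audit:'
    if m is None:
        raise ValueError("no audit timestamp found")
    if m.group("tz") != "UTC":              # the page only shows UTC stamps
        raise ValueError("unexpected time zone %r" % m.group("tz"))
    stamp = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S.%f")
    entry = {"Timestamp": stamp.replace(tzinfo=timezone.utc)}
    body = text[m.end():]
    keys = list(KEY_RE.finditer(body))
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        entry[km.group("key")] = body[km.end():end].strip()
    return entry


def triage(entry: dict) -> list:
    """Reasons this entry deserves attention, read off the Severity/AuditCategory tables."""
    reasons = []
    sev = int(entry.get("Severity", "0"))
    if sev >= 1:                            # 1 = root shell activity, 2 = denied privileged command
        reasons.append("severity %d" % sev)
    cat = entry.get("AuditCategory", "")
    if cat == "Privileged":                 # CLI command from the privileged list
        reasons.append("privileged CLI command: %s" % entry.get("AuditDetails", ""))
    dm = DATAMODEL_RE.match(cat)
    if dm and dm.group("priv"):             # system user or privileged model
        reasons.append("privileged data model %s" % dm.group("op").lower())
    if cat == "MultipleSourceLogin":
        reasons.append("simultaneous login from multiple sources")
    if entry.get("EventStatus") == "Failed":
        reasons.append("failed %s" % (entry.get("EventType") or "event"))
    if "Locking account" in entry.get("AuditDetails", ""):
        reasons.append("account lockout")
    return reasons


SAMPLES = [
    # Three entries from the examples on this page (fields re-wrapped).
    """API,Login,2019-10-29T21:11:20+00:00 VOSS audit: Oct 29 2019 21:11:20.042962 UTC|
    UserID : CS-PAdmin ClientAddress : 172.29.90.25 Severity : 0 EventType : UserLogin
    ResourceAccessed : Application REST API EventStatus : Success CompulsoryEvent : No
    AuditCategory : UserLogin ComponentID : VOSS Automate
    AuditDetails : Login with Mongo from 172.29.90.25 using interface None
    App ID: VOSS Automate""",
    """API,Access Control Bypass,2019-10-29T21:14:36+00:00 VOSS audit: Oct 29 2019 21:14:36.016777 UTC|
    UserID : CS-PAdmin sys.hcs.CS-P ClientAddress : 172.29.90.25 Severity : 0
    EventType : PermissionError ResourceAccessed : Application REST API EventStatus : Failed
    CompulsoryEvent : No AuditCategory : PermissionError ComponentID : VOSS Automate
    AuditDetails : Read operation on model type data/Countries App ID: VOSS Automate""",
    """2021-05-26T15:27:33.715215+00:00 VOSS audit: May 26 2021 15:27:33.714993 UTC|
    UserID : system ClientAddress : 172.29.90.57 Severity : 0 EventType : SecurityEvent
    ResourceAccessed : Application REST API EventStatus : Failed CompulsoryEvent : No
    AuditCategory : SecurityEvent ComponentID : VOSS Automate
    AuditDetails : Password retry limit reached. Locking account with username john_smith.
    App ID: VOSS Automate""",
    # Constructed (not from a real log): the Severity 2 case described in the table.
    "Oct 29 2019 22:03:07.113220 UTC|UserID : johnB ClientAddress : 172.29.90.25:/dev/pts/1 "
    "Severity : 2 EventType : Privileged ResourceAccessed : CLI EventStatus : Failed "
    "CompulsoryEvent : No AuditCategory : Privileged ComponentID : VOSS Automate "
    "AuditDetails : user list App ID: CLI",
]


def flagged(samples=SAMPLES) -> list:
    """(UserID, AuditCategory, reasons) for every sample that triage() flags."""
    out = []
    for raw in samples:
        entry = parse_entry(raw)
        reasons = triage(entry)
        if reasons:
            out.append((entry["UserID"], entry["AuditCategory"], reasons))
    return out
```

Calling ``flagged()`` on the samples leaves the successful ``UserLogin`` alone and returns the
permission error, the account lockout and the constructed privileged CLI denial, each with the
table rows that explain why. Keying the field split on the fixed set of documented names, rather
than on the ``:`` character, is what keeps values such as ``172.29.90.25:/dev/pts/1`` or
``named Name: Test`` in ``AuditDetails`` from being mistaken for new fields.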






.. |VOSS Automate| replace:: VOSS Automate
.. |Unified CM| replace:: Unified CM
