View audit logs

Audit records are written to a log file located at <container mount volume>/log/audit.log (for example, /opt/adcm/log/audit.log).

Records are appended to audit.log throughout the day. At midnight the file is rotated: a postfix is appended to its name, and at the same moment a new, empty audit.log is created to accumulate records for the coming day.

Each line of the log file is one event in CEF (Common Event Format). A CEF record consists of the following pipe-separated fields: Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension. The fields are described in the table below.

CEF format fields

  Version
      CEF format version.

  Device Vendor, Device Product, Device Version
      Fields that together uniquely identify the source of the events; no two products share the same combination of these three values.

  Signature ID
      Unique identifier of the event type.

  Name
      Human-readable event description.

  Severity
      Event severity, from 0 to 10.

  Extension
      Set of key/value pairs. Each product defines its own dictionary of keys.

The Extension field is itself a set of fields (key/value pairs) defined specifically for ADCM. The extension keys are described in the table below.

Extension keys description

  actor
      The user under which the action (operation or authorization) was performed.

  act
      The type of ADCM operation: create, update, or delete. This key is present only for operations.

  operation
      ADCM operation name. For authorization events the operation name is always User logged.

  resource
      The name of the ADCM object on which the operation is performed. This key is not written for authentication events or background jobs, and it can be empty when act is create and result is fail or denied.

  result
      The result of the operation or authorization attempt: success, fail, or denied. success means the operation finished successfully (Severity = 1); fail means the operation finished unsuccessfully (Severity = 1); denied means someone attempted to launch an operation without the permissions to do so (Severity = 3).

  timestamp
      Date and time of the ADCM operation.

  address
      The last IP address in HTTP_X_FORWARDED_FOR if that header is present, otherwise REMOTE_ADDR; null if neither is available. Note that HTTP_X_FORWARDED_FOR is supplied by the client unless a trusted reverse proxy in front of ADCM sets or overwrites it, so treat address as reliable only when ADCM is reached exclusively through such a proxy.

Example

You can view the log file using the tail command:

$ tail -100f  /opt/adcm/log/audit.log

With -f, tail follows the open file descriptor, so after the midnight rotation it keeps reading the renamed file rather than the newly created audit.log. Use tail -F (follow by name) if you keep the session open across midnight.

The result is:

CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|1|actor="admin" act="create" operation="Host created" resource="my-host-1" result="success" timestamp="2022-10-14 13:32:03.389458+00:00"
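The record above, together with the header and extension layouts described earlier, as an added example (not ADCM's own code): a small Python parser for ADCM audit lines plus the checks a reviewer of this log would typically run over it, namely listing denied operations, counting failed logins per actor, and verifying that Severity matches the result-to-severity mapping given on this page. The sample records are constructed here: only the first is the record shown above, the other two are invented to exercise the denied and fail paths, and the api/v1/token/ signature ID on the login line is a placeholder rather than a value documented on this page. The parser treats resource and address as optional, since the record above carries no address key and failed creates may carry an empty resource.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the record shown on this page; lines 2 and 3
# are invented to exercise the "denied" and "fail" paths, and the "api/v1/token/"
# signature ID on line 3 is a placeholder, not a documented value.
SAMPLE_LOG = """\
CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|1|actor="admin" act="create" operation="Host created" resource="my-host-1" result="success" timestamp="2022-10-14 13:32:03.389458+00:00"
CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|3|actor="alice" act="create" operation="Host created" resource="" result="denied" timestamp="2022-10-14 13:40:11.000000+00:00" address="10.0.0.7"
CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/token/|User logged|1|actor="bob" operation="User logged" result="fail" timestamp="2022-10-14 13:41:00.000000+00:00" address="10.0.0.9"
"""

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# CEF escapes a literal "|" inside header fields as "\|"; split only on unescaped pipes.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# ADCM writes extension values double-quoted (values may contain spaces, e.g. the
# timestamp); the second alternative also accepts bare key=value pairs.
_EXT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Severity this page assigns to each result value.
EXPECTED_SEVERITY = {"success": 1, "fail": 1, "denied": 3}


def parse_cef(line):
    """Parse one ADCM audit line into a dict of header fields plus 'extension'."""
    line = line.strip()
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    body = line[len("CEF:"):].lstrip()   # ADCM writes "CEF: 0|", standard CEF "CEF:0|"
    parts = _UNESCAPED_PIPE.split(body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: %r" % line[:80])
    record = {}
    for key, value in zip(HEADER_FIELDS, parts[:7]):
        record[key] = value.replace("\\|", "|").replace("\\\\", "\\")
    record["severity"] = int(record["severity"])
    extension = {}
    for key, raw in _EXT_PAIR.findall(parts[7]):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        extension[key] = raw.replace('\\"', '"')
    record["extension"] = extension
    return record


def parse_log(text):
    """Parse every non-empty line of an audit.log body."""
    return [parse_cef(line) for line in text.splitlines() if line.strip()]


def denied_events(records):
    """Records where a user attempted an operation without permission."""
    return [r for r in records if r["extension"].get("result") == "denied"]


def failed_logins_by_actor(records):
    """Count failed 'User logged' events per actor (a password-guessing indicator)."""
    counts = Counter()
    for r in records:
        ext = r["extension"]
        if ext.get("operation") == "User logged" and ext.get("result") == "fail":
            counts[ext.get("actor")] += 1
    return counts


def severity_mismatches(records):
    """Records whose Severity disagrees with the result-to-severity mapping on this page."""
    bad = []
    for r in records:
        expected = EXPECTED_SEVERITY.get(r["extension"].get("result"))
        if expected is not None and r["severity"] != expected:
            bad.append(r)
    return bad


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in denied_events(recs):
        ext = r["extension"]
        print("DENIED", ext["timestamp"], ext["actor"], ext["operation"], ext.get("address"))
    print("failed logins:", dict(failed_logins_by_actor(recs)))
    print("severity mismatches:", len(severity_mismatches(recs)))
```

Feed it a rotated file as well as the live audit.log when investigating an incident that spans midnight, since the records for one day are split across the two files.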