View audit logs


Audit results are stored in a log file that is located at <container mount volume>/log/audit.log (for example, /opt/adcm/log/audit.log).

The audit.log file accumulates records throughout the day until midnight. At midnight, a postfix is added to the log file name, and a new empty audit.log file is created to accumulate logs for the coming day.

Inside the log file the data is stored in the CEF format. The CEF format includes the following fields: Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension. The fields are described in the table below.

CEF format fields

Field name | Description
Version | CEF format version
Device Vendor, Device Product, Device Version | Fields that uniquely identify the source of events. There are no products that have the same set of these three values
Signature ID | Event type unique identifier
Name | Human-readable event description
Severity | Event severity (from 0 to 10)
Extension | Set of key/value pairs. Each product itself defines a dictionary of keys

The Extension field is, in fact, a set of fields (key/value pairs) that are designed specifically for ADCM. You can find the detailed description of the extension keys in the table below.

Extension keys description

Extension key | Description
actor | The user under which the action was performed (operation or authorization)
act | The type of ADCM operation. Can take the following values: create, update, delete. This key is used only for operations
operation | ADCM operation name. In case of authorization, the operation name will always be User logged
resource | The name of the ADCM object on which the operation is performed. This key is not used when writing authentication data or background jobs. This key can be empty if act equals "create" and result equals "fail" or "denied"
result | The result of authorization operation. Can take the following values: success, fail, denied. The success value means the operation has finished successfully (Severity = 1). The fail value means the operation has finished unsuccessfully (Severity = 1). The denied value means that someone has attempted to launch an operation while having no permissions to do so (Severity = 3).
timestamp | Date and time of ADCM operation


The last IP address in HTTP_X_FORWARDED_FOR if available, otherwise REMOTE_ADDR, or null if neither is present


You can view the log file using the tail command:

$ tail -100f  /opt/adcm/log/audit.log

The result is:

CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|1|actor="admin" act="create" operation="Host created" resource="my-host-1" result="success" timestamp="2022-10-14 13:32:03.389458+00:00"
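
As an added example (not part of the ADCM documentation or ADCM's own code), the following Python code parses lines in the format shown above and picks out events whose result is "denied". The function names and the second and third sample lines are constructed for illustration, and the parser assumes extension values are always double-quoted, as in the sample line.

```python
import re

# Header fields in the order the page lists them; Extension is the remainder.
HEADER = ["version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity"]
# Assumption from the sample line: extension values are written as key="value".
EXT_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_audit_line(line):
    """Parse one audit.log line into a dict, or return None if it is not CEF."""
    line = line.strip()
    if not line.startswith("CEF:"):
        return None
    # Split on unescaped pipes only; the 8th part is the Extension field.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):].strip(), maxsplit=7)
    if len(parts) != 8:
        return None
    event = dict(zip(HEADER, parts[:7]))
    try:
        event["severity"] = int(event["severity"])
    except ValueError:
        return None
    event["extension"] = dict(EXT_PAIR.findall(parts[7]))
    return event


def denied_events(lines):
    """Return parsed events whose result is "denied" (Severity 3 per the table)."""
    events = (parse_audit_line(l) for l in lines)
    return [e for e in events
            if e and e["extension"].get("result") == "denied"]


# First line is the sample from this page; the other two are constructed.
SAMPLE = [
    'CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|1|actor="admin" act="create" operation="Host created" resource="my-host-1" result="success" timestamp="2022-10-14 13:32:03.389458+00:00"',
    'CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|3|actor="guest" act="create" operation="Host created" resource="" result="denied" timestamp="2022-10-14 13:40:11.000000+00:00"',
    'not a CEF line',
]

if __name__ == "__main__":
    for e in denied_events(SAMPLE):
        ext = e["extension"]
        print(ext["timestamp"], ext["actor"], ext["operation"], e["signature_id"])
```

The constructed denied line has an empty resource value, which the table above allows when act equals "create" and result equals "denied".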