View audit logs
Audit results are stored in a log file that is located at <container mount volume>/log/audit.log (for example, /opt/adcm/log/audit.log).
The audit.log file is written to continuously throughout the day. At midnight, a postfix is added to the log file name, and a new empty audit.log file is created to accumulate logs for the coming day.
Inside the log file, the data is stored in the CEF format. The CEF format includes the following fields: Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension. The fields are described in the table below.
Field name | Description |
---|---|
Version | CEF format version |
Device Vendor, Device Product, Device Version | Fields that uniquely identify the source of events. There are no products that have the same set of these three values |
Signature ID | Event type unique identifier |
Name | Human-readable event description |
Severity | Event severity (from |
Extension | Set of key/value pairs. Each product itself defines a dictionary of keys |
The Extension field is, in fact, a set of fields (key/value pairs) designed specifically for ADCM. The extension fields are described in detail in the table below.
Extension key | Description |
---|---|
actor | The user under which the action was performed (operation or authorization) |
act | The type of ADCM operation. Can take the following values: |
operation | ADCM operation name. In case of authorization, the operation name will always be |
resource | The name of the ADCM object on which the operation is performed. This key is not used when writing authentication data or background jobs. This key can be empty if |
result | The result of authorization operation. Can take the following values: |
timestamp | Date and time of ADCM operation |
address | The last IP address in |
Example
You can view the log file using the tail command:
$ tail -100f /opt/adcm/log/audit.log
The result is:
CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|1|actor="admin" act="create" operation="Host created" resource="my-host-1" result="success" timestamp="2022-10-14 13:32:03.389458+00:00"
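To process these records in a script or before forwarding them to a SIEM, the header and Extension fields can be split as follows. This is an added example, not part of ADCM or its documentation; the function names, the constructed sample lines, and the assumption that a quote inside a value is backslash-escaped are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# CEF escapes a literal pipe inside a header field as "\|": split on unescaped pipes only.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension pairs as written in the sample record: key="value".
# Assumption: a quote inside a value would be backslash-escaped.
EXT_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample input: the first line is the record shown above, the second is a
# made-up variant of it, the third is deliberately truncated.
SAMPLE = [
    'CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|1|actor="admin" act="create" operation="Host created" resource="my-host-1" result="success" timestamp="2022-10-14 13:32:03.389458+00:00"',
    'CEF: 0|Arenadata Software|Arenadata Cluster Manager|2022.10.04.17|api/v1/provider/<int:provider_id>/host/|Host created|1|actor="admin" act="create" operation="Host created" resource="my-host-2" result="success" timestamp="2022-10-14 13:35:10.000001+00:00"',
    'CEF: 0|Arenadata Software|Arenadata Cluster Manager',
]


def parse_audit_line(line):
    """Return one audit.log record as a dict; raise ValueError if it is malformed."""
    line = line.strip()
    if not line.startswith("CEF:"):
        raise ValueError("missing CEF prefix")
    parts = UNESCAPED_PIPE.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields followed by Extension")
    record = {k: v.strip().replace("\\|", "|") for k, v in zip(HEADER, parts)}
    ext = dict(EXT_PAIR.findall(parts[7]))
    if "timestamp" in ext:
        # The timestamp carries a UTC offset, so this yields an aware datetime.
        ext["timestamp"] = datetime.fromisoformat(ext["timestamp"])
    record["extension"] = ext
    return record


def summarize(lines):
    """Count records per (actor, act, result); also return how many lines failed to parse."""
    counts, rejected = Counter(), 0
    for line in lines:
        try:
            ext = parse_audit_line(line)["extension"]
        except ValueError:
            rejected += 1
            continue
        counts[(ext.get("actor"), ext.get("act"), ext.get("result"))] += 1
    return counts, rejected
```

Counting rejected lines separately keeps truncated or partially written records visible instead of silently dropping them from the summary.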