Administrator's Guide to HyTrust KeyControl and HyTrust DataControl v2.6

Logging and Auditing


Introduction

There are three top-level categories of audit records:

  • Security administration audit records
  • Domain administration audit records
  • Cloud administration audit records

Security Administrators are able to view all audit records. Other administrators are only able to access audit records for the administrative groups of which they are members. For example, assume that there are two Cloud VM Set groups, "HR" and "Legal", and that:

  • Joe is a Cloud VM Set Admin in the "HR" group.
  • Bill is a Cloud VM Set Admin in the "Legal" group.

Any activity within the "HR" group that generates audit records will be visible to Joe but not to Bill. Likewise, any activity within the "Legal" group that generates audit records will be visible to Bill but not to Joe. Neither Joe nor Bill will see audit records generated by activity in any VM group of which they are not members, and the same applies to records generated by any non-VM group and by any Security Administrator actions.

Viewing Audit Records

The audit records that are visible to a specific administrator can be viewed by clicking the Audit Log link at the top right of each screen as follows:

[Screenshot: Audit Top Right]

Records are displayed with the most recent audit record first. The following screen shows an example of a set of audit records:

[Screenshot: Audit View]

There are simple controls that can be used for navigating through the set of audit records:

  • Pagesize can be changed to select the number of records displayed per page.
  • The Previous and Next buttons navigate through the list of pages.
  • The EXPORT AUDIT LOG button can be used to download the audit log file. This is automatically downloaded and stored locally as audit_log.xml.

The downloaded audit file is XML-formatted. Each audit record is enclosed in an <audrec> element. An example of the first two audit records displayed above is shown below:

[Screenshot: Audit Export]

Exporting audit records to an external syslog server

Audit records can also be posted to an external log server through the standard syslog protocol. To configure this support, from the SECURITY tab, select EDIT DEFAULT SETTINGS and then scroll down to the section on DEFAULT AUDIT LOG SETTINGS as follows:

[Screenshot: Audit Settings]

Assuming you have default settings on your syslog server, simply enter the name / IP address of the server.

The syslog server should be configured to accept messages from each of the KeyControl nodes in the cluster. The syslogd flags that list the KeyControl nodes must use names that the syslog server can resolve: either enter the IP addresses of your KeyControl nodes, or, if you use hostnames, make sure that your /etc/hosts file is set up correctly and that reverse lookups for the KeyControl nodes work on the syslog server.

Audit messages are tagged with the program name hcs_audit, so a matching entry should be added to your syslog.conf file. The FreeBSD example below directs all hcs_audit messages to the log file /var/log/hcs_audit.log:

!hcs_audit
*.*                                             /var/log/hcs_audit.log
!-hcs_audit

You should create the file and make it writeable by root only. For example:

# touch /var/log/hcs_audit.log
# chmod 0600 /var/log/hcs_audit.log

You will also need to configure your rc.conf file. For example, the following should be set before changing syslog.conf:

syslogd_enable="YES"
syslogd_flags="-a kps1.domain -a kps2.domain -v"

You should restart the syslog daemon and audit records generated by any KeyControl node should get written to the hcs_audit.log file. For example, you can test easily by simply logging out and back in again. This will generate two audit records. Displaying the last part of the hcs_audit.log file will display entries similar to:

Jan 19 01:08:26 <1.5> kps1.hcs.int hcs_audit: date=01/19/2012; time=01:08:26:49; category=Groups;     \
    host=192.168.140.151; content=User secroot logged out from ipaddr 192.168.140.1;
Jan 19 01:08:34 <1.5> kps1.hcs.int hcs_audit: date=01/19/2012; time=01:08:34:29; category=Groups;     \
    host=192.168.140.151; content=User secroot logged in from ipaddr 192.168.140.1;

We recommend that you consult the syslog server settings on your server to ensure that things are set up correctly. If you have set syslog up and still fail to see messages arriving in the hcs_audit.log file, try using tcpdump to make sure that packets are in fact arriving at the server.
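Once audit records are arriving in hcs_audit.log, the next step is usually to parse them. The following added example (not part of the original guide or of the HyTrust product) parses the "key=value;" body of hcs_audit syslog lines in the format shown above and extracts login/logout events so they can be checked against the addresses administrators are expected to log in from. The sample lines and the address list are constructed; the parser assumes field values contain no ';' and that each record is on a single line (the backslash continuations above are only display wrapping).

```python
"""Parse hcs_audit syslog lines and summarize KeyControl login activity."""
import re

# Constructed sample lines mirroring the hcs_audit format shown above; all values are made up.
SAMPLE_LOG = """\
Jan 19 01:08:26 <1.5> kps1.hcs.int hcs_audit: date=01/19/2012; time=01:08:26:49; category=Groups; host=192.168.140.151; content=User secroot logged out from ipaddr 192.168.140.1;
Jan 19 01:08:34 <1.5> kps1.hcs.int hcs_audit: date=01/19/2012; time=01:08:34:29; category=Groups; host=192.168.140.151; content=User secroot logged in from ipaddr 192.168.140.1;
Jan 19 01:12:10 <1.5> kps2.hcs.int hcs_audit: date=01/19/2012; time=01:12:10:07; category=Groups; host=192.168.140.152; content=User secroot logged in from ipaddr 10.9.8.7;
Jan 19 01:12:11 <1.5> kps1.hcs.int sshd[812]: Accepted publickey for admin from 192.168.140.1
"""

# Syslog header: timestamp, optional numeric <facility.priority> tag (as written when
# syslogd runs with -v), sending node, then the hcs_audit program tag.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?:<[\d.]+> )?(?P<node>\S+) hcs_audit: (?P<body>.*)$"
)
# Shape of the "content" field for the login/logout records shown in the guide.
LOGIN_RE = re.compile(r"^User (?P<user>\S+) logged (?P<action>in|out) from ipaddr (?P<ip>\S+)$")


def parse_audit_line(line):
    """Return the key=value fields of one hcs_audit line, or None for other syslog traffic."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = {"syslog_ts": m.group("ts"), "node": m.group("node")}
    # Body is "key=value; key=value; ..."; assumption: values contain no ';'.
    for item in m.group("body").split(";"):
        key, sep, value = item.strip().partition("=")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def login_events(text):
    """Yield (user, action, source_ip, node) for each login/logout audit record."""
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.get("category") != "Groups":
            continue
        m = LOGIN_RE.match(rec.get("content", ""))
        if m:
            yield m.group("user"), m.group("action"), m.group("ip"), rec["node"]


def logins_from_unexpected_sources(text, expected_sources):
    """List logins whose source address is not in the set of expected admin addresses."""
    return [(user, ip, node) for user, action, ip, node in login_events(text)
            if action == "in" and ip not in expected_sources]
```

Feeding the constructed sample through logins_from_unexpected_sources with {"192.168.140.1"} as the expected set reports only the login from 10.9.8.7 on kps2.hcs.int; the sshd line is ignored because it does not carry the hcs_audit tag.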
