VMmanager 6 saves information about the operation of services in log files. You can view the log files of each service individually or group them.
Audit service log files contain information about platform security events and configuration changes. For example:
- attempts to log in with email and password;
- password reset attempts;
- attempts to log in via LDAP;
- creation, deletion and editing of platform users;
- changing access rights of platform users.
Each event record contains:
- a unique sequence number;
- event date and time;
- event type;
- information about the success of the action.
If the action is performed by an authorized user, the log displays the user ID.
Audit event logs are protected from deletion and editing. Deleting or modifying logs via the API or the web interface of the platform is not supported.
Preparing the platform server
The platform stores log files of authorization services in the auth, ldap, and vm_box containers. To combine audit records into one stream, you can configure logging in the journald service:
- Connect to the platform server via SSH. For more information about connecting via SSH, see Workstation setup.
- Create a patch file /opt/ispsystem/vm/journald.yaml with the contents:
version: "3.5"
services:
  auth_back4:
    volumes:
      - /var/run/systemd/journal/:/var/run/systemd/journal/
  ldap:
    volumes:
      - /var/run/systemd/journal/:/var/run/systemd/journal/
  vm_box:
    volumes:
      - /opt/ispsystem/vm/backup:/opt/ispsystem/vm/backup
      - /opt/ispsystem/license:/opt/ispsystem/license
      - /opt/ispsystem/vm/socket/:/opt/ispsystem/vm/vmbox/
      - /var/run/systemd/journal/:/var/run/systemd/journal/
- Apply the patch:
vm add-patch -p journald -f /opt/ispsystem/vm/journald.yaml
- To read logs in JSON format, install the jq utility:
apt install jq || dnf install jq
Viewing audit event logs
To view the audit services logs, enter the command:
- auth, ldap containers (auth_back4, ldap services):
Line-by-line output
journalctl -f ACOD=3
Output in JSON format
journalctl -f -o json ACOD=3 | jq
- vm_box container (vm_back, gosockify services):
Line-by-line output
journalctl | grep vm_security
Output in JSON format
journalctl -f -o json | grep vm_security | jq
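The two selections above can be merged into one time-ordered stream by post-processing `journalctl -o json` output. The script below is an added example, not part of the VMmanager documentation. It also decodes fields that journalctl emits as byte arrays (values with non-UTF-8 or non-printable bytes), which a plain grep on the JSON text would miss. The sample records and their message texts are constructed placeholders.

```python
import json
import sys
from datetime import datetime, timezone

AUDIT_ACOD = "3"               # journal field value the page filters on (auth, ldap)
VM_BOX_MARKER = "vm_security"  # string the page greps for (vm_box)

def field_text(value):
    """Return a journal field as text.

    journalctl -o json emits a string, an array of byte values (field has
    non-UTF-8 or non-printable bytes), or null (field over 4096 bytes).
    """
    if isinstance(value, str):
        return value
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return ""

def audit_events(lines):
    """Select audit records from both sources and return them in time order."""
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(entry, dict) or "__REALTIME_TIMESTAMP" not in entry:
            continue
        if field_text(entry.get("ACOD")) == AUDIT_ACOD:
            source = "auth/ldap"
        elif any(VM_BOX_MARKER in field_text(v) for v in entry.values()):
            source = "vm_box"
        else:
            continue
        usec = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
        when = datetime.fromtimestamp(usec // 10**6, tz=timezone.utc)
        when = when.replace(microsecond=usec % 10**6)
        stamp = when.isoformat(timespec="microseconds")
        events.append((stamp, source, field_text(entry.get("MESSAGE"))))
    return sorted(events)

# Constructed sample records; the MESSAGE texts are placeholders, not platform output.
SAMPLE = [
    json.dumps({"__REALTIME_TIMESTAMP": "1700000002000000", "ACOD": "3",
                "MESSAGE": "constructed auth record"}),
    json.dumps({"__REALTIME_TIMESTAMP": "1700000001000000",
                "MESSAGE": list(b"vm_security constructed record\xff")}),
    json.dumps({"__REALTIME_TIMESTAMP": "1700000003000000",
                "MESSAGE": "unrelated service line"}),
]

if __name__ == "__main__":
    # Reads piped journalctl -o json output, or the sample when run interactively.
    for event in audit_events(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(*event, sep="  ")
```
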