VMmanager: Administrator guide

Audit event logging

VMmanager 6 saves information about the operation of services in log files. You can view the log files of each service individually or group them.

Audit service log files contain information about platform security events and configuration changes. For example:

  • attempts to log in with email and password;
  • password reset attempts;
  • attempts to log in via LDAP;
  • creation, deletion and editing of platform users;
  • changing access rights of platform users.

Each event record contains:

  • a unique sequence number;
  • event date and time;
  • event type;
  • information about the success of the action.

If the action is performed by an authorized user, the log displays the user ID.

Audit event logs are protected from deletion and editing. Deleting or modifying logs via the API or the web interface of the platform is not supported.

Preparing the platform server

The platform stores log files of authorization services in the auth, ldap, and vm_box containers. To combine audit records into one stream, you can configure logging in the journald service:

  1. Connect to the server with the platform via SSH. For more information about connecting via SSH, see Workstation setup.
  2. Create a patch file /opt/ispsystem/vm/journald.yaml with the contents: 

    version: "3.5"
    services:
      auth_back4:
        volumes: 
        - /var/run/systemd/journal/:/var/run/systemd/journal/
      ldap:
        volumes:
        - /var/run/systemd/journal/:/var/run/systemd/journal/
      vm_box:
        volumes:
        - /opt/ispsystem/vm/backup:/opt/ispsystem/vm/backup
        - /opt/ispsystem/license:/opt/ispsystem/license
        - /opt/ispsystem/vm/socket/:/opt/ispsystem/vm/vmbox/
        - /var/run/systemd/journal/:/var/run/systemd/journal/
  3. Apply the patch:

    vm add-patch -p journald -f /opt/ispsystem/vm/journald.yaml
  4. To read logs in JSON format, install the jq utility:

    apt install jq || dnf install jq

Viewing audit event logs

To view the audit service logs, run the command for the relevant container:

  • auth, ldap containers (auth_back4, ldap services):

    Line-by-line output:

    journalctl -f ACOD=3

    Output in JSON format:

    journalctl -f -o json ACOD=3 | jq

  • vm_box container (vm_backgosockify services):

    Line-by-line output:

    journalctl | grep vm_security

    Output in JSON format:

    journalctl -f -o json | grep --line-buffered vm_security | jq

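The two commands above select audit records in different ways (a journal field match on ACOD=3 and a text match on vm_security). The following added example, which is not part of the VMmanager documentation, merges both selections from `journalctl -o json` output into one time-ordered stream; it assumes the vm_security marker appears in the MESSAGE field, and the sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output, one JSON object per line.
# ACOD=3 and vm_security are the page's markers; all other values are made up.
SAMPLE = [
    '{"__REALTIME_TIMESTAMP": "1700000002000000", "ACOD": "3", "MESSAGE": "constructed auth record"}',
    '{"__REALTIME_TIMESTAMP": "1700000001000000", "MESSAGE": "vm_security constructed vm_box record"}',
    '{"__REALTIME_TIMESTAMP": "1700000003000000", "MESSAGE": "unrelated service message"}',
    # journald serializes a non-UTF-8 MESSAGE as an array of byte values
    json.dumps({"__REALTIME_TIMESTAMP": "1700000000000000", "MESSAGE": list(b"vm_security \xff raw")}),
    '{"__REALTIME_TIMESTAMP": "17000',  # line cut off mid-write
]

def message_text(value):
    """Return MESSAGE as text; journald may emit a string, a byte array or null."""
    if isinstance(value, str):
        return value
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):      # binary payload
            return bytes(value).decode("utf-8", errors="replace")
        return " ".join(message_text(v) for v in value)  # repeated field
    return ""

def audit_records(lines):
    """Select auth/ldap (ACOD=3) and vm_box (vm_security) records, oldest first."""
    records = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(entry, dict):
            continue
        text = message_text(entry.get("MESSAGE"))
        if str(entry.get("ACOD")) == "3":
            source = "auth/ldap"
        elif "vm_security" in text:  # assumption: marker is in MESSAGE
            source = "vm_box"
        else:
            continue
        # __REALTIME_TIMESTAMP is microseconds since the epoch, as a string
        records.append((int(entry.get("__REALTIME_TIMESTAMP", 0)), source, text))
    return sorted(records, key=lambda r: r[0])

if __name__ == "__main__":
    for micros, source, text in audit_records(SAMPLE):
        stamp = datetime.fromtimestamp(micros / 1e6, tz=timezone.utc).isoformat()
        print(stamp, source, text)
```

On a live server, pipe `journalctl -o json` into the script and pass `sys.stdin` to `audit_records` in place of `SAMPLE`.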
Output examples

