VMmanager: Administrator guide

Audit event logging

VMmanager 6 saves information about the operation of services in log files. You can view the log files of each service individually or group them.

Audit service log files contain information about:

  • attempts to log in with email and password;
  • password reset attempts;
  • attempts to log in via LDAP;
  • creation, deletion and editing of platform users;
  • changing access rights of platform users.

Each event record contains:

  • a unique sequence number;
  • event date and time;
  • event type;
  • information about the success of the action.

If the action is performed by an authorized user, the log displays the user ID.

Audit event logs are protected from deletion and editing. Deleting or modifying logs via the platform API or web interface is not supported.

Preparing the platform server

The platform stores log files of authorization services in the auth and ldap containers. To combine audit records into one stream, you can configure logging in the journald service:

  1. Connect to the server with the platform via SSH.
  2. Create a patch file /opt/ispsystem/vm/journald.yaml with the contents: 

    version: "3.5"
    services:
      auth_back4:
        volumes: 
        - /var/run/systemd/journal/:/var/run/systemd/journal/
      ldap:
        volumes:
        - /var/run/systemd/journal/:/var/run/systemd/journal/
      vm_box:
        volumes:
        - /opt/ispsystem/vm/backup:/opt/ispsystem/vm/backup
        - /opt/ispsystem/license:/opt/ispsystem/license
        - /opt/ispsystem/vm/socket/:/opt/ispsystem/vm/vmbox/
        - /var/run/systemd/journal/:/var/run/systemd/journal/

  3. Apply the patch:

    vm add-patch -p journald -f /opt/ispsystem/vm/journald.yaml

  4. To read logs in JSON format, install the jq utility:

    Ubuntu:

    apt install jq

    AlmaLinux:

    yum install jq

Viewing audit event logs

To view the audit services logs, enter the command:

journalctl -f ACOD=3

Example output:

Aug 15 18:54:02 vm6.example.ru compat_auth[2548213]: Authenticate user using username and password started
Aug 15 18:54:02 vm6.example.ru compat_auth[2548213]: Authenticate user using username and password with params: {"email":"ex@example.com","password":"*"}
Aug 15 18:54:02 vm6.example.ru compat_auth[2548213]: Authenticate user using username and password completed successfully

To view the event log properties in JSON format, enter the command:

journalctl -f -o json ACOD=3 | jq

Example of logging in JSON format:

{
  "__CURSOR": "s=55a46089db814f7a8eb756313f401409;i=8c0df;b=5fd75abf7431452abd6a8baa161755ce;m=ec702229675;t=61fbb7466e2eb;x=48af8e5c04657ccf",
  "__REALTIME_TIMESTAMP": "1723739832509163",
  "__MONOTONIC_TIMESTAMP": "16247897101941",
  "_BOOT_ID": "5fd75abf7431452abd6a8baa161755ce",
  "PRODUCT": "",
  "PROCESS": "compat_auth",
  "_TRANSPORT": "journal",
  "_UID": "0",
  "_GID": "0",
  "_COMM": "compat_auth",
  "_EXE": "/opt/ispsystem/auth/bin/compat_auth",
  "_CAP_EFFECTIVE": "a80425fb",
  "_SYSTEMD_CGROUP": "/docker/839554eb13dc482ea66f8d56e65a4ff84c8168c34321e0490847b85e8569c438",
  "_SYSTEMD_SLICE": "-.slice",
  "_MACHINE_ID": "00000000000000000000000000000000",
  "_HOSTNAME": "vm6.example.ru",
  "PRIORITY": "6",
  "_CMDLINE": "/opt/ispsystem/auth/bin/compat_auth --mode writer --port /tmp/proxy.auth_v4/writer/global.sock --address 127.0.0.1",
  "ACOD": "3",
  "ACCOUNT_ID": "2",
  "MESSAGE": "Edit user 2 completed successfully",
  "_PID": "2502197",
  "REMOTE_IP": "10.10.1.1",
  "REQUEST_ID": "c9e11e8df8599c9d0c62153954d0e036",
  "AUDIT_ACTION_ID": "1723739832500",
  "_SOURCE_REALTIME_TIMESTAMP": "1723739832508589"
}
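
The following is an added example, not part of the original guide or the product's code: a Python filter that reduces `journalctl -o json ACOD=3` output to compact audit records for review or forwarding. The function names and sample records are constructed, and the outcome labels rely only on the message endings shown in the sample output above; any other wording is marked for manual review.

```python
import json, sys
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
KEEP = ("ACCOUNT_ID", "REMOTE_IP", "REQUEST_ID", "AUDIT_ACTION_ID")
# Constructed sample records (field names from the page, values made up).
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1723739832509163","ACOD":"3","ACCOUNT_ID":"2",'
    '"REMOTE_IP":"10.10.1.1","MESSAGE":"Edit user 2 completed successfully"}',
    '{"__REALTIME_TIMESTAMP":"1723739833000000","ACOD":"3","REMOTE_IP":"192.0.2.7",'
    '"MESSAGE":[108,111,103,105,110,32,255]}',  # non-UTF-8 message as byte array
    '{"__REALTIME_TIMESTAMP":"1723739834000000","MESSAGE":"unrelated service line"}',
]

def text(value):
    # journald JSON: non-UTF-8 fields arrive as byte arrays, oversized ones as null
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", "replace")
        return " | ".join(text(v) for v in value)  # field logged more than once
    return "" if value is None else str(value)

def outcome(message):
    if message.endswith("completed successfully"):
        return "success"
    if message.endswith("started") or " with params: " in message:
        return "in_progress"
    return "review"  # assumption: wording not shown on the page, check by hand

def parse_audit(lines):
    events = []
    for raw in (json.loads(l) for l in lines if l.strip()):
        if text(raw.get("ACOD")) != "3":  # same filter as journalctl ACOD=3
            continue
        event = {k.lower(): text(raw.get(k)) for k in KEEP}
        stamp = timedelta(microseconds=int(raw["__REALTIME_TIMESTAMP"]))
        event["time"] = (EPOCH + stamp).isoformat()  # UTC, microsecond-exact
        event["message"] = text(raw.get("MESSAGE"))
        event["outcome"] = outcome(event["message"])
        events.append(event)
    return events

def review_by_ip(events):
    return Counter(e["remote_ip"] for e in events if e["outcome"] == "review")

if __name__ == "__main__":
    for ev in parse_audit(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(json.dumps(ev))
```

To process real records, pipe `journalctl -o json ACOD=3` into the script; without piped input it prints the constructed sample.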

