Audit event logging

VMmanager 6 saves information about the operation of services in log files. You can view the log files of each service individually or group them.

Audit service log files contain information about platform security events and configuration changes. For example:

• attempts to log in with email and password;
• password reset attempts;
• attempts to log in via LDAP;
• creation, deletion and editing of platform users;
• changing access rights of platform users.

Each event record contains:

• a unique sequence number;
• event date and time;
• event type;
• information about the success of the action.

If the action is performed by an authorized user, the log displays the user ID.

Preparing the platform server

The platform stores log files of authorization services in the auth, ldap, and vm_box containers. To combine audit records into one stream, you can configure logging in the journald service:

1. Connect to the server with the platform via SSH. For more information about connecting via SSH, see Workstation setup.

2. Create a patch file /opt/ispsystem/vm/journald.yaml with the contents: 

   version: "3.5"
   services:
     auth_back4:
       volumes: 
       - /var/run/systemd/journal/:/var/run/systemd/journal/
     ldap:
       volumes:
       - /var/run/systemd/journal/:/var/run/systemd/journal/
     vm_box:
       volumes:
       - /opt/ispsystem/vm/backup:/opt/ispsystem/vm/backup
       - /opt/ispsystem/license:/opt/ispsystem/license
       - /opt/ispsystem/vm/socket/:/opt/ispsystem/vm/vmbox/
       - /var/run/systemd/journal/:/var/run/systemd/journal/

3. Apply the patch:

   vm add-patch -p journald -f /opt/ispsystem/vm/journald.yaml

4. To read logs in JSON format, install the jq utility:
   

   apt install jq || dnf install jq

Viewing audit event logs

To view the audit services logs, enter the command:

• auth, ldap containers (auth_back4, ldap services):
  Line-by-line output

  journalctl -f ACOD=3

  Output in JSON format

  journalctl -f -o json ACOD=3 | jq

• vm_box container (vm_back, gosockify services): 
  Line-by-line output

  journalctl | grep vm_security

  Output in JSON format

  journalctl -f -o json | grep vm_security | jq

Aug 15 18:54:02 vm6.example.ru compat_auth[2548213]: Authenticate user using username and password started
Aug 15 18:54:02 vm6.example.ru compat_auth[2548213]: Authenticate user using username and password with params: {"email":"ex@example.com","password":"*"}
Aug 15 18:54:02 vm6.example.ru compat_auth[2548213]: Authenticate user using username and password completed successfully

{
  "__CURSOR": "s=55a46089db814f7a8eb756313f401409;i=8c0df;b=5fd75abf7431452abd6a8baa161755ce;m=ec702229675;t=61fbb7466e2eb;x=48af8e5c04657ccf",
  "__REALTIME_TIMESTAMP": "1723739832509163",
  "__MONOTONIC_TIMESTAMP": "16247897101941",
  "_BOOT_ID": "5fd75abf7431452abd6a8baa161755ce",
  "PRODUCT": "",
  "PROCESS": "compat_auth",
  "_TRANSPORT": "journal",
  "_UID": "0",
  "_GID": "0",
  "_COMM": "compat_auth",
  "_EXE": "/opt/ispsystem/auth/bin/compat_auth",
  "_CAP_EFFECTIVE": "a80425fb",
  "_SYSTEMD_CGROUP": "/docker/839554eb13dc482ea66f8d56e65a4ff84c8168c34321e0490847b85e8569c438",
  "_SYSTEMD_SLICE": "-.slice",
  "_MACHINE_ID": "00000000000000000000000000000000",
  "_HOSTNAME": "vm6.example.ru",
  "PRIORITY": "6",
  "_CMDLINE": "/opt/ispsystem/auth/bin/compat_auth --mode writer --port /tmp/proxy.auth_v4/writer/global.sock --address 127.0.0.1",
  "ACOD": "3",
  "ACCOUNT_ID": "2",
  "MESSAGE": "Edit user 2 completed successfully",
  "_PID": "2502197",
  "REMOTE_IP": "10.10.1.1",
  "REQUEST_ID": "c9e11e8df8599c9d0c62153954d0e036",
  "AUDIT_ACTION_ID": "1723739832500",
  "_SOURCE_REALTIME_TIMESTAMP": "1723739832508589"
}