6:51 p.m.
This is a multi-part message in MIME format.
--------------000306080908080906080609
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Content-Transfer-Encoding: 7bit
Hello,
I am curious how to audit user actions in oVirt web interface. From
engine.log we are able to extract when user logged in, when he updated
vnicProfile and so, but we can not get exact changes (behavior).
Right now I can get logs like:
2013-12-05 16:35:46,270 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null,
Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM
test.test.org. (User: user1)
But it would be nice to get logs like:
2013-12-05 16:35:46,270 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null,
Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM
test.test.org *from secure_vlan to unsecure_vlan*. (User: user1)
My point is to have a feature which can give us possibility to construct
exact user behavior and action in managing oVirt. It could be useful not
even in hunting bugs, but primary in security problem hunting.
Thank you.
Jakub Bittner
--------------000306080908080906080609
Content-Type: text/html; charset=ISO-8859-2
Content-Transfer-Encoding: 8bit
<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-2">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
I am curious how to audit user actions in oVirt web interface. From
engine.log we are able to extract when user logged in, when he
updated vnicProfile and so, but we can not get exact changes
(behavior).<br>
<br>
Right now I can get logs like:<br>
<br>
2013-12-05 16:35:46,270 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null,
Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated
for VM test.test.org. (User: user1)
<br>
<br>
But it would be nice to get logs like:<br>
<br>
2013-12-05 16:35:46,270 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null,
Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated
for VM test.test.org <b>from secure_vlan to unsecure_vlan</b>.
(User: user1)
<br>
<br>
My point is to have a feature which can give us possibility to
construct exact user behavior and action in managing oVirt. It could
be useful not even in hunting bugs, but primary in security problem
hunting.<br>
<br>
Thank you.<br>
<br>
Jakub Bittner<br>
</body>
</html>
--------------000306080908080906080609--
7 p.m.
Is this something you could use https://<your engine host>/api/events for?
On Thu, Dec 5, 2013 at 4:51 PM, Jakub Bittner <j.bittner(a)nbu.cz> wrote:
Hello,
I am curious how to audit user actions in oVirt web interface. From
engine.log we are able to extract when user logged in, when he updated
vnicProfile and so, but we can not get exact changes (behavior).
Right now I can get logs like:
2013-12-05 16:35:46,270 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null, Custom
Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM
test.test.org. (User: user1)
But it would be nice to get logs like:
2013-12-05 16:35:46,270 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null, Custom
Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM
test.test.org from secure_vlan to unsecure_vlan. (User: user1)
My point is to have a feature which can give us possibility to construct
exact user behavior and action in managing oVirt. It could be useful not
even in hunting bugs, but primary in security problem hunting.
Thank you.
Jakub Bittner
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
7:13 p.m.
Dne 5.12.2013 17:00, Sander Grendelman napsal(a):
https://<your engine host>/api/events
Great, I did not
know about this page, it is better(formated) source
than logs, but it still has the same issue. I can get info about what
happened, but not exact info about what was done.
<event href="/api/events/5341" id="5341">
<description>Interface nic1 (VirtIO) was updated for VM
server1.test.org. (User: user1)</description>
<code>934</code>
<severity>normal</severity>
<time>2013-12-05T16:35:46.263+01:00</time>
<correlation_id>7e60ae1</correlation_id>
<user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
<vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
<cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
id="99408929-82cf-4dc7-a532-9d998063fa95"/>
<data_center
href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
<origin>oVirt</origin>
<custom_id>-1</custom_id>
<flood_rate>30</flood_rate>
</event>
8:34 p.m.
On 12/05/2013 06:13 PM, Jakub Bittner wrote:
Dne 5.12.2013 17:00, Sander Grendelman napsal(a):
> https://<your engine host>/api/events
Great, I did not know about this page, it is better(formated) source
than logs, but it still has the same issue. I can get info about what
happened, but not exact info about what was done.
just btw, this is the "events" log from the webadmin.
it covers actions done by users, not content of the edit operation
(something piotr started looking into).
with the move of the gui to work over the rest api, maybe just auditing
the api payload for these actions would be good enough?
<event href="/api/events/5341" id="5341">
<description>Interface nic1 (VirtIO) was updated for VM
server1.test.org. (User: user1)</description>
<code>934</code>
<severity>normal</severity>
<time>2013-12-05T16:35:46.263+01:00</time>
<correlation_id>7e60ae1</correlation_id>
<user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
<vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
<cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
id="99408929-82cf-4dc7-a532-9d998063fa95"/>
<data_center
href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
<origin>oVirt</origin>
<custom_id>-1</custom_id>
<flood_rate>30</flood_rate>
</event>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
10:08 a.m.
This is a multi-part message in MIME format.
--------------080800030908050608050204
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Dne 5.12.2013 18:34, Itamar Heim napsal(a):
On 12/05/2013 06:13 PM, Jakub Bittner wrote:
> Dne 5.12.2013 17:00, Sander Grendelman napsal(a):
>> https://<your engine host>/api/events
> Great, I did not know about this page, it is better(formated) source
> than logs, but it still has the same issue. I can get info about what
> happened, but not exact info about what was done.
just btw, this is the "events" log from the webadmin.
it covers actions done by users, not content of the edit operation
(something piotr started looking into).
with the move of the gui to work over the rest api, maybe just
auditing the api payload for these actions would be good enough?
>
> <event href="/api/events/5341" id="5341">
> <description>Interface nic1 (VirtIO) was updated for VM
> server1.test.org. (User: user1)</description>
> <code>934</code>
> <severity>normal</severity>
> <time>2013-12-05T16:35:46.263+01:00</time>
> <correlation_id>7e60ae1</correlation_id>
> <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
> id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
> <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
> id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
> <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
> id="99408929-82cf-4dc7-a532-9d998063fa95"/>
> <data_center
> href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
> id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
> <origin>oVirt</origin>
> <custom_id>-1</custom_id>
> <flood_rate>30</flood_rate>
> </event>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
If I can have an suggestion, we discus audit log and for our siem it
would be great format like:
user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
user: user1 action: logged in
user: user1 action: initiated console session VM: VM5.test.com
user: user1 action: changed network interface detail: secure_vlan to
insecure_vlan on vnic1 vm: testserver.test.com
--------------080800030908050608050204
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Dne 5.12.2013 18:34, Itamar Heim
napsal(a):<br>
</div>
<blockquote cite="mid:52A0B91D.20505@redhat.com"
type="cite">On
12/05/2013 06:13 PM, Jakub Bittner wrote:
<br>
<blockquote type="cite">Dne 5.12.2013 17:00, Sander Grendelman
napsal(a):
<br>
<blockquote type="cite"><a
class="moz-txt-link-freetext"
href="https://">https://</a><your engine
host>/api/events
<br>
</blockquote>
Great, I did not know about this page, it is better(formated)
source
<br>
than logs, but it still has the same issue. I can get info about
what
<br>
happened, but not exact info about what was done.
<br>
</blockquote>
<br>
just btw, this is the "events" log from the webadmin.
<br>
it covers actions done by users, not content of the edit operation
(something piotr started looking into).
<br>
<br>
with the move of the gui to work over the rest api, maybe just
auditing the api payload for these actions would be good enough?
<br>
<br>
<br>
<blockquote type="cite">
<br>
<event href="/api/events/5341" id="5341">
<br>
<description>Interface nic1 (VirtIO) was updated for VM
<br>
server1.test.org. (User: user1)</description>
<br>
<code>934</code>
<br>
<severity>normal</severity>
<br>
<time>2013-12-05T16:35:46.263+01:00</time>
<br>
<correlation_id>7e60ae1</correlation_id>
<br>
<user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
<br>
id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
<br>
<vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
<br>
id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
<br>
<cluster
href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
<br>
id="99408929-82cf-4dc7-a532-9d998063fa95"/>
<br>
<data_center
<br>
href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
<br>
id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
<br>
<origin>oVirt</origin>
<br>
<custom_id>-1</custom_id>
<br>
<flood_rate>30</flood_rate>
<br>
</event>
<br>
<br>
<br>
_______________________________________________
<br>
Users mailing list
<br>
<a class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<br>
<a class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
<br>
</blockquote>
<br>
</blockquote>
<br>
If I can have an suggestion, we discus audit log and for our siem it
would be great format like:<br>
<br>
user: user1 action: powered off vm: VM1<span style="color: rgb(0, 0,
0); font-family: monospace; font-size: 13px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing: normal;
line-height: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;
display: inline !important; float: none;"><span style="color:
rgb(0, 0, 0); font-family: monospace; font-size: 13px;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans: auto;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none;"><span style="color: rgb(0, 0, 0); font-family:
monospace; font-size: 13px; font-style: normal; font-variant:
normal; font-weight: normal; letter-spacing: normal;
line-height: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width:
0px; display: inline !important; float:
none;">.test.com</span></span></span>
host: <span style="color: rgb(0, 0, 0); font-family: monospace;
font-size: 13px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline
!important; float: none;"><span style="color: rgb(0, 0, 0);
font-family: monospace; font-size: 13px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;
display: inline !important; float: none;"><span style="color:
rgb(0, 0, 0); font-family: monospace; font-size: 13px;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans: auto;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none;">ovirt.test.com<br>
<br>
user: </span></span></span>user1 action: <span
style="color:
rgb(0, 0, 0); font-family: monospace; font-size: 13px; font-style:
normal; font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;
display: inline !important; float: none;">logged in<br>
<br>
user: </span>user1 action: <span style="color: rgb(0, 0, 0);
font-family: monospace; font-size: 13px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing: normal;
line-height: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;
display: inline !important; float: none;">initiated console
session</span> <span style="color: rgb(0, 0, 0); font-family:
monospace; font-size: 13px; font-style: normal; font-variant:
normal; font-weight: normal; letter-spacing: normal; line-height:
normal; orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline
!important; float: none;">VM: </span><span style="color:
rgb(0,
0, 0); font-family: monospace; font-size: 13px; font-style:
normal; font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;
display: inline !important; float: none;"><span style="color:
rgb(0, 0, 0); font-family: monospace; font-size: 13px;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans: auto;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none;"><span style="color: rgb(0, 0, 0); font-family:
monospace; font-size: 13px; font-style: normal; font-variant:
normal; font-weight: normal; letter-spacing: normal;
line-height: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width:
0px; display: inline !important; float: none;">VM5.test.com<br>
<br>
user: user1 action: changed network interface detail:
secure_vlan to insecure_vlan on vnic1 vm: testserver.test.com<br>
</span></span></span>
</body>
</html>
--------------080800030908050608050204--
11:09 a.m.
----- Original Message -----
From: "Jakub Bittner" <j.bittner(a)nbu.cz>
To: "Itamar Heim" <iheim(a)redhat.com>, "Sander Grendelman"
<sander(a)grendelman.com>
Cc: users(a)ovirt.org, "Piotr Kliczewski" <pkliczew(a)redhat.com>
Sent: Friday, December 6, 2013 8:08:17 AM
Subject: Re: [Users] oVirt auditing
Dne 5.12.2013 18:34, Itamar Heim napsal(a):
> On 12/05/2013 06:13 PM, Jakub Bittner wrote:
>> Dne 5.12.2013 17:00, Sander Grendelman napsal(a):
>>> https://<your engine host>/api/events
>> Great, I did not know about this page, it is better(formated) source
>> than logs, but it still has the same issue. I can get info about what
>> happened, but not exact info about what was done.
>
> just btw, this is the "events" log from the webadmin.
> it covers actions done by users, not content of the edit operation
> (something piotr started looking into).
>
> with the move of the gui to work over the rest api, maybe just
> auditing the api payload for these actions would be good enough?
>
>
>>
>> <event href="/api/events/5341" id="5341">
>> <description>Interface nic1 (VirtIO) was updated for VM
>> server1.test.org. (User: user1)</description>
>> <code>934</code>
>> <severity>normal</severity>
>> <time>2013-12-05T16:35:46.263+01:00</time>
>> <correlation_id>7e60ae1</correlation_id>
>> <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
>> id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
>> <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
>> id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
>> <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
>> id="99408929-82cf-4dc7-a532-9d998063fa95"/>
>> <data_center
>> href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
>> id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
>> <origin>oVirt</origin>
>> <custom_id>-1</custom_id>
>> <flood_rate>30</flood_rate>
>> </event>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
If I can have an suggestion, we discus audit log and for our siem it
would be great format like:
user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
user: user1 action: logged in
user: user1 action: initiated console session VM: VM5.test.com
user: user1 action: changed network interface detail: secure_vlan to
insecure_vlan on vnic1 vm: testserver.test.com
I focused on modifications and used json for it looking like:
{ object='objectName'propertyName='name' oldValue='previousValue'
newValue='newValue'}
You could have multiple properties modified, removed and created. What do you think about
this format?
11:23 a.m.
Dne 6.12.2013 09:09, Piotr Kliczewski napsal(a):
----- Original Message -----
> From: "Jakub Bittner" <j.bittner(a)nbu.cz>
> To: "Itamar Heim" <iheim(a)redhat.com>, "Sander Grendelman"
<sander(a)grendelman.com>
> Cc: users(a)ovirt.org, "Piotr Kliczewski" <pkliczew(a)redhat.com>
> Sent: Friday, December 6, 2013 8:08:17 AM
> Subject: Re: [Users] oVirt auditing
>
> Dne 5.12.2013 18:34, Itamar Heim napsal(a):
>> On 12/05/2013 06:13 PM, Jakub Bittner wrote:
>>> Dne 5.12.2013 17:00, Sander Grendelman napsal(a):
>>>> https://<your engine host>/api/events
>>> Great, I did not know about this page, it is better(formated) source
>>> than logs, but it still has the same issue. I can get info about what
>>> happened, but not exact info about what was done.
>> just btw, this is the "events" log from the webadmin.
>> it covers actions done by users, not content of the edit operation
>> (something piotr started looking into).
>>
>> with the move of the gui to work over the rest api, maybe just
>> auditing the api payload for these actions would be good enough?
>>
>>
>>> <event href="/api/events/5341" id="5341">
>>> <description>Interface nic1 (VirtIO) was updated for VM
>>> server1.test.org. (User: user1)</description>
>>> <code>934</code>
>>> <severity>normal</severity>
>>> <time>2013-12-05T16:35:46.263+01:00</time>
>>> <correlation_id>7e60ae1</correlation_id>
>>> <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
>>> id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
>>> <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
>>> id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
>>> <cluster
href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
>>> id="99408929-82cf-4dc7-a532-9d998063fa95"/>
>>> <data_center
>>> href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
>>> id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
>>> <origin>oVirt</origin>
>>> <custom_id>-1</custom_id>
>>> <flood_rate>30</flood_rate>
>>> </event>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
> If I can have an suggestion, we discus audit log and for our siem it
> would be great format like:
>
> user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
>
> user: user1 action: logged in
>
> user: user1 action: initiated console session VM: VM5.test.com
>
> user: user1 action: changed network interface detail: secure_vlan to
> insecure_vlan on vnic1 vm: testserver.test.com
>
I focused on modifications and used json for it looking like:
{ object='objectName'propertyName='name' oldValue='previousValue'
newValue='newValue'}
You could have multiple properties modified, removed and created. What do you think
about
this format?
This format looks great. If you need further testing we can help.
Thanks.
4004
days inactive
4005
days old
6 comments
4 participants
participants (4)
-
Itamar Heim -
Jakub Bittner -
Piotr Kliczewski -
Sander Grendelman