
On 5.12.2013 18:34, Itamar Heim wrote:
> On 12/05/2013 06:13 PM, Jakub Bittner wrote:
>> On 5.12.2013 17:00, Sander Grendelman wrote:
>>> https://<your engine host>/api/events
>>
>> Great, I did not know about this page, it is a better (formatted) source
>> than logs, but it still has the same issue. I can get info about what
>> happened, but not exact info about what was done.
>
> just btw, this is the "events" log from the webadmin.
> it covers actions done by users, not content of the edit operation (something piotr started looking into).
>
> with the move of the gui to work over the rest api, maybe just auditing the api payload for these actions would be good enough?
>
>> <event href="/api/events/5341" id="5341">
>>   <description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
>>   <code>934</code>
>>   <severity>normal</severity>
>>   <time>2013-12-05T16:35:46.263+01:00</time>
>>   <correlation_id>7e60ae1</correlation_id>
>>   <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d" id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
>>   <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9" id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
>>   <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95" id="99408929-82cf-4dc7-a532-9d998063fa95"/>
>>   <data_center href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3" id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
>>   <origin>oVirt</origin>
>>   <custom_id>-1</custom_id>
>>   <flood_rate>30</flood_rate>
>> </event>

If I can make a suggestion: we are discussing the audit log, and for our SIEM a format like this would be great:

user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com

user: user1 action: logged in

user: user1 action: initiated console session VM: VM5.test.com

user: user1 action: changed network interface detail: secure_vlan to insecure_vlan on vnic1 vm: testserver.test.com
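
A sketch of the conversion requested above, added here as an example and not part of the original thread or of oVirt: it turns `<event>` elements of the shape quoted in the thread into one `key: value` line per event for a SIEM. The `<events>` wrapper, the second sample event and the function names are assumptions; the output has no `detail:` field because the event itself does not carry the old and new values, which is the gap the thread is about.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the thread's event (abridged) plus a made-up system event.
SAMPLE = """<events>
  <event href="/api/events/5341" id="5341">
    <description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
    <code>934</code>
    <time>2013-12-05T16:35:46.263+01:00</time>
    <correlation_id>7e60ae1</correlation_id>
  </event>
  <event href="/api/events/5342" id="5342">
    <description>Constructed
 system event</description>
    <code>0</code>
    <time>2013-12-05T16:36:00.000+01:00</time>
  </event>
</events>"""

USER_RE = re.compile(r"\s*\(User: ([^)]+)\)\s*$")   # trailing "(User: name)"
VM_RE = re.compile(r"\s+for VM (\S+?)\.?$")         # trailing "for VM name."


def one_line(value):
    """Collapse whitespace so an embedded newline cannot split a SIEM record."""
    return " ".join((value or "-").split()) or "-"


def to_siem_line(event):
    """Render one <event> element as a single 'key: value' line."""
    text = one_line(event.findtext("description"))
    user = vm = "-"
    m = USER_RE.search(text)
    if m:  # system events carry no user suffix
        user, text = m.group(1), text[:m.start()]
    m = VM_RE.search(text)
    if m:  # not every event concerns a VM
        vm, text = m.group(1), text[:m.start()]
    fields = [("time", event.findtext("time")), ("user", user),
              ("action", text.rstrip(".")), ("vm", vm),
              ("code", event.findtext("code")),
              ("correlation_id", event.findtext("correlation_id"))]
    return " ".join(f"{k}: {one_line(v)}" for k, v in fields)


def convert(xml_text):
    return [to_siem_line(e) for e in ET.fromstring(xml_text).iter("event")]
```

Calling `convert(SAMPLE)` returns two lines; missing fields are written as `-` so every record keeps the same key order.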