
----- Original Message -----
From: "Jakub Bittner" <j.bittner@nbu.cz>
To: "Itamar Heim" <iheim@redhat.com>, "Sander Grendelman" <sander@grendelman.com>
Cc: users@ovirt.org, "Piotr Kliczewski" <pkliczew@redhat.com>
Sent: Friday, December 6, 2013 8:08:17 AM
Subject: Re: [Users] oVirt auditing
On 5.12.2013 18:34, Itamar Heim wrote:
> On 12/05/2013 06:13 PM, Jakub Bittner wrote:
>> On 5.12.2013 17:00, Sander Grendelman wrote:
>>> https://<your engine host>/api/events
>>
>> Great, I did not know about this page, it is a better (formatted) source
>> than logs, but it still has the same issue. I can get info about what
>> happened, but not exact info about what was done.
>
> just btw, this is the "events" log from the webadmin. it covers actions
> done by users, not content of the edit operation (something piotr started
> looking into).
>
> with the move of the gui to work over the rest api, maybe just auditing
> the api payload for these actions would be good enough?
>
>> <event href="/api/events/5341" id="5341">
>>   <description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
>>   <code>934</code>
>>   <severity>normal</severity>
>>   <time>2013-12-05T16:35:46.263+01:00</time>
>>   <correlation_id>7e60ae1</correlation_id>
>>   <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d" id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
>>   <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9" id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
>>   <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95" id="99408929-82cf-4dc7-a532-9d998063fa95"/>
>>   <data_center href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3" id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
>>   <origin>oVirt</origin>
>>   <custom_id>-1</custom_id>
>>   <flood_rate>30</flood_rate>
>> </event>
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
If I may make a suggestion: we are discussing the audit log, and for our SIEM a format like this would be great:
user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
user: user1 action: logged in
user: user1 action: initiated console session VM: VM5.test.com
user: user1 action: changed network interface detail: secure_vlan to insecure_vlan on vnic1 vm: testserver.test.com
I focused on modifications and used JSON for it, looking like:

{ "object": "objectName", "propertyName": "name", "oldValue": "previousValue", "newValue": "newValue" }

You could have multiple properties modified, removed and created. What do you think about this format?
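As an added illustration of the two proposals in this thread (it is not oVirt code and not something either poster wrote), the script below parses the <event> record quoted above, renders the "user: ... action: ... vm: ..." line format suggested for the SIEM, and builds the {object, propertyName, oldValue, newValue} records from a before/after snapshot of an object's properties, covering modified, removed and created properties. The user name and VM name are pulled out of the description text because, as the quoted event shows, that is where the engine puts them. The helper names, the second sample event and the property snapshot are assumptions made for the example.

```python
"""Turn an oVirt /api/events record into SIEM-friendly audit output.

Added example, not oVirt code and not from the thread: it parses the <event>
XML shape quoted above, renders the "user: ... action: ... vm: ..." line
format proposed by Jakub, and builds the {object, propertyName, oldValue,
newValue} records proposed by Piotr from a before/after property snapshot.
Helper names, the second sample event and the snapshot are assumptions.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the event quoted in the thread, trimmed to the
# elements this example reads.
SAMPLE_EVENT = """<event href="/api/events/5341" id="5341">
  <description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
  <code>934</code>
  <severity>normal</severity>
  <time>2013-12-05T16:35:46.263+01:00</time>
  <correlation_id>7e60ae1</correlation_id>
  <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d" id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
  <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9" id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
  <origin>oVirt</origin>
</event>"""

# Constructed sample of an event that names no user (an engine-internal
# action); the renderer must not emit an empty "user:" field for it.
SAMPLE_SYSTEM_EVENT = """<event href="/api/events/5342" id="5342">
  <description>Host ovirt.test.com power management was verified.</description>
  <severity>normal</severity>
  <time>2013-12-05T16:36:00.000+01:00</time>
</event>"""

# "(User: user1)" is appended to the description text, not a separate field.
USER_RE = re.compile(r"\s*\(User:\s*([^)]+)\)\s*$")
# The VM name appears as "VM <name>", possibly followed by a sentence period.
VM_RE = re.compile(r"\bVM\s+(\S+)")


def parse_event(xml_text):
    """Extract the audit-relevant fields from one <event> element."""
    root = ET.fromstring(xml_text)
    desc = root.findtext("description", "").strip()
    user = None
    m = USER_RE.search(desc)
    if m:
        user = m.group(1).strip()
        desc = desc[:m.start()].rstrip()   # keep only the action text
    m = VM_RE.search(desc)
    vm_name = m.group(1).rstrip(".") if m else None
    vm_el = root.find("vm")
    return {
        "event_id": root.get("id"),
        "time": root.findtext("time"),
        "correlation_id": root.findtext("correlation_id"),
        "user": user,
        "action": desc.rstrip("."),
        "vm": vm_name,
        "vm_id": vm_el.get("id") if vm_el is not None else None,
    }


def siem_line(rec):
    """Render the key/value line proposed in the thread; absent fields are omitted."""
    fields = [("user", rec["user"]), ("action", rec["action"]), ("vm", rec["vm"])]
    return " ".join(f"{key}: {value}" for key, value in fields if value)


def modification_records(obj, old_props, new_props):
    """Diff two property snapshots into one record per changed property.

    A property present only in old_props is a removal (newValue null), one
    present only in new_props is a creation (oldValue null); unchanged
    properties produce no record.
    """
    records = []
    for name in sorted(set(old_props) | set(new_props)):
        old_value, new_value = old_props.get(name), new_props.get(name)
        if old_value != new_value:
            records.append({"object": obj, "propertyName": name,
                            "oldValue": old_value, "newValue": new_value})
    return records


def to_json_lines(records):
    """One JSON document per line, the form most SIEM collectors ingest."""
    return [json.dumps(r, sort_keys=True) for r in records]


if __name__ == "__main__":
    for xml_text in (SAMPLE_EVENT, SAMPLE_SYSTEM_EVENT):
        print(siem_line(parse_event(xml_text)))
    # Constructed before/after snapshot of vnic1, matching the thread's
    # secure_vlan -> insecure_vlan scenario plus one removed property.
    before = {"network": "secure_vlan", "mtu": "1500", "port_mirroring": "on"}
    after = {"network": "insecure_vlan", "mtu": "1500"}
    for line in to_json_lines(modification_records("vnic1", before, after)):
        print(line)
```

Keeping the engine's own event id and correlation_id in the parsed record lets the SIEM join the human-readable line back to the property-level JSON records for the same change.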