[Users] oVirt auditing

Hello,

I am curious how to audit user actions in the oVirt web interface. From engine.log we are able to extract when a user logged in, when he updated a vnicProfile and so on, but we cannot get the exact changes (behavior).

Right now I can get logs like:

2013-12-05 16:35:46,270 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null, Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM test.test.org. (User: user1)

But it would be nice to get logs like:

2013-12-05 16:35:46,270 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null, Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM test.test.org *from secure_vlan to unsecure_vlan*. (User: user1)

My point is to have a feature which gives us the possibility to construct the exact user behavior and actions in managing oVirt. It could be useful not only in hunting bugs, but primarily in hunting security problems.

Thank you.

Jakub Bittner

Is this something you could use https://<your engine host>/api/events for?

On Thu, Dec 5, 2013 at 4:51 PM, Jakub Bittner <j.bittner@nbu.cz> wrote:
> Hello,
>
> I am curious how to audit user actions in the oVirt web interface. From engine.log we are able to extract when a user logged in, when he updated a vnicProfile and so on, but we cannot get the exact changes (behavior).
>
> Right now I can get logs like:
>
> 2013-12-05 16:35:46,270 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null, Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM test.test.org. (User: user1)
>
> But it would be nice to get logs like:
>
> 2013-12-05 16:35:46,270 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-6) Correlation ID: 7e60ae1, Call Stack: null, Custom Event ID: -1, Message: Interface nic1 (VirtIO) was updated for VM test.test.org from secure_vlan to unsecure_vlan. (User: user1)
>
> My point is to have a feature which gives us the possibility to construct the exact user behavior and actions in managing oVirt. It could be useful not only in hunting bugs, but primarily in hunting security problems.
>
> Thank you.
>
> Jakub Bittner
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On 5.12.2013 17:00, Sander Grendelman wrote:
> https://<your engine host>/api/events

Great, I did not know about this page. It is a better (formatted) source than the logs, but it still has the same issue: I can get info about what happened, but not exact info about what was done.

<event href="/api/events/5341" id="5341">
  <description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
  <code>934</code>
  <severity>normal</severity>
  <time>2013-12-05T16:35:46.263+01:00</time>
  <correlation_id>7e60ae1</correlation_id>
  <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d" id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
  <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9" id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
  <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95" id="99408929-82cf-4dc7-a532-9d998063fa95"/>
  <data_center href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3" id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
  <origin>oVirt</origin>
  <custom_id>-1</custom_id>
  <flood_rate>30</flood_rate>
</event>
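As an added example (editor's code, not part of the thread and not oVirt's own tooling), here is a small Python script that parses the `<event>` records that /api/events returns, flattens each one into plain fields, and groups events that belong to one engine operation by their correlation_id. The input is constructed inline from the event quoted above plus one invented login event; the regexes that pull the user and VM name out of the free-text description are an assumption based on that single sample. Note what the parser cannot produce: the old and new value of the change, because the API record does not carry them.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed input for this example: the <event> quoted in the thread
# plus a second, invented login event, wrapped in the <events> list that
# /api/events returns. Ids are the anonymised ones from the thread.
SAMPLE_EVENTS_XML = """<events>
<event href="/api/events/5341" id="5341">
  <description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
  <code>934</code>
  <severity>normal</severity>
  <time>2013-12-05T16:35:46.263+01:00</time>
  <correlation_id>7e60ae1</correlation_id>
  <user href="/api/users/6d8fd48a-1072-11e3-c3ea-001a4aa8039d" id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
  <vm href="/api/vms/cc821292-80c0-4b85-a832-0b8a969c22c9" id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
  <origin>oVirt</origin>
  <custom_id>-1</custom_id>
  <flood_rate>30</flood_rate>
</event>
<event href="/api/events/5342" id="5342">
  <description>User user1 logged in. (User: user1)</description>
  <severity>normal</severity>
  <time>2013-12-05T16:30:02.000+01:00</time>
  <correlation_id>0f1e2d3</correlation_id>
  <user href="/api/users/6d8fd48a-1072-11e3-c3ea-001a4aa8039d" id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
  <origin>oVirt</origin>
</event>
</events>"""

# Assumed description conventions, inferred from the one sample in the thread:
# a trailing "(User: name)" and, for VM events, "for VM <name>." before it.
USER_RE = re.compile(r"\(User: ([^)]+)\)\s*$")
VM_RE = re.compile(r"\bfor VM (\S+?)\.?\s+\(User:")


def parse_event(elem):
    """Flatten one <event> element into plain fields; missing children become None."""
    desc = (elem.findtext("description") or "").strip()
    user_m = USER_RE.search(desc)
    vm_m = VM_RE.search(desc)
    user_el = elem.find("user")
    vm_el = elem.find("vm")
    return {
        "event_id": elem.get("id"),
        "time": elem.findtext("time"),
        "code": elem.findtext("code"),
        "severity": elem.findtext("severity"),
        "correlation_id": elem.findtext("correlation_id"),
        "user": user_m.group(1) if user_m else None,
        "user_id": user_el.get("id") if user_el is not None else None,
        "vm": vm_m.group(1) if vm_m else None,
        "vm_id": vm_el.get("id") if vm_el is not None else None,
        # What happened, with the "(User: ...)" suffix removed. The old and
        # new values of the change are simply not present in this text.
        "action": USER_RE.sub("", desc).strip(),
    }


def parse_events(xml_text):
    """Parse an <events> document (e.g. the body of GET /api/events)."""
    root = ET.fromstring(xml_text)
    return [parse_event(e) for e in root.iter("event")]


def to_siem_line(rec):
    """Render a record in a flat 'key: value' style; empty fields are skipped."""
    fields = [("user", rec["user"]), ("action", rec["action"]), ("vm", rec["vm"]),
              ("correlation_id", rec["correlation_id"]), ("time", rec["time"])]
    return " ".join(f"{k}: {v}" for k, v in fields if v)


def group_by_correlation(records):
    """Group the events of one engine operation together via correlation_id."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["correlation_id"]].append(rec)
    return dict(groups)


if __name__ == "__main__":
    for rec in parse_events(SAMPLE_EVENTS_XML):
        print(to_siem_line(rec))
```

The correlation_id is the most useful field for a defender here: every event the engine emits while executing one command shares it, so grouping on it reconstructs the operation even when the descriptions are free text. The "action" field stays free text because that is all the record contains, which is exactly the gap the thread is about.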

On 12/05/2013 06:13 PM, Jakub Bittner wrote:
> On 5.12.2013 17:00, Sander Grendelman wrote:
>> https://<your engine host>/api/events
>
> Great, I did not know about this page. It is a better (formatted) source than the logs, but it still has the same issue: I can get info about what happened, but not exact info about what was done.

Just btw, this is the "events" log from the webadmin. It covers actions done by users, not the content of the edit operation (something Piotr started looking into).

With the move of the GUI to work over the REST API, maybe just auditing the API payload for these actions would be good enough?

On 5.12.2013 18:34, Itamar Heim wrote:
> On 12/05/2013 06:13 PM, Jakub Bittner wrote:
>> Great, I did not know about this page. It is a better (formatted) source than the logs, but it still has the same issue: I can get info about what happened, but not exact info about what was done.
>
> Just btw, this is the "events" log from the webadmin. It covers actions done by users, not the content of the edit operation (something Piotr started looking into).
>
> With the move of the GUI to work over the REST API, maybe just auditing the API payload for these actions would be good enough?

If I may make a suggestion: we are discussing the audit log, and for our SIEM a format like this would be great:

user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
user: user1 action: logged in
user: user1 action: initiated console session VM: VM5.test.com
user: user1 action: changed network interface detail: secure_vlan to insecure_vlan on vnic1 vm: testserver.test.com

----- Original Message -----
From: "Jakub Bittner" <j.bittner@nbu.cz>
To: "Itamar Heim" <iheim@redhat.com>, "Sander Grendelman" <sander@grendelman.com>
Cc: users@ovirt.org, "Piotr Kliczewski" <pkliczew@redhat.com>
Sent: Friday, December 6, 2013 8:08:17 AM
Subject: Re: [Users] oVirt auditing

> If I may make a suggestion: we are discussing the audit log, and for our SIEM a format like this would be great:
>
> user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
> user: user1 action: logged in
> user: user1 action: initiated console session VM: VM5.test.com
> user: user1 action: changed network interface detail: secure_vlan to insecure_vlan on vnic1 vm: testserver.test.com

I focused on modifications and used JSON for it, looking like:

{ object='objectName' propertyName='name' oldValue='previousValue' newValue='newValue' }

You could have multiple properties modified, removed and created. What do you think about this format?
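To make the proposed record concrete, here is an added Python example (editor's code, not Piotr's implementation and not oVirt code) that diffs a before/after snapshot of one object and emits one record per property in the shape described above (object, propertyName, oldValue, newValue), distinguishing modified, removed and created properties. The same changes are also rendered in the flat "key: value" line style from the previous message. The snapshots and their field names are constructed for the example and are not oVirt's schema.

```python
import json

# Constructed before/after snapshots of one vNIC, as an API-payload audit
# (suggested earlier in the thread) or the engine itself could capture them.
# The field names are illustrative for this example, not oVirt's schema.
BEFORE = {"name": "nic1", "interface": "VirtIO", "vnic_profile": "secure_vlan",
          "mac": "00:1a:4a:00:00:01", "linked": True}
AFTER = {"name": "nic1", "interface": "VirtIO", "vnic_profile": "insecure_vlan",
         "mac": "00:1a:4a:00:00:01", "plugged": True}


def diff_properties(obj_name, before, after):
    """One record per changed property in the shape proposed in the thread
    (object, propertyName, oldValue, newValue) plus the kind of change, so
    that modified, removed and created properties all appear in the audit."""
    records = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if key not in after:
            kind = "removed"
        elif key not in before:
            kind = "created"
        elif old != new:
            kind = "modified"
        else:
            continue  # unchanged property: not an audit event
        records.append({"object": obj_name, "propertyName": key,
                        "oldValue": old, "newValue": new, "change": kind})
    return records


def audit_json(user, vm, changes):
    """Serialise one operation as a single JSON line, the form a SIEM ingests most easily."""
    return json.dumps({"user": user, "vm": vm, "changes": changes}, sort_keys=True)


def audit_siem_line(user, vm, obj_name, changes):
    """The same operation in the flat 'key: value' style asked for earlier in the thread."""
    details = "; ".join(
        f"{c['propertyName']} {c['oldValue']} to {c['newValue']}" if c["change"] == "modified"
        else f"{c['propertyName']} {c['change']}"
        for c in changes)
    return (f"user: {user} action: changed network interface detail: {details} "
            f"on {obj_name} vm: {vm}")


if __name__ == "__main__":
    changes = diff_properties("nic1", BEFORE, AFTER)
    print(audit_json("user1", "testserver.test.com", changes))
    print(audit_siem_line("user1", "testserver.test.com", "nic1", changes))
```

Keeping the "change" kind explicit matters for detection: a removed property (for instance a network filter dropped from a vNIC) carries no newValue, and without the kind it would be indistinguishable from a property that was never set.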

On 6.12.2013 09:09, Piotr Kliczewski wrote:
> I focused on modifications and used JSON for it, looking like:
>
> { object='objectName' propertyName='name' oldValue='previousValue' newValue='newValue' }
>
> You could have multiple properties modified, removed and created. What do you think about this format?

This format looks great. If you need further testing we can help. Thanks.