[Users] oVirt auditing

Piotr Kliczewski pkliczew at redhat.com
Fri Dec 6 03:09:26 EST 2013





----- Original Message -----
> From: "Jakub Bittner" <j.bittner at nbu.cz>
> To: "Itamar Heim" <iheim at redhat.com>, "Sander Grendelman" <sander at grendelman.com>
> Cc: users at ovirt.org, "Piotr Kliczewski" <pkliczew at redhat.com>
> Sent: Friday, December 6, 2013 8:08:17 AM
> Subject: Re: [Users] oVirt auditing
> 
> Dne 5.12.2013 18:34, Itamar Heim napsal(a):
> > On 12/05/2013 06:13 PM, Jakub Bittner wrote:
> >> Dne 5.12.2013 17:00, Sander Grendelman napsal(a):
> >>> https://<your engine host>/api/events
> >> Great, I did not know about this page, it is better(formated) source
> >> than logs, but it still has the same issue. I can get info about what
> >> happened, but not exact info about what was done.
> >
> > just btw, this is the "events" log from the webadmin.
> > it covers actions done by users, not content of the edit operation
> > (something piotr started looking into).
> >
> > with the move of the gui to work over the rest api, maybe just
> > auditing the api payload for these actions would be good enough?
> >
> >
> >>
> >> <event href="/api/events/5341" id="5341">
> >> <description>Interface nic1 (VirtIO) was updated for VM
> >> server1.test.org.   (User: user1)</description>
> >> <code>934</code>
> >> <severity>normal</severity>
> >> <time>2013-12-05T16:35:46.263+01:00</time>
> >> <correlation_id>7e60ae1</correlation_id>
> >> <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
> >> id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
> >> <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
> >> id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
> >> <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
> >> id="99408929-82cf-4dc7-a532-9d998063fa95"/>
> >> <data_center
> >> href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
> >> id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
> >> <origin>oVirt</origin>
> >> <custom_id>-1</custom_id>
> >> <flood_rate>30</flood_rate>
> >> </event>
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >
> 
> If I can have an suggestion, we discus audit log and for our siem it
> would be great format like:
> 
> user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
> 
> user: user1 action: logged in
> 
> user: user1 action: initiated console session VM: VM5.test.com
> 
> user: user1 action: changed network interface detail: secure_vlan to
> insecure_vlan on vnic1 vm: testserver.test.com
> 

I focused on modifications and used json for it looking like:

{ object='objectName'propertyName='name' oldValue='previousValue' newValue='newValue'}

You could have multiple properties modified, removed and created. What do you think about 
this format?





More information about the Users mailing list