[Users] oVirt auditing

Jakub Bittner j.bittner at nbu.cz
Fri Dec 6 07:08:17 UTC 2013

On 5.12.2013 18:34, Itamar Heim wrote:
> On 12/05/2013 06:13 PM, Jakub Bittner wrote:
>> On 5.12.2013 17:00, Sander Grendelman wrote:
>>> https://<your engine host>/api/events
>> Great, I did not know about this page, it is a better (formatted) source
>> than logs, but it still has the same issue. I can get info about what
>> happened, but not exact info about what was done.
> just btw, this is the "events" log from the webadmin.
> it covers actions done by users, not content of the edit operation 
> (something piotr started looking into).
> with the move of the gui to work over the rest api, maybe just 
> auditing the api payload for these actions would be good enough?
>> <event href="/api/events/5341" id="5341">
>> <description>Interface nic1 (VirtIO) was updated for VM
>> server1.test.org.   (User: user1)</description>
>> <code>934</code>
>> <severity>normal</severity>
>> <time>2013-12-05T16:35:46.263+01:00</time>
>> <correlation_id>7e60ae1</correlation_id>
>> <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
>> id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
>> <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
>> id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
>> <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
>> id="99408929-82cf-4dc7-a532-9d998063fa95"/>
>> <data_center
>> href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
>> id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
>> <origin>oVirt</origin>
>> <custom_id>-1</custom_id>
>> <flood_rate>30</flood_rate>
>> </event>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users

If I can make a suggestion, we discuss the audit log, and for our SIEM a
format like this would be great:

user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com

user: user1 action: logged in

user: user1 action: initiated console session VM: VM5.test.com

user: user1 action: changed network interface detail: secure_vlan to 
insecure_vlan on vnic1 vm: testserver.test.com
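
A sketch of how the `/api/events` XML quoted above could be flattened into the one-line `key: value` form suggested for a SIEM; this is an added example, not code from the thread or from oVirt. The `<events>` wrapper, the extra `time`, `code` and `correlation_id` fields, and the description patterns (`for VM ...`, `(User: ...)`) are assumptions based on the single event shown.

```python
import re
import xml.etree.ElementTree as ET

# First event copied from the thread (hrefs trimmed) and wrapped in an
# assumed <events> list; the second event is constructed to show the fallback.
SAMPLE = """<events>
<event href="/api/events/5341" id="5341">
<description>Interface nic1 (VirtIO) was updated for VM
server1.test.org.   (User: user1)</description>
<code>934</code>
<severity>normal</severity>
<time>2013-12-05T16:35:46.263+01:00</time>
<correlation_id>7e60ae1</correlation_id>
</event>
<event href="/api/events/5342" id="5342">
<description>Constructed event without a user suffix</description>
<code>0</code>
<time>2013-12-05T16:36:00.000+01:00</time>
</event>
</events>"""

def clean(value):
    """Collapse control characters and whitespace so one event stays one line."""
    return " ".join(re.sub(r"[\x00-\x1f\x7f]+", " ", value or "").split())

def event_to_line(event):
    """Flatten one <event> element into 'key: value' pairs on a single line."""
    desc = clean(event.findtext("description"))
    fields = [("time", clean(event.findtext("time"))),
              ("code", clean(event.findtext("code")))]
    user = re.search(r"\s*\(User: ([^)]+)\)$", desc)  # trailing "(User: x)"
    if user:
        fields.append(("user", user.group(1)))
        desc = desc[:user.start()].rstrip(". ")
    vm = re.search(r" for VM (\S+)$", desc)            # trailing "for VM <name>"
    if vm:
        desc = desc[:vm.start()]
    fields.append(("action", desc))  # unmatched descriptions pass through whole
    if vm:
        fields.append(("vm", vm.group(1)))
    corr = clean(event.findtext("correlation_id"))
    if corr:
        fields.append(("correlation_id", corr))
    return " ".join(f"{k}: {v}" for k, v in fields)

def events_to_lines(xml_text):
    return [event_to_line(e) for e in ET.fromstring(xml_text).iter("event")]

if __name__ == "__main__":
    print("\n".join(events_to_lines(SAMPLE)))
```

The line-wrapped description in the quoted event is why `clean()` runs first: without it a single event would reach the SIEM as two records.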