[Users] oVirt auditing
Jakub Bittner
j.bittner at nbu.cz
Fri Dec 6 08:23:26 UTC 2013
On 6.12.2013 09:09, Piotr Kliczewski wrote:
>
>
>
> ----- Original Message -----
>> From: "Jakub Bittner" <j.bittner at nbu.cz>
>> To: "Itamar Heim" <iheim at redhat.com>, "Sander Grendelman" <sander at grendelman.com>
>> Cc: users at ovirt.org, "Piotr Kliczewski" <pkliczew at redhat.com>
>> Sent: Friday, December 6, 2013 8:08:17 AM
>> Subject: Re: [Users] oVirt auditing
>>
>> On 5.12.2013 18:34, Itamar Heim wrote:
>>> On 12/05/2013 06:13 PM, Jakub Bittner wrote:
>>>> On 5.12.2013 17:00, Sander Grendelman wrote:
>>>>> https://<your engine host>/api/events
>>>> Great, I did not know about this page; it is a better (formatted) source
>>>> than logs, but it still has the same issue. I can get info about what
>>>> happened, but not exact info about what was done.
>>> just btw, this is the "events" log from the webadmin.
>>> it covers actions done by users, not content of the edit operation
>>> (something piotr started looking into).
>>>
>>> with the move of the gui to work over the rest api, maybe just
>>> auditing the api payload for these actions would be good enough?
>>>
>>>
>>>> <event href="/api/events/5341" id="5341">
>>>> <description>Interface nic1 (VirtIO) was updated for VM
>>>> server1.test.org. (User: user1)</description>
>>>> <code>934</code>
>>>> <severity>normal</severity>
>>>> <time>2013-12-05T16:35:46.263+01:00</time>
>>>> <correlation_id>7e60ae1</correlation_id>
>>>> <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
>>>> id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
>>>> <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
>>>> id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
>>>> <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
>>>> id="99408929-82cf-4dc7-a532-9d998063fa95"/>
>>>> <data_center
>>>> href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
>>>> id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
>>>> <origin>oVirt</origin>
>>>> <custom_id>-1</custom_id>
>>>> <flood_rate>30</flood_rate>
>>>> </event>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>> If I may make a suggestion: we are discussing the audit log, and for our SIEM
>> a format like this would be great:
>>
>> user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
>>
>> user: user1 action: logged in
>>
>> user: user1 action: initiated console session VM: VM5.test.com
>>
>> user: user1 action: changed network interface detail: secure_vlan to
>> insecure_vlan on vnic1 vm: testserver.test.com
>>
> I focused on modifications and used JSON for it, looking like:
>
> {"object": "objectName", "propertyName": "name", "oldValue": "previousValue", "newValue": "newValue"}
>
> You could have multiple properties modified, removed and created. What do you think about
> this format?
>
>
>
This format looks great. If you need further testing we can help.
Thanks.
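Added example (not oVirt's code and not from anyone in this thread): a small Python script that turns the /api/events XML quoted above into the flat "user: ... action: ... vm: ..." records Jakub asks for, and that produces the per-property {object, propertyName, oldValue, newValue} records Piotr sketches, covering modified, removed and created properties. The sample event XML is constructed after the shape of the one in the thread (the IDs are made up), and the field names in the flat record are my own choice. Note that the user name in the events API is only available inside the free-text description, so the script pulls it out with a regex but keeps the <user id> attribute as the authoritative field.

```python
"""Convert oVirt /api/events XML into SIEM-friendly audit records.

Added example, not oVirt's own code. Two parts:
  1. parse_events()/siem_line(): each <event> -> one flat "key: value" line,
     taking user/vm/cluster references from the structured child elements
     instead of parsing the free-text <description> for them.
  2. diff_properties(): before/after state of an edited object -> one
     {object, propertyName, oldValue, newValue} record per property that was
     modified, removed (newValue null) or created (oldValue null).
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the /api/events output quoted in the
# thread. All IDs are made up.
SAMPLE_EVENTS_XML = """<events>
<event href="/api/events/5341" id="5341">
<description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
<code>934</code>
<severity>normal</severity>
<time>2013-12-05T16:35:46.263+01:00</time>
<correlation_id>7e60ae1</correlation_id>
<user href="/api/users/00000000-0000-0000-0000-000000000001" id="00000000-0000-0000-0000-000000000001"/>
<vm href="/api/vms/00000000-0000-0000-0000-0000000000aa" id="00000000-0000-0000-0000-0000000000aa"/>
<cluster href="/api/clusters/00000000-0000-0000-0000-0000000000bb" id="00000000-0000-0000-0000-0000000000bb"/>
<origin>oVirt</origin>
</event>
</events>"""

# The user name is only present as a "(User: name)" suffix of the description.
USER_RE = re.compile(r"\(User: ([^)]+)\)\s*$")

# Object references carried as <name href=... id=.../> child elements.
OBJECT_REFS = ("user", "vm", "host", "cluster", "data_center")


def event_to_record(event):
    """Map one <event> element to a flat dict of fields a SIEM can key on."""
    desc = (event.findtext("description") or "").strip()
    m = USER_RE.search(desc)
    rec = {
        "event_id": event.get("id"),
        "time": event.findtext("time"),
        "user": m.group(1) if m else None,
        # Action text with the trailing "(User: ...)" and final period removed.
        "action": USER_RE.sub("", desc).strip().rstrip("."),
        "code": event.findtext("code"),
        "severity": event.findtext("severity"),
        "correlation_id": event.findtext("correlation_id"),
    }
    for name in OBJECT_REFS:
        el = event.find(name)
        if el is not None:
            rec[name + "_id"] = el.get("id")  # id attribute, not element text
    return rec


def parse_events(xml_text):
    """Parse an <events> document into a list of flat records."""
    root = ET.fromstring(xml_text)
    return [event_to_record(e) for e in root.iter("event")]


def siem_line(rec):
    """Render a record as a single 'key: value key: value' line."""
    return " ".join(f"{k}: {v}" for k, v in rec.items() if v is not None)


def diff_properties(object_name, old, new):
    """Return one change record per property that differs between old and new.

    A property missing from `new` is reported as removed (newValue None) and
    one missing from `old` as created (oldValue None), so all three cases
    mentioned in the thread come out in the same shape.
    """
    records = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        records.append({"object": object_name, "propertyName": key,
                        "oldValue": before, "newValue": after})
    return records


if __name__ == "__main__":
    for rec in parse_events(SAMPLE_EVENTS_XML):
        print(siem_line(rec))
    # Constructed before/after state of a vNIC edit (the example Jakub gives).
    old_nic = {"network": "secure_vlan", "interface": "virtio", "mac": "00:1a:4a:00:00:01"}
    new_nic = {"network": "insecure_vlan", "interface": "virtio", "linked": True}
    print(json.dumps(diff_properties("vnic1", old_nic, new_nic), indent=2))
```

The correlation_id from the event record is worth keeping in the SIEM line: it is what would let the property-change records from the modification log be tied back to the event that triggered them.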