Audit Logging
Moogsoft Onprem provides logging of the following information:
User sessions and authentication
Authorization changes
Configuration changes by administrators
You can also view changes in the severity of Situations.
Audit log entry details
Audit log entries contain the following markers:
CONFIG_AUDIT: Configuration changes, including creating and updating system configuration properties, and updating user properties.
SESSION_AUDIT: User sessions and authentication.
PERMISSIONS_AUDIT: Creating and updating users, and changing roles and teams.
User sessions and authentication
Moogsoft Onprem logs all of the following for user sessions and for all uses of authentication subsystems, regardless of whether authentication is successful, whether acting as a client or a server, or of the underlying protocol.
These log entries contain the SESSION_AUDIT marker:
User (DB/SAML/Graze) session creation.
User (DB/SAML/Graze) session expiry.
User logging out from UI.
User login failure.
Access session log information using Graze and MoogDb v2
You can use the following Graze endpoints or MoogDb v2 methods to access session audit log information:
Description | Graze Endpoint | MoogDb V2 Method |
---|---|---|
Return session information for users over a period of time. | | |
Return session information for an individual user. | | |
Authorization changes
Moogsoft Onprem logs all of the following authorization changes with the PERMISSIONS_AUDIT marker:
Creating or deleting principals, including usernames, teams, and roles.
Modifying privileges, team assignments, or other "marks of authority" associated with principals.
Creating or deleting teams, roles, or other names for authorization categories.
Modifying privileges or access associated with teams, roles, or users.
Configuration changes by administrators
Moogsoft Onprem logs all of the following administrative changes with the CONFIG_AUDIT marker:
Creating a new user and updating a user.
Creating a new team and updating a team.
Adding and editing a Cookbook.
Adding, deleting, and editing a Recipe.
Toggling/editing Tempus.
Toggling and retraining Probable Root Cause.
Adding, deleting, and updating merge groups.
Creating, editing and deleting link definitions.
Adding, editing, and disabling Situation and alert columns.
Customization changes.
Online help and support changes.
Changes to Hotkeys.
Changes to Chatops.
Adding, editing, and deleting action states.
Creating, editing, and deleting Situation client tools, Situation server tools, alert client tools, alert server tools, and generic server tools.
Updating the system config file.
Restarting Moogfarmd.
Enable audit logging
Audit logging is disabled by default. To enable it, follow these steps:
Locate the log file of the component for which you want to add audit logging. See Configure Logging for details.
Add a RollingFile section to the configuration.appenders section of the file. For example:

```json
"RollingFile": {
  "name": "AUDIT",
  "fileName": "/tmp/audit.log",
  "filePattern": "audit.log-%d{MM-dd-yy}-%i.gz",
  "PatternLayout": {
    "pattern": "%-5level: [%thread][%date{yyyMMdd HH:mm:ss.SSS Z}] [%file:%line] +|%message|+%n"
  },
  "Policies": {
    "SizeBasedTriggeringPolicy": { "size": "500M" }
  },
  "DefaultRolloverStrategy": { "max": "40" },
  "filters": {
    "MarkerFilter": { "marker": "AUDIT", "onMatch": "ACCEPT", "onMismatch": "DENY" }
  }
}
```
Replace the original loggers block in the same configuration file:

```json
"loggers": {
  "Logger": {
    "name": "com.moogsoft",
    "additivity": false,
    "AppenderRef": [ { "ref": "STDOUT" } ],
    "level": "info"
  }
}
```

with the following, which keeps the existing STDOUT logger and adds a second one that sends AUDIT-marked entries to the new appender at trace level:

```json
"loggers": {
  "Logger": [
    {
      "name": "com.moogsoft",
      "additivity": false,
      "AppenderRef": [ { "ref": "STDOUT" } ],
      "level": "info"
    },
    {
      "name": "com.moogsoft",
      "additivity": false,
      "AppenderRef": [ { "ref": "AUDIT" } ],
      "level": "trace"
    }
  ]
}
```
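A check for the two steps above, added here as an example and not part of Moogsoft's own tooling: it loads the logging configuration as JSON and reports why AUDIT-marked entries would not reach the audit file (missing appender, missing MarkerFilter, no Logger wired to the appender, or a level too high for the DEBUG entries shown later on this page). The sample config is a constructed fragment built from the page's snippets; the top-level `configuration` key is assumed.

```python
import json

# Fragment of the JSON logging config built from the page's two steps
# (constructed here as the sample input; the real file has more keys).
SAMPLE_CONFIG = json.loads("""
{"configuration": {
  "appenders": {"RollingFile": {
    "name": "AUDIT", "fileName": "/tmp/audit.log",
    "filters": {"MarkerFilter": {"marker": "AUDIT",
                                 "onMatch": "ACCEPT", "onMismatch": "DENY"}}}},
  "loggers": {"Logger": [
    {"name": "com.moogsoft", "additivity": false,
     "AppenderRef": [{"ref": "STDOUT"}], "level": "info"},
    {"name": "com.moogsoft", "additivity": false,
     "AppenderRef": [{"ref": "AUDIT"}], "level": "trace"}]}}}
""")


def as_list(value):
    """Repeated elements may be a single object or a list in this JSON form."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_logging_problems(config, appender_name="AUDIT"):
    """Return the reasons audit entries would not reach the audit file.

    An empty list means the appender exists, keeps only AUDIT-marked events,
    and a Logger sends events to it at a level low enough for DEBUG entries.
    """
    problems = []
    conf = config.get("configuration", {})
    appenders = [a for a in as_list(conf.get("appenders", {}).get("RollingFile"))
                 if a.get("name") == appender_name]
    if not appenders:
        problems.append(f"no RollingFile appender named {appender_name}")
    else:
        mf = appenders[0].get("filters", {}).get("MarkerFilter", {})
        if mf.get("marker") != "AUDIT" or mf.get("onMatch") != "ACCEPT":
            problems.append("appender has no MarkerFilter accepting the AUDIT marker")
    loggers = [lg for lg in as_list(conf.get("loggers", {}).get("Logger"))
               if any(r.get("ref") == appender_name
                      for r in as_list(lg.get("AppenderRef")))]
    if not loggers:
        problems.append(f"no Logger references appender {appender_name}")
    elif loggers[0].get("level", "").lower() not in ("trace", "debug", "all"):
        problems.append("audit Logger level too high; the page sets trace")
    return problems
```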
Situation severity changes
You can use the Graze endpoint getSituationSeverityChanges to return the changes in severity for a Situation. The highest severity of any of the alerts in a Situation determines the severity of the Situation. This endpoint returns increases in severity and a change to a severity of 0 (Clear).
If a Situation has closed, this endpoint returns a severity of 0 (Clear) and the timestamp when the Situation was closed. The endpoint does not return any further changes in severity after it has returned to 0 (Clear).
See getSituationSeverityChanges for more information.
Examples
Example log file entries with the CONFIG_AUDIT marker:

```
DEBUG: [http-apr-8085-exec-1][20191004 11:40:44.703 +0100] [CMoogSvr.java:703] +|Admin request: [createUser] called by [admin]|+
DEBUG: [http-apr-8085-exec-11][20191004 11:44:21.078 +0100] [CCreateSystemConfig.java:105] +|Admin request: [createSystemConfig] called by [admin]|+
DEBUG: [http-apr-8085-exec-3][20191004 11:44:28.721 +0100] [CDeleteSystemConfig.java:111] +|Admin request: [deleteSystemConfig] called by [admin]|+
DEBUG: [http-apr-8085-exec-8][20191004 11:44:39.936 +0100] [CUpdateSystemConfig.java:109] +|Admin request: [updateSystemConfig] called by [admin]|+
DEBUG: [http-apr-8085-exec-7][20191004 11:54:49.054 +0100] [CMoogSvr.java:703] +|Admin request: [manageAlertColumns] called by [admin]|+
DEBUG: [http-apr-8085-exec-8][20191004 11:56:05.710 +0100] [CMoogSvr.java:703] +|Admin request: [getTempus] called by [admin]|+
DEBUG: [http-apr-8085-exec-7][20191004 12:08:31.005 +0100] [CUpdateSystemConfig.java:109] +|Admin request: [updateSystemConfig] called by [admin]|+
WARN : [http-apr-8085-exec-11][20191004 12:09:34.142 +0100] [CSecurityUtils.java:373] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-3][20191004 12:09:46.173 +0100] [CSecurityUtils.java:368] +|Create session: started [username: [admin]; session: [...6f40ab08]]|+
DEBUG: [http-apr-8085-exec-1][20191004 12:11:16.243 +0100] [CMoogSvr.java:703] +|Admin request: [setFeatureToggleState] called by [admin]|+
```
Example log file entries with the SESSION_AUDIT marker:

```
WARN : [http-apr-8085-exec-4][20191001 15:12:15.399 +0100] [CSecurityUtils.java:385] +|User [aa] account unknown|+
WARN : [http-apr-8085-exec-9][20191001 15:12:24.018 +0100] [CSecurityUtils.java:373] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-9][20191001 15:23:23.666 +0100] [CSecurityUtils.java:498] +|Create session: started [username: [ava]; session: [...141fe68b]]|+
DEBUG: [0:AdapterHandler][20191001 15:25:06.983 +0100] [CSecurityUtilsConfig.java:279] +|Seession [username: [ava]; session: [...141fe68b]] expired.|+
WARN : [http-apr-8085-exec-6][20191001 15:25:21.720 +0100] [CSecurityUtils.java:398] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-3][20191001 15:26:58.446 +0100] [CSecurityUtils.java:498] +|Create session: started [username: [isaac]; session: [...e22b6fa0]]|+
DEBUG: [http-apr-8085-exec-4][20191001 15:29:10.686 +0100] [CSubject.java:263] +|Session username: [isaac]; session: [...e22b6fa0] was closed - user logged out.|+
WARN : [http-apr-8085-exec-7][20191001 15:29:34.546 +0100] [CSecurityUtils.java:398] +|User [aloo] login failed|+
DEBUG: [http-apr-8085-exec-8][20191001 15:35:16.658 +0100] [CSecurityUtils.java:368] +|Create session: started [username: [admin]; session: [...1f8a886f]]|+
DEBUG: [http-apr-8085-exec-1][20191001 15:35:21.893 +0100] [CSubject.java:263] +|Session username: [admin]; session: [...1f8a886f] was closed - user logged out.|+
WARN : [http-apr-8085-exec-7][20191001 15:35:28.212 +0100] [CSecurityUtils.java:398] +|User [admin] login failed|+
```
Example log file entries with the PERMISSIONS_AUDIT marker:

```
DEBUG: [http-apr-8085-exec-8][20200512 17:19:42.525 +0100] [CMoogSvr.java:727] +|Admin request: [createUser] called by [admin]|+
DEBUG: [http-apr-8085-exec-8][20200512 17:19:42.755 +0100] [CDbUserDAO.java:2116] +|User with Id: [5] and name: [newuser] roles changed, new roles are: [[4]].|+
DEBUG: [http-apr-8085-exec-8][20200512 17:19:42.758 +0100] [CDbUserDAO.java:396] +|Created user [newuser]|+
DEBUG: [http-apr-8085-exec-9][20200512 17:20:12.953 +0100] [CMoogSvr.java:727] +|Admin request: [createTeam] called by [admin]|+
DEBUG: [http-apr-8085-exec-9][20200512 17:20:12.997 +0100] [CTeamUpdateServices.java:698] +|Team [my new team 123] created with ID [2]|+
DEBUG: [http-apr-8085-exec-10][20200512 17:20:35.153 +0100] [CMoogSvr.java:727] +|Admin request: [updateRole] called by [admin]|+
DEBUG: [http-apr-8085-exec-10][20200512 17:20:35.156 +0100] [CRoleDao.java:189] +|Updated role: ID: [4], name: [Operator], permissions: [[sig_visualize, sig_modify, sig_resolve, thread_create, add_media, alert_assign, alert_modify, alert_close, filters, prc_feedback, all_data, manage_maint, moolet_informs, view_summary, collab_write, collab_read]].|+
```
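A parser for the entry format produced by the PatternLayout configured above, added here as an example and not part of Moogsoft's own tooling: it splits each line into level, thread, timestamp, source location and message, then counts failed logins per user from SESSION_AUDIT entries and lists the administrative requests recorded under CONFIG_AUDIT and PERMISSIONS_AUDIT. The sample lines are constructed from the page's examples, with one non-audit line added to show that unmatched lines are skipped.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the PatternLayout used on the page:
#   %-5level: [%thread][%date{yyyMMdd HH:mm:ss.SSS Z}] [%file:%line] +|%message|+%n
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s*: \[(?P<thread>[^\]]*)\]"
    r"\[(?P<ts>\d{8} \d\d:\d\d:\d\d\.\d{3} [+-]\d{4})\] "
    r"\[(?P<src>[^\]]*)\] \+\|(?P<msg>.*)\|\+$"
)

# Constructed sample: entries copied from the page's SESSION_AUDIT and
# PERMISSIONS_AUDIT examples, plus one line of non-audit noise.
SAMPLE_LINES = """\
WARN : [http-apr-8085-exec-9][20191001 15:12:24.018 +0100] [CSecurityUtils.java:373] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-9][20191001 15:23:23.666 +0100] [CSecurityUtils.java:498] +|Create session: started [username: [ava]; session: [...141fe68b]]|+
WARN : [http-apr-8085-exec-6][20191001 15:25:21.720 +0100] [CSecurityUtils.java:398] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-4][20191001 15:29:10.686 +0100] [CSubject.java:263] +|Session username: [isaac]; session: [...e22b6fa0] was closed - user logged out.|+
WARN : [http-apr-8085-exec-7][20191001 15:29:34.546 +0100] [CSecurityUtils.java:398] +|User [aloo] login failed|+
not an audit line
DEBUG: [http-apr-8085-exec-8][20200512 17:19:42.525 +0100] [CMoogSvr.java:727] +|Admin request: [createUser] called by [admin]|+
""".splitlines()


def parse_line(line):
    """Split one audit entry into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Timestamp carries a numeric UTC offset, so the result is timezone-aware.
    rec["ts"] = datetime.strptime(rec["ts"], "%Y%m%d %H:%M:%S.%f %z")
    return rec


def failed_logins(lines):
    """Count 'login failed' entries per username (SESSION_AUDIT)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        m = re.fullmatch(r"User \[([^\]]*)\] login failed", rec["msg"])
        if m:
            counts[m.group(1)] += 1
    return counts


def admin_requests(lines):
    """List (request, caller) pairs from 'Admin request' entries."""
    pairs = []
    for rec in filter(None, map(parse_line, lines)):
        m = re.fullmatch(r"Admin request: \[([^\]]*)\] called by \[([^\]]*)\]", rec["msg"])
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs
```

Feeding the real /tmp/audit.log through `failed_logins` and alerting on a per-user count above a threshold is a direct way to turn the SESSION_AUDIT entries into a detection.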