Console audit log
Enabling account audit logs enables Console Audit Logs, IAM Audit logs, and Account API Audit logs. Before you enable them, become familiar with the account audit logs. For more information, see Example of account API audit log structure.
Example of Account API audit log structure
{
  "ApiEvent": {
    "EventName": "<eventname>",
    "Version": "2",
    "Request": {
      "AccountName": "service account name",
      "AccessKey": "<accesskey>",
      "RequestTime": "<hh:mm:ss>",
      "RequestParams": { ... parameters or body ... },
      "SourceIP": "XXYYXX"
    },
    "Response": {
      "ResponseTime": "<response time>",
      "ResponseCode": "<response code>",
      "ResponseError": "<error>",
      "ResponseBody": { ... body (with secret redacted) ... }
    }
  }
}
Event name | API action |
---|---|
| Authenticate and get a session token |
| Test a session token for validity |
| Get historical storage usage by month |
| Get current month storage usage |
| List permissions |
| Create a new permission |
| Get permission by id |
| Delete a permission by id |
| Update a permission |
| List service accounts |
| Create a new service account |
| Get service account data by id |
| Delete a service account by id |
| Update a service account |
| Enable a service account |
| Disable a service account |
| Enable Audit logging on a bucket |
| Disable Audit logging on a bucket |
Example of an account audit log
The following is an example of the console audit log file.
{ "ConsoleVersion": "DEVELOPMENT", "DeploymentID": "dell2", "LoginTime": "2021-01-25T09:19:11.622206Z", "UserIdentity": { "EventSource": "https://dell2.console.localhost:32428", "UserName": "john.doe@email.com", "Role": "admin", "IPAddress": "10.244.142.100:34310" }, "ConsoleEvent": { "Eventname": "add-new-notification-recipient", "Status": "Error while inserting data to table: ", "StatusCode": 13, "EventResponse": "{\"Action\":\"Add NotificationRecipient\",\"FirstName\":\"Fname\",\"LastName\":\"Lname\",\"Email\":\"john.doe@email.com\",\"Partner\":\"dell2\",\"AddedBy\":\"john.doe@email.com\"}", "EventTime": "2021-01-25 09:37:01.505980988 +0000 UTC m=+1421.228517562" } }
The following table includes console operations recorded in the console audit log. The Event name column displays the names that appear inside the console audit log as the eventname parameter value.
Event name | Console operation |
---|---|
| Create bucket |
| Delete bucket |
| Create permission |
| Set object immutability |
| Create permission from an imported file |
| Edit permission |
| Delete permission |
| Create service account |
| Edit service account |
| Service account status change |
| Delete service account |
| Add user |
| User password reset |
| Edit user |
| User enabled/disabled |
| User log out |
| Create support ticket |
| Edit support ticket |
| New comment |
| Add new notification recipient |
| Remove notification recipient |
| Edit notification recipient |
| On/off S3 API audit log |
| On/off Console audit log |
| S3 API audit log setting |
| S3 API audit log bucket setting |
The following table describes the parameters specified in the console audit log file.
Parameter name | Description |
---|---|
| Displays the console version |
| The unique deployment identifier |
| The timestamp in UTC zone |
| The console URL path |
| The login ID of the user |
| The Lyve Cloud user role |
| The user identity IP address |
| Specifies the console operation |
| Displays the human-readable message |
| Displays the status numeric code. For more information, see Status Code table. |
| Displays the resulting action performed by the event name |
| Displays the timestamp in UTC zone |
Status code
The following table provides descriptions for the StatusCode parameter.
Status code | Error | Error details |
---|---|---|
0 | OK Code | OK is returned on success. |
1 | Cancelled Code | The operation is cancelled by the client. |
2 | Unknown Code | Specifies an unknown error. For example, errors raised by APIs that do not return enough error information. |
3 | InvalidArgument Code | The client specifies an invalid argument. |
4 | DeadlineExceeded Code | The operation expired before completion. This error may be returned even if the operation completed successfully but the response was delayed. For example, a successful response from a server could have been delayed long enough for the deadline to expire. |
5 | NotFound Code | Requested entity (file or directory) was not found. |
6 | AlreadyExists Code | An attempt to create an entity failed because one entity already exists. |
7 | PermissionDenied Code | The caller does not have permission to execute the specified operation. |
8 | ResourceExhausted Code | Some resource has been exhausted. |
9 | FailedPrecondition Code | The operation was rejected because the system is not in a state to execute the operation. For example, a directory to be deleted may not be empty. |
10 | Aborted Code | The operation was aborted due to a concurrency issue such as sequencer check failures, transaction aborts, etc. |
11 | OutOfRange Code | The operation was attempted past the valid range. For example, seeking or reading past the end of a file. |
12 | Unimplemented Code | The operation is not implemented, supported, or enabled for this service. |
13 | Internal Code | Indicates internal errors, where some invariants have broken. |
14 | Unavailable Code | The service is currently unavailable. |
15 | DataLoss Code | Indicates unrecoverable data loss or corruption. |
16 | Unauthenticated Code | The request does not have valid authentication credentials for the operation. |
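The following Python sketch is an added example, not part of the original documentation and not Lyve Cloud's own code. It normalizes one console audit log record for alerting: it decodes the JSON nested inside EventResponse, splits IPAddress into host and port, parses the EventTime format shown in the example, and maps StatusCode to the names in the table above. The function names and the REVIEW_FIRST set are assumptions, and the sample record is the page's example with EventResponse shortened.

```python
import json
from datetime import datetime, timezone

# StatusCode names, taken from the status code table above.
STATUS_NAMES = dict(enumerate([
    "OK", "Cancelled", "Unknown", "InvalidArgument", "DeadlineExceeded",
    "NotFound", "AlreadyExists", "PermissionDenied", "ResourceExhausted",
    "FailedPrecondition", "Aborted", "OutOfRange", "Unimplemented",
    "Internal", "Unavailable", "DataLoss", "Unauthenticated"]))
REVIEW_FIRST = {7, 16}  # assumption: triage access-control failures first

def parse_event_time(value):
    """Parse EventTime, e.g. '2021-01-25 09:37:01.505980988 +0000 UTC m=+1421.2'."""
    date, clock, offset = value.split()[:3]  # ignore 'UTC' and the m=+... suffix
    clock = clock[:15] if "." in clock else clock + ".0"  # nanoseconds -> microseconds
    return datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S.%f %z")

def normalize(record):
    """Flatten one console audit log record into fields suitable for alerting."""
    user, event = record["UserIdentity"], record["ConsoleEvent"]
    host, sep, port = user["IPAddress"].rpartition(":")
    if not sep:  # no port present: rpartition puts the whole value last
        host, port = port, None
    try:  # EventResponse is JSON stored inside a string, so decode it again
        response = json.loads(event["EventResponse"])
    except (TypeError, ValueError):
        response = {"raw": event.get("EventResponse")}
    code = event["StatusCode"]
    return {
        "time": parse_event_time(event["EventTime"]).astimezone(timezone.utc),
        "user": user["UserName"], "role": user["Role"],
        "source_ip": host, "source_port": int(port) if port else None,
        "status": STATUS_NAMES.get(code, f"Unrecognized({code})"),
        "failed": code != 0, "review_first": code in REVIEW_FIRST,
        "event": event["Eventname"], "response": response,
    }

# Constructed sample: the page's example record with EventResponse shortened.
SAMPLE = json.loads(r'''{"ConsoleVersion": "DEVELOPMENT", "DeploymentID": "dell2",
 "LoginTime": "2021-01-25T09:19:11.622206Z",
 "UserIdentity": {"EventSource": "https://dell2.console.localhost:32428",
  "UserName": "john.doe@email.com", "Role": "admin",
  "IPAddress": "10.244.142.100:34310"},
 "ConsoleEvent": {"Eventname": "add-new-notification-recipient",
  "Status": "Error while inserting data to table: ", "StatusCode": 13,
  "EventResponse": "{\"Action\":\"Add NotificationRecipient\",\"Partner\":\"dell2\"}",
  "EventTime": "2021-01-25 09:37:01.505980988 +0000 UTC m=+1421.228517562"}}''')

if __name__ == "__main__":
    print(normalize(SAMPLE))
```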
Example of an IAM audit log
The following is an example of an IAM audit log file.
{ "created_date":"2021-01-20T02:04:12.000Z", "organization":"random-org", "org_type":"TENANT", "source":"console", "created_by":"IAM", "content":{ "date": "2016-02-23T19:57:29.532Z", "type": "sapi", "description": "", "connection": "", "connection_id": "", "client_id": "AaiyAPdpYdesoKnqjj8HJqRn4T5titww", "client_name": "My application Name", "ip": "190.257.209.19", "hostname": "190.257.209.19", "user_id": "auth0|56c75c4e42b6359e98374bc2", "user_name": "", "audience": "", "scope": "", "strategy": "", "strategy_type": "", "log_id": "", "isMobile": false, "details": {}, "user_agent": "", "location_info": { "country_code": "", "country_code3": "", "country_name": "", "city_name": "", "latitude": "", "longitude": "", "time_zone": "", "continent_code": "" } }, "bucket_name":"" }
The following table describes the parameters of the IAM audit log file.
Parameter name | Description |
---|---|
| Date when the event occurred in ISO 8601 format. |
| Name of the account. |
| Displays the type of organization: Partner or Tenant. |
| Displays source of the Log. |
| Displays which service created the log. |
| IAM log content. |
| Target bucket name where the log files are stored. Optional and can be left blank. |
The following table describes the data fields for content in the IAM audit log file.
Parameter name | Description |
---|---|
| Date when the event occurred in ISO 8601 format. |
| Type of event. For more information, see Event code list associated with each log event. |
| Description of the event. |
| Name of the connection for the event. |
| ID of the connection for the event. |
| ID of the client (application). |
| Name of the client (application). |
| The IP address of the log event source. |
| Hostname where the event is applied. |
| User ID involved in the event. |
| User name involved in the event. |
| API audience for whom the event is applied. |
| Scope permissions applied to the event. |
| Name of the strategy involved in the event. |
| Type of strategy involved in the event. |
| Unique identifier of the event. |
| Specifies if the client is a mobile device (true), desktop, laptop, or server (false). |
| Additional details about the event (the structure is dependent upon event type). |
| User agents details from the client device that caused the event. |
| Displays information about the location that triggered this event based on the IP. |
The following table describes the data fields for location_info.
Parameter name | Description |
---|---|
| Displays the country code in two-letter |
| Displays the country code in a three-letter |
| Full country name. |
| Full city name. |
| Global latitude (horizontal) position. |
| Global longitude (vertical) position. |
| Time zone name. |
| Displays continent of the country. For example, AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). |
The following table describes the event code associated with each log event.
Event Code | Description |
---|---|
| Update launched. |
| The maximum number of requests to the authentication API in given time has been reached. |
| Passwordless login code/link has been sent. |
| AD/LDAP connector is offline. |
| AD/LDAP connector is online and working. |
| Passwordless login code has been sent. |
| Deprecation notice. |
| User has been deleted. |
| Failed login. |
| Failed by connector. |
| Failed to change user email. |
| Origin is not in the allowed origins list for the specified application. |
| Failed cross-origin authentication. |
| Failed change password. |
| Failed post change password hook. |
| Failed change phone number. |
| Failed change password request. |
| Failed to provision an AD/LDAP connector. |
| Failed to change username. |
| Failed to generate delegation token. |
| Failed to activate device. |
| Device authorization request failed. |
| User did not confirm device. |
| Failed user deletion. |
| Failed to exchange authorization code for access token. |
| Failed exchange of access token for a client credentials grant. |
| Failed to exchange device code for access token. |
| Failed exchange for native social login. |
| Failed exchange of password and OOB challenge for access token. |
| Failed exchange of password and OTP challenge for access token. |
| Failed exchange of password for access token. |
| Failed exchange of passwordless OTP for access token. |
| Failed exchange of password and MFA recovery code for access token. |
| Failed exchange of refresh token for access token. |
| Failed exchange of rotating refresh token. |
| User logout failed. |
| Failed to send email notification. |
| Failed login (incorrect password). |
| Failed signup. |
| Failed silent auth. |
| Failed login (invalid email/username). |
| Failed to import users. |
| Failed to send verification email. |
| Failed to process verification email request. |
| Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure. |
| A user rejected a Multi-factor authentication request via push-notification. |
| Multi-factor authentication success. |
| A first time MFA user has successfully enrolled using one of the factors. |
| A user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times. Ex: A user enrolling in SMS enters the 6-digit code wrong more than 10 times in a row. |
| A user enters a wrong recovery code when attempting to authenticate. |
| A user enters a wrong recovery code too many times. |
| A user successfully authenticates with a recovery code. |
| Push notification for MFA successfully sent. |
| SMS for MFA successfully sent. |
| Attempt to send SMS for MFA failed. |
| Voice call for MFA successfully made. |
| Attempt to make Voice call for MFA failed. |
| Second factor authentication event started for MFA. |
| Multi-factor authentication enroll has started. |
| Guardian tenant update. |
| Device used for second factor authentication has been unenrolled. |
| Device used for second factor authentication has been updated. |
| Rate limit exceeded to |
| An IP address is blocked with 100 failed login attempts using different usernames, all with incorrect passwords in 24 hours, or 50 sign-up attempts per minute from the same IP address. |
| An IP address is blocked with 10 failed login attempts into a single account from the same IP address. |
| Someone behind the IP address: |
| Successful sign-on event. |
| Success API operation. |
| Success change email. |
| Success cross-origin authentication. |
| Success change password. |
| Success post change password hook. |
| Success change phone number. |
| Success change password request. |
| Success change username. |
| Success delegation. |
| User successfully deleted. |
| Successful exchange of authorization code for access token. |
| Successful exchange of access token for a client credentials grant. |
| Successful exchange of device code for access token. |
| Native social login. |
| Successful exchange of password and OOB challenge for access token. |
| Successful exchange of password and OTP challenge for access token. |
| Successful exchange of password for access token. |
| Successful exchange of password and MFA recovery code for access token. |
| Successful exchange of refresh token for access token. |
| Successfully revoked a refresh token. |
| User successfully signed out. |
| Success signup. |
| Silent auth. |
| Successfully imported users. |
| Verification email. |
| Verification email request. |
| Update ended. |
| Update started. |
| Update ended. |
| Update started. |
| User block setup by anomaly detection has been released. |
| Warnings during login. |
On the left-hand menu, select Settings.
On the Settings page, set Account Audit Logs to ON.
On the Audit Log Target Bucket dialog, select the target bucket from the list to store the logs.
You need to select a target bucket only if you are setting the target bucket to write audit logs for the first time. If you already set the target bucket while enabling S3 API audit logs, you are not required to select it again.
Only immutable buckets are displayed in the list.
Select Save.
Disabling account audit logs
On the left-hand menu, select Settings.
On the Settings page, set Account Audit Logs to Off.
After you disable audit logs:
Logs are no longer saved to the target bucket.
The target bucket is still visible in the Audit Logs Target Bucket section.
Editing audit log target bucket
While editing the target bucket to save audit logs, only immutable buckets are displayed for selection.
On the left-hand menu, select Settings.
In the Audit Log Target Bucket section, select Edit.
On the Edit Audit Log Target Bucket dialog, select the target bucket from the Select bucket list and select Save.