Lyve Cloud Documentation

Console audit log

Enabling account audit logs turns on Console audit logs, IAM audit logs, and Account API audit logs. Before you enable them, become familiar with the account audit logs. For more information, see Example of account API audit log structure.

Example of Account API audit log structure

{
    "ApiEvent": {
        "EventName": "<eventname>",
        "Version": "2",
        "Request": {
            "AccountName": "service account name",
            "AccessKey": "<accesskey>",
            "RequestTime": "<hh:mm:ss>",
            "RequestParams": {
                … Parameters or Body …
            },
            "SourceIP": "XXYYXX"
        },
        "Response": {
            "ResponseTime": "<response time>",
            "ResponseCode": "<response code>",
            "ResponseError": "<error>",
            "ResponseBody": {
                … body (with secret redacted) …
            }
        }
    }
}

| Event name | API action |
| --- | --- |
| authenticate-and-get-session-token | Authenticate and get a session token |
| Test-a-session-token-for-validity | Test a session token for validity |
| get-historical-storage-usage-by-month | Get historical storage usage by month |
| get-current-month-storage-usage | Get current month storage usage |
| list-permissions | List permissions |
| create-a-new-permission | Create a new permission |
| get-permission-by-id | Get permission by id |
| delete-a-permission-by-id | Delete a permission by id |
| update-a-permission | Update a permission |
| list-service-accounts | List service accounts |
| create-a-new-service-account | Create a new service account |
| get-service-account-data-by-id | Get service account data by id |
| delete-a-service-account-by-id | Delete a service account by id |
| update-a-service-account | Update a service account |
| enable-a-service-account | Enable a service account |
| disable-a-service-account | Disable a service account |
| enable-audit-logging-on-a-bucket | Enable Audit logging on a bucket |
| disable-audit-logging-on-a-bucket | Disable Audit logging on a bucket |

Example of an account audit log

The following is an example of the console audit log file.

{
    "ConsoleVersion": "DEVELOPMENT",
    "DeploymentID": "dell2",
    "LoginTime": "2021-01-25T09:19:11.622206Z",
    "UserIdentity": {
        "EventSource": "https://dell2.console.localhost:32428",
        "UserName": "john.doe@email.com",
        "Role": "admin",
        "IPAddress": "10.244.142.100:34310"
    },
    "ConsoleEvent": {
        "Eventname": "add-new-notification-recipient",
        "Status": "Error while inserting data to table: ",
        "StatusCode": 13,
        "EventResponse": "{\"Action\":\"Add NotificationRecipient\",\"FirstName\":\"Fname\",\"LastName\":\"Lname\",\"Email\":\"john.doe@email.com\",\"Partner\":\"dell2\",\"AddedBy\":\"john.doe@email.com\"}",
        "EventTime": "2021-01-25 09:37:01.505980988 +0000 UTC m=+1421.228517562"
    }
}

The following table includes console operations recorded in the console audit log. The Event name column displays the names inside the console audit log as an eventname parameter value.

| Event name | Console operation |
| --- | --- |
| create-bucket | Create bucket |
| delete-bucket | Delete bucket |
| create-permission | Create permission |
| set-object-immutablility | Set object immutability |
| create-permission-from-imported-file | Create permission from an imported file |
| edit-permission | Edit permission |
| delete-permission | Delete permission |
| create-service-account | Create service account |
| edit-service-account | Edit service account |
| service-account-status-change | Service account status change |
| service-account-deletion | Delete service account |
| add-user | Add user |
| user-password-reset | User password reset |
| edit-user | Edit user |
| user-enabled-disabled | User enabled/disabled |
| user-logout | User log out |
| create-support-ticket | Create support ticket |
| edit-support-ticket | Edit support ticket |
| new-comment | New comment |
| add-new-notification-recipient | Add new notification recipient |
| remove-notification-recipient | Remove notification recipient |
| edit-notification-recipient | Edit notification recipient |
| on-off-s3-api-audit-log | On/off S3 API audit log |
| on-off-s3-console-audit-log | On/off Console audit log |
| s3-api-audit-log-setting | S3 API audit log setting |
| s3-api-audit-log-bucket-setting | S3 API audit log bucket setting |

The following table describes the parameters specified in the console audit log file.

| Parameter name | Description |
| --- | --- |
| consoleVersion | Displays the console version |
| deploymentid | The unique deployment identifier |
| loginTime | The timestamp in UTC zone |
| eventSource | The console URL path |
| userName | The login ID of the user |
| role | The Lyve Cloud user role |
| ipAddress | The user identity IP address |
| eventname | Specifies the console operation |
| status | Displays the human-readable message |
| statusCode | Displays the numeric status code. For more information, see the Status code table. |
| eventResponse | Displays the resulting action performed by the event name |
| eventTime | Displays the timestamp in UTC zone |

Status code

The following table provides descriptions for the StatusCode parameter.

| Status code | Error | Error details |
| --- | --- | --- |
| 0 | OK Code | OK is returned on success. |
| 1 | Cancelled Code | The operation is cancelled by the client. |
| 2 | Unknown Code | Specifies an unknown error. For example, errors raised by APIs that do not return enough error information. |
| 3 | InvalidArgument Code | The client specifies an invalid argument. |
| 4 | DeadlineExceeded Code | The operation has expired before completion. This error may be returned even if the operation completed successfully but the response was delayed. For example, a successful response from a server could have been delayed long enough for the deadline to expire. |
| 5 | NotFound Code | Requested entity (file or directory) was not found. |
| 6 | AlreadyExists Code | An attempt to create an entity failed because the entity already exists. |
| 7 | PermissionDenied Code | The caller does not have permission to execute the specified operation. |
| 8 | ResourceExhausted Code | Some resource has been exhausted. |
| 9 | FailedPrecondition Code | The operation was rejected because the system is not in a state to execute the operation. For example, a directory to be deleted may not be empty. |
| 10 | Aborted Code | The operation was aborted due to a concurrency issue such as sequencer check failures or transaction aborts. |
| 11 | OutOfRange Code | The operation was attempted past the valid range. For example, seeking or reading past the end of a file. |
| 12 | Unimplemented Code | The operation is not implemented, supported, or enabled for this service. |
| 13 | Internal Code | Indicates internal errors, where some invariants have broken. |
| 14 | Unavailable Code | The service is currently unavailable. |
| 15 | DataLoss Code | Indicates unrecoverable data loss or corruption. |
| 16 | Unauthenticated Code | The request does not have valid authentication credentials for the operation. |
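
As an added example (not Lyve Cloud code), the following Python turns a console audit log record into a flat triage row: it decodes the JSON held as a string in EventResponse, separates the port from IPAddress, and maps StatusCode to the names in the Status code table. The function names, the SENSITIVE_EVENTS watch list and the records built by make_record are assumptions of this example.

```python
import json

# Names from the Status code table on this page, indexed by StatusCode 0..16.
STATUS_NAMES = ("OK Cancelled Unknown InvalidArgument DeadlineExceeded NotFound "
                "AlreadyExists PermissionDenied ResourceExhausted FailedPrecondition "
                "Aborted OutOfRange Unimplemented Internal Unavailable DataLoss "
                "Unauthenticated").split()
# Assumption: this watch list is the example's own pick from the event-name table.
SENSITIVE_EVENTS = {"on-off-s3-api-audit-log", "on-off-s3-console-audit-log",
                    "s3-api-audit-log-setting", "s3-api-audit-log-bucket-setting",
                    "delete-bucket", "user-password-reset", "service-account-deletion"}

def normalize(raw):
    """Flatten one console audit log record (a JSON string) into a triage row."""
    rec = json.loads(raw)
    ident, event = rec["UserIdentity"], rec["ConsoleEvent"]
    host, sep, tail = ident["IPAddress"].rpartition(":")  # sample shows host:port
    try:
        response = json.loads(event["EventResponse"])     # JSON nested in a string
    except (TypeError, ValueError):
        response = {"raw": event.get("EventResponse")}    # keep undecodable text
    code = event["StatusCode"]
    status = STATUS_NAMES[code] if 0 <= code < len(STATUS_NAMES) else f"code-{code}"
    return {"time": event["EventTime"], "user": ident["UserName"],
            "role": ident["Role"], "source_ip": host if sep else tail,
            "event": event["Eventname"], "status": status, "response": response}

def review_flags(row):
    """Return the reasons, if any, that a normalized row should reach an analyst."""
    flags = ["sensitive-operation"] if row["event"] in SENSITIVE_EVENTS else []
    if row["status"] in ("PermissionDenied", "Unauthenticated"):
        flags.append("access-denied")
    elif row["status"] != "OK":
        flags.append("failed")
    return flags

def make_record(eventname, status_code, ip="10.244.142.100:34310"):
    """Constructed sample record shaped like the console audit log example above."""
    return json.dumps({
        "ConsoleVersion": "DEVELOPMENT", "DeploymentID": "dell2",
        "LoginTime": "2021-01-25T09:19:11.622206Z",
        "UserIdentity": {"EventSource": "https://dell2.console.localhost:32428",
                         "UserName": "john.doe@email.com", "Role": "admin",
                         "IPAddress": ip},
        "ConsoleEvent": {"Eventname": eventname, "Status": "",
                         "StatusCode": status_code,
                         "EventResponse": json.dumps({"Action": eventname}),
                         "EventTime": "2021-01-25 09:37:01 +0000 UTC"}})

if __name__ == "__main__":
    for name, code in [("add-new-notification-recipient", 13),
                       ("on-off-s3-console-audit-log", 0), ("delete-bucket", 7)]:
        row = normalize(make_record(name, code))
        print(row["source_ip"], row["event"], row["status"], review_flags(row))
```

The IPAddress split assumes the IPv4 host:port form shown in the sample record.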

Example of an IAM audit log

The following is an example of an IAM audit log file.

{
    "created_date": "2021-01-20T02:04:12.000Z",
    "organization": "random-org",
    "org_type": "TENANT",
    "source": "console",
    "created_by": "IAM",
    "content": {
        "date": "2016-02-23T19:57:29.532Z",
        "type": "sapi",
        "description": "",
        "connection": "",
        "connection_id": "",
        "client_id": "AaiyAPdpYdesoKnqjj8HJqRn4T5titww",
        "client_name": "My application Name",
        "ip": "190.257.209.19",
        "hostname": "190.257.209.19",
        "user_id": "auth0|56c75c4e42b6359e98374bc2",
        "user_name": "",
        "audience": "",
        "scope": "",
        "strategy": "",
        "strategy_type": "",
        "log_id": "",
        "isMobile": false,
        "details": {},
        "user_agent": "",
        "location_info": {
            "country_code": "",
            "country_code3": "",
            "country_name": "",
            "city_name": "",
            "latitude": "",
            "longitude": "",
            "time_zone": "",
            "continent_code": ""
        }
    },
    "bucket_name": ""
}

The following table describes the parameters of the IAM audit log file.

| Parameter name | Description |
| --- | --- |
| created_date | Date when the event occurred in ISO 8601 format. |
| organization | Name of the account. |
| org_type | Displays the type of organization: Partner or Tenant. |
| source | Displays the source of the log. |
| created_by | Displays which service created the log. |
| content | IAM log content. |
| bucket_name | Target bucket name where the log files are stored. Optional and can be left blank. |

The following table describes the data fields of content in the IAM audit log file.

| Parameter name | Description |
| --- | --- |
| date | Date when the event occurred in ISO 8601 format. |
| type | Type of event. For more information, see Event code list associated with each log event. |
| description | Description of the event. |
| connection | Name of the connection for the event. |
| connection_id | ID of the connection for the event. |
| client_id | ID of the client (application). |
| client_name | Name of the client (application). |
| ip | The IP address of the log event source. |
| hostname | Hostname where the event is applied. |
| user_id | User ID involved in the event. |
| user_name | User name involved in the event. |
| audience | API audience for whom the event is applied. |
| scope | Scope permissions applied to the event. |
| strategy | Name of the strategy involved in the event. |
| strategy_type | Type of strategy involved in the event. |
| log_id | Unique identifier of the event. |
| isMobile | Specifies if the client is a mobile device (true), desktop, laptop, or server (false). |
| details | Additional details about the event (the structure is dependent upon event type). |
| user_agent | User agent details from the client device that caused the event. |
| location_info | Displays information about the location that triggered this event based on the IP. |

The following table describes the data fields of location_info.

| Parameter name | Description |
| --- | --- |
| country_code | Displays the country code in two-letter Alpha-2 ISO 3166-1 format. |
| country_code3 | Displays the country code in a three-letter Alpha-3 ISO 3166-1 format. |
| country_name | Full country name. |
| city_name | Full city name. |
| latitude | Global latitude (horizontal) position. |
| longitude | Global longitude (vertical) position. |
| time_zone | Time zone name. |
| continent_code | Displays continent of the country. For example, AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). |

The following table describes the event code associated with each log event.

| Event Code | Description |
| --- | --- |
| admin_update_launch | Update launched. |
| api_limit | The maximum number of requests to the authentication API in a given time has been reached. |
| cls | Passwordless login code/link has been sent. |
| coff | AD/LDAP connector is offline. |
| con | AD/LDAP connector is online and working. |
| cs | Passwordless login code has been sent. |
| depnote | Deprecation notice. |
| du | User has been deleted. |
| f | Failed login. |
| fc | Failed by connector. |
| fce | Failed to change user email. |
| fco | Origin is not in the allowed origins list for the specified application. |
| fcoa | Failed cross-origin authentication. |
| fcp | Failed change password. |
| fcph | Failed post change password hook. |
| fcpn | Failed change phone number. |
| fcpr | Failed change password request. |
| fcpro | Failed to provision an AD/LDAP connector. |
| fcu | Failed to change username. |
| fd | Failed to generate delegation token. |
| fdeac | Failed to activate device. |
| fdeaz | Device authorization request failed. |
| fdecc | User did not confirm device. |
| fdu | Failed user deletion. |
| feacft | Failed to exchange authorization code for access token. |
| feccft | Failed exchange of access token for a client credentials grant. |
| fede | Failed to exchange device code for access token. |
| fens | Failed exchange for native social login. |
| feoobft | Failed exchange of password and OOB challenge for access token. |
| feotpft | Failed exchange of password and OTP challenge for access token. |
| fepft | Failed exchange of password for access token. |
| fepotpft | Failed exchange of passwordless OTP for access token. |
| fercft | Failed exchange of password and MFA recovery code for access token. |
| fertft | Failed exchange of refresh token for access token. |
| ferrt | Failed exchange of rotating refresh token. |
| flo | User logout failed. |
| fn | Failed to send email notification. |
| fp | Failed login (incorrect password). |
| fs | Failed signup. |
| fsa | Failed silent auth. |
| fu | Failed login (invalid email/username). |
| fui | Failed to import users. |
| fv | Failed to send verification email. |
| fvr | Failed to process verification email request. |
| gd_auth_failed | Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure. |
| gd_auth_rejected | A user rejected a multi-factor authentication request via push notification. |
| gd_auth_succeed | Multi-factor authentication success. |
| gd_enrollment_complete | A first time MFA user has successfully enrolled using one of the factors. |
| gd_otp_rate_limit_exceed | A user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times. Ex: A user enrolling in SMS enters the 6-digit code wrong more than 10 times in a row. |
| gd_recovery_failed | A user enters a wrong recovery code when attempting to authenticate. |
| gd_recovery_rate_limit_exceed | A user enters a wrong recovery code too many times. |
| gd_recovery_succeed | A user successfully authenticates with a recovery code. |
| gd_send_pn | Push notification for MFA successfully sent. |
| gd_send_sms | SMS for MFA successfully sent. |
| gd_send_sms_failure | Attempt to send SMS for MFA failed. |
| gd_send_voice | Voice call for MFA successfully made. |
| gd_send_voice_failure | Attempt to make Voice call for MFA failed. |
| gd_start_auth | Second factor authentication event started for MFA. |
| gd_start_enroll | Multi-factor authentication enroll has started. |
| gd_tenant_update | Guardian tenant update. |
| gd_unenroll | Device used for second factor authentication has been unenrolled. |
| gd_update_device_account | Device used for second factor authentication has been updated. |
| limit_delegation | Rate limit exceeded to /delegation endpoint. |
| limit_mu | An IP address is blocked with 100 failed login attempts using different usernames, all with incorrect passwords in 24 hours, or 50 sign-up attempts per minute from the same IP address. |
| limit_wc | An IP address is blocked with 10 failed login attempts into a single account from the same IP address. |
| pwd_leak | Someone behind the IP address: ip attempted to log in with a leaked password. |
| s | Successful sign-on event. |
| sapi | Success API operation. |
| sce | Success change email. |
| scoa | Success cross-origin authentication. |
| scp | Success change password. |
| scph | Success post change password hook. |
| scpn | Success change phone number. |
| scpr | Success change password request. |
| scu | Success change username. |
| sd | Success delegation. |
| sdu | User successfully deleted. |
| seacft | Successful exchange of authorization code for access token. |
| seccft | Successful exchange of access token for a client credentials grant. |
| sede | Successful exchange of device code for access token. |
| sens | Native social login. |
| seoobft | Successful exchange of password and OOB challenge for access token. |
| seotpft | Successful exchange of password and OTP challenge for access token. |
| sepft | Successful exchange of password for access token. |
| sercft | Successful exchange of password and MFA recovery code for access token. |
| sertft | Successful exchange of refresh token for access token. |
| srrt | Successfully revoked a refresh token. |
| slo | User successfully signed out. |
| ss | Success signup. |
| ssa | Silent auth. |
| sui | Successfully imported users. |
| sv | Verification email. |
| svr | Verification email request. |
| sys_os_update_end | Update ended. |
| sys_os_update_start | Update started. |
| sys_update_end | Update ended. |
| sys_update_start | Update started. |
| ublkdu | User block setup by anomaly detection has been released. |
| w | Warnings during login. |
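
As an added example (not Lyve Cloud code), the following Python groups IAM audit records by content.ip and uses the event codes listed above to separate repeated failures against one account from failures spread across many accounts, and to note a sign-on (s) that follows repeated failures. It assumes one JSON record per line; the function names, the min_failures threshold and the sample records are constructed for this example.

```python
import json
from collections import defaultdict

# Event codes from the event code table on this page.
FAILED_LOGIN = {"f", "fp", "fu"}
BLOCK_OR_LEAK = {"limit_wc", "limit_mu", "pwd_leak"}

def summarize(lines, min_failures=3):
    """Group IAM audit events by source IP; min_failures is this example's threshold."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "alerts": set(),
                                  "success_after_failure": False})
    events = sorted((json.loads(l)["content"] for l in lines if l.strip()),
                    key=lambda c: c["date"])  # same-format ISO 8601 UTC sorts as text
    for c in events:
        s = per_ip[c["ip"]]
        if c["type"] in FAILED_LOGIN:
            s["failures"] += 1
            s["users"].add(c.get("user_name") or c.get("user_id") or "?")
        elif c["type"] in BLOCK_OR_LEAK:
            s["alerts"].add(c["type"])
        elif c["type"] == "s" and s["failures"] >= min_failures:
            s["success_after_failure"] = True  # sign-on right after repeated failures
    report = {}
    for ip, s in per_ip.items():
        if s["failures"] < min_failures and not s["alerts"]:
            continue                           # nothing notable from this address
        users = len(s["users"])
        pattern = "many-accounts" if users > 1 else "single-account" if users else "none"
        report[ip] = {"failures": s["failures"], "alerts": sorted(s["alerts"]),
                      "pattern": pattern,
                      "success_after_failure": s["success_after_failure"]}
    return report

def sample(ts, code, ip, user=""):
    """Constructed IAM audit record; only the fields the summary reads are filled."""
    content = {"date": ts, "type": code, "ip": ip, "user_name": user}
    return json.dumps({"created_date": ts, "organization": "random-org",
                       "org_type": "TENANT", "source": "console",
                       "created_by": "IAM", "content": content, "bucket_name": ""})

SAMPLE_LOG = [  # constructed events; addresses come from documentation ranges
    sample("2021-01-20T02:04:10.000Z", "fp", "203.0.113.7", "alice@example.com"),
    sample("2021-01-20T02:04:11.000Z", "fp", "203.0.113.7", "alice@example.com"),
    sample("2021-01-20T02:04:12.000Z", "fp", "203.0.113.7", "alice@example.com"),
    sample("2021-01-20T02:04:13.000Z", "s", "203.0.113.7", "alice@example.com"),
    sample("2021-01-20T02:05:00.000Z", "fu", "198.51.100.9", "bob@example.com"),
    sample("2021-01-20T02:05:01.000Z", "fu", "198.51.100.9", "carol@example.com"),
    sample("2021-01-20T02:05:02.000Z", "fp", "198.51.100.9", "dave@example.com"),
    sample("2021-01-20T02:05:03.000Z", "limit_mu", "198.51.100.9"),
    sample("2021-01-20T02:06:00.000Z", "s", "192.0.2.44", "erin@example.com"),
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```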

Procedure. To enable the account audit log:
  1. On the left-hand menu, select Settings.

  2. On the Settings page, set Account Audit Logs to ON.

  3. On the Audit Log Target Bucket dialog, select the target bucket from the list to store the logs.

    You need to select the target bucket only when you are setting it to write audit logs for the first time. If you already set the target bucket while enabling S3 API audit logs, you do not have to select it again.

    Only immutable buckets are displayed in the list.

  4. Select Save.

Disabling account audit logs
Procedure. To disable account audit logs:
  1. On the left-hand menu, select Settings.

  2. On the Settings page, set Account Audit Logs to Off.

After you disable audit logs:

  • Logs are no longer saved to the target bucket.

  • The target bucket is still visible in the Audit Logs Target Bucket section.

Editing audit log target bucket

While editing the target bucket to save audit logs, only immutable buckets are displayed for selection.

Procedure. To edit console audit logs:
  1. On the left-hand menu, select Settings.

  2. In the Audit Log Target Bucket section, select Edit.

  3. On the Edit Audit Log Target Bucket dialog, select the target bucket from the Select bucket list and select Save.