Turbonomic 6.0 introduced an audit log, intended to help security-conscious customers monitor Turbonomic and the actions that it takes in downstream targets. The audit log is designed to be incorporated into a third-party auditing system or SIEM, such as Splunk, ArcSight, or AlienVault.
This rotating file is located at /var/log/tomcat/audit.log
Example Log entry:
2018-01-17T16:15:17,048 [***.***.***.***] [administrator] TURBONOMICAUDIT: "2018-01-17 16:15:17", "***.***.***.***", "Login", "LoginManager", "result=Success", "Login with one-time password successful for user: administrator"
Log format, for parsing:
- Datetime of the event from the system's clock.
- Local IP
- Initiating user
- Application (TURBONOMICAUDIT)
- Datetime of the event from the application clock. This generally matches the system clock, but that is not guaranteed.
- Remote initiating IP
- Action name (e.g. Login, Logout, etc.)
- Success or failure indication
- Additional details for any log reviewer
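A parser for this layout, with a filter for failed logins, added here as an example and not taken from Turbonomic. The dictionary key names are chosen for this example; "component" is an assumed name for the sample's "LoginManager" value, which the field list does not describe, and the second sample line is constructed, including its "result=Failure" spelling.

```python
import csv
import re

# Unquoted prefix: system-clock time, [local IP], [user], application tag.
PREFIX = re.compile(
    r"^(?P<system_time>\S+) \[(?P<local_ip>[^\]]*)\] \[(?P<user>[^\]]*)\] "
    r"(?P<application>TURBONOMICAUDIT): (?P<payload>.*)$"
)
# Names assigned here to the quoted values, in sample-entry order. "component"
# is an assumed name for the value ("LoginManager") the field list omits.
PAYLOAD_FIELDS = ("app_time", "remote_ip", "action", "component", "result", "details")

def parse_audit_line(line):
    """Return one audit event as a dict, or None if the line does not match."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    # csv keeps commas that occur inside the quoted details text.
    values = next(csv.reader([m["payload"]], skipinitialspace=True), [])
    if len(values) != len(PAYLOAD_FIELDS):
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "payload"}
    event.update(zip(PAYLOAD_FIELDS, values))
    # Anything other than "result=Success" is treated as a failure.
    event["success"] = event["result"].lower() == "result=success"
    return event

def failed_logins(lines):
    """Yield parsed Login events that did not succeed, for alerting."""
    for line in lines:
        event = parse_audit_line(line)
        if event and event["action"] == "Login" and not event["success"]:
            yield event

# First line is the page's sample entry; the second is constructed, and its
# "result=Failure" spelling is an assumption.
SAMPLE = [
    '2018-01-17T16:15:17,048 [***.***.***.***] [administrator] TURBONOMICAUDIT: '
    '"2018-01-17 16:15:17", "***.***.***.***", "Login", "LoginManager", '
    '"result=Success", "Login with one-time password successful for user: administrator"',
    '2018-01-17T16:20:03,511 [192.0.2.10] [bob] TURBONOMICAUDIT: '
    '"2018-01-17 16:20:03", "198.51.100.7", "Login", "LoginManager", '
    '"result=Failure", "Login failed for user: bob, bad password"',
]

if __name__ == "__main__":
    for event in failed_logins(SAMPLE):
        print(event["app_time"], event["remote_ip"], event["user"], event["details"])
```

Lines that return None are worth counting rather than silently dropping, since a change in the log layout would otherwise hide events from the SIEM.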
Non-exhaustive list of actions that are logged, with success or failure:
- Login / Logout
- API calls into the REST API
- Entity actions in targets:
  - Power on / Power off
  - Delete entity
  - Execute Action
- LDAP / AD changes