Audit Log (6.0+)

Document created by costlow Expert on Feb 22, 2018
Version 1

Turbonomic 6.0 introduced an audit log, intended to help security-conscious customers monitor Turbonomic and the actions that it takes in downstream targets. The audit log is designed to be incorporated into a third-party auditing system or SIEM, such as Splunk, ArcSight, or AlienVault.

This rotating file is located at /var/log/tomcat/audit.log

 

Example log entry:

2018-01-17T16:15:17,048 [***.***.***.***] [administrator] TURBONOMICAUDIT: "2018-01-17 16:15:17", "***.***.***.***", "Login", "LoginManager", "result=Success", "Login with one-time password successful for user: administrator"

Log format, for parsing:

  • Datetime of the event from the system's clock.
  • Local IP
  • Initiating user
  • Application (TURBONOMICAUDIT)
  • Datetime of the event from the application's clock. Generally matches the system clock, but this is not guaranteed.
  • Remote initiating IP
  • Action name (e.g. Login, Logout, etc.)
  • Success or failure indication
  • Additional details for any log reviewer
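
One way to parse this format before forwarding it to a SIEM, as an added example that is not Turbonomic's own code. The sample lines are constructed, and the field name "source" is an assumption for the fourth quoted value ("LoginManager" in the example entry), which the list above does not describe.

```python
import csv
import re
from datetime import datetime

# Constructed sample lines in the format of the example entry; the failed
# login and the RFC 5737 documentation IP addresses are made up.
SAMPLE = '''\
2018-01-17T16:15:17,048 [192.0.2.10] [administrator] TURBONOMICAUDIT: "2018-01-17 16:15:17", "198.51.100.7", "Login", "LoginManager", "result=Success", "Login with one-time password successful for user: administrator"
2018-01-17T16:16:02,511 [192.0.2.10] [guest] TURBONOMICAUDIT: "2018-01-17 16:16:02", "198.51.100.7", "Login", "LoginManager", "result=Failure", "Login failed for user: guest"
'''

PREFIX = re.compile(
    r'^(?P<system_time>\S+) \[(?P<local_ip>[^\]]*)\] \[(?P<user>[^\]]*)\] '
    r'TURBONOMICAUDIT: (?P<payload>.*)$')
# "source" is a hypothetical name; the field list does not describe that value.
QUOTED = ("app_time", "remote_ip", "action", "source", "result", "details")


def parse_line(line):
    """Return a dict for one audit line; raise ValueError if it does not fit."""
    m = PREFIX.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a TURBONOMICAUDIT line")
    # csv handles commas that appear inside the quoted details field.
    values = next(csv.reader([m["payload"]], skipinitialspace=True))
    if len(values) != len(QUOTED):
        raise ValueError(f"expected {len(QUOTED)} quoted fields, got {len(values)}")
    rec = {"system_time": m["system_time"], "local_ip": m["local_ip"],
           "user": m["user"], **dict(zip(QUOTED, values))}
    rec["success"] = rec["result"].split("=", 1)[-1].lower() == "success"
    # The two clocks are not guaranteed to agree, so record the difference.
    sys_t = datetime.strptime(rec["system_time"], "%Y-%m-%dT%H:%M:%S,%f")
    app_t = datetime.strptime(rec["app_time"], "%Y-%m-%d %H:%M:%S")
    rec["clock_skew_s"] = (sys_t - app_t).total_seconds()
    return rec


def failed_events(text):
    """Return (failures, unparsed) so that no line is dropped silently."""
    failures, unparsed = [], []
    for line in text.splitlines():
        try:
            rec = parse_line(line)
        except ValueError as exc:
            unparsed.append((line, str(exc)))
            continue
        if not rec["success"]:
            failures.append(rec)
    return failures, unparsed
```

Lines that do not match are returned in the second list rather than discarded, so a format change shows up as a parsing alert instead of a gap in the audit trail.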

 

 

Non-exhaustive list of actions that are logged, with success or failure:

  • Login / Logout
  • API calls into the REST API
  • Entity actions in targets:
    • Power on / Power off
    • Delete entity
    • Suspend
    • Execute Action
    • LDAP / AD changes
  • Etc.