----- Original Message -----
> From: "Jakub Bittner" <[email protected]>
> To: "Itamar Heim" <[email protected]>, "Sander Grendelman" <[email protected]>
> Cc: [email protected], "Piotr Kliczewski" <[email protected]>
> Sent: Friday, December 6, 2013 8:08:17 AM
> Subject: Re: [Users] oVirt auditing
>
> On 5.12.2013 18:34, Itamar Heim wrote:
> > On 12/05/2013 06:13 PM, Jakub Bittner wrote:
> >> On 5.12.2013 17:00, Sander Grendelman wrote:
> >>> https://<your engine host>/api/events
> >> Great, I did not know about this page, it is a better (formatted) source
> >> than logs, but it still has the same issue. I can get info about what
> >> happened, but not exact info about what was done.
> >
> > just btw, this is the "events" log from the webadmin.
> > it covers actions done by users, not content of the edit operation
> > (something piotr started looking into).
> >
> > with the move of the gui to work over the rest api, maybe just
> > auditing the api payload for these actions would be good enough?
> >
> >
> >>
> >> <event href="/api/events/5341" id="5341">
> >> <description>Interface nic1 (VirtIO) was updated for VM
> >> server1.test.org. (User: user1)</description>
> >> <code>934</code>
> >> <severity>normal</severity>
> >> <time>2013-12-05T16:35:46.263+01:00</time>
> >> <correlation_id>7e60ae1</correlation_id>
> >> <user href="/api/users/6d8fd48a-1072-11e3-b3ea-001a4ag8039d"
> >> id="6d8fd48a-1072-11e3-c3ea-001a4aa8039d"/>
> >> <vm href="/api/vms/cc821292-80c0-4b85-a912-0b8a969c22c9"
> >> id="cc821292-80c0-4b85-a832-0b8a969c22c9"/>
> >> <cluster href="/api/clusters/99408929-78cf-4dc7-a532-9d998063fa95"
> >> id="99408929-82cf-4dc7-a532-9d998063fa95"/>
> >> <data_center
> >> href="/api/datacenters/5849b030-626e-47cb-ad90-3ce782d831b3"
> >> id="5849b030-612e-47cb-ad90-3ce782d831b3"/>
> >> <origin>oVirt</origin>
> >> <custom_id>-1</custom_id>
> >> <flood_rate>30</flood_rate>
> >> </event>
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> [email protected]
> >> http://lists.ovirt.org/mailman/listinfo/users
> >
>
> If I can have a suggestion, we discuss audit log and for our SIEM it
> would be a great format like:
>
> user: user1 action: powered off vm: VM1.test.com host: ovirt.test.com
>
> user: user1 action: logged in
>
> user: user1 action: initiated console session VM: VM5.test.com
>
> user: user1 action: changed network interface detail: secure_vlan to
> insecure_vlan on vnic1 vm: testserver.test.com
>

I focused on modifications and used JSON for it, looking like:

{ object='objectName' propertyName='name' oldValue='previousValue' newValue='newValue'}

You could have multiple properties modified, removed and created.
What do you think about this format?
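Added example, not part of the thread and not oVirt code: a sketch of how the event metadata quoted above could be joined with per-property change records using the field names from the reply (object, propertyName, oldValue, newValue), so that a SIEM sees what was changed and not only that an edit happened. The before/after snapshots, their property names and the extra `change` field are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the event quoted in the thread.
EVENT_XML = """<event href="/api/events/5341" id="5341">
  <description>Interface nic1 (VirtIO) was updated for VM server1.test.org. (User: user1)</description>
  <code>934</code>
  <severity>normal</severity>
  <time>2013-12-05T16:35:46.263+01:00</time>
  <correlation_id>7e60ae1</correlation_id>
</event>"""

# Constructed before/after snapshots of the edited vNIC (hypothetical property names).
BEFORE = {"name": "nic1", "network": "secure_vlan", "linked": True}
AFTER = {"name": "nic1", "network": "insecure_vlan", "plugged": True}


def diff_properties(obj_name, before, after):
    """Return one record per created, removed or modified property."""
    changes = []
    for prop in sorted(before.keys() | after.keys()):
        old, new = before.get(prop), after.get(prop)
        if prop not in before:
            kind = "created"
        elif prop not in after:
            kind = "removed"
        elif old != new:
            kind = "modified"
        else:
            continue  # unchanged properties are not audited
        changes.append({"object": obj_name, "propertyName": prop, "change": kind,
                        "oldValue": old, "newValue": new})
    return changes


def audit_record(event_xml, obj_name, before, after):
    """Join the event metadata with the property-level changes."""
    ev = ET.fromstring(event_xml)
    desc = ev.findtext("description", default="")
    # The quoted event names the acting user only inside the description text.
    user = desc.rsplit("(User: ", 1)[1].rstrip(")") if "(User: " in desc else None
    return {"event_id": ev.get("id"), "code": ev.findtext("code"),
            "time": ev.findtext("time"), "user": user,
            "correlation_id": ev.findtext("correlation_id"),
            "description": desc,
            "changes": diff_properties(obj_name, before, after)}


if __name__ == "__main__":
    # One JSON object per line is easy for most log shippers to ingest.
    print(json.dumps(audit_record(EVENT_XML, "nic1", BEFORE, AFTER), sort_keys=True))
```

Keeping the correlation_id in the record lets the property-level changes be tied back to the original entry in the events list.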

