Audit logging
The audit logging capabilities within IBM Cloud Pak for AIOps let you track what changes were made to your system, when they were made, and by whom. The recorded audit logs contain the actions that were completed or attempted by users or services of your IBM Cloud Pak for AIOps system. This auditing helps you ensure accountability, traceability, and regulatory compliance for data access, modification, and security within your IBM Cloud Pak for AIOps environment.
If you require that your environment supports the Federal Regulatory Compliance Standard (FISMA), you need to ensure that audit logging is enabled in your environment.
What is audited in IBM Cloud Pak for AIOps?
IBM Cloud Pak for AIOps capabilities audit the following types of actions, which can return, manage, manipulate, or access sensitive data:
- Successful and unsuccessful login attempts
- Authentication checks
- Authorization checks
- Account management events
- Object access
- Policy changes
- Privileged functions
- Data access
- Data changes
- Process tracking
- System events
- Administrator activities
- Permission changes
For more information and details about what is logged for IBM Cloud Pak for AIOps, see Logged actions and data for auditing.
How do you configure audit logging?
Application logging
For IBM Cloud Pak for AIOps capabilities, audit logging is configured and enabled by default.
For Infrastructure Automation, you need to enable audit logging during installation. For the list of audit-related installation parameters, see Installation parameters.
IBM Cloud Pak for AIOps uses the IBM Cloud Pak foundational services Identity Management (IM) and Integrated UI (Platform UI Zen) services. For more information about audit logging for these services, see Auditing IM service.
Platform logging
If you have a deployment of IBM Cloud Pak for AIOps or Infrastructure Automation on Red Hat OpenShift, then you must configure audit logging for platform level calls. For Red Hat OpenShift Container Platform audit logging, see the Red Hat OpenShift Container Platform documentation Viewing audit logs.
If you have a deployment of IBM Cloud Pak for AIOps on Linux®, then platform logging is enabled by default. Logs are stored in the aiopsctl directory on each control plane node. Logs are retained for up to 30 days, with a maximum total log size of 1 GB.
How do you view a record of audit logs?
- For IBM Cloud Pak for AIOps capabilities, the audit logs for all recorded actions are written to standard output (stdout) in JSON format.

  Viewing audit logs for a deployment on Red Hat OpenShift
  You can view an audit log for a pod by using the oc logs command. If you want to, or need to, view multiple audit logs, you can ingest and view the logs with a log aggregator, such as the logging subsystem for Red Hat OpenShift. With this logging subsystem, you can aggregate all the logs from your OpenShift Container Platform cluster, including IBM Cloud Pak for AIOps audit logs. You can then view the logs with the Kibana web console. For more information about the logging subsystem for Red Hat OpenShift, see the Red Hat OpenShift documentation Installing the logging subsystem for Red Hat OpenShift.
  You can also use other services for log aggregation, such as Falcon LogScale or an Elasticsearch, Logstash, and Kibana (ELK) stack.
  Run the following command to view the API audit logs, which are stored in the ibm-nginx pod logs (the grep keeps only the JSON audit events, which carry an eventTime field, and drops the other lines that the pod writes to stdout):
  oc logs -l component=ibm-nginx -c ibm-nginx-container | grep eventTime

  Viewing audit logs for a deployment on Linux
  To review the audit logs, run the following command on a control plane node:
  ls ~/.aiopsctl/logs/
  Example output:
  aiopsctl.log audit-2024-09-18T15-17-26.791.log audit-2024-09-18T16-11-15.367.log audit.log
- For Infrastructure Automation, Infrastructure Management appliances use the systemd logger, journalctl, for audit logging. Appliances that run UI workers log the UI requests. Appliances that run the web services role log the API requests.
  Logging for podified deployments uses the standard output (stdout) logger. You can view these logs through an oc logs command. To view a log, you need to specify the correct UI or web service pod.
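The oc logs output described above mixes JSON audit events (the lines that carry eventTime) with ordinary pod output, which is why the documented command pipes through grep eventTime. The following is an added example, not IBM's code or part of this documentation, of how a defender might consume that stream once it has been captured: it parses only well-formed JSON audit events, selects a time window, and counts failed logins per user, which is the kind of check an operator would run when reviewing the "Successful and unsuccessful login attempts" category above. Only the eventTime field name comes from this page; the action, outcome, user and sourceIP field names, and the sample lines themselves, are constructed assumptions for the example, so map them to the real schema from the Audit log messages reference before using this against a live deployment.

```python
"""Added example (not IBM's code): parse and summarise Cloud Pak for AIOps
audit events captured from `oc logs`.

Assumptions: only `eventTime` is a field name taken from the documentation.
`action`, `outcome`, `user` and `sourceIP` are hypothetical names used here
for illustration and must be mapped to the real audit message schema.
"""
import json
import sys
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of what `oc logs -l component=ibm-nginx ...` might emit:
# JSON audit events interleaved with access-log lines and other pod output.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2024:15:17:26 +0000] "GET /healthz HTTP/1.1" 200 2
{"eventTime": "2024-09-18T15:17:26.791Z", "action": "login", "outcome": "failure", "user": "alice", "sourceIP": "203.0.113.7"}
{"eventTime": "2024-09-18T15:17:40.102Z", "action": "login", "outcome": "failure", "user": "alice", "sourceIP": "203.0.113.7"}
{"level": "info", "msg": "configuration reload complete"}
{"eventTime": "2024-09-18T15:18:02.450Z", "action": "login", "outcome": "success", "user": "alice", "sourceIP": "203.0.113.7"}
{"eventTime": "2024-09-18T16:11:15.367Z", "action": "policy.update", "outcome": "success", "user": "bob", "sourceIP": "10.0.0.9"}
{"eventTime": "2024-09-18T16:12:00.000Z", "action": "login", "outcome": "failure", "user": "svc-backup", "sourceIP": "198.51.100.4"}
not json at all {{{
"""


def _parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2024-09-18T15:17:26.791Z to an
    aware UTC datetime. Python < 3.11 does not accept a trailing 'Z', so it
    is rewritten as an explicit +00:00 offset first."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_audit_events(text):
    """Return the JSON audit events in `text` as dicts, in log order.

    Lines that are not JSON, or JSON objects without eventTime, are skipped.
    This is the schema-aware equivalent of `| grep eventTime`: a plain grep
    would also match an unrelated line that merely mentions the word."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # access-log or free-text output, not an audit event
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupted line; do not guess at it
        if isinstance(obj, dict) and "eventTime" in obj:
            obj["_ts"] = _parse_ts(obj["eventTime"])
            events.append(obj)
    return events


def events_between(events, start_iso, end_iso):
    """Events with start_iso <= eventTime < end_iso (ISO-8601 strings)."""
    start, end = _parse_ts(start_iso), _parse_ts(end_iso)
    return [e for e in events if start <= e["_ts"] < end]


def failed_logins_by_user(events, threshold=2):
    """Users with at least `threshold` failed logins in the given events.
    Repeated failures for one account are the usual first indicator of a
    password-guessing attempt and are worth alerting on."""
    counts = Counter(
        e.get("user", "<unknown>")
        for e in events
        if e.get("action") == "login" and e.get("outcome") == "failure"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Usage: oc logs -l component=ibm-nginx -c ibm-nginx-container | python3 audit_summary.py --stdin
    # Without --stdin the constructed sample above is used.
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_LOG
    evts = parse_audit_events(text)
    print(f"{len(evts)} audit events parsed")
    for user, n in sorted(failed_logins_by_user(evts).items()):
        print(f"{user}: {n} failed logins")
```

On the constructed sample the script reports 5 audit events and flags alice with 2 failed logins; svc-backup has only one and stays under the default threshold. Because audit events are plain JSON on stdout, the same parser works unchanged on lines exported from Kibana or an ELK pipeline.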
What is included in an audit log
The audit log messages for a recorded action or event in IBM Cloud Pak for AIOps include information to identify the action or event that occurred, when the action or event occurred, the action or event source and outcome, and the identity of the associated user or service.
For more information about what is included in audit log messages, including example messages, see Audit log messages.