Audit log messages

For IBM Cloud Pak for AIOps capabilities, the log message entries for a recorded action or event include information to identify the action or event that occurred, when the action or event occurred, the action or event source and outcome, and the identity of the associated user or service.

Note: Some audit-specific fields, such as the username, are part of a generic message field and are not broken out into a dedicated field.

For Infrastructure Automation Infrastructure management, the audit log messages include the HTTP method, username, role, request ID, session ID, requested URL path, and details for any specific privilege checks.

For example, a request to load the dashboard at /dashboard/show logs the show action and the privilege check (dashboard_view) for that page. Some pages can have multiple privilege checks as the UI determines what data a user can view or act upon.

Log messages

Log messages can include the following details:

Table. Log message details

| Field Name | Required (IBM Cloud Pak for AIOps) | Required (UI) | Required (API) | Description | Example | Jsonpath in logging (API) |
|---|---|---|---|---|---|---|
| logType | Yes | Yes | Yes | Indicates that this is an audit message, so that audit messages can be easily distinguished from other log messages. This is always set to audit. | audit | |
| id | No | No | No | The unique ID for the request. | 271bfd04-a625-48ec-b33c-c7e9958f646c | |
| initiator.id | Yes | Yes | Yes | ID of the identity or user that initiated the action. | User IAM ID<br>API key | .request.headers.audit-initiator-id |
| initiator.name | Yes | Yes | Yes | Name of the identity or user that initiated the action. | username for users<br>system<br>policy-service for policy actions. | .request.headers.audit-initiator-name |
| initiator.typeURI | Yes | Yes | Yes | CADF URI description of the initiator type. For UI audit logs, this URI is most likely the user. | security/account/user for cookie or user initiated actions<br>security/account/service or security/account/admin for apikey or service or system initiated actions. | .request.headers.audit-initiator-typeuri |
| initiator.credential.type | Yes | Yes | Yes | Type of authentication provided by the initiator. For UI audit logs, the value is often cookie. | token<br>user<br>apikey<br>cookie<br>unknown | .request.headers.audit-initiator-credential-type |
| initiator.credential.identity_status | No | No | No | Status of the identity authentication for the initiator or user. | Confirmed<br>Denied<br>Unknown | request.headers.audit-initiator-credential-identity_status |
| initiator.host.address | No | No | No | Source IP from where the request originated. | IP address of the Red Hat OpenShift Load Balancer. | .client_ip |
| initiator.host.agent | N/A | N/A | Yes | The client type of the API request. | curl/7.61.1<br>HTTPie/2.4.0 | .request.headers.user-agent |
| target.name | Yes | Yes | Yes | The name of the service that is accepting the request. For UI audit logs, this is populated as an environment variable in the deployed UI server (AUDIT_SERVICE_NAME). | service; resource<br>api.acme.com | .service.host |
| target.id | Yes | No | Yes | CRN of the service accepting this request. For UI audit logs, this value is populated as an environment variable in the deployed UI server (AUDIT_SERVICE_CRN). | b7dd7db9-45f2-4c05-abb5-01466c2abcdf | .service.host |
| target.typeURI | Yes | No | Yes | This is a constant value that is stored in AUDIT_RESOURCE_CADF_URI. | service for HTTP/Ansible<br>system for Script<br>service | |
| requestData.path | Yes | Yes | Yes | The request path, such as the API, which indicates the specific request being made of the service. | api/v2/inventories/<br>d220b490-7c75-11ed-b6f3-23388646a3b9 | .request.uri |
| requestData.type | No | Yes | No | The request method, which indicates whether this is a view, create, update, or delete. | GET<br>PUT<br>DELETE<br>POST | .request.method |
| requestData.actionId | No | No | No | Automation/Action ID. | c6ccc725-3e54-493d-a114-de5130e7c64b | |
| action | Yes | No | Yes | The action that triggers an event. This is superseded by requestData.method. | create<br>update<br>delete<br>deploy<br>authenticate<br>view<br>create | |
| outcome | Yes | Yes | Yes | Was the action successful? | success<br>pending<br>failure<br>unknown<br>success | |
| reason.reasonCode | Yes | Yes | Yes | The HTTP response code of the result. | 200 for success. | .response.status |
| reason.reasonSize | Yes | Yes | Yes | The HTTP response size of the result. | 116 | .response.size |
| reason.message | Yes | No | Yes | The HTTP response message explaining the result. For API, follow the format 'action [custom data] [outcome]'. | OK for success. view success | |
| eventTime | Yes | Yes | Yes | The time, date, and time zone of the event in Coordinated Universal Time (UTC). | 2022-11-14T11:28:54.753Z | .started_at |
| attachments.content.correlation_id | No | No | No | An optional ID that can be used to correlate multi-part audit logs. | ccccccc-eeee-dddd-aaaa-bbbbbbbbbbbb | |

Examples

Example: Policy action audit log

The following message is an example audit log message for policy actions:

{
  "eventTime": "2024-05-21T15:22:23+00:00",
  "initiator": {
    "credential.type": "token",
    "id": "1000331001",
    "name": "cpadmin",
    "typeURI": "security/account/user"
  },
  "logType": "audit",
  "reason": {
    "reasonCode": "200"
  },
  "requestData": {
    "path": "/aiops/api/issue-resolution/v1/alerts",
    "type": "GET"
  },
  "target": {
    "name": "cpd-cp4waiops.example.com",
    "typeURI": "service"
  }
}

Example: UI audit log

The following JSON is an example of an audit log message for the UI pod:

{
  "logType": "audit",
  "initiator": {
    "id": "1000331001",
    "name": "cpadmin",
    "typeURI": "security/account/user",
    "credential": {
      "type": "cookie",
      "identity_status": "Confirmed"
    }
  },
  "requestData": {
    "path": "/aiops/homepage/api/application",
    "type": "GET"
  },
  "target": {
    "name": "--"
  },
  "outcome": "success",
  "reason": {
    "reasonCode": 200,
    "message": "OK"
  },
  "eventTime": "2024-11-01T03:13:06.747Z"
}

Example: Automation audit log

The following JSON is an example of an automation audit log message:

{
  "logType": "audit",
  "attachments": {
    "content": {
      "correlation_id": "c8084070-9aca-11ef-a826-21984ee4e499",
      "context": "runbook:302457ed-cd0d-4634-b5df-ae332562fcd4,runbookinstance:c8cb3d062ab8d7b0783cbf47e45761d5"
    },
    "type": "application/json"
  },
  "initiator": {
    "id": "ld",
    "name": "user123@mymail.com",
    "typeURI": "security/account/user"
  },
  "level": 30,
  "target": {
    "name": "mytarget@example.com",
    "typeURI": "service"
  },
  "requestData": {
    "path": "/json",
    "type": "GET",
    "actionId": "95735585-61fa-4544-a865-57652188dd00",
    "action": "http.execute"
  },
  "eventTime": "2024-11-04T16:35:20.326Z",
  "reason": {
    "reasonCode": 200,
    "message": "OK"
  },
  "outcome": "success",
  "msg": "Security Audit Log Record",
  "time": "2024-11-04T16:35:20.883Z",
  "v": 0
}

Example: API audit log

The following JSON is an example of an API audit log message:

{
    "outcome": "success",
    "eventTime": "2023-02-03T06:13:17Z",
    "reason": {
        "reasonSize": 438,
        "message": "view success",
        "reasonCode": 200
    },
    "initiator": {
        "name": "admin",
        "host": {
            "agent": "curl/7.61.1",
            "address": "10.9.5.41"
        },
        "id": "1000330999",
        "typeURI": "security/account/user",
        "credential": {
            "idenity_status": "Confirmed",
            "type": "token"
        }
    },
    "requestData": {
        "type": "GET",
        "path": "/aiops/api/application-manager/topology-rest-observer/v1/healthcheck"
    },
    "target": {
        "id": "aiops-topology-rest-observer.katamari.9104.svc",
        "typeURI": "service",
        "name": "aiops-topology-rest-observer.katamari.9104.svc"
    },
    "action": "view"
}
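
The following is an added example, not IBM code: a completeness check that a log pipeline could run on JSON audit records before indexing them, using the Required columns of the "Log message details" table. It flattens each record to dotted paths so that the nested form (`"credential": {"type": ...}`) and the dotted-key form seen in the policy example (`"credential.type"`) are treated alike. The profile names `aiops`, `ui` and `api`, the function names and the sample records are assumptions made for this example.

```python
import json
PROFILES = ("aiops", "ui", "api")  # table columns: Cloud Pak for AIOps, UI, API
# Required flags transcribed from the "Log message details" table (Y = Yes).
REQUIRED_ROWS = """
logType                   Y Y Y
initiator.id              Y Y Y
initiator.name            Y Y Y
initiator.typeURI         Y Y Y
initiator.credential.type Y Y Y
initiator.host.agent      - - Y
target.name               Y Y Y
target.id                 Y N Y
target.typeURI            Y N Y
requestData.path          Y Y Y
requestData.type          N Y N
action                    Y N Y
outcome                   Y Y Y
reason.reasonCode         Y Y Y
reason.reasonSize         Y Y Y
reason.message            Y N Y
eventTime                 Y Y Y
"""

def flatten(obj, prefix=""):
    """Map nested keys to dotted paths; a literal "credential.type" key lands on the same path."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def required_fields(profile):
    col = PROFILES.index(profile) + 1
    rows = (line.split() for line in REQUIRED_ROWS.strip().splitlines())
    return [row[0] for row in rows if row[col] == "Y"]

def check_record(text, profile):
    """Return a list of problems for one JSON log line; an empty list means it passes."""
    try:
        record = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(record, dict):
        return ["not a JSON object"]
    flat = flatten(record)
    problems = [f"missing {f}" for f in required_fields(profile) if flat.get(f) in (None, "")]
    if flat.get("logType", "audit") != "audit":
        problems.append(f"logType is {flat['logType']!r}, expected 'audit'")
    return problems

# Constructed records (not captured from a real system), modelled on the UI example above.
USER = {"id": "1000331001", "name": "cpadmin", "typeURI": "security/account/user"}
BASE = {"logType": "audit", "outcome": "success", "target": {"name": "--"},
        "requestData": {"path": "/aiops/homepage/api/application", "type": "GET"},
        "reason": {"reasonCode": 200, "reasonSize": 116},
        "eventTime": "2024-11-01T03:13:06.747Z"}
NESTED = json.dumps({**BASE, "initiator": {**USER, "credential": {"type": "cookie"}}})
DOTTED = json.dumps({**BASE, "initiator": {**USER, "credential.type": "cookie"}})
if __name__ == "__main__":
    for name, text in (("nested", NESTED), ("dotted", DOTTED)):
        print(name, "ui:", check_record(text, "ui"), "api:", check_record(text, "api"))
```

A record that passes the UI profile can still fail the API profile, because the API column additionally requires the user agent, target ID and type, action and reason message.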

Example: Infrastructure Management audit log

The following example log shows an audit log that includes log entries for successful requests, logon failures, requests that failed due to missing product features, and an invalid (stale) session.

[----] W, [2023-01-27T10:02:29.500256 #17089:5a398]  WARN -- audit: <AuditFailure> Username [blah], from: [Base.audit_failure], Authentication failed for userid blah
[----] I, [2023-01-27T10:02:36.633339 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], from: [Base.audit_success], User admin successfully validated by EVM
[----] I, [2023-01-27T10:02:36.636510 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], from: [Base.audit_success], Authentication successful for user admin
[----] I, [2023-01-27T10:02:37.045266 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Action: show
[----] I, [2023-01-27T10:02:37.045501 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.294107 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [387576de-5e70-4517-867e-9d10259b8b73], Method [GET], Path [/dashboard/widget_chart_data/48] Action: widget_chart_data
[----] I, [2023-01-27T10:02:39.294856 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [387576de-5e70-4517-867e-9d10259b8b73], Method [GET], Path [/dashboard/widget_chart_data/48] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.440698 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [4f302068-b92a-497f-8c20-4c3e99c33057], Method [GET], Path [/dashboard/widget_report_data/19] Action: widget_report_data
[----] I, [2023-01-27T10:02:39.443928 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [4f302068-b92a-497f-8c20-4c3e99c33057], Method [GET], Path [/dashboard/widget_report_data/19] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.647895 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [efaa6a1e-ad5c-4f9f-9daf-e95be6cd1af5], Method [GET], Path [/dashboard/widget_report_data/17] Action: widget_report_data
[----] I, [2023-01-27T10:02:39.649264 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [efaa6a1e-ad5c-4f9f-9daf-e95be6cd1af5], Method [GET], Path [/dashboard/widget_report_data/17] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.934904 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [5912f12d-3a7c-497e-9766-9c62e18ea247], Method [GET], Path [/dashboard/widget_menu_data/34] Action: widget_menu_data
[----] I, [2023-01-27T10:02:39.935245 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [5912f12d-3a7c-497e-9766-9c62e18ea247], Method [GET], Path [/dashboard/widget_menu_data/34] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.990627 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [1a7b7ec1-8d37-44ee-bd1a-6b857e4d5de0], Method [GET], Path [/dashboard/widget_chart_data/100] Action: widget_chart_data
[----] I, [2023-01-27T10:02:39.993080 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [1a7b7ec1-8d37-44ee-bd1a-6b857e4d5de0], Method [GET], Path [/dashboard/widget_chart_data/100] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.183948 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [33b791e5-2ba9-4493-af46-4a66e91978eb], Method [GET], Path [/dashboard/widget_report_data/20] Action: widget_report_data
[----] I, [2023-01-27T10:02:40.184786 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [33b791e5-2ba9-4493-af46-4a66e91978eb], Method [GET], Path [/dashboard/widget_report_data/20] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.395302 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [37b40523-d8e0-4db2-8450-e1d20947f5c9], Method [GET], Path [/dashboard/widget_chart_data/6] Action: widget_chart_data
[----] I, [2023-01-27T10:02:40.395566 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [37b40523-d8e0-4db2-8450-e1d20947f5c9], Method [GET], Path [/dashboard/widget_chart_data/6] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.441604 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [7615b645-1426-49c2-bede-cc6ab2ff0043], Method [GET], Path [/dashboard/widget_chart_data/74] Action: widget_chart_data
[----] I, [2023-01-27T10:02:40.442043 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [7615b645-1426-49c2-bede-cc6ab2ff0043], Method [GET], Path [/dashboard/widget_chart_data/74] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.665204 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [dd1cbac8-db78-4026-9582-3c8eb227d01f], Method [GET], Path [/dashboard/widget_report_data/16] Action: widget_report_data
[----] I, [2023-01-27T10:02:40.666085 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [dd1cbac8-db78-4026-9582-3c8eb227d01f], Method [GET], Path [/dashboard/widget_report_data/16] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:41.652177 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [8cecb5c5-13da-4404-b6c5-1a0bec224cfb], Method [GET], Path [/dashboard/widget_report_data/18] Action: widget_report_data
[----] I, [2023-01-27T10:02:41.652878 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [8cecb5c5-13da-4404-b6c5-1a0bec224cfb], Method [GET], Path [/dashboard/widget_report_data/18] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:21.677049 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [16bfe549-1d36-49bc-9ce5-6ec260c91021], Method [GET], Path [/ems_configuration/show_list] Action: show_list
[----] I, [2023-01-27T10:07:25.466777 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [44f4f937-d391-4891-846e-95cf52939b47], Method [POST], Path [/ems_configuration/report_data] Action: report_data
[----] I, [2023-01-27T10:07:25.888963 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], from: [User.logoff], User admin has logged off
[----] I, [2023-01-27T10:07:31.609288 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], from: [Base.audit_success], User joe successfully validated by EVM
[----] I, [2023-01-27T10:07:31.612001 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], from: [Base.audit_success], Authentication successful for user joe
[----] I, [2023-01-27T10:07:31.765188 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [39a967af-c46c-47ba-9e5b-1b22489593fc], Method [GET], Path [/dashboard/show] Action: show
[----] I, [2023-01-27T10:07:31.765429 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [39a967af-c46c-47ba-9e5b-1b22489593fc], Method [GET], Path [/dashboard/show] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.210210 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [59e3e495-6d25-4400-aff3-edbe48259f4a], Method [GET], Path [/dashboard/widget_report_data/19] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.210718 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [59e3e495-6d25-4400-aff3-edbe48259f4a], Method [GET], Path [/dashboard/widget_report_data/19] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.272283 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [c25464a9-76f0-495e-a063-af52e727fddf], Method [GET], Path [/dashboard/widget_report_data/17] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.272675 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [c25464a9-76f0-495e-a063-af52e727fddf], Method [GET], Path [/dashboard/widget_report_data/17] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.368293 #17089:5a398]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [2009ddce-eaa3-46fb-bc92-ea5fd67b3160], Method [GET], Path [/dashboard/widget_chart_data/6] Action: widget_chart_data
[----] I, [2023-01-27T10:07:33.368664 #17089:5a398]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [2009ddce-eaa3-46fb-bc92-ea5fd67b3160], Method [GET], Path [/dashboard/widget_chart_data/6] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.520539 #17089:13e0c]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [4f942385-cdae-448f-98a4-5ad34f2f7e2d], Method [GET], Path [/dashboard/widget_chart_data/5] Action: widget_chart_data
[----] I, [2023-01-27T10:07:33.521192 #17089:13e0c]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [4f942385-cdae-448f-98a4-5ad34f2f7e2d], Method [GET], Path [/dashboard/widget_chart_data/5] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.617704 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [6d4f162d-015a-4dc1-ad3b-9359b240e48d], Method [GET], Path [/dashboard/widget_chart_data/1] Action: widget_chart_data
[----] I, [2023-01-27T10:07:33.618119 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [6d4f162d-015a-4dc1-ad3b-9359b240e48d], Method [GET], Path [/dashboard/widget_chart_data/1] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.728720 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [b9f522e3-d590-4c27-8792-fabfb6b9ff11], Method [GET], Path [/dashboard/widget_report_data/20] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.729039 #17089:66d00]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [b9f522e3-d590-4c27-8792-fabfb6b9ff11], Method [GET], Path [/dashboard/widget_report_data/20] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.817352 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [f12ff6f5-3c67-485a-8751-5526e33d40ca], Method [GET], Path [/dashboard/widget_report_data/18] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.818016 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [f12ff6f5-3c67-485a-8751-5526e33d40ca], Method [GET], Path [/dashboard/widget_report_data/18] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.924635 #17089:13e0c]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [5ee0792a-4262-4184-96d0-49c4dd7a2c13], Method [GET], Path [/dashboard/widget_report_data/16] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.924891 #17089:13e0c]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [5ee0792a-4262-4184-96d0-49c4dd7a2c13], Method [GET], Path [/dashboard/widget_report_data/16] Features checked: dashboard_view
[----] W, [2023-01-27T10:07:41.826427 #17089:5a5dc]  WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [fbb15be3-4137-4f12-b10c-6ba4ab451652], Method [GET], Path [/ops/explorer] Action: explorer
[----] W, [2023-01-27T10:07:41.964517 #17089:5a5dc]  WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [75430ae8-c62b-40f3-a0f9-fb8b1e43b611], Method [GET], Path [/dashboard/auth_error] Authentication Error Redirect
[----] I, [2023-01-27T10:07:55.728336 #17089:66cb0]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [8a36b777-e757-41d1-b90a-507fa97ab767], Method [GET], Path [/report/explorer] Action: explorer
[----] I, [2023-01-27T10:07:57.033934 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [919c4db0-ed64-4075-bc72-e22e85db77f5], Method [POST], Path [/report/tree_select?id=root&text=All%2520Saved%2520Reports] Action: tree_select
[----] I, [2023-01-27T10:07:57.035044 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [919c4db0-ed64-4075-bc72-e22e85db77f5], Method [POST], Path [/report/tree_select?id=root&text=All%2520Saved%2520Reports] Features checked: miq_report_saved_reports
[----] I, [2023-01-27T10:07:57.476854 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [833b8d0a-d8e5-4788-98d6-d7361a1c277a], Method [POST], Path [/report/report_data] Action: report_data
[----] I, [2023-01-27T10:07:59.567570 #17089:5a398]  INFO -- audit: <AuditSuccess> Username [joe], from: [User.logoff], User joe has logged off
[----] W, [2023-01-27T10:10:34.973016 #17089:66cb0]  WARN -- audit: <AuditFailure> Username [], Role [], Request [710978e7-20ec-4709-8678-5ea03718eb43], Method [GET], Path [/ops/explorer] Invalid Session
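
The following is an added example, not part of the product: a parser for the line format shown in the log above that merges the `Action` and `Features checked` lines sharing a Request ID and labels the failure entries the page describes (logon failure, failed request, invalid session). The sample lines are copied from the log above; the field layout is inferred from that log only, and the function names and finding labels are assumptions made for this example.

```python
import re

# Six lines copied from the example log above.
SAMPLE = """\
[----] W, [2023-01-27T10:02:29.500256 #17089:5a398]  WARN -- audit: <AuditFailure> Username [blah], from: [Base.audit_failure], Authentication failed for userid blah
[----] I, [2023-01-27T10:02:37.045266 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Action: show
[----] I, [2023-01-27T10:02:37.045501 #17089:5a5dc]  INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Features checked: dashboard_view
[----] W, [2023-01-27T10:07:41.826427 #17089:5a5dc]  WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [fbb15be3-4137-4f12-b10c-6ba4ab451652], Method [GET], Path [/ops/explorer] Action: explorer
[----] W, [2023-01-27T10:07:41.964517 #17089:5a5dc]  WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [75430ae8-c62b-40f3-a0f9-fb8b1e43b611], Method [GET], Path [/dashboard/auth_error] Authentication Error Redirect
[----] W, [2023-01-27T10:10:34.973016 #17089:66cb0]  WARN -- audit: <AuditFailure> Username [], Role [], Request [710978e7-20ec-4709-8678-5ea03718eb43], Method [GET], Path [/ops/explorer] Invalid Session
"""

LINE = re.compile(r"\[(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+) #\d+:\w+\]\s+\w+ -- audit: "
                  r"<(?P<result>Audit\w+)> (?P<body>.*)")
PAIR = re.compile(r"(\w+):? \[([^\]]*)\]")  # "Username [admin]", "from: [User.logoff]"

def parse(line):
    """Return a dict for one audit line, or None if the line is not an audit entry."""
    m = LINE.search(line)
    if not m:
        return None
    ev = {key.lower(): value for key, value in PAIR.findall(m["body"])}
    # Free text after the last bracketed field, e.g. "Action: show" or "Invalid Session".
    ev.update(ts=m["ts"], result=m["result"],
              detail=m["body"].rsplit("]", 1)[-1].strip(" ,"))
    return ev

def classify(ev):
    """Label the failure kinds present in the page's log; None for successes."""
    if ev["result"] != "AuditFailure":
        return None
    if ev["detail"] == "Invalid Session":
        return "invalid_session"
    if "from" in ev:
        return "auth_failure"      # logon failure: no Role or Request ID yet
    if ev["detail"].startswith("Action:"):
        return "request_denied"    # the requested action itself failed
    return "other_failure"         # e.g. "Authentication Error Redirect"

def correlate(lines):
    """Group request lines by Request ID and collect failure findings in log order."""
    requests, findings = {}, []
    for ev in filter(None, map(parse, lines)):
        kind = classify(ev)
        if kind:
            findings.append((kind, ev.get("username", ""), ev.get("path", "")))
        if "request" not in ev:
            continue
        req = requests.setdefault(ev["request"], {
            "user": ev.get("username", ""), "role": ev.get("role", ""),
            "method": ev.get("method", ""), "path": ev.get("path", ""),
            "result": ev["result"], "action": None, "features": []})
        label, _, value = ev["detail"].partition(": ")
        if label == "Action":
            req["action"] = value
        elif label == "Features checked":
            req["features"].append(value)
    return requests, findings

if __name__ == "__main__":
    reqs, found = correlate(SAMPLE.splitlines())
    print(*found, *reqs.items(), sep="\n")
```

Because logon failures carry no Request ID and invalid-session entries have an empty Username and Role, alerting on these entries has to key on the timestamp and path rather than on the user.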