Audit log messages
For IBM Cloud Pak for AIOps capabilities, the log message entries for a recorded action or event include information to identify the action or event that occurred, when the action or event occurred, the action or event source and outcome, and the identity of the associated user or service.
Note: Some audit-specific fields, such as the username, are part of a generic message field and are not broken out into a dedicated field.
For Infrastructure Automation Infrastructure management, the audit log messages include the HTTP method, username, role, request ID, session ID, requested URL path, and details for any specific privilege checks.
For example, a request to load the dashboard at /dashboard/show logs the show action and the privilege check (dashboard_view) for that page. Some pages can have multiple privilege checks as the UI determines what data a user can view or act upon.
Log messages
Log messages can include the following details:
Field Name | Required (IBM Cloud Pak for AIOps) | Required (UI) | Required (API) | Description | Example | Jsonpath in logging (API) |
---|---|---|---|---|---|---|
logType | Yes | Yes | Yes | An indicator that this is an audit message, which makes it easy to tell audit messages apart from other log messages. This is always set to audit. | audit | |
id | No | No | No | The unique ID for the request. | 271bfd04-a625-48ec-b33c-c7e9958f646c | |
initiator.id | Yes | Yes | Yes | ID of the identity or user that initiated the action. | User IAM ID API key | .request.headers.audit-initiator-id |
initiator.name | Yes | Yes | Yes | Name of the identity or user that initiated the action. | username for users; system policy-service for policy actions. | .request.headers.audit-initiator-name |
initiator.typeURI | Yes | Yes | Yes | CADF URI description of the initiator type. For UI audit logs, this URI is most likely the user. | security/account/user for cookie or user initiated actions; security/account/service or security/account/admin for apikey or service or system initiated actions. | .request.headers.audit-initiator-typeuri |
initiator.credential.type | Yes | Yes | Yes | Type of authentication provided by the initiator. For UI audit logs, the value is often cookie. | token, user, apikey, cookie, unknown | .request.headers.audit-initiator-credential-type |
initiator.credential.identity_status | No | No | No | Status of the identity authentication for the initiator or user. | Confirmed, Denied, Unknown | request.headers.audit-initiator-credential-identity_status |
initiator.host.address | No | No | No | Source IP from where the request originated. | IP address of the Red Hat OpenShift Load Balancer. | .client_ip |
initiator.host.agent | N/A | N/A | Yes | The client type of the API request. | curl/7.61.1, HTTPie/2.4.0 | .request.headers.user-agent |
target.name | Yes | Yes | Yes | The name of the service that is accepting the request. For UI audit logs, this is populated as an environment variable in the deployed UI server (AUDIT_SERVICE_NAME). | service; resource api.acme.com | .service.host |
target.id | Yes | No | Yes | CRN of the service accepting this request. For UI audit logs, this value is populated as an environment variable in the deployed UI server (AUDIT_SERVICE_CRN). | b7dd7db9-45f2-4c05-abb5-01466c2abcdf | .service.host |
target.typeURI | Yes | No | Yes | This is a constant value that is stored in AUDIT_RESOURCE_CADF_URI. | service for HTTP/Ansible; system for Script | service |
requestData.path | Yes | Yes | Yes | The request path, such as the API, which indicates the specific request being made of the service. | api/v2/inventories/ d220b490-7c75-11ed-b6f3-23388646a3b9 | .request.uri |
requestData.type | No | Yes | No | The request method, which indicates whether this is a view, create, update, or delete. | GET, PUT, DELETE, POST | .request.method |
requestData.actionId | No | No | No | Automation/Action ID. | c6ccc725-3e54-493d-a114-de5130e7c64b | |
action | Yes | No | Yes | The action that triggers an event. This is superseded by requestData.method. | create, update, delete, deploy, authenticate | view create |
outcome | Yes | Yes | Yes | Was the action successful? | success, pending, failure, unknown | success |
reason.reasonCode | Yes | Yes | Yes | The HTTP response code of the result. | 200 for success. | .response.status |
reason.reasonSize | Yes | Yes | Yes | The HTTP response size of the result. | 116 | .response.size |
reason.message | Yes | No | Yes | The HTTP response message explaining the result. For the API, the message follows the format 'action [custom data] [outcome]'. | OK for success. | view success |
eventTime | Yes | Yes | Yes | The time, date, and time zone of the event in Coordinated Universal Time (UTC). | 2022-11-14T11:28:54.753Z | .started_at |
attachments.content.correlation_id | No | No | No | An optional ID that can be used to correlate multi-part audit logs. | ccccccc-eeee-dddd-aaaa-bbbbbbbbbbbb | |
Examples
Example: Policy action audit log
The following message is an example audit log message for policy actions:
{
  "eventTime": "2024-05-21T15:22:23+00:00",
  "initiator": {
    "credential.type": "token",
    "id": "1000331001",
    "name": "cpadmin",
    "typeURI": "security/account/user"
  },
  "logType": "audit",
  "reason": {
    "reasonCode": "200"
  },
  "requestData": {
    "path": "/aiops/api/issue-resolution/v1/alerts",
    "type": "GET"
  },
  "target": {
    "name": "cpd-cp4waiops.example.com",
    "typeURI": "service"
  }
}
Example: UI audit log
The following JSON is an example of an audit log message for the UI pod:
{
  "logType": "audit",
  "initiator": {
    "id": "1000331001",
    "name": "cpadmin",
    "typeURI": "security/account/user",
    "credential": {
      "type": "cookie",
      "identity_status": "Confirmed"
    }
  },
  "requestData": {
    "path": "/aiops/homepage/api/application",
    "type": "GET"
  },
  "target": {
    "name": "--"
  },
  "outcome": "success",
  "reason": {
    "reasonCode": 200,
    "message": "OK"
  },
  "eventTime": "2024-11-01T03:13:06.747Z"
}
Example: Automation audit log
The following JSON is an example of an automation audit log message:
{
  "logType": "audit",
  "attachments": {
    "content": {
      "correlation_id": "c8084070-9aca-11ef-a826-21984ee4e499",
      "context": "runbook:302457ed-cd0d-4634-b5df-ae332562fcd4,runbookinstance:c8cb3d062ab8d7b0783cbf47e45761d5"
    },
    "type": "application/json"
  },
  "initiator": {
    "id": "ld",
    "name": "user123@mymail.com",
    "typeURI": "security/account/user"
  },
  "level": 30,
  "target": {
    "name": "mytarget@example.com",
    "typeURI": "service"
  },
  "requestData": {
    "path": "/json",
    "type": "GET",
    "actionId": "95735585-61fa-4544-a865-57652188dd00",
    "action": "http.execute"
  },
  "eventTime": "2024-11-04T16:35:20.326Z",
  "reason": {
    "reasonCode": 200,
    "message": "OK"
  },
  "outcome": "success",
  "msg": "Security Audit Log Record",
  "time": "2024-11-04T16:35:20.883Z",
  "v": 0
}
Example: API audit log
The following JSON is an example of an API audit log message:
{
  "outcome": "success",
  "eventTime": "2023-02-03T06:13:17Z",
  "reason": {
    "reasonSize": 438,
    "message": "view success",
    "reasonCode": 200
  },
  "initiator": {
    "name": "admin",
    "host": {
      "agent": "curl/7.61.1",
      "address": "10.9.5.41"
    },
    "id": "1000330999",
    "typeURI": "security/account/user",
    "credential": {
      "idenity_status": "Confirmed",
      "type": "token"
    }
  },
  "requestData": {
    "type": "GET",
    "path": "/aiops/api/application-manager/topology-rest-observer/v1/healthcheck"
  },
  "target": {
    "id": "aiops-topology-rest-observer.katamari.9104.svc",
    "typeURI": "service",
    "name": "aiops-topology-rest-observer.katamari.9104.svc"
  },
  "action": "view"
}
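The JSON examples above do not share one shape: the policy example stores credential.type as a dotted key and reasonCode as a string, while the others nest credential and use a number. The following added example (not part of the product or its documentation) resolves the table's dotted field names against either layout and reports which required fields a record lacks; the names lookup, review and REQUIRED are hypothetical, the field lists are transcribed from the table, and the sample record is constructed.

```python
import json

# Fields marked "Yes" in the table on this page, per "Required" column.
COMMON = ["logType", "initiator.id", "initiator.name", "initiator.typeURI",
          "initiator.credential.type", "target.name", "requestData.path",
          "outcome", "reason.reasonCode", "reason.reasonSize", "eventTime"]
REQUIRED = {
    "ui": COMMON + ["requestData.type"],
    "api": COMMON + ["initiator.host.agent", "target.id", "target.typeURI",
                     "action", "reason.message"],
}
_MISSING = object()


def lookup(node, path):
    """Resolve a dotted field name against nested and dotted-key layouts."""
    if not path:
        return node
    if not isinstance(node, dict):
        return _MISSING
    parts = path.split(".")
    # Longest literal key first: "credential.type", then "credential" -> "type".
    for i in range(len(parts), 0, -1):
        key = ".".join(parts[:i])
        if key in node:
            found = lookup(node[key], ".".join(parts[i:]))
            if found is not _MISSING:
                return found
    return _MISSING


def review(line, profile):
    """Return (missing required fields, needs_review) for one JSON log line."""
    record = json.loads(line)
    missing = [name for name in REQUIRED[profile]
               if lookup(record, name) in (_MISSING, None, "")]
    # reasonCode is a string in one example on this page, a number in others.
    code = str(lookup(record, "reason.reasonCode"))
    status = lookup(record, "initiator.credential.identity_status")
    needs_review = (lookup(record, "outcome") == "failure"
                    or (code.isdigit() and int(code) >= 400)
                    or status == "Denied")
    return missing, needs_review


# Constructed sample: dotted credential key, string reasonCode, no reasonSize.
SAMPLE = json.dumps({
    "logType": "audit", "eventTime": "2024-11-01T03:13:06.747Z",
    "initiator": {"id": "1000331001", "name": "cpadmin",
                  "typeURI": "security/account/user",
                  "credential.type": "cookie"},
    "requestData": {"path": "/aiops/homepage/api/application", "type": "GET"},
    "target": {"name": "--"}, "outcome": "unknown",
    "reason": {"reasonCode": "403", "message": "Forbidden"},
})
```

Running review over each line before forwarding to a log store shows which records would break field-based searches and alerts.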
Example: Infrastructure Management audit log
The following example log shows an audit log that includes log entries for successful requests, logon failures, requests that failed due to missing product features, and an invalid (stale) session.
[----] W, [2023-01-27T10:02:29.500256 #17089:5a398] WARN -- audit: <AuditFailure> Username [blah], from: [Base.audit_failure], Authentication failed for userid blah
[----] I, [2023-01-27T10:02:36.633339 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], from: [Base.audit_success], User admin successfully validated by EVM
[----] I, [2023-01-27T10:02:36.636510 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], from: [Base.audit_success], Authentication successful for user admin
[----] I, [2023-01-27T10:02:37.045266 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Action: show
[----] I, [2023-01-27T10:02:37.045501 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.294107 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [387576de-5e70-4517-867e-9d10259b8b73], Method [GET], Path [/dashboard/widget_chart_data/48] Action: widget_chart_data
[----] I, [2023-01-27T10:02:39.294856 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [387576de-5e70-4517-867e-9d10259b8b73], Method [GET], Path [/dashboard/widget_chart_data/48] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.440698 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [4f302068-b92a-497f-8c20-4c3e99c33057], Method [GET], Path [/dashboard/widget_report_data/19] Action: widget_report_data
[----] I, [2023-01-27T10:02:39.443928 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [4f302068-b92a-497f-8c20-4c3e99c33057], Method [GET], Path [/dashboard/widget_report_data/19] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.647895 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [efaa6a1e-ad5c-4f9f-9daf-e95be6cd1af5], Method [GET], Path [/dashboard/widget_report_data/17] Action: widget_report_data
[----] I, [2023-01-27T10:02:39.649264 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [efaa6a1e-ad5c-4f9f-9daf-e95be6cd1af5], Method [GET], Path [/dashboard/widget_report_data/17] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.934904 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [5912f12d-3a7c-497e-9766-9c62e18ea247], Method [GET], Path [/dashboard/widget_menu_data/34] Action: widget_menu_data
[----] I, [2023-01-27T10:02:39.935245 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [5912f12d-3a7c-497e-9766-9c62e18ea247], Method [GET], Path [/dashboard/widget_menu_data/34] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:39.990627 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [1a7b7ec1-8d37-44ee-bd1a-6b857e4d5de0], Method [GET], Path [/dashboard/widget_chart_data/100] Action: widget_chart_data
[----] I, [2023-01-27T10:02:39.993080 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [1a7b7ec1-8d37-44ee-bd1a-6b857e4d5de0], Method [GET], Path [/dashboard/widget_chart_data/100] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.183948 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [33b791e5-2ba9-4493-af46-4a66e91978eb], Method [GET], Path [/dashboard/widget_report_data/20] Action: widget_report_data
[----] I, [2023-01-27T10:02:40.184786 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [33b791e5-2ba9-4493-af46-4a66e91978eb], Method [GET], Path [/dashboard/widget_report_data/20] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.395302 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [37b40523-d8e0-4db2-8450-e1d20947f5c9], Method [GET], Path [/dashboard/widget_chart_data/6] Action: widget_chart_data
[----] I, [2023-01-27T10:02:40.395566 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [37b40523-d8e0-4db2-8450-e1d20947f5c9], Method [GET], Path [/dashboard/widget_chart_data/6] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.441604 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [7615b645-1426-49c2-bede-cc6ab2ff0043], Method [GET], Path [/dashboard/widget_chart_data/74] Action: widget_chart_data
[----] I, [2023-01-27T10:02:40.442043 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [7615b645-1426-49c2-bede-cc6ab2ff0043], Method [GET], Path [/dashboard/widget_chart_data/74] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:40.665204 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [dd1cbac8-db78-4026-9582-3c8eb227d01f], Method [GET], Path [/dashboard/widget_report_data/16] Action: widget_report_data
[----] I, [2023-01-27T10:02:40.666085 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [dd1cbac8-db78-4026-9582-3c8eb227d01f], Method [GET], Path [/dashboard/widget_report_data/16] Features checked: dashboard_view
[----] I, [2023-01-27T10:02:41.652177 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [8cecb5c5-13da-4404-b6c5-1a0bec224cfb], Method [GET], Path [/dashboard/widget_report_data/18] Action: widget_report_data
[----] I, [2023-01-27T10:02:41.652878 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [8cecb5c5-13da-4404-b6c5-1a0bec224cfb], Method [GET], Path [/dashboard/widget_report_data/18] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:21.677049 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [16bfe549-1d36-49bc-9ce5-6ec260c91021], Method [GET], Path [/ems_configuration/show_list] Action: show_list
[----] I, [2023-01-27T10:07:25.466777 #17089:66d00] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [44f4f937-d391-4891-846e-95cf52939b47], Method [POST], Path [/ems_configuration/report_data] Action: report_data
[----] I, [2023-01-27T10:07:25.888963 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], from: [User.logoff], User admin has logged off
[----] I, [2023-01-27T10:07:31.609288 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], from: [Base.audit_success], User joe successfully validated by EVM
[----] I, [2023-01-27T10:07:31.612001 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], from: [Base.audit_success], Authentication successful for user joe
[----] I, [2023-01-27T10:07:31.765188 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [39a967af-c46c-47ba-9e5b-1b22489593fc], Method [GET], Path [/dashboard/show] Action: show
[----] I, [2023-01-27T10:07:31.765429 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [39a967af-c46c-47ba-9e5b-1b22489593fc], Method [GET], Path [/dashboard/show] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.210210 #17089:66d00] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [59e3e495-6d25-4400-aff3-edbe48259f4a], Method [GET], Path [/dashboard/widget_report_data/19] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.210718 #17089:66d00] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [59e3e495-6d25-4400-aff3-edbe48259f4a], Method [GET], Path [/dashboard/widget_report_data/19] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.272283 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [c25464a9-76f0-495e-a063-af52e727fddf], Method [GET], Path [/dashboard/widget_report_data/17] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.272675 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [c25464a9-76f0-495e-a063-af52e727fddf], Method [GET], Path [/dashboard/widget_report_data/17] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.368293 #17089:5a398] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [2009ddce-eaa3-46fb-bc92-ea5fd67b3160], Method [GET], Path [/dashboard/widget_chart_data/6] Action: widget_chart_data
[----] I, [2023-01-27T10:07:33.368664 #17089:5a398] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [2009ddce-eaa3-46fb-bc92-ea5fd67b3160], Method [GET], Path [/dashboard/widget_chart_data/6] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.520539 #17089:13e0c] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [4f942385-cdae-448f-98a4-5ad34f2f7e2d], Method [GET], Path [/dashboard/widget_chart_data/5] Action: widget_chart_data
[----] I, [2023-01-27T10:07:33.521192 #17089:13e0c] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [4f942385-cdae-448f-98a4-5ad34f2f7e2d], Method [GET], Path [/dashboard/widget_chart_data/5] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.617704 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [6d4f162d-015a-4dc1-ad3b-9359b240e48d], Method [GET], Path [/dashboard/widget_chart_data/1] Action: widget_chart_data
[----] I, [2023-01-27T10:07:33.618119 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [6d4f162d-015a-4dc1-ad3b-9359b240e48d], Method [GET], Path [/dashboard/widget_chart_data/1] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.728720 #17089:66d00] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [b9f522e3-d590-4c27-8792-fabfb6b9ff11], Method [GET], Path [/dashboard/widget_report_data/20] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.729039 #17089:66d00] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [b9f522e3-d590-4c27-8792-fabfb6b9ff11], Method [GET], Path [/dashboard/widget_report_data/20] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.817352 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [f12ff6f5-3c67-485a-8751-5526e33d40ca], Method [GET], Path [/dashboard/widget_report_data/18] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.818016 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [f12ff6f5-3c67-485a-8751-5526e33d40ca], Method [GET], Path [/dashboard/widget_report_data/18] Features checked: dashboard_view
[----] I, [2023-01-27T10:07:33.924635 #17089:13e0c] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [5ee0792a-4262-4184-96d0-49c4dd7a2c13], Method [GET], Path [/dashboard/widget_report_data/16] Action: widget_report_data
[----] I, [2023-01-27T10:07:33.924891 #17089:13e0c] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [5ee0792a-4262-4184-96d0-49c4dd7a2c13], Method [GET], Path [/dashboard/widget_report_data/16] Features checked: dashboard_view
[----] W, [2023-01-27T10:07:41.826427 #17089:5a5dc] WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [fbb15be3-4137-4f12-b10c-6ba4ab451652], Method [GET], Path [/ops/explorer] Action: explorer
[----] W, [2023-01-27T10:07:41.964517 #17089:5a5dc] WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [75430ae8-c62b-40f3-a0f9-fb8b1e43b611], Method [GET], Path [/dashboard/auth_error] Authentication Error Redirect
[----] I, [2023-01-27T10:07:55.728336 #17089:66cb0] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [8a36b777-e757-41d1-b90a-507fa97ab767], Method [GET], Path [/report/explorer] Action: explorer
[----] I, [2023-01-27T10:07:57.033934 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [919c4db0-ed64-4075-bc72-e22e85db77f5], Method [POST], Path [/report/tree_select?id=root&text=All%2520Saved%2520Reports] Action: tree_select
[----] I, [2023-01-27T10:07:57.035044 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [919c4db0-ed64-4075-bc72-e22e85db77f5], Method [POST], Path [/report/tree_select?id=root&text=All%2520Saved%2520Reports] Features checked: miq_report_saved_reports
[----] I, [2023-01-27T10:07:57.476854 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [joe], Role [EvmRole-user], Request [833b8d0a-d8e5-4788-98d6-d7361a1c277a], Method [POST], Path [/report/report_data] Action: report_data
[----] I, [2023-01-27T10:07:59.567570 #17089:5a398] INFO -- audit: <AuditSuccess> Username [joe], from: [User.logoff], User joe has logged off
[----] W, [2023-01-27T10:10:34.973016 #17089:66cb0] WARN -- audit: <AuditFailure> Username [], Role [], Request [710978e7-20ec-4709-8678-5ea03718eb43], Method [GET], Path [/ops/explorer] Invalid Session
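In the log above, one request produces several lines (Action, then Features checked) that share a Request ID, and failures appear in four shapes. The following added example (not part of the product or its documentation) parses the line format shown, merges lines per request and lists the failures; the function names and the failure labels are chosen here, and the regular expressions assume the layout seen in this example log.

```python
import re

# Timestamp, result marker and message body of one audit line.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+) #\w+:\w+\]\s+\w+ -- audit: "
    r"<(?P<kind>AuditSuccess|AuditFailure)> (?P<body>.*)$")
# Leading "Name [value]," pairs, e.g. Username [joe] or from: [User.logoff].
# Assumes values contain no "]"; a username that does ends the pair early.
PAIR = re.compile(r"(\w+):? \[([^\]]*)\],?\s*")

def parse_line(line):
    """Return one audit line as a dict, or None if it is not an audit line."""
    m = HEADER.search(line)
    if not m:
        return None
    event = {"ts": m["ts"], "failure": m["kind"] == "AuditFailure"}
    body, pos = m["body"], 0
    while (pair := PAIR.match(body, pos)):
        event[pair[1].lower()] = pair[2]
        pos = pair.end()
    event["detail"] = body[pos:].strip()      # e.g. "Action: show"
    return event

def classify(event):
    """Name the kind of failure (labels chosen here), None for success."""
    if not event["failure"]:
        return None
    if "request" not in event:
        return "login_failure"                # logged before any request exists
    if event["detail"] == "Invalid Session":
        return "invalid_session"
    if event["detail"].startswith("Action:"):
        return "request_denied"
    return "auth_error_redirect"

def summarize(lines):
    """Merge lines that share a Request ID and list every failure."""
    requests, findings = {}, []
    for event in filter(None, map(parse_line, lines)):
        rid = event.get("request")
        if rid:
            req = requests.setdefault(rid, {
                "user": event.get("username"), "path": event.get("path"),
                "action": None, "features": []})
            key, _, value = event["detail"].partition(": ")
            if key == "Action":
                req["action"] = value
            elif key == "Features checked":
                req["features"].append(value)  # kept verbatim
        kind = classify(event)
        if kind:
            findings.append(
                (event["ts"], kind, event.get("username"), event.get("path")))
    return requests, findings

# Six lines copied from the example log above.
SAMPLE = """\
[----] W, [2023-01-27T10:02:29.500256 #17089:5a398] WARN -- audit: <AuditFailure> Username [blah], from: [Base.audit_failure], Authentication failed for userid blah
[----] I, [2023-01-27T10:02:37.045266 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Action: show
[----] I, [2023-01-27T10:02:37.045501 #17089:5a5dc] INFO -- audit: <AuditSuccess> Username [admin], Role [EvmRole-super_administrator], Request [e35c5068-9cee-41c9-89c7-a12024b61e82], Method [GET], Path [/dashboard/show] Features checked: dashboard_view
[----] W, [2023-01-27T10:07:41.826427 #17089:5a5dc] WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [fbb15be3-4137-4f12-b10c-6ba4ab451652], Method [GET], Path [/ops/explorer] Action: explorer
[----] W, [2023-01-27T10:07:41.964517 #17089:5a5dc] WARN -- audit: <AuditFailure> Username [joe], Role [EvmRole-user], Request [75430ae8-c62b-40f3-a0f9-fb8b1e43b611], Method [GET], Path [/dashboard/auth_error] Authentication Error Redirect
[----] W, [2023-01-27T10:10:34.973016 #17089:66cb0] WARN -- audit: <AuditFailure> Username [], Role [], Request [710978e7-20ec-4709-8678-5ea03718eb43], Method [GET], Path [/ops/explorer] Invalid Session
""".splitlines()
```

Calling summarize(SAMPLE) returns the per-request view and the failure list; the invalid-session line carries an empty username, so alerting on it has to key on the path and source rather than on the user.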