Authentication and authorization audit logs
Your product generates authentication and authorization audit logs. The auth-idp service generates authentication audit events, and the auth-pdp service generates authorization audit logs.
The audit logs contain the following fields.
Field name | Data saved | Description | Example |
---|---|---|---|
initiator.id | Source of an action | ID of the source that initiated the action | LDAP ID; ID of an API key |
initiator.typeURI | URI of the source | URI of the source of action | service; user |
initiator.credential.type | Type of ID | Type of ID of the source of action | token; API key |
target.name | Target of an action | The endpoint on which the action is initiated. | service; resource |
target.id | ID of the target | Cloud Resource Name (CRN) value of the service or resource | crn:v1:icp:private:platform-service:::core:service:metering-service |
target.typeURI | URI of the target | URI of the target on which the action is initiated. | resource; API key; secret |
action | Action that is requested | The action that triggers an event. | create; update; delete; deploy; authenticate |
outcome | Result of the action | The result of the requested action. | success; pending; failure |
reason.reasonCode | HTTP response code | The response code of the result. | 200 for success |
severity | Severity level | The severity level of the event. | critical; normal |
eventTime | Timestamp | The time, date, and time zone of the event. | 2018-04-20 20:15:00.32 +0000 UTC |
All create, read, update, and delete (CRUD) operations that are related to a directory, user, user group, and team are logged.
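The field table above is enough to write a small consumer for these records. The following is an added example, not code shipped with the product or taken from the auth-idp or auth-pdp services: it parses constructed audit records that carry the documented fields (initiator.id, initiator.typeURI, target.typeURI, action, outcome, reason.reasonCode, severity, eventTime), tallies outcomes, and flags any initiator that accumulates repeated authentication failures inside a short window, which is the kind of check a SIEM rule would run over these logs. The one-record-per-line JSON encoding, the nesting of the dotted field names, the sample values and the thresholds are all assumptions.

```python
"""Parse constructed auth audit records and flag repeated authentication failures.

Added illustration only; not product code. Field names follow the audit-log
field table; the JSON-lines encoding and sample values are assumptions.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# eventTime format as shown in the field table: 2018-04-20 20:15:00.32 +0000 UTC
EVENT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z %Z"

# Constructed CRN, reused for every sample record (value taken from the field table).
TARGET_CRN = "crn:v1:icp:private:platform-service:::core:service:metering-service"


def _rec(initiator_id, initiator_type, cred, action, outcome, code, event_time,
         target_type="service"):
    """Build one constructed audit record as a JSON line (sample data, not real output)."""
    return json.dumps({
        "initiator": {"id": initiator_id, "typeURI": initiator_type,
                      "credential": {"type": cred}},
        "target": {"name": target_type, "id": TARGET_CRN, "typeURI": target_type},
        "action": action, "outcome": outcome,
        "reason": {"reasonCode": code}, "severity": "normal",
        "eventTime": event_time,
    })


ALICE = "uid=alice,ou=users,dc=example,dc=com"   # constructed LDAP ID
BOB = "uid=bob,ou=users,dc=example,dc=com"       # constructed LDAP ID
API_KEY = "apikey-0001"                          # constructed API key ID

# Constructed sample log: alice fails four times in 70 seconds, bob fails once,
# an API key performs a successful create, and one line is not JSON at all.
SAMPLE_LOG = "\n".join([
    _rec(ALICE, "user", "token", "authenticate", "failure", 401, "2018-04-20 20:15:00.32 +0000 UTC"),
    _rec(ALICE, "user", "token", "authenticate", "failure", 401, "2018-04-20 20:15:20.00 +0000 UTC"),
    _rec(BOB, "user", "token", "authenticate", "success", 200, "2018-04-20 20:15:30.00 +0000 UTC"),
    _rec(ALICE, "user", "token", "authenticate", "failure", 401, "2018-04-20 20:15:45.10 +0000 UTC"),
    _rec(API_KEY, "service", "API key", "create", "success", 200, "2018-04-20 20:16:00.00 +0000 UTC", "resource"),
    _rec(ALICE, "user", "token", "authenticate", "failure", 401, "2018-04-20 20:16:10.00 +0000 UTC"),
    _rec(BOB, "user", "token", "authenticate", "failure", 401, "2018-04-20 20:17:00.00 +0000 UTC"),
    "this line is not JSON and is counted as skipped",
])


def parse_event_time(value):
    """Convert the documented eventTime string into an aware datetime."""
    return datetime.strptime(value, EVENT_TIME_FORMAT)


def parse_audit_log(text):
    """Return (records, skipped): parsed records plus the number of unparsable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # never let one bad line stop ingestion of the rest
            continue
        rec["_time"] = parse_event_time(rec["eventTime"])
        records.append(rec)
    return records, skipped


def summarize_outcomes(records):
    """Count records per outcome value (success / pending / failure)."""
    return dict(Counter(rec.get("outcome") for rec in records))


def detect_auth_failures(records, threshold=3, window_seconds=300):
    """Flag initiators with `threshold` authenticate failures inside `window_seconds`.

    Returns {initiator.id: total failure count} for every flagged initiator.
    """
    failures = defaultdict(list)
    for rec in records:
        if rec.get("action") == "authenticate" and rec.get("outcome") == "failure":
            failures[rec["initiator"]["id"]].append(rec["_time"])
    flagged = {}
    for initiator, times in failures.items():
        times.sort()
        # Sliding window over consecutive failures: flag on the first window that fits.
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[initiator] = len(times)
                break
    return flagged


if __name__ == "__main__":
    recs, bad = parse_audit_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {bad}")
    print("outcomes:", summarize_outcomes(recs))
    print("repeated auth failures:", detect_auth_failures(recs))
```

The window check keys on initiator.id, so an LDAP user and an API key are tracked separately even when they hit the same target; reason.reasonCode is left in the record so a rule can distinguish a 401 from, say, an upstream 5xx before raising an alert.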
Each service that generates audit data writes audit records to a /var/log/audit/<service_name>-audit.log file inside the audit sidecar container in the respective pod. For example:
- Authentication logs are saved to the /var/log/audit/platform-identity-management-audit.log file.
- Authorization logs are saved to the /app/logs/audit/pdp-audit.log file.
The /var/log/audit directory is shared with the audit container, which is a sidecar container. An emptyDir volume is used to share the /var/log/audit directory between the two containers. The audit container (also known as the auto agent) sends the data to the systemd journal.
Logging is disabled by default. To enable it, set the AUDIT_ENABLED variable in the configmap to true. For information about generating audit logs, see Configuring your cluster to generate audit logs.
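The sidecar arrangement described above, as an added illustration rather than a manifest taken from the product: a pod with the service container and the audit sidecar both mounting one emptyDir volume at /var/log/audit, with AUDIT_ENABLED read from a configmap. The pod, container, image, volume and configmap names are placeholders and assumptions; only the mount path, the volume type and the variable name come from the text.

```yaml
# Added example, not a product manifest. Names and images are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: auth-service-example
spec:
  volumes:
    - name: audit-logs
      emptyDir: {}            # shared scratch space; emptied when the pod is removed
  containers:
    - name: auth-service      # writes /var/log/audit/<service_name>-audit.log
      image: example.com/auth-service:placeholder
      env:
        - name: AUDIT_ENABLED
          valueFrom:
            configMapKeyRef:
              name: auth-service-config   # assumed configmap name
              key: AUDIT_ENABLED          # must be "true" for records to be written
      volumeMounts:
        - name: audit-logs
          mountPath: /var/log/audit
    - name: audit-sidecar     # reads the same directory and forwards to the systemd journal
      image: example.com/audit-agent:placeholder
      volumeMounts:
        - name: audit-logs
          mountPath: /var/log/audit
          readOnly: true      # the sidecar only needs to read what the service writes
```

Because the volume is an emptyDir, the files do not outlive the pod; the sidecar's forwarding to the journal is what makes the records durable, so a pod restart with the sidecar failing to start is a gap worth alerting on. How the sidecar reaches the host's systemd journal is not described on this page and is not shown here.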
You can use a security information and event management (SIEM) tool of your choice to view these logs.