Authentication and authorization audit logs

your product generates authentication and authorization audit logs. auth-idp service generates authentication audit events and auth-pdp service generates authorization audit logs.

The audit logs contain the following fields.

Table 1. Authentication and authorization audit log data
Field name Data saved Description Example Source of an action ID of the source that initiated the action LDAP ID; ID of an API key
initiator.typeURI URI of the source URI of the source of action service; user
initiator.credential.type Type of ID Type of ID of the source of action token; API key Target of an action The endpoint on which the action is initiated. service; resource ID of the target Cloud Resource Name (CRN) value of the service or resource crn:v1:icp:private:platform-service:::core:service:metering-service
target.typeURI URI of the target URI of the target on which the action is initiated. resource; API key; secret
action Action that is requested The action that triggers an event. create; update; delete; deploy; authenticate
outcome Result of the action success; pending; failure
reason.reasonCode HTTP response code The response code of the result. 200 for success
severity Severity level The severity level of the event. critical; normal
eventTime Timestamp The time, date, and time zone of the event. 2018-04-20 20:15:00.32 +0000 UTC

All create, read, update, and delete (CRUD) operations that are related to a directory, user, user group, and team are logged.

Each service that generates audit data writes audit records to a /var/log/audit/<service_name>-audit.log file inside of the audit sidecar container in the respective pod. For example:

The /var/log/audit directory is shared with the audit container, which is a sidecar container. An emptyDir volume is used for sharing the /var/log/audit directory between the two containers. The audit container (also known as auto agent) sends the data to systemd journal.

Note that logging is disabled by default. To enable logging, you must set the AUDIT_ENABLED variable in the configmap to true. For information about generating audit logs, see Configuring your cluster to generate audit logs.

You can use a security information and event management (SIEM) tool of your choice to view these logs.