Content and format of an audit entry

jcanLogAuditProvider

This chapter describes the default formatting of the logging.yml file for the jcanLogAuditProvider. Each row of the audit log file corresponds to a separate audit event. The basic format for every event is:

timestamp header event

• The timestamp has the format "yyyy-mm-dd hh:mm:ss,mmm".
• The header consists of the following elements:
  • Severity (e.g., "INFO" or "ERROR")
  • Principal = ClientExtId or UserExtId (e.g., "100/99999157")
  • SessId = SSO session ID of the caller
  • Source = "nevisidm@[hostname]"
  • EntryId = SSO entry ID (the nevisProxy instance) of the caller
  • transferId = optrace transfer ID
  • clID = optrace client ID
• The event part contains the event type and some additional parameters.
  • Event = event type (e.g., "AUTHORIZATION _DENIED")
  • paramName = paramValue {paramName=paramValue} (e.g., RequiredRole="AccessControl.PropertyAllowedValueSearch")

Severity and audit event types

Each severity type corresponds with specific audit event types:

• The severity type "ERROR" marks all "AUTHORIZATION_DENIED"-type events. These events can be security relevant as they follow attempts of possible malicious user action.
• The severity type "INFO" refers to all normal data changes. These events could be security-relevant as they may record suspicious, unexpected user actions. Data changes have the following format: [Entity]_[CREATE,MODIFY,DELETE]

Entity refers to any data model entity. For example: "TEMPLATE_COLLECTION_DELETE", "ROLE_CREATE".

Format of an AUTHORIZATION_DENIED event

The severity type "ERROR" corresponds to all "AUTHORIZATION_DENIED"-type events. The following event body characterizes an "AUTHORIZATION_DENIED" event:

Event="AUTHORIZATION_DENIED"
Detail=""
RequiredRole=[elementary right]

Example:

2012-09-28 11:09:13,459 ERROR Principal="100/99999157"
SessId="hL_1yVwWTqMvsphsg0Wxs441YJrZs5MIFa8MvldEDOM" Source="[email protected]" EntryId="nevisidm-test.nevis-security.com" transferId="0a00d014-251b-
80993abe-13a0c22e929-00001210"
clID="24ab80993abefbTKRgWyC5ZkUk3tNpHwwIXJ2Lj+CKPXg/mL/zB7tfk\="
Event="AUTHORIZATION_DENIED" Detail=""
RequiredRole="AccessControl.PropertyAllowedValueSearch"

Format of a *_CREATE or *_DELETE event

The severity type "INFO" refers to all normal data changes. The following event body characterizes data changes of type (event) *_CREATE or *_DELETE:

Event=[*_CREATE , *_DELETE]
Detail=""
[fieldName=value {fieldName>=<value2}]

The fields are the database entity's fields, which are important for auditing.

Example:

2012-09-28 09:57:43,591 INFO Principal="100/98" SessId="N/A" Source="[email protected]" EntryId="N/A" transferId="" clID="" Event="CERTIFICATE_INFO_CREATE" Detail="" certInfoId="1042"
credentialId="99999160" subjectDn="CN\=test11 test11, O\=Nevis Security AG, C\=ch" issuerDn="CN\=UserCA (ejpdidmportal), O\=Nevis Security AG, C\=ch"
fingerprint="4D:BA:8F:2B:01:85:E9:D0:A0:2D:E7:51:24:B8:3D:7C:9C:71:20:0D" serial="2" subjectKeyIdentifier="c9e93e57af5ab29935aed670646d264620972e29"

Format of a *_MODIFY event

The severity type "INFO" refers to all normal data changes. The following event body characterizes data changes of type (event) *_MODIFY:

Event=[*_MODIFY]
Detail=""
[fieldName=value, {fieldName=value}] [fieldName=valueOld=>valueNew,
{fieldName=valueOld=>valueNew}]

The fields are the database entity's fields, which are important for auditing. The fields with two values (fieldName=valueOld=>valueNew) indicate the effective changes in the entity.

Example:

2012-11-14 13:25:23,786 INFO Principal="100/100" SessId="ECBBA7831867E1D161940165293BAEB5" Source="[email protected]" EntryId="standalone-dev" transferId="7f000001.4633.c0a80d42.0000001f"
clID="ECBBA7831867E1D161940165293BAEB5" Event="USER_MODIFY" Detail="" userId="88882268" extId="88882268" client="Default" state="active" name="1profile"=>"Betelgeuse" firstName="User" loginId="1profile" language="EN"
remarks="" title="" addressLine1="" addressLine2="" postalcode="2222" city="" country="" telephone="2222222222" telefax="" email="[email protected]"

JsonAuditProvider

This chapter describes the format of the audit log file for the jsonAuditProvider. Each row of the audit log file corresponds to a separate audit event. For better readability, the audit entries in the examples are formatted. The basic format for every JSON audit event is:

{
headerFields,
"client":{...},
"actor" :{...},
"eventData":{...}
}

When relevant to the audit event, the subject (user) is also included:

{
headerFields,
"client":{...},
"actor" :{...},
"subject" :{...},
"eventData":{...}
}

The header consists of the following fields:

• logVersion = "1"
• timestamp = ISO-8601 format timestamp
• source = "nevisidm@[hostname
• eventType = type of event data
• trID = unique transaction ID of the request
• sessionID = optrace client ID

The client contains the following nested fields:

• sessionId = SSO session ID of the caller
• entryPoint = SSO entry ID (the nevisProxy instance) of the caller

The actor contains the following nested fields:

• firstName
• lastName
• email
• loginId
• extId
• isTechnicalUser
• client (Includes the following nested fields):
  • extId
  • name
• unit (Includes the following nested fields):
  • profileExtId
  • extId
  • name
  • hierarchyName]

The subject contains the following nested fields:

• firstName
• lastName
• email
• loginId
• extId
• isTechnicalUser
• client (Includes the following nested fields):
  • extId
  • name

The eventData depends on the event type indicated in the header and the affected entity. It contains the following nested fields:

• newValues = the new or updated values of the entity
• oldValues = the old values of the entity before the update
• updatedState = all values of the entity after the update

In case of a *_CREATE event, there are no old values. In case of a *_DELETE event, there are no new values and no updated values.

Format of a *_CREATE event

If the eventType is *_CREATE, the _eventData consists of the updated or new values (in the field newValues) and all values of the entity after the update (in the field updatedState). See below:

{
 "logVersion":1,
 "timestamp":"2017-04-25T08:51:17.593+0200",
 "source":"[email protected]",
 "eventType":"PROFILE_CREATE",
 "trID":"7f000001.5e3d.c0a80fd3.00000004",
 "sessionID":"TJB9Iy8Rmb4ZcU2XlEMQHpmm",
 "client":{
  "sessionId":"TJB9Iy8Rmb4ZcU2XlEMQHpmm",
  "entryPoint":"standalone-dev"
},
"actor":{
 "firstName":"Boot",
 "lastName":"Strap",
 "email":"[email protected]",
 "loginId":"bootstrap",
 "extId":"100",
 "isTechnicalUser":false,
 "client":{
  "extId":"100",
  "name":"Default"
 },
 "unit":{
 "profileExtId":"100",
 "extId":"100",
 "name":"Default",
 "hierarchyName":"/100"
 }
},
 "subject": {
 "firstName": "John",
 "lastName": "Doe",
 "email": "[email protected]",
 "loginId": "john",
 "extId": "1000002267",
 "isTechnicalUser": false,
 "client": {
  "extId": "100",
  "name": "Default"
 }
},
"eventData":{
 "newValues":{
  "profileName":"Profile-john",
  "userExtId":"1000002267",
  "profileState":"active",
  "profileExtId":"1000000639",
  "clientName":"Default",
  "unitExtId":"100",
  "profileId":"1000000639",
  "profileRemarks":"Automatically generated profile for john"
 },
 "updatedState":{
  "profileName":"Profile-john",
  "userExtId":"1000002267",
  "profileState":"active",
  "profileExtId":"1000000639",
  "clientName":"Default",
  "unitExtId":"100",
  "profileId":"1000000639",
  "profileRemarks":"Automatically generated profile for john"
  }
 }
}

Format of a *_MODIFY event

If the eventType is *_MODIFY, the _eventData consists of the updated or new values (in the field newValues), the old values before the update (in the field oldValues) as well as all values of the entity after the update (in the field updatedState*). See the following example:

{
 "logVersion":1,
 "timestamp":"2017-04-25T08:52:05.652+0200",
 "source":"[email protected]",
 "eventType":"USER_MODIFY",
 "trID":"7f000001.5e3d.c0a80fd3.00000005",
 "sessionID":"TJB9Iy8Rmb4ZcU2XlEMQHpmm",
 "client":{
  "sessionId":"TJB9Iy8Rmb4ZcU2XlEMQHpmm",
  "entryPoint":"standalone-dev"
 },
 "actor":{
  "firstName":"Boot",
  "lastName":"Strap",
  "email":"[email protected]",
  "loginId":"bootstrap",
  "extId":"100",
  "isTechnicalUser":false,
  "client":{
   "extId":"100",
   "name":"Default"
  },
  "unit":{
   "profileExtId":"100",
   "extId":"100",
   "name":"Default",
   "hierarchyName":"/100"
  }
 },
 "subject": {
  "firstName": "John",
  "lastName": "Doe",
  "email": "[email protected]",
  "loginId": "john",
  "extId": "1000002267",
  "isTechnicalUser": false,
  "client": {
   "extId": "100",
   "name": "Default"
  }
 },
 "eventData":{
  "newValues":{
   "language":"DE"
  },
  "oldValues":{
   "language":"EN"
  },
  "updatedState":{
   "country":null,
   "loginId":"john",
   "city":"",
   "houseNumber":"",
   "stateChangeDetail":"",
   "language":"DE",
   "title":"",
   "stateChangeReasonCd":"",
   "dwellingNumber":"",
   "street":"",
   "postalCode":"",
   "postOfficeBoxText":"",
   "locality":"",
   "client":"Default",
   "state":"active",
   "email":"[email protected]",
   "mobile":"",
   "telephone":"",
   "postOfficeBoxNumber":"",
   "userId":"1000002267",
   "firstName":"John",
   "name":"Doe",
   "addressLine2":"",
   "addressLine1":"",
   "extId":"1000002267",
   "remarks":"",
   "telefax":""
  }
 }
}

Format of a *_DELETE event

If the eventType is *_DELETE, the _eventData consists of the old values only (in the field oldValues). See the following example:

{
 "logVersion":1,
 "timestamp":"2017-04-25T11:14:47.872+0200",
 "source":"[email protected]",
 "eventType":"PROFILE_DELETE",
 "trID":"7f000001.5e3d.c0a80fd3.0000001f",
 "sessionID":"ZQAW-xYdw6NyHrAUyi3reOMz",
 "client":{
  "sessionId":"ZQAW-xYdw6NyHrAUyi3reOMz",
  "entryPoint":"standalone-dev"
 },
 "actor":{
  "firstName":"Boot",
  "lastName":"Strap",
  "email":"[email protected]",
  "loginId":"bootstrap",
  "extId":"100",
  "isTechnicalUser":false,
  "client":{
   "extId":"100",
   "name":"Default"
  },
  "unit":{
   "profileExtId":"100",
   "extId":"100",
   "name":"Default",
   "hierarchyName":"/100"
  }
 },
 "subject": {
  "firstName": "John",
  "lastName": "Doe",
  "email": "[email protected]",
  "loginId": "john",
  "extId": "1000002267",
  "isTechnicalUser": false,
  "client": {
   "extId": "100",
   "name": "Default"
  }
 },
 "eventData":{
  "oldValues":{
   "profileName":"Profile-john",
   "userExtId":"1000002267",
   "profileState":"active",
   "profileExtId":"1000000639",
   "clientName":"Default",
   "unitExtId":"100",
   "profileId":"1000000639",
   "profileRemarks":"Automatically generated profile for john"
  }
 }
}

Format of an AUTHORIZATION_DENIED event

If the eventType is "AUTHORIZATION_DENIED", the eventData contains the required role (RequiredRole) in both the newValues field and the updatedState field. See the following example:

{
 "logVersion":1,
 "timestamp":"2017-04-25T09:44:01.731+0200",
 "source":"[email protected]",
 "eventType":"AUTHORIZATION_DENIED",
 "trID":"c0a80fd3.5e3d.c0a80fd3.00000012",
 "sessionID":"8Po1-s-OkmXRKngecmRmaBKW",
 "client":{
  "sessionId":"8Po1-s-OkmXRKngecmRmaBKW",
  "entryPoint":"standalone-dev"
 },
"actor":{
 "firstName":"John",
 "lastName":"Doe",
 "email":"[email protected]",
 "loginId":"john",
 "extId":"1000002267",
 "isTechnicalUser":false,
 "client":{
  "extId":"100",
  "name":"Default"
 },
 "unit":{
  "profileExtId":"100",
  "extId":"100",
  "name":"Default",
  "hierarchyName":"/100"
 }
},
"eventData":{
 "newValues":{
  "RequiredRole":"AccessControl.ClientView"
 },
 "updatedState":{
  "RequiredRole":"AccessControl.ClientView"
  }
 }
}