
Audit logging

Resource Manager tracks user actions in audit log files and maintains logged information in a format that is optimized for searching and reporting.

Audit logging information is written to a flat file on the Control Center master host, at /var/log/serviced/application-audit.log. The information is also sent to Elasticsearch, and may be viewed through Kibana from the Control Center browser interface on the Logs tab.

The retention rules of the application-audit.log file are governed by the logrotate configuration file located at /opt/serviced/etc/logrotate.conf. For more information about editing the logrotate configuration file, see Control Center audit logging.

Examples

The following examples show logged messages for various user interactions.

Change device class

2017-07-14 20:17:52 INFO user=admin action=ChangeDeviceClass 
  kind=Device device=/Devices/Server/Linux/devices/emailsrv05 device_name=emailsrv05
  deviceclass=/Devices/Server/SSH/Linux old_deviceclass=/Devices/Server/Linux

In this example, the admin user moved device emailsrv05 from device class /Server/Linux to /Server/SSH/Linux.

Change threshold value

2017-07-14 20:53:19 INFO user=admin action=Edit kind=Threshold
  threshold="/Devices/Server/Microsoft/rrdTemplates/Device/thresholds/CPU Utilization" 
  maxval=95 old_maxval=90 thresholdtype=MinMaxThreshold

In this example, the admin user edited the max value of threshold "CPU Utilization" on Microsoft servers from 90 to 95.

The zensendaudit utility

You can send custom log messages using the zensendaudit script.

  1. Log in to the Control Center host as a user with serviced CLI privileges.

  2. Attach to the Zope service as the zenoss user.

    serviced service attach zope/0 su - zenoss
    
  3. Send a message with the zensendaudit script. Replace MESSAGE with the text to send to the audit log.

    zensendaudit MESSAGE
    

For example, invoking "zensendaudit Hello world" results in the following audit log entry:

2017-07-14 19:10:18 INFO action=Log kind=Comment comment="Hello world"
  source=Shell process=zensendaudit logname=zenoss parameters="Hello world"
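
The following parser is an added example, not code from Zenoss: it reads entries in the format shown above and flags two kinds of entry a reviewer may want to check, raised threshold maximums and messages written by hand with zensendaudit. It assumes continuation lines are indented as on this page and that quoted values follow shell-style double quoting; the function names and the review rules are hypothetical.

```python
import re
import shlex

# Constructed sample: the three entries shown on this page.
SAMPLE = """\
2017-07-14 20:17:52 INFO user=admin action=ChangeDeviceClass
  kind=Device device=/Devices/Server/Linux/devices/emailsrv05 device_name=emailsrv05
  deviceclass=/Devices/Server/SSH/Linux old_deviceclass=/Devices/Server/Linux
2017-07-14 20:53:19 INFO user=admin action=Edit kind=Threshold
  threshold="/Devices/Server/Microsoft/rrdTemplates/Device/thresholds/CPU Utilization"
  maxval=95 old_maxval=90 thresholdtype=MinMaxThreshold
2017-07-14 19:10:18 INFO action=Log kind=Comment comment="Hello world"
  source=Shell process=zensendaudit logname=zenoss parameters="Hello world"
"""

ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")

def parse_audit_log(text):
    """Return one dict per entry; indented lines continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"timestamp": m.group(1), "level": m.group(2), "_raw": m.group(3)})
        elif line.strip() and entries:
            entries[-1]["_raw"] += " " + line.strip()
    for entry in entries:
        raw = entry.pop("_raw")
        try:
            tokens = shlex.split(raw)  # assumption: values use shell-style double quotes
        except ValueError:  # unbalanced quote: keep the raw text instead of guessing
            entry["unparsed"] = raw
            continue
        for token in tokens:
            key, sep, value = token.partition("=")
            if sep:
                entry[key] = value
    return entries

def review(entries):
    """Flag entries an auditor would want to look at (hypothetical rules)."""
    findings = []
    for e in entries:
        if e.get("process") == "zensendaudit":
            findings.append((e["timestamp"], "manual entry by " + e.get("logname", "?")))
        elif e.get("kind") == "Threshold" and "old_maxval" in e and "maxval" in e:
            if float(e["maxval"]) > float(e["old_maxval"]):
                findings.append((e["timestamp"], "threshold raised by " + e.get("user", "?")))
    return findings
```

Calling review(parse_audit_log(text)) on the contents of application-audit.log returns a list of (timestamp, reason) pairs. Note that the zensendaudit entry carries logname rather than user, so a filter on user= alone would miss it.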