Auditing#

ESS services support auditing to log various system activities.

Audit Log Messages#

Audit log messages conform to Syslog RFC5424 and have the following format:

<Datetime> system.audit.info: <Document>

For example:

2021-04-20T17:32:33.797478 -0400 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"18151","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"https://example.com/xaprvherjk/profile/card#me\",\"data\":[],\"id\":\"urn:uuid:70667a1d-8f06-454f-9df4-f652258b68b0\",\"name\":\"resource.created\",\"object\":\"https://example.com/xaprvherjk/a70a811b-d3cd-427c-9a46-67298316ef94\",\"published\":\"2021-04-20T17:32:33.797478-04:00[America/New_York]\",\"summary\":\"Resource has been created.\",\"type\":\"Event\"}"}

Timestamp#

The <Datetime> indicates the date and time the Audit Service logged the event. <Datetime> has the format:

YYYY-MM-DD hh:mm:ss.sssssssss +-hhmm

Audit Info#

The system.audit.info contains the audit event information. system.audit.info is a document with the following fields:

Field

Description

host

Hostname where the ESS service is run.

ident

ESS Service being audited.

pid

Process id of the event being audited.

msgid

Identifier denoting the issuer of the message.

Audit events have a msgid value of "AuditLogger" with the following exception. If the user fails to authenticate, msgid has a value of -.

extradata

Any miscellaneous data.

message

Details of the audit message. The message is a JSON string with the following fields:

`actor`	Agent that performed the event.
`content`
`data`	Any data associated with the event. The `data` field is an array of documents. The data documents vary depending on the event. If no `data` is associated with the event, the field is an empty array.
`id`	Universally Unique IDentifier (UUID) for the event.
`name`	Name that denotes the type of audited event (e.g., `pod.created`). See Audited Events for a list of audited events and summary.
`object`	The object associated with the event. If no `object` is associated with the event, the field is omitted.
`published`	The timestamp of the event.
`summary`	Short description associated with the message `name`. See Audited Events for a list of audited events and summary.
`target`	Describes target of the audit event. For example, “A user logged in to the Broker through Google”. Here Google is the target. The target is dependent on the type of event..
`type`	The type of the message. The `type` has the value `Event`.

Masking Sensitive Data#

By default:

For the LDP Service, the Audit Service masks fields whose name contains the string password or secret.

To change which fields are masked, configure the inrupt.audit.properties.mask-filter property. See Configure Auditing.

Audited Events#

The following events are audited. In the system.audit.info message field, the Event Name is displayed in the name field and the Event Summary in the summary field.

Pod Related Events#

The following Pod events are audited:

Event Name	Event Summary	Notes
pod.created	A Pod has been provisioned for user: [`<user>`]	Actual username is substituted for `<user>`.
pod.power.on	Pod powered on
pod.power.off	Pod powered off

For example, the following is a pod.created event by the user test3:

2020-09-09 11:31:34.173000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"18151","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"https://example.com/registrar-agent.ttl\",\"data\":[],\"id\":\"urn:uuid:13f41f1b-930f-43e8-9d65-0ea7e930e38c\",\"name\":\"pod.created\",\"object\":\"https://example.com/test3/profile/card#me\",\"published\":\"2020-09-09T12:31:34.173295+01:00[Europe/London]\",\"summary\":\"A Pod has been provisioned for user: [test3]\",\"type\":\"Event\"}"}

Request Events#

The following request events received by the LDP service are audited:

Event Name	Event Summary	Notes
request.delete	DELETE request received.	The `data` field includes the response, including the HTTP response status code.
request.get	GET request received.	The `data` field includes the response, including the HTTP response status code.
request.head	HEAD request received.	The `data` field includes the response, including the HTTP response status code.
request.patch	PATCH request received.	The `data` field includes the response, including the HTTP response status code.
request.post	POST request received.	The `data` field includes the response, including the HTTP response status code.
request.put	PUT request received.	The `data` field includes the response, including the HTTP response status code.

For example,

The following is a successful request.post event:

2020-09-09 11:31:33.002000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"18151","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"https://example.com/registrar-agent.ttl\",\"data\":[{\"ip\":\"1.2.3.4\",\"type\":\"client\",\"user-agent\":\"Apache-HttpClient/4.5.10 (Java/11.0.8)\"},{\"type\":\"headers\"},{\"reason\":\"OK\",\"type\":\"response\",\"status\":\"200\"}],\"id\":\"urn:uuid:0d0a8861-4a88-41ce-bd0c-bb9b13439c61\",\"name\":\"request.head\",\"object\":\"https://example.com/test3/\",\"published\":\"2020-09-09T12:31:33.00234+01:00[Europe/London]\",\"summary\":\"HEAD request received.\",\"type\":\"Event\"}"}

The data array includes a document with the response information:

{\"reason\":\"OK\",\"type\":\"response\",\"status\":\"200\"}

The following is an unsuccessful request.get event:

2020-09-09 17:25:27.508000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"28200","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"https://registrar.inrupt.com/profile/card#me\",\"data\":[{\"ip\":\"127.0.0.1\",\"type\":\"client\",\"user-agent\":\"Apache-HttpClient/4.5.10 (Java/11.0.8)\"},{\"Accept\":\"*/*\",\"type\":\"headers\"},{\"reason\":\"Not Found\",\"type\":\"response\",\"status\":\"404\"}],\"id\":\"urn:uuid:b7b13929-0e76-43a6-b65e-29586232131c\",\"name\":\"request.get\",\"object\":\"https://example.com/nonexistingPod/foo/bar\",\"published\":\"2020-09-09T18:25:27.50762+01:00[Europe/London]\",\"summary\":\"GET request received.\",\"type\":\"Event\"}"}

The data array includes a document with the response information:

{\"reason\":\"Not Found\",\"type\":\"response\",\"status\":\"404\"}

Resource Events#

The following resource events are audited:

Event Name	Event Summary	Notes
resource.acl.deleted	Resource ACL has been deleted.
resource.acl.updated	Resource ACL has been updated.	For both ACL creation or update.
resource.created	Resource has been created.
resource.deleted	Resource has been deleted.
resource.updated	Resource has been updated.
resource.shape.validation-failed	Shape validation failed.

For example, the following is a resource.acl.updated event (associated with either the creation or an update of Access Control List):

2020-09-09 13:04:11.363000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"11420","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"http://www.trellisldp.org/ns/trellis#AdministratorAgent\",\"data\":[],\"id\":\"urn:uuid:5f9f32fd-5a74-4c32-9073-2a937fd9a984\",\"name\":\"resource.acl.updated\",\"object\":\"https://example.com/pod1/?ext=acl\",\"published\":\"2020-09-09T14:04:11.3624+01:00[Europe/London]\",\"summary\":\"Resource ACL has been updated.\",\"type\":\"Event\"}"}

Service Events#

The following Service events are audited:

Event Name	Event Summary	Notes
service.configuration	The Service started with the following configurations.	To configure which configuration properties are included in the message, see Configure Auditing.
service.started	<service> has started up	The service name is substituted for `<service>`. For example, LDP Service.
service.stopped	<service> has stopped	The service name is substituted for `<service>`. For example, LDP Service.