Auditing

ESS services support auditing to log various system activities.

Audit Log Messages

Audit log messages conform to Syslog RFC5424 and have the following format:

<Datetime> system.audit.info: <Document>

For example:

2020-09-09 10:57:56.351000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"oidc-broker","pid":"4672","msgid":"-","extradata":"-","message":"{\"data\":[{\"hostname\":\"ess-ldp-12345fffff-abcde\",\"type\":\"service\",\"platform\":\"spring\"}],\"id\":\"urn:uuid:d7f6716d-45a3-4577-8fc0-efb375c5b861\",\"name\":\"service.started\",\"object\":\"http://localhost:8080/\",\"published\":\"2020-09-09T11:57:56.351525+01:00[Europe/London]\",\"summary\":\"OIDC Broker Service has started up.\",\"type\":\"Event\"}"}

Timestamp

The <Datetime> indicates the date and time the Audit Service logged the event. <Datetime> has the format:

YYYY-MM-DD hh:mm:ss.sssssssss +-hhmm

Audit Info

The system.audit.info contains the audit event information. system.audit.info is a document with the following fields:

host
    Hostname where the ESS service is run.

ident
    ESS Service being audited.

pid
    Process id of the event being audited.

msgid
    Identifier denoting the issuer of the message.

    Audit events have a msgid value of "AuditLogger" with one exception: if the user fails to authenticate, msgid has a value of -.

extradata
    Any miscellaneous data.

message
    Details of the audit message. The message is a JSON string with the following fields:

    actor
        Agent that performed the event.

    content

    data
        Any data associated with the event. The data field is an array of documents. The data documents vary depending on the event.

        If no data is associated with the event, the field is an empty array.

    id
        Universally Unique IDentifier (UUID) for the event.

    name
        Name that denotes the type of audited event (e.g., pod.created).

        See Audited Events for a list of audited events and their summaries.

    object
        The object associated with the event.

        If no object is associated with the event, the field is omitted.

    published
        The timestamp of the event.

    summary
        Short description associated with the message name.

        See Audited Events for a list of audited events and their summaries.

    target
        Describes the target of the audit event. For example, in "A user logged in to the Broker through Google", Google is the target. The target depends on the type of event.

    type
        The type of the message. The type has the value Event.

See also Configure Auditing.

Masking Sensitive Data

By default:

  • For the OIDC Broker Service, the Audit Service masks fields whose name contains the string PASSWORD (e.g., "OIDC_ADMIN_PASSWORD\":\"xxxxx\") but not the various Secret fields (e.g., clientSecret\\\\=MEH_ZX2EabcDe-FGhi9MS4EG\").

  • For the LDP Service, the Audit Service masks fields whose name contains the string password or secret.

To change which fields are masked, configure the inrupt.audit.properties.mask-filter property. See Configure Auditing.
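The line format and the masking rule described above, as an added example that is not part of the original page or of ESS itself: it splits the RFC 5424-style line, decodes the double-encoded message field, and flags configuration values whose key contains password or secret but which are not masked, including clientSecret pairs embedded in OIDC_ISSUER_CLIENTS, which the OIDC Broker does not mask by default. The sample line, host name, UUID and secret value are constructed; the xxxxx mask value is taken from the page's examples.

```python
import json
import re

# Line layout from this page: "<Datetime> system.audit.info: <Document>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{9} [+-]\d{4}) "
    r"system\.audit\.info: (?P<doc>\{.*\})$"
)
SENSITIVE_RE = re.compile(r"password|secret", re.IGNORECASE)
MASK = "xxxxx"  # mask value shown in the page's examples (assumed fixed)

# Constructed sample line (not from a real deployment): the admin password
# is masked, but a clientSecret embedded in OIDC_ISSUER_CLIENTS is not.
SAMPLE = (
    r'2020-09-09 10:57:56.354000000 +0000 system.audit.info: '
    r'{"host":"ess-ldp-example","ident":"oidc-broker","pid":"4672","msgid":"-",'
    r'"extradata":"-","message":"{\"data\":[{\"OIDC_ADMIN_PASSWORD\":\"xxxxx\",'
    r'\"OIDC_ISSUER_CLIENTS\":\"id=https://idp.example/|clientName=Example|'
    r'clientSecret=not-a-real-secret\",\"type\":\"configurations\"}],'
    r'\"id\":\"urn:uuid:00000000-0000-4000-8000-000000000001\",'
    r'\"name\":\"service.configuration\",\"type\":\"Event\"}"}'
)


def parse_audit_line(line: str) -> dict:
    """Outer document plus timestamp; the escaped 'message' string is decoded."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a system.audit.info line")
    doc = json.loads(m.group("doc"))
    doc["timestamp"] = m.group("ts")
    doc["message"] = json.loads(doc["message"])  # message is double-encoded JSON
    return doc


def unmasked_secrets(event: dict) -> list[str]:
    """Config keys whose name contains password/secret but whose value is not
    masked, including k=v pairs inside '|'/';'-delimited values."""
    hits = []
    if event.get("name") != "service.configuration":
        return hits
    for doc in event.get("data", []):
        for key, value in doc.items():
            if SENSITIVE_RE.search(key) and value != MASK:
                hits.append(key)
            for pair in re.split(r"[|;]", value):
                k, sep, v = pair.partition("=")
                k = k.rstrip("\\")  # the *_ORIGINAL variant stores 'clientSecret\='
                if sep and SENSITIVE_RE.search(k) and v != MASK:
                    hits.append(f"{key}.{k}")
    return hits
```

Run it over a captured service.configuration line before shipping logs to a central collector; a non-empty result means the mask-filter property needs widening.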

Audited Events

The following events are audited. In the system.audit.info message field, the Event Name is displayed in the name field and the Event Summary in the summary field.

Authentication Events

The following authentication events from the OIDC Broker Service are audited:

authentication.failed
    Summary: Failed OIDC Broker Authentication
    Notes: Event msgid has a value of -.

authentication.logout
    Summary: User logged out of OIDC Broker

authentication.success
    Summary: Successful OIDC Broker Authentication

For example, the following is an authentication.success event associated with a successful login through the OIDC Broker with Google acting as the Identity Provider:

2020-09-09 09:11:58.766000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"oidc-broker","pid":"22684","msgid":"-","extradata":"-","message":"{\"actor\":\"115407266092377734752\",\"data\":[{\"ip\":\"0:0:0:0:0:0:0:1\",\"type\":\"client\",\"user-agent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36\"}],\"id\":\"urn:uuid:17d13f2e-5986-4ccf-b6d2-5912ad2990cd\",\"name\":\"authentication.success\",\"object\":\"http://localhost:8080/\",\"published\":\"2020-09-09T10:11:58.765051+01:00[Europe/London]\",\"summary\":\"Successful OIDC Broker Authentication\",\"target\":\"https://accounts.google.com\",\"type\":\"Event\"}"}

Request Events

The following request events received by the LDP service are audited:

request.delete
    Summary: DELETE request received.

request.get
    Summary: GET request received.

request.head
    Summary: HEAD request received.

request.patch
    Summary: PATCH request received.

request.post
    Summary: POST request received.

request.put
    Summary: PUT request received.

Notes (all request events): The data field includes the response, including the HTTP response status code.

For example:

  • The following is a successful request.post event:

    2020-09-09 11:31:33.002000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"18151","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"http://localhost:10100/registrar-agent.ttl\",\"data\":[{\"ip\":\"127.0.0.1\",\"type\":\"client\",\"user-agent\":\"Apache-HttpClient/4.5.10 (Java/11.0.8)\"},{\"type\":\"headers\"},{\"reason\":\"OK\",\"type\":\"response\",\"status\":\"200\"}],\"id\":\"urn:uuid:0d0a8861-4a88-41ce-bd0c-bb9b13439c61\",\"name\":\"request.head\",\"object\":\"http://localhost:10100/test3/\",\"published\":\"2020-09-09T12:31:33.00234+01:00[Europe/London]\",\"summary\":\"HEAD request received.\",\"type\":\"Event\"}"}

    The data array includes a document with the response information:

    {\"reason\":\"OK\",\"type\":\"response\",\"status\":\"200\"}
  • The following is an unsuccessful request.get event:

    2020-09-09 17:25:27.508000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"28200","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"https://registrar.inrupt.com/profile/card#me\",\"data\":[{\"ip\":\"127.0.0.1\",\"type\":\"client\",\"user-agent\":\"Apache-HttpClient/4.5.10 (Java/11.0.8)\"},{\"Accept\":\"*/*\",\"type\":\"headers\"},{\"reason\":\"Not Found\",\"type\":\"response\",\"status\":\"404\"}],\"id\":\"urn:uuid:b7b13929-0e76-43a6-b65e-29586232131c\",\"name\":\"request.get\",\"object\":\"http://localhost:40993/nonexistingPod/foo/bar\",\"published\":\"2020-09-09T18:25:27.50762+01:00[Europe/London]\",\"summary\":\"GET request received.\",\"type\":\"Event\"}"}

    The data array includes a document with the response information:

    {\"reason\":\"Not Found\",\"type\":\"response\",\"status\":\"404\"}

Resource Events

The following resource events are audited:

resource.acl.deleted
    Summary: Resource ACL has been deleted.

resource.acl.updated
    Summary: Resource ACL has been updated.
    Notes: Emitted for both ACL creation and ACL update.

resource.created
    Summary: Resource has been created.

resource.deleted
    Summary: Resource has been deleted.

resource.updated
    Summary: Resource has been updated.

resource.shape.validation-failed
    Summary: Shape validation failed.

For example, the following is a resource.acl.updated event (emitted for either the creation or an update of an Access Control List):

2020-09-09 13:04:11.363000000 +0000 system.audit.info: {"host":"ess-ldp-12345fffff-abcde","ident":"ess-ldp-service","pid":"11420","msgid":"AuditLogger","extradata":"-","message":"{\"actor\":\"http://www.trellisldp.org/ns/trellis#AdministratorAgent\",\"data\":[],\"id\":\"urn:uuid:5f9f32fd-5a74-4c32-9073-2a937fd9a984\",\"name\":\"resource.acl.updated\",\"object\":\"http://localhost:35329/pod1/?ext=acl\",\"published\":\"2020-09-09T14:04:11.3624+01:00[Europe/London]\",\"summary\":\"Resource ACL has been updated.\",\"type\":\"Event\"}"}

Service Events

The following Service events are audited:

service.configuration
    Summary: The Service started with the following configurations.
    Notes: To configure which configuration properties are included in the message, see Configure Auditing.

service.started
    Summary: <service> has started up
    Notes: The service name is substituted for <service>; for example, OIDC Broker Service or LDP Service.

service.stopped
    Summary: <service> has stopped
    Notes: The service name is substituted for <service>; for example, OIDC Broker Service or LDP Service.

For example, the following is a service.configuration event for the OIDC Broker Service:

2020-09-09 10:57:56.354000000 +0000 system.audit.info: {"host":"ess-ldp-754f5bdff5-gccz2","ident":"oidc-broker","pid":"4672","msgid":"-","extradata":"-","message":"{\"data\":[{\"name\":\"EnvConfigSource\",\"type\":\"configuration-sources\",\"ordinal\":\"300\"},{\"OIDC_KEY_ID\":\"rsa1\",\"OIDC_ISSUER\":\"http://example.com/\",\"OIDC_HTTP_SSL_CERTIFICATE_TRUST_STORE_FILE\":\"/some/location/enterprise-microservices/utilities/auditing/tls/cacerts\",\"OIDC_ISSUER_CLIENTS_ORIGINAL\":\"id\\\\=https://auth0.example.com/|logoUri\\\\=/resources/images/auth0.png|clientName\\\\=Auth0|clientId\\\\=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456|clientSecret\\\\=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789000;id\\\\=https://accounts.google.com|clientName\\\\=Google|logoUri\\\\=/resources/images/google.png|clientId\\\\=123456789012-abcdefghijklmnop123456789012345.apps.googleusercontent.com|clientSecret\\\\=ABC_DEFGabcde-XYZz123456\",\"OIDC_INITIALIZE_DATABASE\":\"false\",\"type\":\"configurations\",\"OIDC_ISSUER_CLIENTS\":\"id=https://solidess.auth0.com/|logoUri=/resources/images/auth0.png|clientName=Auth0|clientId=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456|clientSecret=zyxwvutsrqponmlkjihgfedcbaABCDEFGHIJKLMNOPQRSTUVWXYZ123456789000;id=https://accounts.google.com|clientName=Google|logoUri=/resources/images/google.png|clientId=098765432100-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com|clientSecret=ABCD_EF2GhijKl-WXyz000000\",\"OIDC_LOG_LEVEL\":\"DEBUG\",\"OIDC_ADMIN_PASSWORD\":\"xxxxx\",\"OIDC_RESOURCE_SERVER_ADMIN\":\"http://localhost:10100/registrar-agent.ttl\",\"OIDC_AUDIT_LOG_LEVEL\":\"INFO\",\"OIDC_RESOURCE_SERVER_URI\":\"https://local-ess.inrupt.com/\",\"OIDC_JDBC_USERNAME\":\"oic\",\"OIDC_KEY_ALGORITHM\":\"RS256\",\"OIDC_HTTP_SSL_CERTIFICATE_TRUST_STORE_PASSWORD\":\"xxxxx\",\"OIDC_JDBC_PASSWORD\":\"xxxxx\",\"OIDC_JDBC_URL\":\"jdbc:postgresql://localhost/oic\"}],\"id\":\"urn:uuid:d89ef49c-2345-469e-bad0-a1b2c918a82a\",\"name\":\"service.configuration\",\"published\":\"2020-09-09T11:57:56.35358+01:00[Europe/London]\",\"summary\":\"The Service started with the following configurations.\",\"type\":\"Event\"}"}
