Audit Log

The audit log contains a record of all TOE administrative activities. The stored audit records in the audit trail are protected from unauthorized modifications and deletion. For more information about the audit log, see Using the Audit Log.
Following are the events that are logged and examples of their corresponding audit log messages:

Identification and Authentication

Event: Invalid password when logging in to the WebUI.
Message: "2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Directerror=invalid\040login\040or\040password"


Event: Number of attempts exceeds the limit when logging in to the WebUI.
Message: "2011-10-19 14:05:23.217Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Directerror=failed\040logins\040exceed\040limit"


Event: Invalid password when logging in to the CLI.
Message: "2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Directerror=invalid\040login\040or\040password"


Event: Number of attempts exceeds the limit when logging in to the CLI.
Message: "2011-10-19 14:05:23.217Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Directerror=failed\040logins\040exceed\040limit"


Event: Enable Common Criteria mode
Message: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Directauth=Local group=.admin-group
Message: 2011-10-19 19:48:48.705Z [admin]: Called - set_cc_mode: Args cc_mode_enabled="true"


Event: Disable Common Criteria mode
Message: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Directauth=Local group=.admin-group
Message: 2011-10-19 19:48:48.705Z [admin]: Called - set_cc_mode: Args cc_mode_enabled="false"


Event: Login successful
Message: 2011-10-19 19:48:48.706Z [USER\040admin]: rebooted the system
Message: 2011-11-01 17:09:21.696Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Direct auth=Localgroup=.admin-group


Event: First login
Message: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=127.0.0.1 auth=LOCALgroup=admin-group apparently_via=GUI first login


Event: Password expired
Message: 2011-10-20 13:17:29.257Z [user]: Password_Expired - - to=AdminConnector ip=127.0.0.1 auth=LOCALgroup=admin-group apparently_via=GUI


Event: Password was successfully reset.
Message: 2011-10-19 12:44:45.962Z [user]: Password_Reset - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI


Event: New password did not conform to the rule.
Message: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI

Quotas

Event: Upload file limit reached.
Message: user manojk-vm httpd[]: err User {0} tried to upload the file. File {1} with size 272629904 kBytes is greater than maximum size allowed. Maximum size is 102400 kBytes.

LDAP

Event: Establishment of session
Message: 2011-10-27T07:50:59-04:00 user epbyminw0065t2 python[]: notice Connection established:success


Event: Failure to establish a session 
Message: 2011-10-27T07:50:38-04:00 user epbyminw0065t2 python[]: err 10.6.11.249: AD user authentication timed out
Message: 2011-10-27T07:51:02-04:00 user epbyminw0065t2 python[]: err Connection timed out


Event: Crypto failure (the type and name of the crypto algorithm that failed cannot be logged, because openldap uses the SSL/TLS protocol functions of OpenSSL and does not call the crypto functions directly.)
Message: 2011-10-27T07:51:00-04:00 user epbyminw0065t2 python[]: err SSL handshake failed.
Message: 2011-10-27T07:51:02-04:00 user epbyminw0065t2 python[]: err SSL handshake failed. Cannot verify server certificate.

GSS-TSIG

Event: Invalid size specified for algorithm HMAC-SHA256
Message: 2011-10-19T17:57:12-04:00 user EPBYMINW2856 httpd[]: err TSIG key generation failure: Size 512 can not be used with algorithm HMAC-SHA256


Event: Invalid algorithm specified in Common Criteria mode
Message: 2011-10-19T18:12:22-04:00 user EPBYMINW2856 httpd[]: err TSIG key (keylen = 256, algname = HMAC-MD5) generation error : Only HMAC-SHA256 available in CC mode.


Event: Algorithm restriction
Message: Only AES128_CTS_HMAC_SHA1_96 or AES256_CTS_HMAC_SHA1_96 algorithms are allowed in CC mode. Current algorithm is DES_CBC_CRC.

TSIG CSV Import/Export

Event: Import error (TSIG algorithm is not allowed in Common Criteria mode)
Message: [2011/10/20 09:38:42.496] (24473 /usr/bin/python)/infoblox/common/lib/python/infoblox/one/csv_import_function.py:601 write_to_error_file(): Import Error:authzone,zone.com,FORWARD,,,,,,,False,False,False,,1.2.3.4/1.2.3.4/False/False/True/ext_sec_key/ut29ROLaJwty6a%2Fhsgg0wA==,infoblox.localdomain,False,,,,,,,,,,,,,2,,default,Authoritative-Line 2: Insertion aborted due to IBDataError?: IB.Data:TSIG algorithm used for TSIG key name 'ext_sec_key' is not allowed in CC mode.

“set” Commands

Message: 2011-10-19 13:14:04.030Z [admin]: Called - set_snmptrap: Args variable="sysName.0", address="10.120.20.31"
Message: 2011-10-19 13:16:16.545Z [admin]: Called - set_scheduled: Args task_restarts="0 from 60"
Message: 2011-10-19 13:17:19.391Z [admin]: Called - set_mld_version_1: MLD version set to 1
Message: 2011-10-19 13:18:28.171Z [admin]: Called - set_support_access: Args support_access="true from false"
Message: 2011-10-19 13:19:46.669Z [admin]: Called - set_session_timeout: Args session_timeout="650 from 600"
Message: 2011-10-19 13:23:11.596Z [admin]: Called - set_phonehome: Args phonehome_disabled="true from false"
Message: 2011-10-19 13:24:02.372Z [admin]: Called - set_remote_console: Args remote_console="true from false"
Message: 2011-10-19 13:25:31.704Z [admin]: Called - set_security: Args address="10.120.20.31",netmask="255.255.255.0"
Message: 2011-10-19 13:26:12.673Z [admin]: Called - set_safemode
Message: 2011-10-19 13:28:12.302Z [admin]: Called - set_prompt: Args prompt=ip
Message: 2011-10-19 13:30:22.221Z [admin]: Called - set BGP: Args log_level="debugging"
Message: 2011-10-19 13:31:20.142Z [admin]: Called - set OSPF: Args log_level="informational"
Message: 2011-10-19 13:32:10.319Z [admin]: Called - set_nosafemode
Message: 2011-10-19 13:38:42.998Z [admin]: Called - set_network: Args ip_address="10.120.20.34 from 10.120.20.31",netmask="255.255.255.0 from 255.255.255.0",gateway_address="10.120.20.1 from 10.120.20.1"
Message: 2011-10-19 13:41:56.178Z [admin]: Called - set_ip_rate_limit: Args ip_rate_limit="on from off"
Message: 2011-10-19 13:43:42.828Z [admin]: Called - set_monitor_dns_alert: Args dns_alert="on from off"
Message: 2011-10-19 13:46:34.647Z [admin]: updated physical node 0
Message: 2011-10-19 13:46:34.648Z [admin]: Called - set_interface: Args interface="LAN", speed="100M", duplex="half"
Message: 2011-10-19 13:48:03.066Z [admin]: Called - set_dns: Args dns="flush all "
Message: 2011-10-19 13:49:35.527Z [admin]: Called - set_debug: Args all="on from off"
Message: 2011-10-19 09:53:53.595Z [admin]: Called - set_ibtrap: Args ibtrap="DNS", snmp="true", email="true"
Message: 2011-10-19 09:57:00.747Z [admin]: Called - set_thresholdtrap: Args thresholdtrap="CpuUsage", trigger="60", reset="50"
Message: 2011-10-19 10:32:50.183Z [admin]: Called - set_maintenancemode: Args maintenancemode="on from off"
Message: 2011-10-19 14:05:20.132Z [admin]: Called - set_dhcp_expert_mode: Args dhcp_expert_mode="true from false"
Message: 2011-10-19 14:07:02.082Z [admin]: Called - set_dhcp_release_delay: Args delay_time=40 secs
Message: 2011-10-19 14:09:24.285Z [admin]: Called - set_gsstsig_key_expiration_time: Args gsstsig_key_expiration_time="3000 from 3600"
Message: 2011-10-19 14:10:19.906Z [admin]: Called - set_named_worker_threads: Args named_worker_threads="20 from 0"
Message: 2011-10-19 14:11:04.731Z [admin]: Called set_recursion_log_interval: Args recursion_log_interval="60"
Message: 2011-10-19 14:14:12.170Z [admin]: Called - set_partial_replication: Args partial_replication="off from on"
Message: 2011-10-19 14:15:33.978Z [admin]: Called - set_rep_queue_ixfr_limit: Args rep_queue_ixfr_limit="60 from 1000"
Message: 2011-10-19 14:16:16.797Z [admin]: Called - set_watchdog: Args watchdog_enabled="true from false"
Message: 2011-10-19 14:17:14.605Z [admin]: Called - set_fsck
Message: 2011-10-19 14:19:25.282Z [admin]: Called - set_host_consistency_check: Args host_consistency_check="on from off"
Message: 2011-10-19 14:21:00.202Z [admin]: Called - set_internal_apache_http_port: Args internal_apache_http_port="2000 from 9000"
Message: 2011-10-19 14:22:18.682Z [admin]: Called - set_internal_jetty_http_port: Args internal_apache_http_port="6060 from 8080"
Message: 2011-10-19 14:25:58.704Z [admin]: Called - set_always_ret_nxdomain_for_fmz_ptr: Args always_ret_nxdomain_for_fmz_ptr="true from false"
Message: 2011-10-19 14:28:18.046Z [admin]: Called - set_debug_tools: Args debug_tools="db_binary_dump" 
Message: 2011-10-19 14:29:06.511Z [admin]: Called - set_dns_autogen: Args dns_auto_gen="check"
Message: 2011-10-19 14:30:54.628Z [admin]: Called - set_named_recv_sock_buf_size: Args udp_so_rcvbuf="122 from (null)"
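The classic audit lines in the Identification and Authentication and "set" Commands sections above share one shape: a timestamp, the user in brackets, then either an event name followed by " - - " and key=value pairs, or "Called - <command>: Args ..." with quoted values, where "X from Y" records the new value before the old one and spaces inside values are octal-escaped (\040). The parser and alert filter below are an added example, not NIOS code; the sample lines are constructed to match the formats on this page, and the choice of which events to flag (lockouts, disabling Common Criteria mode, enabling support or remote console access) is an assumption for illustration.

```python
import re

# Constructed sample lines in the classic NIOS audit format (not copied from the page).
SAMPLE = [
    '2011-10-19 14:05:23.217Z [admin]: Login_Denied - - to=Serial\\040Console apparently_via=Direct error=failed\\040logins\\040exceed\\040limit',
    '2011-10-19 19:48:48.705Z [admin]: Called - set_cc_mode: Args cc_mode_enabled="false"',
    '2011-10-19 13:18:28.171Z [admin]: Called - set_support_access: Args support_access="true from false"',
    '2011-10-19 13:19:46.669Z [admin]: Called - set_session_timeout: Args session_timeout="650 from 600"',
]
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+Z) \[(?P<user>[^\]]+)\]: (?P<rest>.*)$')
ARG_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')  # quoted or bare key=value pairs

def unescape(s):
    # NIOS writes spaces inside values as octal escapes, e.g. Serial\040Console
    return re.sub(r'\\([0-7]{3})', lambda m: chr(int(m.group(1), 8)), s)

def parse_line(line):
    """Return {'ts','user','event','args'} for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    if rest.startswith('Called'):
        # 'Called - set_cc_mode: Args cc_mode_enabled="false"' -> event is the CLI command
        head, _, argstr = rest.partition(': Args ')
        event = re.sub(r'^Called(?: -)? ', '', head).strip()
    else:
        # 'Login_Denied - - to=... error=...' -> event name precedes the ' - - ' separator
        event, _, argstr = rest.partition(' - - ')
    args = {}
    for k1, v1, k2, v2 in ARG_RE.findall(argstr):
        args[k1 or k2] = unescape(v1 if k1 else v2)
    return {'ts': m.group('ts'), 'user': unescape(m.group('user')), 'event': event, 'args': args}

def new_value(v):
    return v.split(' from ', 1)[0]  # '"true from false"' records the new value first, then the old

def alerts(lines):
    """Flag the events a defender would want to review immediately (assumed selection)."""
    out = []
    for ev in filter(None, map(parse_line, lines)):
        a = ev['args']
        if ev['event'] == 'Login_Denied' and 'exceed limit' in a.get('error', ''):
            out.append(f"{ev['ts']} lockout: {ev['user']} via {a.get('to')}")
        elif ev['event'] == 'set_cc_mode' and new_value(a.get('cc_mode_enabled', '')) == 'false':
            out.append(f"{ev['ts']} Common Criteria mode disabled by {ev['user']}")
        elif ev['event'] in ('set_support_access', 'set_remote_console'):
            if new_value(a.get(ev['event'][4:], '')) == 'true':
                out.append(f"{ev['ts']} {ev['event']} enabled by {ev['user']}")
    return out
```

Lines such as "Called set_recursion_log_interval" (no dash) and users like [USER\040admin] are handled by the optional dash in the event regex and by unescaping the user field.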

CLI Top Level Commands

Message: 2011-10-19 10:33:29.664Z [admin]: Called - delete_cores_all
Message: 2011-10-19 10:38:12.356Z [admin]: Called - delete_cores: Args filename="core.8295.gz"
Message: 2011-10-19 10:58:28.064Z [admin]: Called - delete_backup_all
Message: 2011-10-19 11:00:17.917Z [admin]: Called - delete_backup: Args filename="BACKUP_6.bkp"
Message: 2011-10-19 12:41:47.707Z [admin]: Called - rotate_log: Args log="syslog"
Message: 2011-10-19 12:58:11.738Z [admin]: Called - rotate_log: Args log="audit"
Message: 2011-10-19 12:58:11.738Z [USER\040admin]: rotated the previous audit log to audit.log.0.gz
Message: 2011-10-19 13:51:36.982Z [admin]: Called - reset_database
Message: 2011-10-19 13:54:14.023Z [admin]: Called - debug_webui_restart
Message: 2011-10-19 13:57:39.407Z [USER\040admin]: rebooted the system
Message: 2011-10-19 14:03:41.124Z [admin]: Called - delete_file: Args groupname="bloxtools", filename="/storage/web-portal/udata/logs/access.log"

CLI Emergency Commands

Message: 2011-10-19 14:32:31.927Z [Emergency\040User]: Called - set_safemode
Message: 2011-10-19 14:33:23.591Z [Emergency\040User]: Called - set_nosafemode
Message: 2011-10-19 14:33:41.286Z [Emergency\040User]: Called set_repsafe_mode: Args repsafe_mode = on
Message: 2011-10-19 14:34:47.321Z [Emergency\040User]: Called - set_weak
Message: 2011-10-19 14:35:25.969Z [Emergency\040User]: Called - set_fsck
Message: 2011-10-19 14:35:46.604Z [Emergency\040User]: Called - set_watchdog: Args watchdog_enabled="true from true"
Message: 2011-10-19 14:41:13.727Z [Emergency\040User]: Called - reset_database 

Note

During boot, if you press the Enter key before being prompted, NIOS does not wait the specified time before entering emergency mode and restarts immediately.

WAPI Detailed

You can view detailed WAPI session information logs in the audit log for successful WAPI calls such as PUT, POST, and DELETE. For more information, see Monitoring Tools.

Event: Member restart or reboot service
Message: [2018-07-10 16:23:08.112Z] [admin]: Called(POST) v2.9/member {"_function":"restartservices", "restart_option": "FORCE_RESTART","service_option": "ALL"} 3.081 MemberRestartServices: Args service_option="ALL",grid_member=Member:infoblox.localdomain,restart_option="FORCE_RESTART"


Event: All successful function calls

Message: [2018-07-28 08:56:44.399Z] [admin]: Called(POST) v2.9/network {"_function":"next_available_ip"} 0.034 NextAvailableIp: Args parent=Network:2.2.2.0/24\054network_view\075default


Event: Enhanced audit log for POST method

Message: [2018-05-29 09:20:12.026Z] [admin]: Created(POST) v2.9/zone_auth {"fqdn":"foo.com"} 2.233 AuthZone foo.com DnsView=default: Set fqdn="foo.com"


Event: Enhanced audit log for PUT method

Message: 2018-06-07 08:45:25.681Z [admin]: Modified(PUT) v2.2/zone_auth {"comment":"testing auditlogs"} 1.930 AuthZone foo.com DnsView=default: Changed comment:NULL->"testing auditlogs"


Event: Enhanced audit log for DELETE method

Message: 2018-07-24 13:11:26.614Z [admin]: Deleted(DELETE) v2.6/zone_auth {} 0.356 AuthZone foo.com DnsView=default exclude_subobj=False

Host Record Logging

NIOS inserts two records for each host record object, so the audit log shows the URI, InData, and response time twice: once for the host record and once for the host address/host alias records.

Example of Host Record logging: curl -H "Content-Type: application/json" -k -u admin:infoblox -X POST https://10.120.20.129/wapi/v2.0/record:host -d '{ "ipv4addrs":[ {"ipv4addr" : "1.1.1.0","configure_for_dhcp" : false, "mac" : "aa:0:0:0:1:cc" }], "comment":"this is my one.perfusera comment","view":"default","name":"perfusera.test.com"}'

Message: 2018-07-24 12:27:40.375Z [admin]: Created(POST) v2.0/record:host {"ipv4addrs":[ {"ipv4addr" : "1.1.1.0","configure_for_dhcp" : false, "mac" : "aa:0:0:0:1:cc" }],"comment":"this is my one.perfusera comment","view":"default","name":"perfusera.test.com"} 0.236 HostAddress 1.1.1.0 network_view=default: Set address="1.1.1.0",configure_for_dhcp=False,mac_address="aa:0:0:0:1:cc",match_option="MAC_ADDRESS",parent=HostRecord:._default.com.foo.perfusera

Message: 2018-07-24 12:27:40.375Z [admin]: Created(POST) v2.0/record:host {"ipv4addrs":[ {"ipv4addr" : "1.1.1.0","configure_for_dhcp" : false, "mac" : "aa:0:0:0:1:cc" }],"comment":"this is my one.perfusera comment","view":"default","name":"perfusera.test.com"} 0.236 HostRecord perfusera.foo.com DnsView=default address=1.1.1.0: Set addresses=[address="1.1.1.0"],comment="this is my one.perfusera comment",fqdn="perfusera.foo.com",view=DnsView:default

Requesting an Object

Each WAPI call for a request object shows the timestamp, user, operation, URI, InData, and the response time.

Example of Request object: https://10.35.120.1/wapi/v2.9/request body : [{ "method": "POST", "object": "network", "data": {"network": "22.2.2.0/24"} }, { "method": "POST", "object": "network", "data": {"network": "111.1.111.0/24"} } ]

Message: 2018-10-24 11:18:18.828Z [admin]: Created(POST) v2.9/request [{'object': 'network', 'data': {'network': '22.2.2.0/24'}, 'method': 'POST'}, {'object': 'network', 'data': {'network': '111.1.111.0/24'}, 'method': 'POST'}] 5.5867

Message: 2018-10-24 11:18:18.828Z [admin]: Created Network 22.2.2.0/24 network_view=default: Set address="22.2.2.0",cidr=24

Message: 2018-10-24 11:18:18.828Z [admin]: Created Network 111.1.111.0/24 network_view=default: Set address="111.1.111.0",cidr=24
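The WAPI Detailed, Host Record Logging, and Requesting an Object sections above all use the same first-line layout: timestamp (with or without brackets), user, operation with the HTTP method in parentheses, the versioned URI, the InData body, the response time, and an optional detail trailer. The parser below is an added example, not NIOS code; its sample lines are constructed after the messages on this page, and it handles the one edge case visible above: a multi-call /request body is logged as a Python literal (single quotes) rather than JSON, so a JSON parse alone would fail. The review criteria (deletions, forced restarts, slow calls) are an assumed selection for illustration.

```python
import ast
import json
import re

# Constructed WAPI audit lines modeled on the formats shown above (not copied from the page).
SAMPLE = [
    '[2018-07-10 16:23:08.112Z] [admin]: Called(POST) v2.9/member {"_function":"restartservices","restart_option":"FORCE_RESTART","service_option":"ALL"} 3.081 MemberRestartServices: Args service_option="ALL"',
    '2018-06-07 08:45:25.681Z [admin]: Modified(PUT) v2.2/zone_auth {"comment":"testing auditlogs"} 1.930 AuthZone foo.com DnsView=default: Changed comment:NULL->"testing auditlogs"',
    '2018-07-24 13:11:26.614Z [admin]: Deleted(DELETE) v2.6/zone_auth {} 0.356 AuthZone foo.com DnsView=default exclude_subobj=False',
    "2018-10-24 11:18:18.828Z [admin]: Created(POST) v2.9/request [{'object': 'network', 'data': {'network': '22.2.2.0/24'}, 'method': 'POST'}] 5.5867",
]

WAPI_RE = re.compile(
    r'^\[?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+Z)\]? \[(?P<user>[^\]]+)\]: '
    r'(?P<op>\w+)\((?P<method>GET|POST|PUT|DELETE)\) (?P<version>v\d+\.\d+)/(?P<obj>\S+) '
    r'(?P<body>[\[{].*?[\]}]) (?P<elapsed>\d+\.\d+)(?:\s+(?P<detail>.*))?$'
)

def parse_body(text):
    """InData is normally JSON; multi-call /request bodies are logged as a Python literal."""
    try:
        return json.loads(text)
    except ValueError:
        return ast.literal_eval(text)

def parse_wapi(line):
    """Split one WAPI audit line into its fields, or return None for non-WAPI lines."""
    m = WAPI_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()          # 'detail' is None when the line ends at the response time
    ev['body'] = parse_body(ev['body'])
    ev['elapsed'] = float(ev['elapsed'])
    return ev

def review(lines, slow_seconds=5.0):
    """Surface WAPI calls worth a second look: deletions, forced restarts, slow calls."""
    findings = []
    for ev in filter(None, map(parse_wapi, lines)):
        who = f"{ev['user']} {ev['method']} {ev['version']}/{ev['obj']}"
        body = ev['body']
        if ev['method'] == 'DELETE':
            findings.append(f"{ev['ts']} delete: {who} ({ev['detail']})")
        elif isinstance(body, dict) and body.get('_function') == 'restartservices':
            findings.append(f"{ev['ts']} restart: {who} option={body.get('restart_option')}")
        if ev['elapsed'] >= slow_seconds:
            findings.append(f"{ev['ts']} slow call ({ev['elapsed']:.3f}s): {who}")
    return findings
```

Scheduled-object lines carry an extra "Sched:<n>" token after the user and are not matched by this regex; the classic "Called - <command>" lines are likewise skipped, so the two formats can be filtered independently.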

Scheduling an Object

For a scheduled object, the WAPI session information for PUT/POST/DELETE calls (URI, InData, and response time) is written only on the first audit log line.

Example of Schedule object: curl -k1 -u admin:infoblox -X POST https://10.35.120.1/wapi/v2.9/network -d network=3.3.8.0/24 -d _schedinfo.scheduled_time=1540386870

Message: 2018-10-24 11:22:01.998Z [admin]: Sched:3 Created(POST) v2.9/network {'_schedinfo.scheduled_time': '1540380251', 'network': '3.3.8.0/24'} 1.7615 Network 3.3.8.0/24 network_view=default: Set address="3.3.8.0",cidr=24

Message: 2018-10-24 11:22:01.998Z [admin]: Sched:3 Created ScheduledTask 3: Set scheduled_time=2018-10-24 11:24:11.000Z,submit_time=2018-10-24 11:22:01.983Z,submitter="admin",type="SCHEDULED

Database Backup

NIOS logs information about who started the database backup and where the database backup file is stored.

Event: Successful database backup
Message: 2020-06-03 10:15:28.634Z [admin]: Called - GetGridData message=backed\040up\040database\040at\040scp\072//root:****@10.120.20.38/tmp/adf: Args message="backed up database at scp://root:****@10.120.20.38/tmp/adf"
Message: 2020-06-03 10:15:28.852Z [admin]: Called - DataGetComplete message=data\040get\040completed: Args message="data get completed