Audit logging format
The Cloud Auditing Data Federation (CADF) standard defines an event model that captures the data required for auditing: who did what, to which resource, from where, and with what outcome. You can add custom fields (for example the kubernetes.* fields below) to make the records more useful for investigation.
For more information about CADF, see the DMTF Cloud Auditing Data Federation (CADF) specification.
The following example event shows the important fields. Note that the values under initiator.host are taken from request headers supplied by the caller (User-Agent and Host in the Node.js code below), so treat them as untrusted input wherever the logs are parsed or displayed:
{
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
"eventType": "activity",
"id": "icp:e97c7b00-e215-11e8-abf8-79cb75b57820",
"action": "create",
"requestPath": "/identity/api/v1/teams",
"initiator": {
"typeURI": "service/security/account/user",
"name": "admin",
"credential": {
"type": "token"
},
"host": {
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15",
"address": "icp-management-ingress:8443"
}
},
"target": {
"id": "c4e8170e90a7c01a228fbef74c22245d2665cefffac1662907a6a75e82319a74",
"name": "icp-testing-audit-logs",
"actions": {
"name": "icp-testing-audit-logs",
"teamId": "icp-testing-audit-logs",
"users": [],
"usergroups": [],
"directoryList": []
},
"typeURI": "service/security/group"
},
"observer": {
"id": "target"
},
"severity": "normal",
"outcome": "success",
"reason": {
"reasonType": "HTTP",
"reasonCode": 200
},
"eventTime": "2018-11-06T22:47:17.424Z",
"kubernetes.container_id": "c4e8170e90a7c01a228fbef74c22245d2665cefffac1662907a6a75e82319a74",
"kubernetes.container_name": "platform-identity-management",
"kubernetes.pod": "auth-idp-mw2x9",
"kubernetes.namespace": "kube-system",
"origination": "ui",
"version": "v1.0"
}
Go language CADF structure
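// CADF is the audit record a platform service emits for one request. It
// follows the DMTF Cloud Auditing Data Federation event model (the
// http://schemas.dmtf.org/cloud/audit/1.0/event typeURI) plus the
// kubernetes.*, origination and version extensions used on this platform.
//
// The JSON tags match the example event shown above. Marshal with
// encoding/json; nested value structs are always emitted, so an unknown
// value appears as an empty string rather than a missing key.
type CADF struct {
	// TypeURI identifies the event schema (the CADF 1.0 event URI above).
	TypeURI string `json:"typeURI"`
	// Action is the operation performed, e.g. "create".
	Action string `json:"action"`
	// ID uniquely identifies the event (the example uses "icp:<uuid>").
	ID string `json:"id"`
	// Initiator describes who performed the action and how they authenticated.
	Initiator struct {
		Name    string `json:"name"`
		TypeURI string `json:"typeURI"`
		// Credential records only the authentication method ("token" in the
		// example). Never place the credential value itself in an audit record;
		// audit logs are typically readable far more widely than the secret.
		Credential struct {
			Type string `json:"type"`
		} `json:"credential"`
		// Host records where the request came from. It is present in the JSON
		// example and the Node.js structure but was missing here. Both values
		// originate from the caller's HTTP request, so consumers must treat
		// them as untrusted (unbounded, attacker-chosen strings).
		Host struct {
			UserAgent string `json:"user-agent"`
			Address   string `json:"address"`
		} `json:"host"`
	} `json:"initiator"`
	// Target is the resource the action was applied to.
	Target struct {
		ID      string `json:"id"`
		Name    string `json:"name"`
		TypeURI string `json:"typeURI"`
		// Actions is the free-form payload shown under target.actions in the
		// example (presumably the request body the service acted on — confirm
		// with the producing service). Left nil, it is omitted from the JSON,
		// so existing producers emit exactly what they did before.
		Actions map[string]interface{} `json:"actions,omitempty"`
	} `json:"target"`
	RequestPath string `json:"requestPath"`
	EventType   string `json:"eventType"`
	Severity    string `json:"severity"`
	// Outcome is the coarse result ("success" in the example); Reason carries
	// the detail needed to tell an authorization failure from a server error.
	Outcome string `json:"outcome"`
	// Reason was missing from this struct even though the JSON example and the
	// Node.js structure both carry it; without it a Go producer could not
	// record the HTTP status (e.g. 401/403) that explains a failed outcome.
	Reason struct {
		ReasonType string `json:"reasonType"`
		ReasonCode int    `json:"reasonCode"`
	} `json:"reason"`
	// EventTime is the event timestamp as a string; the example uses an
	// RFC 3339 UTC value ("2018-11-06T22:47:17.424Z").
	EventTime string `json:"eventTime"`
	// Workload identity of the emitting container, for correlating the record
	// with the pod that produced it.
	KubernetesContainerID   string `json:"kubernetes.container_id"`
	KubernetesContainerName string `json:"kubernetes.container_name"`
	KubernetesPod           string `json:"kubernetes.pod"`
	KubernetesNamespace     string `json:"kubernetes.namespace"`
	// Observer identifies the component that recorded the event; the example
	// sets it to "target", i.e. the service acted on recorded its own event.
	Observer struct {
		ID string `json:"id"`
	} `json:"observer"`
	// Origination is the channel the request came through ("ui" in the example).
	Origination string `json:"origination"`
	// Version is the version of this record format ("v1.0").
	Version string `json:"version"`
}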
Node.js CADF structure
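// Upper bound on header values copied verbatim into the audit record.
// User-Agent is chosen by the caller, so an unbounded value lets a client
// bloat the log or break size-limited downstream pipelines.
const MAX_HEADER_LOG_LEN = 1024;

// Truncate a header value for logging; non-string values (an absent header
// is undefined) pass through unchanged so the key is still omitted as before.
const clipHeader = (v) => (typeof v === 'string' ? v.slice(0, MAX_HEADER_LOG_LEN) : v);

// CADF activity event for one handled request. uuid1, action, path, user,
// req, cont_id, res, actions, map, severity, outcome, status and expT are
// supplied by the surrounding handler; parseUrl and identifyOrig are helpers
// defined elsewhere in this service.
let cadf = {
  "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
  "eventType": "activity",
  // Unary `+uuid1` coerced the UUID string to a number, which is NaN and is
  // serialised as null, so every event lost its identifier. Build the
  // "icp:<uuid>" form shown in the example event instead.
  "id": "icp:" + uuid1,
  "action": action,
  "requestPath": path,
  "initiator": {
    // Only claim a user-type initiator when a user is actually known.
    "typeURI": (user ? "service/security/account/user": ''),
    "name": user,
    "credential": {
      // Record the authentication method only, never the token value.
      "type":"token"
    },
    "host": {
      "user-agent": clipHeader(req.headers['user-agent']),
      // The Host header names the server the client addressed (the ingress
      // in the example), not the caller, and it is client-controlled. Record
      // the peer address of the connection instead. If this service sits
      // behind a trusted proxy, replace this with the forwarded-for value
      // that the proxy sets — but only when the proxy is known to overwrite it.
      "address": req.socket && req.socket.remoteAddress
    }
  },
  "target": {
    "id": cont_id,
    "name": res,
    "actions": actions,
    "typeURI": (map ? map: parseUrl(path)) // pretend this app is a service
  },
  "observer": {
    "id": "target"
  },
  "severity" : severity,
  "outcome": outcome,
  "reason": {
    "reasonType":"HTTP",
    "reasonCode": status, // like 200 or 400
  },
  "eventTime": expT,
  // Workload identity of the emitting container, read from the pod's
  // environment so records can be traced back to the producing pod.
  "kubernetes.container_id": cont_id,
  "kubernetes.container_name": process.env.SERVICE_NAME,
  "kubernetes.pod": process.env.POD_NAME || process.env.HOSTNAME,
  "kubernetes.namespace": process.env.POD_NAMESPACE,
  // Referer and User-Agent are caller-controlled; identifyOrig only derives
  // a channel label from them, and that label is what gets logged.
  "origination": identifyOrig(req.headers['referer'] || req.headers['user-agent']),
  "version": "v1.0"
};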