Audit Logging for the SwiftStack Controller

Messages

For auditing purposes, certain events need to be logged by SwiftStack Controller On-Premises controllers. Events that seem to be normal operation are logged at the INFO level, while ones that seem to be abnormal are logged as WARNING. Changing the audit logging level is logged as CRITICAL (thus always logged).

These events include:

Warnings:

  • Attempting to use an invalid invite code
  • Being prevented from changing roles for a user
  • Being prevented from changing roles for an invitation
  • Being prevented from creating an invitation
  • Being prevented from deleting a user
  • Being prevented from creating an API key
  • Being prevented from deleting an API key

Informational messages:

  • Login succeeded
  • Logout succeeded
  • Login attempt failed
  • Invite code claimed
  • User created
  • Changed roles for user
  • Changed roles for invitation
  • Created invitation
  • Deleted user
  • Created an API key
  • Deleted an API key

Configuration

You can either have audit messages logged go to a local file, or they can be sent to syslog for more complex routing. By default, audit messages are logged to the local file, /opt/ss/var/log/ssaudit.log.

To route to a local file:

On the Controller Networking configuration page, under Audit Logging, set "Where to log SwiftStack Controller audit data" to a string of the form file:<path> where <path> is a path to a local file on disk. Then click "Save Changes".

To route to syslog:

On the Controller Networking configuration page, under Audit Logging, set "Where to log SwiftStack Controller audit data" to a string of the form syslog[:<system name or ip>[:<port>[:<facility>]]] where <system name or ip> is the hostname or IP address of your syslog server, <port> is an optional port, and <facility> is the syslog facility to use when sending the messages. Then click "Save Changes".

If not specified, the system is localhost, the port is 514, and the facility is LOCAL0.

The logging level of audit messages is also configured on the Controller Networking configuration page, under Audit Logging.