Audit Log Settings for v8.1 and Below
The Audit Log feature is currently under development. Only some of its planned capabilities are functional in this version of ControlUp (v. 7.2), and these features are experimental.
Internal audit logs document changes within a system and actions performed by the system remotely, enabling system administrators to monitor those changes and activities. Such logs are primarily used in corporate environments.
ControlUp is currently developing an Audit Log feature. When the feature is completed, it will be capable of logging information in its internal logs about two types of events:
- Changes made to ControlUp’s configuration settings, such as creating a new user or adding a new hypervisor
- Remote operations performed on managed assets through ControlUp, such as rebooting a VM or killing a process on a managed computer
In its first phase of development, the ControlUp Audit Log feature can only record information about service operations initiated by ControlUp, and only SysLog and local-disk log storage are supported.
The Audit Log feature is optional, and by default is not activated. If IT staff want to use it, they must turn it on and configure it, as explained below.
Where Are the Audit Logs Stored?
When the Audit Log feature is activated, it can save log data in up to three distinct data stores:
- ControlUp cloud: The Insights database on the ControlUp server (mandatory, when supported). This functionality is not yet available. However, once it is available, it will be activated automatically whenever the Audit Log feature is turned on, and it will not be possible to opt out of it.
- SysLog: A SysLog server within the organization’s network (optional)
- Local disk: A CSV file stored locally on the Console or Monitor machine from which ControlUp’s actions were initiated (optional)
What Data Is Included in the Audit Logs?
At present, only service operations (start service, stop service, restart service, edit service properties, etc.) are logged by the Audit Log system. In the future, all ControlUp actions – both changes within ControlUp and changes to resources managed by ControlUp – will be logged.
For each entry in the audit logs, the following information is stored:
- Date and time when the event was initiated.
- The source of the event (Web client, Console, PowerShell, automated action, Insights, etc.).
- The status of the event (initiated, completed, aborted, error, etc.).
- The hostname or IP address of the computer from which the event was initiated.
- The user account of the user who initiated the event (the Requesting User).
- The user account that was used to execute the command. If this is the same as the Requesting User, this field is left blank.
- The type of action that was performed (kill process, add computer, etc.).
- Supplementary information that is specific to the command.
- The type of the target object (process, session, computer, host, NetScaler, organization, folder, datastore, vDisk, etc.).
- The name of the target object (computer hostname, hostname, NetScaler name, organization name, username, etc.).
- The type of object on which the command was executed.
- The name of the object on which the command was executed (computer hostname, hypervisor name, NetScaler name, organization name, username, etc.).
- The output of the operation.
- All metrics of the target object at the moment of the event.
- All metrics of all target object predecessors (parent objects) at the moment of the event.
- All metrics of all target object successors (child objects) at the moment of the event.
- For each metric, at the moment of the event, the current value, the average in history and the max in history are saved.
- The computer where the operation was executed (CU Console / CU Monitor / CU Agent).
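The field rules above applied to a few local-disk entries, as an added example that is not ControlUp code: the CSV column names are assumed (the page lists the stored fields but not the headers) and the sample rows are constructed. The page-specific rule it implements is that a blank executing-user field means the command ran as the requesting user.

```python
"""Read local audit-log CSV entries and apply the page's blank-field rule.

Added example, not ControlUp code. Column names are assumed; rows are
constructed. A blank "Executing User" means the command ran as the
"Requesting User", so it is filled in before any comparison.
"""
import csv
import io
from collections import Counter

# Constructed sample with assumed header names (not the real CSV layout).
SAMPLE_CSV = r"""Time,Source,Status,Origin Host,Requesting User,Executing User,Action,Target Type,Target Name,Output
2021-03-01T10:00:00,Console,completed,WS01,lab\alice,,restart service,computer,SRV01,OK
2021-03-01T10:05:00,PowerShell,error,WS02,lab\bob,lab\svc_cu,stop service,computer,SRV02,Access denied
2021-03-01T10:07:00,Console,aborted,WS01,lab\alice,,stop service,computer,SRV03,
"""


def load_entries(text: str) -> list:
    """Parse CSV text into dicts, filling Executing User per the blank rule."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if not row["Executing User"]:
            row["Executing User"] = row["Requesting User"]
    return rows


def delegated_entries(rows: list) -> list:
    """Entries executed under an account other than the one that requested them."""
    return [r for r in rows if r["Executing User"] != r["Requesting User"]]


def status_counts(rows: list) -> Counter:
    """Number of operations per status (initiated, completed, aborted, error)."""
    return Counter(r["Status"] for r in rows)
```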
Modes of Operation
The Audit Log feature supports two alternative modes of operation:
- Regular mode (default) : Each operation is logged in a single entry when it is executed.
- Enforced mode: Operations cannot be executed until they are logged. No operations can be executed until acknowledgement is received from the relevant data stores that the entry was successfully recorded.
The SysLog system does not support the sending of acknowledgments. Because of this, even when Enforced mode is selected, and the SysLog option is also activated, ControlUp does not require an acknowledgment from the SysLog before allowing an operation to be executed. In ControlUp v.7.2, since the cloud data store is not yet functional, this means that Enforced mode has no effect unless the Local Disk storage option (see Where Are the Audit Logs Stored?) is activated.
In Enforced mode, if the system fails to open an audit-log entry for an operation after three attempts, the operation is canceled, and an error message is returned.
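The gating behaviour described above, as an added example that is not ControlUp code: a small Python model in which the SysLog store never acknowledges, the local-disk store can, and Enforced mode cancels an operation after three unacknowledged attempts. Class and function names are assumed.

```python
"""Model of Regular vs Enforced audit-log mode as described on this page.

Added example, not ControlUp code. The three-attempt limit and the
SysLog-never-acknowledges rule come from the page; names are assumed.
"""
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # page: three failed attempts cancel the operation


class AuditError(Exception):
    """Raised in Enforced mode when an entry could not be recorded."""


@dataclass
class DataStore:
    name: str
    requires_ack: bool          # False for SysLog: it sends no acknowledgements
    fail_writes: int = 0        # constructed: writes that fail before one succeeds
    entries: list = field(default_factory=list)

    def write(self, entry: dict) -> bool:
        """Record the entry; return True only when the store acknowledged it."""
        if self.fail_writes > 0:
            self.fail_writes -= 1
            return False
        self.entries.append(entry)
        return True


def run_operation(op: str, stores: list, enforced: bool, execute):
    """Log `op` to every store, then run `execute()`.

    Regular mode: one write per store, then execute regardless of outcome.
    Enforced mode: a store that can acknowledge must do so (up to
    MAX_ATTEMPTS); otherwise the operation is cancelled with an error.
    """
    entry = {"action": op, "status": "initiated"}
    for store in stores:
        gating = enforced and store.requires_ack
        attempts = MAX_ATTEMPTS if gating else 1
        acked = any(store.write(entry) for _ in range(attempts))
        if gating and not acked:
            raise AuditError(f"{op} cancelled: {store.name} did not acknowledge")
    return execute()
```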
Configuring and Activating the Audit Log Feature
The Audit Log feature can be configured and activated in the ControlUp Console settings.
To configure and activate the Audit Log feature:
- In the ControlUp Management Console, under Settings, select the Audit Log button. The Audit Log settings open.
- Configure the settings as follows:
Enable Audit Logging
Select this option to activate the Audit Log system.
Note: In the future, selecting this option will automatically activate the cloud audit log. Currently, since the cloud log is not yet functional, if you want a log to be created, you must also select Save to local disk and/or Send to SysLog server.
Fail action if auditing fails
Select this option to turn on Enforced mode, which prevents actions from being performed if they are not successfully logged first (see Modes of Operation).
Save to local disk
Select this option to save a local audit log on each ControlUp Console or Monitor machine. Each log will save information about the ControlUp actions that were initiated from that machine.
Send to Syslog server
Select this option to save a central audit log to a Syslog server in the organization.
After you select this option, fill in the following fields:
· IP/hostname: Enter the IP address or hostname of the SysLog server.
· Port: Enter the port to use to connect to the Syslog server.
· Protocol: Select the protocol to use to connect to the SysLog server – UDP or TCP.
- Select OK (or Apply). The Audit Log feature is activated with the settings you specified.
Viewing the Logs
Each of the three logs is accessed in a different way:
- ControlUp cloud: Once support for the cloud data store is implemented, it will be possible to view a report in the ControlUp Insights portal. Data will be retained in this log for a period of a year after it was first recorded.
- SysLog: The contents of the SysLog data store can be viewed using any standard Syslog reader (e.g., Splunk).
- Local disk: Local audit logs are stored in the form of up to ten rotating files, named CUAudit.csv, CUAudit1.csv, CUAudit2.csv, … CUAudit9.csv, each of which contains a maximum of 50 MB of data. The CUAudit.csv file contains the newest data; the higher the number in the name of one of the other files, the older the data that file contains. When all of the files are full, the oldest one is deleted, and the numbers in the names of all the others are incremented by one.
The audit-log files are stored in the folder in which the Console or Monitor executable itself (ControlUpConsole.exe or cuMonitor.exe) is stored (e.g. C:\Program Files\Smart-X\ControlUpMonitor\Version 22.214.171.124 for the Monitor). The files can be opened using any application that can handle CSV files (e.g., MS Excel). The screenshot below shows an audit log which was stored locally in a CSV file, opened in MS Excel.
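The rotation scheme described above, as an added example that is not ControlUp code: it reproduces the ten-file CUAudit.csv .. CUAudit9.csv scheme with the 50 MB cap, and lists the files oldest-first so the whole retained history can be read in chronological order. Function names are assumed, and the demo uses a tiny cap in a temporary folder.

```python
"""Model of the local audit-log file rotation described on this page.

Added example, not ControlUp code. File names, the ten-file limit and the
50 MB cap come from the page; the function names are assumed.
"""
import os
import re
import tempfile

MAX_FILES = 10
MAX_BYTES = 50 * 1024 * 1024
NAME_RE = re.compile(r"^CUAudit(\d?)\.csv$")


def path_for(folder: str, n: int) -> str:
    """CUAudit.csv for n == 0 (newest), CUAudit<n>.csv for older files."""
    return os.path.join(folder, "CUAudit.csv" if n == 0 else f"CUAudit{n}.csv")


def audit_files_oldest_first(folder: str) -> list:
    """Names of CUAudit*.csv in `folder`, oldest data first, CUAudit.csv last."""
    found = [(int(m.group(1) or 0), name) for name in os.listdir(folder)
             if (m := NAME_RE.match(name))]
    return [name for _, name in sorted(found, reverse=True)]


def rotate(folder: str, max_bytes: int = MAX_BYTES) -> bool:
    """Rotate once CUAudit.csv has reached max_bytes; return True if rotated."""
    current = path_for(folder, 0)
    if not os.path.exists(current) or os.path.getsize(current) < max_bytes:
        return False
    if os.path.exists(path_for(folder, MAX_FILES - 1)):
        os.remove(path_for(folder, MAX_FILES - 1))   # oldest data is discarded
    for n in range(MAX_FILES - 2, -1, -1):             # shift 8 -> 9 ... 0 -> 1
        if os.path.exists(path_for(folder, n)):
            os.replace(path_for(folder, n), path_for(folder, n + 1))
    open(current, "w").close()                         # fresh newest file
    return True


def demo(rows_per_file: int = 3, rounds: int = 12) -> list:
    """Fill and rotate in a temp folder with a tiny cap; return surviving names."""
    folder = tempfile.mkdtemp()
    cap = len("row\n") * rows_per_file                 # constructed tiny cap
    for _ in range(rounds):
        with open(path_for(folder, 0), "a") as f:
            f.write("row\n" * rows_per_file)
        rotate(folder, cap)
    return audit_files_oldest_first(folder)
```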