Audit Log Settings

NOTE: The Audit Log feature is currently under development. Only some of its planned capabilities are functional in this version of ControlUp (v. 7.2), and these features are experimental.

Internal audit logs document changes within a system and actions performed by the system remotely, enabling system administrators to monitor those changes and activities. Such logs are primarily used in corporate environments.

ControlUp is currently developing an Audit Log feature. When the feature is completed, it will be capable of logging information in its internal logs about two types of events:

  • Changes made to ControlUp’s configuration settings, such as creating a new user or adding a new hypervisor
  • Remote operations performed on managed assets through ControlUp, such as rebooting a VM or killing a process on a managed computer

In its first phase of development, the ControlUp Audit Log feature can only record information about service operations initiated by ControlUp, and only SysLog and local-disk log storage are supported.

The Audit Log feature is optional, and by default is not activated. If IT staff want to use it, they must turn it on and configure it, as explained below.

Where Are the Audit Logs Stored?

When the Audit Log feature is activated, it can save log data in up to three distinct data stores:

  • ControlUp cloud: The Insights database on the ControlUp server (mandatory, when supported)
    NOTE: This functionality is not yet available. However, once it is available, it will be activated automatically whenever the Audit Log feature is turned on, and it will not be possible to opt out of it.
  • SysLog: A SysLog server within the organization’s network (optional)
  • Local disk: A CSV file stored locally on the Console or Monitor machine from which ControlUp’s actions were initiated (optional)

What Data Is Included in the Audit Logs?

At present, only service operations (start service, stop service, restart service, edit service properties, etc.) are logged by the Audit Log system. In the future, all ControlUp actions – both changes within ControlUp and changes to resources managed by ControlUp – will be logged.

For each entry in the audit logs, the following information is stored: 

| Item | Description |
| --- | --- |
| Date | Date and time when the event was initiated |
| Origin | The source of the event (Web client, Console, PowerShell, automated action, Insights, etc.) |
| Status | The status of the event (initiated, completed, aborted, error, etc.) |
| Requesting Computer | The hostname or IP address of the computer from which the event was initiated |
| Requesting User | The user account of the user who initiated the event |
| Credentials | The user account that was used to execute the command. Note: If this is the same as the Requesting User, this field is left blank. |
| Activity | The type of action that was performed (kill process, add computer, etc.) |
| Details | Supplementary information that is specific to the command |
| Target Type | The type of object on which the command was executed |
| Target Name | The name of the object on which the command was executed (computer hostname, hypervisor name, Netscaler name, organization name, username, etc.) |
| Output | The output of the operation |

Modes of Operation

The Audit Log feature supports two alternative modes of operation:

  • Regular mode (default): Each operation is logged in a single entry when it is executed.
  • Enforced mode: An operation cannot be executed until it has been logged, that is, until acknowledgement is received from the relevant data stores that the entry was successfully recorded.

NOTE: The SysLog system does not support the sending of acknowledgements. Because of this, even when Enforced mode is selected, and the SysLog option is also activated, ControlUp does not require an acknowledgement from the SysLog before allowing an operation to be executed. In ControlUp v.7.2, since the cloud data store is not yet functional, this means that Enforced mode has no effect unless the Local Disk storage option (see Where Are the Audit Logs Stored?) is activated.

In Enforced mode, if the system fails to open an audit-log entry for an operation after three attempts, the operation is cancelled, and an error message is returned.
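The interaction between Enforced mode, the three-attempt limit and SysLog's lack of acknowledgements can be modelled as follows. This is an added illustration in Python, not ControlUp code: the Store class, run_operation, the retry behaviour in Regular mode and the simulated failures are all hypothetical.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # the article: cancelled after three failed attempts

@dataclass
class Store:
    """Hypothetical stand-in for one audit data store."""
    name: str
    acknowledges: bool            # False for SysLog, which sends no acknowledgement
    failures: int = 0             # constructed fault: the first N writes fail
    entries: list = field(default_factory=list)

    def write(self, entry):
        if self.failures > 0:
            self.failures -= 1
            return False
        self.entries.append(entry)
        return True

def enforcement_effective(stores):
    """Enforced mode can only block on stores that acknowledge writes."""
    return any(s.acknowledges for s in stores)

def run_operation(op, stores, enforced, executed):
    """Log the operation, then run it; return 'executed' or 'cancelled'."""
    for store in stores:
        if not store.acknowledges:
            store.write(op)       # sent without waiting; outcome never checked
            continue
        logged = any(store.write(op) for _ in range(MAX_ATTEMPTS))
        if enforced and not logged:
            return "cancelled"    # nothing runs without a confirmed entry
    executed.append(op)           # stands in for the real remote action
    return "executed"

def scenarios():
    """Constructed cases; 99 failures stands for a store that is down."""
    op, ran = "restart service on SRV01", []
    return {
        "enforced, disk down": run_operation(op, [Store("local disk", True, 99)], True, ran),
        "enforced, disk ok on 3rd try": run_operation(op, [Store("local disk", True, 2)], True, ran),
        "regular, disk down": run_operation(op, [Store("local disk", True, 99)], False, ran),
        "enforced, SysLog only, down": run_operation(op, [Store("SysLog", False, 99)], True, ran),
    }

if __name__ == "__main__":
    print(scenarios())
```

The last scenario is the one to watch for in v7.2: with SysLog as the only store, the operation runs even though no entry was recorded, so Enforced mode should be paired with the Local Disk option.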

Configuring and Activating the Audit Log Feature

The Audit Log feature can be configured and activated in the ControlUp Console settings.

To configure and activate the Audit Log feature:

1. In the ControlUp Management Console, under Settings, select the Audit Log button. The Audit Log settings open.

[Figure: Audit Log settings]

2. Configure the settings as follows:

| Setting | Description |
| --- | --- |
| Enable Audit Logging | Select this option to activate the Audit Log system. Note: In the future, selecting this option will automatically activate the cloud audit-log. Currently, since the cloud log is not yet functional, if you want a log to be created, you must also select Save to local disk and/or Send to SysLog server. |
| Fail action if auditing fails | Select this option to turn on Enforced mode, which prevents actions from being performed if they are not successfully logged first (see Modes of Operation). |
| Save to local disk | Select this option to save a local audit-log on each ControlUp Console or Monitor machine. Each log will save information about the ControlUp actions that were initiated from that machine. |
| Send to SysLog server | Select this option to save a central audit log to a SysLog server in the organization. After you select this option, fill in the following fields: IP/hostname (the IP address or hostname of the SysLog server); Port (the port to use to connect to the SysLog server); Protocol (the protocol to use to connect to the SysLog server, UDP or TCP). |

3. Select OK (or Apply). The Audit Log feature is activated with the settings you specified.

Viewing the Logs

Each of the three logs is accessed in a different way:

  • ControlUp cloud: Once support for the cloud data-store is implemented, it will be possible to view a report in the ControlUp Insights portal. Data will be retained in this log for a period of a year after it was first recorded.
  • SysLog: The contents of the SysLog data-store can be viewed using any standard SysLog reader (e.g., Splunk).
  • Local disk: Local audit logs are stored in the form of up to ten rotating files, named CUAudit.csv, CUAudit1.csv, CUAudit2.csv, … CUAudit9.csv, each of which contains a maximum of 50 MB of data. The CUAudit.csv file contains the newest data; the higher the numbers in the names of the other files, the older the data those files contain. When all of the files are full, the oldest one is deleted, and the numbers in the names of all the others are incremented by one.
    The audit-log files are stored in the folder in which the Console or Monitor executable itself (ControlUpConsole.exe or cuMonitor.exe) is stored (e.g. C:\Program Files\Smart-X\ControlUpMonitor\Version 7.2.0.59 for the Monitor). The files can be opened using any application that can handle CSV files (e.g., MS Excel).

[Figure: Audit Log stored locally in a CSV file, opened in MS Excel]
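As an added example (not ControlUp's own tooling), the following Python script reads the rotating local files oldest first and flags entries whose Credentials field is populated or whose Status shows a failure. It assumes the CSV header row uses the field names listed under What Data Is Included in the Audit Logs? and that Status holds the literal words given there; the sample rows and account names are constructed.

```python
import csv
import re
import tempfile
from pathlib import Path

# Assumption: header names and Status words match those listed in the article.
ROTATED = re.compile(r"^CUAudit(\d?)\.csv$", re.IGNORECASE)
HEADER = "Date,Status,Requesting User,Credentials,Activity,Target Name\n"

def rotation_order(folder):
    """Audit files oldest first: CUAudit9.csv ... CUAudit1.csv, then CUAudit.csv
    (no digit marks the newest file, treated here as generation 0)."""
    hits = [(ROTATED.match(p.name), p) for p in Path(folder).iterdir()]
    gens = [(int(m.group(1) or 0), p) for m, p in hits if m]
    return [p for _, p in sorted(gens, key=lambda g: g[0], reverse=True)]

def load(folder):
    """Read all rotated files into one chronological list of rows."""
    rows = []
    for path in rotation_order(folder):
        with open(path, newline="", encoding="utf-8-sig") as fh:
            rows.extend(csv.DictReader(fh))
    return rows

def review(rows):
    """Return (row, reasons) for entries that deserve a second look."""
    findings = []
    for row in rows:
        reasons = []
        # A non-blank Credentials value means the command ran as another account.
        if (row.get("Credentials") or "").strip():
            reasons.append("ran under a different account")
        if (row.get("Status") or "").strip().lower() in {"error", "aborted"}:
            reasons.append("did not complete")
        if reasons:
            findings.append((row, reasons))
    return findings

def demo():
    """Constructed sample: two rotated files written to a temporary folder."""
    old = HEADER + "2019-01-02 09:00,completed,CORP\\alice,,Stop service,SRV01\n"
    new = (HEADER + "2019-01-03 10:00,completed,CORP\\bob,CORP\\svc,Restart service,SRV02\n"
           + "2019-01-03 10:05,error,CORP\\alice,,Start service,SRV03\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "CUAudit1.csv").write_text(old)
        Path(d, "CUAudit.csv").write_text(new)
        return [(r["Target Name"], why) for r, why in review(load(d))]

if __name__ == "__main__":
    print(demo())
```

Because each Console or Monitor machine keeps its own files, run the review per machine or collect the folders centrally first.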
