Gateway's audit log of user actions is designed for machine parsing so that it can be used for auditing, compliance monitoring, API request analysis, and SLA reporting.
See Gateway Configuration for configuring the logging output.
Audit Log Message Fields
This section focuses on the format of the audit logs to allow for integration and development of applications that use them.
These are the fields that appear in logging output. These are only definitions and not the format of any particular log message.
Field Name | Description |
---|---|
Auth Domain | Tenant or storage domain name used to authenticate user; tenant names prefixed with "+" |
Auth User | User ID used to authenticate; empty if anonymous |
Bucket | Name of bucket |
DNS Domain | Origin DNS domain; value of Host header from the request |
Domain | Swarm domain name to which the operation refers |
Elapsed Time | Transaction time in milliseconds |
HTTP Code | Request response code. Exceptions in request handling return a 500. All SCSP requests that have authorization errors output a 401. |
Log Level | Logging level for the audit log entry |
Message Type | Message category to simplify filtering |
Object Name or UUID | Name of object, excluding bucket name, or UUID for unnamed streams |
Operation | The operation. Examples: POST, HEAD, DELETE, INVOKE |
Record Format Version | Audit log record format version. This changes if the format of the output records differs from the previous release. |
Request ID | A unique identifier for client request attached to all associated audit messages. This value matches the HTTP response header Gateway-Request-Id given to the client and is used in the server log. |
Response Bytes | Number of bytes sent to Source IP in the HTTP response body |
Source Bytes | Number of bytes received from Source IP in the message body |
Source IP | IP address from which a request originated |
Timestamp | High-resolution timestamp, to millisecond precision |
Audit Log Message Formats
...
The fields in each log message are separated by spaces. If a field value is missing, the string "(none)" is substituted. Field values are subject to HTML URL encoding in order to make spaces, UTF-8, and other special characters safe for inclusion in the audit log entry, according to the following rules:
Alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain unchanged
Characters ".", "-", "*", and "_" remain unchanged
Space character is converted into a plus sign "+"
All other characters are converted into %HH byte values using UTF-8 encoding
Note: The "/" character in an object's name will appear as "%2F" in the log, based on the previous rules.
Common Prefix Fields
All messages will be prefixed by the following fields in this order:
Timestamp
Log Level
Request ID
Record Format Version
Source IP
DNS Domain
Message Type
Operation
Auth User
Auth Domain
HTTP Code
Source Bytes
Response Bytes
Elapsed Time
Suffix Fields
This table defines the suffix fields that are included with each log message following the common prefix fields.
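Event | Message Type | Operation | Suffix Fields |
---|---|---|---|
User requests token | Auth | GET | |
User deletes token | Auth | DELETE | |
List available domains | Admin | LIST_DOMAINS | |
Domain creation | Domain | POST | Domain |
Domain policy create/update | Domain | POLICY_PUT | Domain |
Domain policy read | Domain | POLICY_GET | Domain |
Domain policy delete | Domain | POLICY_DELETE | Domain |
Domain copy | Domain | COPY | Domain |
Domain delete | Domain | DELETE | Domain |
Domain read | Domain | GET | Domain |
Domain info | Domain | HEAD | Domain |
List buckets in a domain | Domain | LIST_BUCKETS | Domain |
Bucket creation | Bucket | POST | Domain, Bucket |
Bucket policy create/update | Bucket | POLICY_PUT | Domain, Bucket |
Bucket policy read | Bucket | POLICY_GET | Domain, Bucket |
Bucket policy delete | Bucket | POLICY_DELETE | Domain, Bucket |
Bucket copy | Bucket | COPY | Domain, Bucket |
Bucket delete | Bucket | DELETE | Domain, Bucket |
Bucket read | Bucket | GET | Domain, Bucket |
Bucket info | Bucket | HEAD | Domain, Bucket |
List objects in a bucket | Bucket | LIST_OBJECTS | Domain, Bucket |
S3 list multiparts | Bucket | LIST_MULTIPARTS | Domain, Bucket |
Object creation | Scsp | POST | Domain, Bucket, Object name or UUID |
Object update | Scsp | PUT | Domain, Bucket, Object name or UUID |
Object append | Scsp | APPEND | Domain, Bucket, Object name or UUID |
Object copy | Scsp | COPY | Domain, Bucket, Object name or UUID |
Object delete | Scsp | DELETE | Domain, Bucket, Object name or UUID |
Object read | Scsp | GET | Domain, Bucket, Object name or UUID |
Object info | Scsp | HEAD | Domain, Bucket, Object name or UUID |
S3 multipart initiate | Scsp | MULTIPART_INITIATE | Domain, Bucket, Object name |
S3 multipart put | Scsp | MULTIPART_PUT | Domain, Bucket, Object name |
S3 multipart copy | Scsp | MULTIPART_COPY | Domain, Bucket, Object name |
S3 multipart abort | Scsp | MULTIPART_ABORT | Domain, Bucket, Object name |
S3 multipart complete | Scsp | MULTIPART_COMPLETE | Domain, Bucket, Object name |
S3 list multipart | Scsp | LIST_MULTIPART | Domain, Bucket, Object name |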
Example Log Messages
These are examples of a variety of audit log messages.
...
...
Successful login for user muser1 to the domain nom.dom.com
```text
2019-05-13 19:28:29,671 INFO [9D9A577B66D2DD56] 2 172.20.1.1 172.20.1.2 Auth POST muser1 nom.dom.com 201 0 0 0.48
```
Successful POST of a bucket named redbucket by user admin1
```text
2019-05-13 19:28:25,070 INFO [7169E3D6DD5656B9] 2 172.20.1.1 172.20.1.2 Bucket POST admin1 nom.dom.com 201 0 44 0.65 nom.dom.com redbucket
```
401 authentication challenge on a HEAD to an unauthenticated request
```text
2019-05-13 19:28:36,632 INFO [85822E93CFBC6F12] 2 172.20.1.1 172.20.1.2 Bucket HEAD (none) nom.dom.com 401 0 0 0.72 nom.dom.com redbucket
```
Writing an object named water.jpg to bucket bluebucket without being required to authenticate
```text
2019-05-15 14:54:31,616 INFO [D2AC19A94ECA5A51] 2 172.20.1.1 172.20.1.2 Scsp POST (none) open.dom.com 201 10 44 1.05 open.dom.com bluebucket water.jpg
```
Reading an object named water.jpg from bucket bluebucket without being required to authenticate
```text
2019-05-15 14:54:31,818 INFO [86B6E646C65DC83B] 2 172.20.1.1 172.20.1.2 Scsp GET (none) open.dom.com 200 0 10 1.12 open.dom.com bluebucket water.jpg
```
Listing a bucket without being required to authenticate
```text
2019-05-15 14:54:45,236 INFO [C87A09C1FCCCE581] 2 172.20.1.1 172.20.1.2 Bucket LIST_OBJECTS (none) open.dom.com 200 0 273 2.57 open.dom.com bluebucket
```
Listing a domain as user admin1
```text
2019-05-15 16:32:14,560 INFO [CAE97BE991DE877A] 2 172.20.1.1 172.20.1.2 Domain LIST_BUCKETS admin1 nom.dom.com 200 0 180 2.38 nom.dom.com
```
Administrative override and replacement of domain's Policy by user superuser from root IDSYS
```text
2019-10-16 10:37:29,719 INFO [D580617E135E35DF] 2 172.30.1.1 172.20.1.2 Domain POLICY_PUT !superuser@ nom.dom.com 201 123 0 1.08 nom.dom.com
```
...
INVOKE operations — The optional feature Video Clipping (v11.0) logs INVOKE operations. Each video clipping event logs multiple events to provide auditing through the process, which might take a while to complete. When you create a video clip, Gateway acknowledges the request with an INVOKE message. See Video Clipping for Partial File Restore.
Application-Supplied Tag
Gateway's audit logging allows the client application to supply a custom tag that can be used to correlate multiple audit log entries to one application-level transaction. The application specifies this tag in a Gateway-Audit-Id request header; the tag must be alphanumeric and is truncated at 32 characters. When this optional tag is received, the Request ID field of the audit log entry contains the request identifier automatically generated by the Gateway, a dash ("-"), and the application-supplied tag.
...
Example of a normal request identifier and one with the application supplied tag trans123
```text
2019-12-10 09:30:45,360 INFO [1813AC1764D48125] ...
2019-12-10 09:30:45,360 INFO [2AF5F226122D9673-trans123] ...
```
When the application-supplied tag is used for multiple operations, even across multiple Gateway servers, the request identifiers remain unique with a common suffix.
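A parser for the record layout described on this page, as an added example (not Gateway's own code): it splits the common prefix and suffix fields, reverses the URL encoding, separates the application-supplied tag from the Request ID, and lists successful write operations made without an authenticated user. The dictionary key names, the `WRITE_OPS` selection, the restriction to record format 2 (the version shown in the examples) and the last sample line are assumptions made for the example.

```python
from urllib.parse import unquote_plus

PREFIX = ["log_level", "request_id", "version", "source_ip", "dns_domain",
          "message_type", "operation", "auth_user", "auth_domain",
          "http_code", "source_bytes", "response_bytes", "elapsed_ms"]
SUFFIX = ["domain", "bucket", "object"]
# Operations from the suffix-field table that change stored data or policy.
WRITE_OPS = {"POST", "PUT", "APPEND", "COPY", "DELETE", "POLICY_PUT", "POLICY_DELETE"}
NUMERIC = {"http_code": int, "source_bytes": int, "response_bytes": int, "elapsed_ms": float}

def decode(token):
    # "(none)" marks a missing value. A literal "(none)" would be logged as
    # "%28none%29", so the sentinel has to be tested before decoding.
    return None if token == "(none)" else unquote_plus(token, encoding="utf-8")

def parse_line(line):
    tok = line.rstrip("\n").split(" ")
    if len(tok) < 2 + len(PREFIX):
        raise ValueError("truncated audit record")
    rec = {"timestamp": f"{tok[0]} {tok[1]}"}  # date and time are two tokens
    rec.update(zip(PREFIX, map(decode, tok[2:2 + len(PREFIX)])))
    if rec["version"] != "2":  # assumption: only record format 2 is handled
        raise ValueError(f"unsupported record format {rec['version']}")
    # "[<gateway id>]" or "[<gateway id>-<application tag>]"
    gateway_id, _, tag = rec["request_id"].strip("[]").partition("-")
    rec["request_id"], rec["app_tag"] = gateway_id, tag or None
    for key, cast in NUMERIC.items():
        if rec[key] is not None:
            rec[key] = cast(rec[key])
    rec.update(zip(SUFFIX, map(decode, tok[2 + len(PREFIX):])))
    return rec

def anonymous_writes(records):
    """Successful data- or policy-changing requests with no authenticated user."""
    return [r for r in records if r["auth_user"] is None
            and r["operation"] in WRITE_OPS and 200 <= (r["http_code"] or 0) < 300]

SAMPLE = [  # first three lines are examples from this page; the last is constructed
    "2019-05-15 14:54:31,616 INFO [D2AC19A94ECA5A51] 2 172.20.1.1 172.20.1.2 Scsp POST (none) open.dom.com 201 10 44 1.05 open.dom.com bluebucket water.jpg",
    "2019-05-15 14:54:31,818 INFO [86B6E646C65DC83B] 2 172.20.1.1 172.20.1.2 Scsp GET (none) open.dom.com 200 0 10 1.12 open.dom.com bluebucket water.jpg",
    "2019-05-13 19:28:36,632 INFO [85822E93CFBC6F12] 2 172.20.1.1 172.20.1.2 Bucket HEAD (none) nom.dom.com 401 0 0 0.72 nom.dom.com redbucket",
    "2019-12-10 09:30:45,360 INFO [2AF5F226122D9673-trans123] 2 172.20.1.1 172.20.1.2 Scsp PUT muser1 nom.dom.com 201 10 0 1.00 nom.dom.com redbucket photos%2Fmy+water.jpg",
]

if __name__ == "__main__":
    for r in anonymous_writes(map(parse_line, SAMPLE)):
        print(r["timestamp"], r["request_id"], r["operation"], r["bucket"], r["object"])
```

Rejecting unknown record format versions keeps a downstream report from silently misaligning fields after an upgrade that changes the layout.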