Gateway Audit Logging
- Rumena Zlatkova (Deactivated)
- Anjali Tyagi
- Bala Harish A(AC)
- Kyle Miller (Deactivated)
Gateway's audit log of user actions is designed for machine parsing so it can be used for auditing, compliance monitoring, API request analysis, and SLA reporting.
See Gateway Configuration for configuring the logging output.
Audit Log Message Fields
This section focuses on the format of the audit logs to allow for integration and development of applications that use them.
These are the fields that appear in logging output. These are only definitions and not the format of any particular log message.
Field Name | Description |
|---|---|
Auth Domain | Tenant or storage domain name used to authenticate user; tenant names prefixed with "+" |
Auth User | User ID used to authenticate; empty if anonymous |
Backend IP Address | The IP address of the backend service |
Date | Date (in YYYY-MM-DD) |
DNS Domain | Origin DNS domain; value of Host header from the request |
Swarm Domain | Swarm domain name to which operation refers to |
Elapsed Time | Transaction time in milliseconds |
HTTP Status Code | Request response code. Exceptions in request handling return a 500. All SCSP requests with authorization errors output a 401. |
Log Level | Logging level for the audit log entry |
Message Type | Message category to simplify filtering |
Object Path | The object path targeted by the request |
Operation | The operation. Examples: INVOKE, ACL, POLICY_PUT, POLICY_GET, POLICY_DELETE, MULTI_DELETE, MULTIPART_INITIATE, MULTIPART_PUT, MULTIPART_COPY, MULTIPART_ABORT, LIST_MULTIPART, LIST_MULTIPARTS, LIST_OBJECTS, LIST_BUCKETS, LIST_OBJECTS, LIST_DOMAINS |
Record Format Version | A version of the audit log record format. This changes if the format of the output records is different from the previous release. |
Request ID | A unique identifier for client requests is attached to all associated audit messages. This value matches the HTTP response header Gateway-Request-Id given to the client and is used in the server log. |
Response Bytes Count | Number of bytes sent to Source IP in the HTTP response body |
Source Bytes Count | Number of bytes received from Source IP in the message body |
Source IP Address | IP address from which a request originated |
Swarm Bucket | Name of the Swarm bucket |
Time | Time (in HH:MM:SS UTC) |
Version ID | The version ID of an object in a versioned bucket |
queryString | The query portion of the URI |
Authentication Action | The authentication action for the request. See Policy Document | Request Actions. |
Tags | Arbitrary name/value pairs for debugging purposes |
Audit Log Message Formats
Following are the output formats for all event types. All log messages share a common set of prefix fields, which includes a message type. The suffix fields in a log message are variable based on the message type. This allows for automated parsing of log messages.
The fields in each log message are separated by spaces. If a field value is missing, the string “-” is substituted. Field values are subject to URL encoding to make spaces, UTF-8, and other special characters safe for inclusion in the audit log entry.
Alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain unchanged
Other characters are displayed as encoded in the HTTP request, percent-encoding (Percent-encoding) reserved and non-ASCII characters.
Note
Before Gateway 8.0 and audit log version 4, the “/” character in an object’s name appears as “%2F” in the log.
Common Fields
The common fields/messages are as follows:
Date
Time
Log Level
Request ID
Record Format Version
Source IP Address
DNS Domain
Message Type
Operation
Auth User
Auth Domain
Http Status Code
Source Bytes Count
Response Bytes Count
Elapsed Time
Backend IP Address
Swarm Domain
Swarm Bucket
Object Path
Version ID
QueryString
Authentication Action
Tags
Audit Tags
These fields and names may change in future versions.
Field Name | Description |
|---|---|
auth | Shows the time spent in authentication and authorization |
refresh | Listings show the index "refresh" time before S3 listings ("F" means failure) |
nondelimited | Query time for non-delimiter listings |
query and commonprefixes | Query times for delimiter listings |
collections | Collections show the query time for collections |
indexing | Show the time spent synchronous indexing writes and deletes into Elasticsearch |
rswfeeds and rswtime | Requests where Remote Synchronous Writes are configured will show status and timing |
quota | Time spent evaluating quota |
Example Log Messages
These are examples of a variety of audit log messages.
Successful login for user muser1 to the domain nom.dom.com
2019-05-13 19:28:29,671 INFO [9D9A577B66D2DD56] 2 172.20.1.1 172.20.1.2
Auth POST muser1 nom.dom.com 201 0 0 0.48Successful POST of a bucket named redbucket by user admin1
2019-05-13 19:28:25,070 INFO [7169E3D6DD5656B9] 2 172.20.1.1 172.20.1.2
Bucket POST admin1 nom.dom.com 201 0 44 0.65 nom.dom.com redbucket401 authentication challenge on a HEAD to an unauthenticated request
2019-05-13 19:28:36,632 INFO [85822E93CFBC6F12] 2 172.20.1.1 172.20.1.2
Bucket HEAD (none) nom.dom.com 401 0 0 0.72 nom.dom.com redbucketWriting an object named water.jpg to bucket bluebucket without being required to authenticate
Reading an object named water.jpg to bucket bluebucket without being required to authenticate
Listing a bucket without being required to authenticate
Listing a domain as user admin1
Administrative override and replacement of domain's Policy by user superuser from root IDSYS
Locking-enabled bucket creation with a search feed indexing error
S3 object write with a search feed indexing error
Behaviors of Operations
Interrupted GET: When a GET operation is interrupted, such as if the socket closed unexpectedly prior to reading all data, the audit log may record an HTTP 200 response with response bytes equal to the size of the object. When interruption takes place, an HTTP 500 response is logged with response bytes equal to the actual number of bytes transmitted.
Duplicate Request IDs: All messages have the same Request ID so they can be correlated with the client request if multiple messages are logged from one client operation. For example, the recursive delete operation generates synthetic delete requests all with the same Request ID.
INVOKE operations: The optional feature Video Clipping (v11.0) logs INVOKE operations. Each video clipping event logs multiple events to provide auditing through the process, which may take a while to complete. When you create a video clip, Gateway acknowledges the request with an INVOKE message. See Video Clipping for Partial File Restore.
Application-Supplied Tag
Gateway's audit logging allows for the client application to supply a custom tag that can be used to correlate multiple audit log entries to one application-level transaction. The application specifies this tag in a Gateway-Audit-Id request header and it must be alpha-numeric and is truncated at 32 characters. When this optional tag is received, the Request ID field of the audit log entry contains the automatically-generated request identifier from the Gateway, a dash ("-"), and the application-supplied tag.
Example of a normal request identifier and one with the application supplied tag trans123
When the application-supplied tag is used for multiple operations, even across multiple Gateway servers, the request identifiers remain unique with a common suffix.
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.