# Audit log events

Version: 1.12  
Doc. ID: SPEC-AL

## Version history

| Date | Version | Description | Author |
| --- | --- | --- | --- |
| 11.09.2015 | 0.1 | Initial version | Kristo Heero |
| 14.09.2015 | 0.2 | Bug fixes | Kristo Heero |
| 16.09.2015 | 0.3 | Made editorial changes in introduction | Margus Freudenthal |
| 18.09.2015 | 1.0 | Editorial changes made | Imbi Nõgisto |
| 09.10.2015 | 1.1 | Delete certificate/key events of security server updated | Kristo Heero |
| 12.10.2015 | 1.2 | Updated CSR generation events. Fields nameExtractorMemberClass and nameExractorMethod replaced with field certificateProfileInfo | Kristo Heero |
| 20.10.2015 | 1.3 | New events 'Add subsystem' and 'Register management service provider as security server client' added | Kristo Heero |
| 21.10.2015 | 1.4 | New fields managementRequestId and keyLabel added | Kristo Heero |
| 23.10.2015 | 1.5 | Data field of the event 'Edit WSDL' changed | Kristo Heero |
| 08.12.2015 | 1.6 | Added audit log events for TLS internal key certificate requests and certificate import | Ilkka Seppälä |
| 10.05.2016 | 1.7 | Merged changes from xtee6-doc repo. Added new event 'Skip unregistration of authentication certificate' (change made by Meril Vaht on 10.12.2015). | Kedi Välba |
| 10.05.2020 | 1.8 | Updated to match current implementation | Janne Mattila |
| 16.02.2023 | 1.9 | Converted document from docx to markdown | Raido Kaju |
| 17.04.2023 | 1.10 | Remove central services support | Justas Samuolis |
| 05.06.2023 | 1.11 | New Central Server | Eneli Reimets |
| 09.12.2023 | 1.12 | Management service TLS certificate | Eneli Reimets |
## License

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/.
## 1 Introduction

X-Road Central Servers and Security Servers keep an audit log. The audit log events are generated by the user interfaces when the user changes system state or configuration. Additionally, the utility signer-console generates audit log events. The user actions are logged regardless of whether the outcome was a success or a failure.

This document provides a complete list of all audit log events and their related data sets.
The audit log record contains a description of the audit log event in JSON format. The field `event` represents the description of the event, the field `user` represents the user name of the performer (events started by the system have the user name `system`), and the field `data` represents the data fields related to the event:

```json
{
  "event": "...",
  "user": "...",
  "reason": "...",
  "data": {
    "data_field_1": "data_field_1_value",
    ...
  }
}
```

In case of failure the event description ends with the suffix ` failed`, and the related data set may contain fewer data fields than normally. Also, an additional field `reason` carrying the error message is added.

The Security Server and Central Server audit log contains some additional elements, described in the next chapter.

Section 2 lists all the possible (successful) event descriptions and the corresponding set of data fields (some fields are optional).
The Security Server and Central Server use REST APIs to update data, and a new audit log implementation adds some features that are useful in auditing updates done through the API.

Example of an extended audit log message for the Security Server:

```bash
2023-05-25T13:26:32+03:00 dev-ss1.i.x-road.rocks correlation-id: [a81deb2bf312a60f] INFO [X-Road Proxy Admin REST API]
2023-05-25T13:26:32.409+03:00 - {
  "event": "Refresh service description",
  "user": "xrd",
  "ipaddress": "192.0.2.1",
  "auth": "Session",
  "url": "/api/v1/service-descriptions/7/refresh",
  "data": {
    "clientIdentifier": {
      "memberClass": "ORG",
      "memberCode": "111",
      "subsystemCode": "MANAGEMENT",
      "fieldsForStringFormat": ["ORG", "111", "MANAGEMENT"],
      "objectType": "SUBSYSTEM",
      "xroadInstance": "DEV"
    },
    "url": "http://dev-cs.i.x-road.rocks/managementservices.wsdl",
    "serviceType": "WSDL",
    "wsdl": {
      "servicesAdded": [],
      "servicesDeleted": []
    }
  }
}
```
The log contains (outside the actual audit log event JSON) a `correlation-id` element which can be used to associate the audit log entry with a specific request, regular log entries and e.g. stack traces from the regular log.

The audit log event JSON contains these additional elements:

* `ipaddress` - the IP address of the user
* `auth` - the authentication type used for this API call; possible values:
  * `Session` - session based authentication (web application)
  * `ApiKey` - direct API call using API key authentication
  * `HttpBasicPam` - HTTP basic authentication with PAM login (for API key management API operations)
* `url` - the URL of the called API endpoint
* `warning` - for failed events, a boolean indicating whether the failure was caused by unhandled warnings

```json
{
  "event": "...",
  "user": "...",
  "ipaddress": "...",
  "reason": "...",
  "warning": true,
  "auth": "Session",
  "url": "/api/service-descriptions/249",
  "data": {
    "data_field_1": "data_field_1_value",
    ...
  }
}
```
### 1.1.2 Common Value Structures of the Data Fields

Values of the data fields `memberIdentifier`, `clientIdentifier`, `ownerIdentifier`, `providerIdentifier`, and `serviceProviderIdentifier` have a common structure:

```json
{
  "xRoadInstance": "...",
  "memberClass": "...",
  "memberCode": "..."
}
```

where `xRoadInstance` is the X-Road instance, `memberClass` is the X-Road member class, and `memberCode` is the X-Road member code. In the case of `clientIdentifier`, `providerIdentifier`, and `serviceProviderIdentifier` an optional field `subsystemCode` (the X-Road subsystem code) is present in the structure.
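As an added example (not code from the X-Road project or from this document), the following Python parses the extended audit log layout shown above: it splits each record into its `correlation-id` header and the event JSON (which may be pretty-printed over several lines), marks failed events by the ` failed` suffix and carries their `reason` and `warning` fields, and renders the identifier structures of section 1.1.2 in one string form. The sample log text is constructed for the example. The `INSTANCE/CLASS/CODE[/SUBSYSTEM]` string form is an assumption chosen for readable output, not a format this document defines; note that the example message spells the instance key `xroadInstance` while the common structure uses `xRoadInstance`, so the parser accepts both.

```python
"""Parse extended X-Road audit log records and normalise identifier values.

Added example, not code from the X-Road project. It follows the extended
audit log message layout and the common identifier structure described in
this document. The sample log text is constructed for the example, and the
"INSTANCE/CLASS/CODE[/SUBSYSTEM]" string form used for identifiers is an
assumption chosen for readable output, not a format this document defines.
"""
import json
import re
from typing import Dict, List, Optional

# Header line of an extended record: the correlation-id sits outside the JSON,
# so it is captured here and attached to the parsed event.
RECORD_HEADER = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) correlation-id: \[(?P<cid>[^\]]*)\] "
    r"(?P<level>\S+) \[(?P<component>[^\]]*)\]\s*$"
)
# Body: a second timestamp, " - ", then the JSON object, possibly pretty-printed
# over several lines (re.DOTALL lets ".*" span them).
RECORD_BODY = re.compile(r"^\S+ - (?P<json>\{.*\})\s*$", re.DOTALL)

# Data fields whose values use the common identifier structure (section 1.1.2).
IDENTIFIER_FIELDS = {
    "memberIdentifier", "clientIdentifier", "ownerIdentifier",
    "providerIdentifier", "serviceProviderIdentifier",
}

# Constructed sample: one successful multi-line record (as in the example above)
# and one failed single-line record made through an API key.
SAMPLE_LOG = """\
2023-05-25T13:26:32+03:00 dev-ss1.i.x-road.rocks correlation-id: [a81deb2bf312a60f] INFO [X-Road Proxy Admin REST API]
2023-05-25T13:26:32.409+03:00 - {
  "event": "Refresh service description",
  "user": "xrd",
  "ipaddress": "192.0.2.1",
  "auth": "Session",
  "url": "/api/v1/service-descriptions/7/refresh",
  "data": {
    "clientIdentifier": {"memberClass": "ORG", "memberCode": "111", "subsystemCode": "MANAGEMENT", "objectType": "SUBSYSTEM", "xroadInstance": "DEV"},
    "url": "http://dev-cs.i.x-road.rocks/managementservices.wsdl",
    "serviceType": "WSDL",
    "wsdl": {"servicesAdded": [], "servicesDeleted": []}
  }
}
2023-05-25T13:27:01+03:00 dev-ss1.i.x-road.rocks correlation-id: [0f1e2d3c4b5a6978] INFO [X-Road Proxy Admin REST API]
2023-05-25T13:27:01.002+03:00 - {"event": "Add client failed", "user": "xrd", "ipaddress": "192.0.2.1", "auth": "ApiKey", "url": "/api/v1/clients", "reason": "Client already exists", "warning": false, "data": {"clientIdentifier": {"xRoadInstance": "DEV", "memberClass": "ORG", "memberCode": "222"}}}
"""


def parse_audit_log(text: str) -> List[dict]:
    """Split log text into records: header fields plus the parsed event JSON."""
    records: List[dict] = []
    header: Optional[Dict[str, str]] = None
    body: List[str] = []

    def flush() -> None:
        # Emit the record collected so far (header + body lines) as one dict.
        if header is None:
            return
        m = RECORD_BODY.match("\n".join(body))
        if m is None:
            raise ValueError(f"record {header['cid']} has no JSON body")
        records.append({**header, "event": json.loads(m.group("json"))})

    for line in text.splitlines():
        hm = RECORD_HEADER.match(line)
        if hm:
            flush()
            header, body = hm.groupdict(), []
        elif header is not None:
            body.append(line)
    flush()
    return records


def identifier_to_string(ident: dict) -> str:
    """Render a common-structure identifier as INSTANCE/CLASS/CODE[/SUBSYSTEM] (assumed form)."""
    # Accept both spellings of the instance key seen in this document.
    instance = ident.get("xRoadInstance", ident.get("xroadInstance"))
    parts = [instance, ident.get("memberClass"), ident.get("memberCode")]
    if ident.get("subsystemCode"):
        parts.append(ident["subsystemCode"])
    if any(p is None for p in parts):
        raise ValueError(f"incomplete identifier: {ident}")
    return "/".join(parts)


def summarise(record: dict) -> dict:
    """Flatten one record into the fields an auditor filters on."""
    ev = record["event"]
    name = ev["event"]
    failed = name.endswith(" failed")
    identifiers = {
        field: identifier_to_string(value)
        for field, value in ev.get("data", {}).items()
        if field in IDENTIFIER_FIELDS and isinstance(value, dict)
    }
    return {
        "correlation_id": record["cid"],
        "timestamp": record["ts"],
        "event": name[: -len(" failed")] if failed else name,
        "failed": failed,
        "reason": ev.get("reason"),      # present only on failures
        "warning": ev.get("warning"),    # failure caused by unhandled warnings
        "user": ev.get("user"),
        "auth": ev.get("auth"),
        "ipaddress": ev.get("ipaddress"),
        "url": ev.get("url"),
        "identifiers": identifiers,
    }


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_LOG):
        print(json.dumps(summarise(rec)))
```

The failed record in the sample carries fewer `data` fields than a successful `Add client` event would, as the text above says it may; the summary therefore only relies on `event`, `reason` and `warning` to decide outcome, never on the presence of particular data fields.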
## 2 Audit Log Events

### 2.1 Central Server

#### 2.1.1 Common Events

The audit log events related to the UI logging and the UI language settings.

| Event | Data fields |
| --- | --- |
| Log in user | |
| Log out user | |
| Set UI language | `locale` - the selected UI locale (e.g. en) |
#### 2.1.2 Initialization Event

The audit log event related to initialization.

| Event | Data fields |
| --- | --- |
| Initialize Central Server | `centralServerAddress` - the address of the Central Server<br>`instanceIdentifier` - the instance identifier of the Central Server<br>`haNode` - the name of the node in the cluster in the case of an HA setup |
#### 2.1.3 Members Events

The audit log events related to configuration of the X-Road members.

| Event | Data fields |
| --- | --- |
| Add member | `memberName` - the member name of the added member<br>`memberClass` - the member class of the added member<br>`memberCode` - the member code of the added member |
| Edit member name | `memberName` - the new member name of the edited member<br>`memberClass` - the member class of the edited member<br>`memberCode` - the member code of the edited member |
| Delete member | `memberClass` - the member class of the deleted member<br>`memberCode` - the member code of the deleted member |
| Add subsystem | `memberClass` - the member class of the added subsystem<br>`memberCode` - the member code of the added subsystem<br>`memberSubsystemCode` - the subsystem code of the added subsystem |
| Delete subsystem | `memberClass` - the member class of the deleted subsystem<br>`memberCode` - the member code of the deleted subsystem<br>`memberSubsystemCode` - the subsystem code of the deleted subsystem |
| Unregister member as security server client | `serverCode` - the server code of the selected security server<br>`ownerClass` - the owner class of the selected security server<br>`ownerCode` - the owner code of the selected security server<br>`clientIdentifier` - the client identifier of the member unregistered as a client of the selected security server |
#### 2.1.4 Security Servers Events

The audit log events related to configuration of the X-Road security servers.

| Event | Data fields |
| --- | --- |
| Edit security server address | `serverCode` - the server code of the edited security server<br>`ownerCode` - the owner code of the edited security server<br>`ownerClass` - the owner class of the edited security server<br>`address` - the new address of the edited security server |
| Delete security server | `serverCode` - the server code of the deleted security server<br>`ownerCode` - the owner code of the deleted security server<br>`ownerClass` - the owner class of the deleted security server |
| Delete authentication certificate of security server | `serverCode` - the server code of the selected security server<br>`ownerCode` - the owner code of the selected security server<br>`ownerClass` - the owner class of the selected security server<br>`certHash` - the hash of the deleted authentication certificate of the selected security server<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
#### 2.1.5 Global Groups Events

The audit log events related to configuration of the X-Road global groups.

| Event | Data fields |
| --- | --- |
| Add global group | `code` - the group code of the added global group<br>`description` - the description of the added global group |
| Edit global group description | `code` - the group code of the edited global group<br>`description` - the new description of the edited global group |
| Delete global group | `code` - the group code of the deleted global group<br>`description` - the description of the deleted global group |
| Add members to global group | `code` - the group code of the selected global group<br>`description` - the description of the selected global group<br>`memberIdentifiers` - the list of member identifiers of the members added to the selected global group |
| Remove members from global group | `code` - the group code of the selected global group<br>`description` - the description of the selected global group<br>`memberIdentifiers` - the list of member identifiers of the members removed from the selected global group |
#### 2.1.6 Certification Services Events

The audit log events related to configuration of the X-Road certification services.

| Event | Data fields |
| --- | --- |
| Add certification service | `caId` - the identifier of the added certification service<br>`caCertHash` - the hash of the CA certificate of the added certification service<br>`caCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `caCertHash`<br>`authenticationOnly` - the authentication only flag of the added certification service<br>`certificateProfileInfo` - the fully qualified (Java) class name that implements the CertificateProfileInfo interface of the added certification service |
| Edit certification service settings | `caId` - the identifier of the edited certification service<br>`caCertHash` - the hash of the CA certificate of the edited certification service<br>`caCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `caCertHash`<br>`authenticationOnly` - the (new) authentication only flag of the edited certification service<br>`certificateProfileInfo` - the fully qualified (Java) class name that implements the CertificateProfileInfo interface of the edited certification service |
| Delete certification service | `caId` - the identifier of the deleted certification service |
| Add intermediate CA | `caId` - the identifier of the selected certification service<br>`intermediateCaId` - the identifier of the intermediate CA added to the selected certification service<br>`intermediateCaCertHash` - the hash of the intermediate CA certificate<br>`intermediateCaCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `intermediateCaCertHash` |
| Delete intermediate CA | `intermediateCaId` - the identifier of the deleted intermediate CA |
| Add OCSP responder of certification service | `caId` - the identifier of the selected certification service<br>`ocspId` - the identifier of the OCSP responder added to the selected certification service<br>`ocspUrl` - the URL of the added OCSP responder<br>`ocspCertHash` - the hash of the added OCSP responder certificate<br>`ocspCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `ocspCertHash` |
| Add OCSP responder of intermediate CA | `intermediateCaId` - the identifier of the selected intermediate CA<br>`ocspId` - the identifier of the OCSP responder added to the selected intermediate CA<br>`ocspUrl` - the URL of the added OCSP responder<br>`ocspCertHash` - the hash of the added OCSP responder certificate<br>`ocspCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `ocspCertHash` |
| Edit OCSP responder | `ocspId` - the identifier of the edited OCSP responder<br>`ocspUrl` - the (new) URL of the edited OCSP responder<br>`ocspCertHash` - the (new) hash of the edited OCSP responder certificate<br>`ocspCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `ocspCertHash` |
| Delete OCSP responder | `ocspId` - the identifier of the deleted OCSP responder |
#### 2.1.7 Timestamping Services Events

The audit log events related to configuration of the X-Road timestamping services.

| Event | Data fields |
| --- | --- |
| Add timestamping service | `tsaId` - the identifier of the added timestamping service<br>`tsaName` - the name of the added timestamping service<br>`tsaUrl` - the URL of the added timestamping service<br>`tsaCertHash` - the hash of the timestamping service certificate<br>`tsaCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `tsaCertHash` |
| Edit timestamping service | `tsaId` - the identifier of the edited timestamping service<br>`tsaName` - the (new) name of the edited timestamping service<br>`tsaUrl` - the (new) URL of the edited timestamping service<br>`tsaCertHash` - the hash of the edited timestamping service certificate<br>`tsaCertHashAlgorithm` - the hash algorithm used to calculate the value of the field `tsaCertHash` |
| Delete timestamping service | `tsaId` - the identifier of the deleted timestamping service<br>`tsaName` - the name of the deleted timestamping service<br>`tsaUrl` - the URL of the deleted timestamping service |
#### 2.1.8 Management Requests Events

The audit log events related to the management requests.

| Event | Data fields |
| --- | --- |
| Add management request | `requestId` - the identifier of the added request |
| Revoke management request | `requestId` - the identifier of the revoked request |
| Approve management request | `requestId` - the identifier of the approved request |
| Decline management request | `requestId` - the identifier of the declined request |
#### 2.1.9 Configuration Management Events

The audit log events related to configuration management.

| Event | Data fields |
| --- | --- |
| Re-create internal configuration anchor | `anchorFileHash` - the hash of the re-created internal configuration anchor file<br>`anchorFileHashAlgorithm` - the hash algorithm used to calculate the value of the field `anchorFileHash` |
| Generate internal configuration signing key | `tokenId` - the identifier of the token used to generate the signing key<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token<br>`keyId` - the identifier of the generated signing key<br>`keyFriendlyName` - the friendly name of the generated key<br>`certHash` - the hash of the generated signing certificate<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
| Activate internal configuration signing key | `tokenId` - the identifier of the token owning the signing key<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token<br>`keyId` - the identifier of the activated signing key |
| Delete internal configuration signing key | `tokenId` - the identifier of the token owning the signing key<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token<br>`keyId` - the identifier of the deleted signing key |
| Re-create external configuration anchor | `anchorFileHash` - the hash of the re-created external configuration anchor file<br>`anchorFileHashAlgorithm` - the hash algorithm used to calculate the value of the field `anchorFileHash` |
| Generate external configuration signing key | `tokenId` - the identifier of the token used to generate the signing key<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token<br>`keyId` - the identifier of the generated signing key<br>`keyFriendlyName` - the friendly name of the generated key<br>`certHash` - the hash of the generated signing key certificate<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
| Activate external configuration signing key | `tokenId` - the identifier of the token owning the signing key<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token<br>`keyId` - the identifier of the activated signing key |
| Delete external configuration signing key | `tokenId` - the identifier of the token owning the signing key<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token<br>`keyId` - the identifier of the deleted signing key |
| Add trusted anchor | `anchorFileHash` - the hash of the added anchor file<br>`anchorFileHashAlgorithm` - the hash algorithm used to calculate the value of the field `anchorFileHash`<br>`instanceIdentifier` - the X-Road instance identifier of the added anchor<br>`generatedAt` - the UTC time when the anchor file was generated<br>`anchorUrls` - the configuration download URLs of the added anchor |
| Delete trusted anchor | `anchorFileHash` - the hash of the deleted anchor file<br>`anchorFileHashAlgorithm` - the hash algorithm used to calculate the value of the field `anchorFileHash`<br>`instanceIdentifier` - the X-Road instance identifier of the deleted anchor |
| Log in to token | `tokenId` - the identifier of the token logged in<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token |
| Log out from token | `tokenId` - the identifier of the token logged out<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token |
| Upload configuration part | `sourceType` - the source type (internal or external) of the uploaded configuration part<br>`contentIdentifier` - the content identifier of the uploaded configuration part<br>`partFileName` - the internal name of the configuration part file<br>`uploadFileName` - the name of the uploaded configuration part file<br>`uploadFileHash` - the hash of the uploaded configuration part file<br>`uploadFileHashAlgorithm` - the hash algorithm used to calculate the value of the field `uploadFileHash` |
#### 2.1.10 System Settings Events

The audit log events related to the system settings.

| Event | Data fields |
| --- | --- |
| Edit Central Server address | `centralServerAddress` - the new address of the Central Server |
| Register management service provider as Security Server client | `serverCode` - the server code of the management services' security server<br>`ownerClass` - the owner class of the management services' security server<br>`ownerCode` - the owner code of the management services' security server<br>`clientIdentifier` - the client identifier of the registered management service provider |
| Edit provider of management services | `serviceProviderIdentifier` - the new service provider identifier of the management service<br>`serviceProviderName` - the new service provider name of the management service |
| Add member class | `code` - the code of the added member class<br>`description` - the description of the added member class |
| Edit member class description | `code` - the code of the edited member class<br>`description` - the new description of the edited member class |
| Delete member class | `code` - the code of the deleted member class |
| API key create | `apiKeyId` - the identifier of the API key<br>`apiKeyRoles` - an array containing the roles associated with the API key |
| API key update | `apiKeyId` - the identifier of the API key<br>`apiKeyRoles` - an array containing the roles associated with the API key |
| API key remove | `apiKeyId` - the identifier of the API key<br>`apiKeyRoles` - an array containing the roles associated with the API key |
| Generate management service TLS key and self-sign certificate | `certHash` - the hash of the management service TLS certificate<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
| Generate management service TLS certificate signing request | `subjectName` - the subject name of the generated certificate request |
| Upload management service TLS certificate | `certFileName` - the file name of the uploaded certificate<br>`certHash` - the hash of the uploaded certificate<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
#### 2.1.11 Backup and Restore Events

The audit log events related to backup and restore.

| Event | Data fields |
| --- | --- |
| Back up configuration | `backupFileName` - the name of the created backup file |
| Upload backup file | `backupFileName` - the name of the uploaded backup file |
| Delete backup file | `backupFileName` - the name of the deleted backup file |
| Restore configuration | `backupFileName` - the name of the backup file used to restore the configuration |
### 2.2 Security Server

#### 2.2.1 Common Events

The audit log events related to the UI logging.

| Event | Data fields |
| --- | --- |
| Log in user | |
| Log out user | |
#### 2.2.2 Initialization Events

The audit log events related to initialization.

| Event | Data fields |
| --- | --- |
| Initialize anchor | `anchorFileHash` - the hash of the initialized anchor file<br>`anchorFileHashAlgorithm` - the hash algorithm used to calculate the value of the field `anchorFileHash`<br>`generatedAt` - the UTC time when the anchor file was generated |
| Initialize server configuration | `ownerIdentifier` - the owner identifier of the initialized security server<br>`serverCode` - the server code of the initialized security server |
#### 2.2.3 Security Server Clients Events

The audit log events related to the security server clients configuration.

| Event | Data fields |
| --- | --- |
| Add client | `clientIdentifier` - the client identifier of the added client<br>`isAuthentication` - the information system authentication type of the added client<br>`clientStatus` - the status of the added client |
| Register client | `clientIdentifier` - the client identifier of the registered client<br>`managementRequestId` - the identifier of the corresponding management request in the Central Server<br>`clientStatus` - the status of the registered client |
| Unregister client | `clientIdentifier` - the client identifier of the unregistered client<br>`managementRequestId` - the identifier of the corresponding management request in the Central Server<br>`clientStatus` - the status of the unregistered client |
| Delete client | `clientIdentifier` - the client identifier of the deleted client |
| Delete orphaned client keys, certs and certificates | `tokenId` - the identifier of the token where the deleted key was located<br>`tokenSerialNumber` - the serial number of the token<br>`tokenFriendlyName` - the friendly name of the token<br>`keyId` - the identifier of the deleted key<br>`keyFriendlyName` - the friendly name of the deleted key<br>`keyUsage` - the key usage of the deleted key<br>`clientIdentifier` - the client identifier of the client whose certificates and certificate requests were deleted<br>`certHashes` - the list of hashes of the deleted certificates<br>`certHashAlgorithm` - the hash algorithm used to calculate the hash values of the field `certHashes`<br>`certRequestIds` - the list of identifiers of the deleted certificate requests |
| Change owner | `clientIdentifier` - the client identifier of the selected client<br>`managementRequestId` - the identifier of the corresponding management request in the Central Server<br>`clientStatus` - the status of the registered client |
| Add service description | `clientIdentifier` - the client identifier of the selected client<br>`url` - the URL of the added service description of the selected client<br>`serviceType` - the type of the service description: WSDL, REST, or OPENAPI3<br>`disabled` - the flag indicating whether the added WSDL and all its services were disabled<br>`refreshedDate` - the time when the added WSDL was refreshed |
| Delete service description | `clientIdentifier` - the client identifier of the selected client<br>`url` - the URL of the service description of the selected client<br>`serviceType` - the type of the service description: WSDL, REST, or OPENAPI3 |
| Disable service description | `clientIdentifier` - the client identifier of the selected client<br>`url` - the URL of the service description of the selected client<br>`serviceType` - the type of the service description: WSDL, REST, or OPENAPI3<br>`disabledNotice` - the notice of the disabled WSDLs |
| Enable service description | `clientIdentifier` - the client identifier of the selected client<br>`url` - the URL of the service description of the selected client<br>`serviceType` - the type of the service description: WSDL, REST, or OPENAPI3 |
| Refresh service description | `clientIdentifier` - the client identifier of the selected client<br>`url` - the previous URL of the service description<br>`serviceType` - the type of the service description: WSDL, REST, or OPENAPI3<br>`urlNew` - the new URL of the service description<br>`wsdl` - wsdl data (only for type WSDL), with the nested fields:<br>`wsdl.servicesAdded` - the list of services added during refresh<br>`wsdl.servicesDeleted` - the list of services removed during refresh |
| Edit service description | `clientIdentifier` - the client identifier of the selected client<br>`url` - the URL of the service description of the selected client<br>`serviceType` - the type of the service description: WSDL, REST, or OPENAPI3<br>`wsdl` - wsdl data (only for type WSDL), with the nested fields:<br>`wsdl.servicesAdded` - the list of services added by the new WSDL<br>`wsdl.servicesDeleted` - the list of services removed by the new WSDL |
| Edit service parameters | `clientIdentifier` - the client identifier of the member providing the edited services<br>`url` - the URL of the service description of the selected client<br>`serviceType` - the type of the service description: WSDL, REST, or OPENAPI3<br>`services` - the list of the edited services; each list item contains the following data fields:<br>`services[].id` - the identifier of the service<br>`services[].url` - the URL of the service<br>`services[].timeout` - the timeout of the service<br>`services[].tlsAuth` - the flag indicating whether the certificate of the service provider should be verified for TLS connections |
| Add access rights to service | `clientIdentifier` - the client identifier of the member providing the selected service<br>`serviceCode` - the selected service code<br>`subjectIds` - the list of the selected subject identifiers to which access to the selected service was granted |
| Remove access rights from service | `clientIdentifier` - the client identifier of the member providing the selected service<br>`serviceCode` - the selected service code<br>`subjectIds` - the list of the selected subject identifiers from which access to the selected service was removed |
| Add access rights to subject | `clientIdentifier` - the client identifier of the member providing the selected service<br>`subjectId` - the selected subject identifier<br>`serviceCodes` - the list of the service codes to which access was granted to the selected subject |
| Remove access rights from subject | `clientIdentifier` - the client identifier of the member providing the selected service<br>`subjectId` - the selected subject identifier<br>`serviceCodes` - the list of the service codes to which access was removed from the selected subject |
| Set connection type for servers in service consumer role | `clientIdentifier` - the client identifier of the selected client<br>`isAuthentication` - the new information system authentication type of the selected client |
| Add internal TLS certificate | `clientIdentifier` - the client identifier of the selected client<br>`certHash` - the hash of the certificate added to the selected client<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
| Delete internal TLS certificate | `clientIdentifier` - the client identifier of the selected client<br>`certHash` - the hash of the certificate deleted from the selected client<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
| Add group | `clientIdentifier` - the client identifier of the selected client<br>`groupCode` - the code of the local group added to the selected client<br>`groupDescription` - the description of the added local group |
| Edit group description | `clientIdentifier` - the client identifier of the selected client<br>`groupCode` - the code of the edited local group of the selected client<br>`groupDescription` - the new description of the edited local group |
| Add members to group | `clientIdentifier` - the client identifier of the selected client<br>`groupCode` - the code of the selected local group of the selected client<br>`memberIdentifiers` - the list of member identifiers of the members added to the selected local group |
| Remove members from group | `clientIdentifier` - the client identifier of the selected client<br>`groupCode` - the code of the selected local group of the selected client<br>`memberIdentifiers` - the list of member identifiers of the removed members |
| Delete group | `clientIdentifier` - the client identifier of the selected client<br>`groupCode` - the code of the deleted local group of the selected client<br>`groupDescription` - the description of the deleted local group |
#### 2.2.4 System Parameters Events

The audit log events related to the system parameters.

| Event | Data fields |
| --- | --- |
| Generate certificate request for TLS | `subjectName` - the subject name of the generated certificate request |
| Import TLS certificate from file | `certHash` - the hash of the imported internal TLS certificate<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
| Upload configuration anchor | `anchorFileHash` - the hash of the uploaded anchor file<br>`anchorFileHashAlgorithm` - the hash algorithm used to calculate the value of the field `anchorFileHash`<br>`generatedAt` - the UTC time when the anchor file was generated |
| Add timestamping service | `tspName` - the name of the added timestamping service<br>`tspUrl` - the URL of the added timestamping service |
| Delete timestamping service | `tspName` - the name of the deleted timestamping service<br>`tspUrl` - the URL of the deleted timestamping service |
| Generate new internal TLS key and certificate | `certHash` - the hash of the generated internal TLS certificate<br>`certHashAlgorithm` - the hash algorithm used to calculate the value of the field `certHash` |
#### 2.2.5 Keys and Certificates Events

The audit log events related to keys and certificates management.
#### 2.2.6 Backup and Restore Events

The audit log events related to backup and restore.

| Event | Data fields |
| --- | --- |
| Back up configuration | `backupFileName` - the name of the created backup file |
| Upload backup file | `backupFileName` - the name of the uploaded backup file |
| Delete backup file | `backupFileName` - the name of the deleted backup file |
| Restore configuration | `backupFileName` - the name of the backup file used to restore the configuration |
#### 2.2.7 API Key Management Events

The audit log events related to API key management.

| Event | Data fields |
| --- | --- |
| API key create | `apiKeyId` - the identifier of the API key<br>`apiKeyRoles` - an array containing the roles associated with the API key |
| API key update | `apiKeyId` - the identifier of the API key<br>`apiKeyRoles` - an array containing the roles associated with the API key |
| API key remove | `apiKeyId` - the identifier of the API key<br>`apiKeyRoles` - an array containing the roles associated with the API key |
#### 2.2.8 Technical Events

The audit log events related to technical events, such as authentication failures. Except for the Key management API log in event, these events are only logged if they fail.

| Event | Data fields |
| --- | --- |
| Key management API log in | |
| API key authentication | |
| Auth credentials discovery | |
| Access check (if the user did not have permission to do an operation which is not an audit logged event) | |
| Authentication | |
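Added example, not code from the X-Road project or this document: two detection rules over records that have already been split into (timestamp, event JSON) pairs. The first flags bursts of failed technical authentication events from one `ipaddress`, relying on the statement above that these events are written only when they fail (so the record name carries the ` failed` suffix). The second lists successful events from an assumed watchlist drawn from the tables in this section (API key lifecycle, configuration restore, certificate deletion, access right grants) together with the `auth` type, so a change made through an API key rather than a web session can be traced back to the key. The threshold, the window, the watchlist, the role name, the URLs and the sample records are all constructed assumptions for the example.

```python
"""Detection rules over parsed X-Road audit log events.

Added example, not code from the X-Road project. It works on records already
split into (timestamp, audit-event JSON) pairs. The event names and fields are
those listed in this document; the threshold, the time window, the watchlist
and the sample records are assumptions constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

Record = Tuple[datetime, dict]

# Technical events (section 2.2.8) are written only when they fail, so the
# record itself is the failure signal and its name ends with " failed".
AUTH_FAILURE_EVENTS = {
    "Authentication failed",
    "API key authentication failed",
    "Key management API log in failed",
}

# Assumed watchlist of successful events worth individual review.
SENSITIVE_EVENTS = {
    "API key create",
    "API key update",
    "Restore configuration",
    "Delete authentication certificate of security server",
    "Add access rights to service",
    "Add access rights to subject",
    "Delete internal TLS certificate",
}

FAILURE_THRESHOLD = 3          # assumed: failures from one address ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window raise an alert


def auth_failure_bursts(records: Iterable[Record], threshold: int = FAILURE_THRESHOLD,
                        window: timedelta = WINDOW) -> List[Tuple[str, datetime]]:
    """Return (ipaddress, time) for each burst of auth failures from one address.

    One sliding window per source address; the alert fires once, when the count
    first reaches the threshold, so a long brute-force run yields one alert.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime]] = []
    for ts, ev in sorted(records, key=lambda r: r[0]):
        if ev.get("event") not in AUTH_FAILURE_EVENTS:
            continue
        ip = ev.get("ipaddress", "unknown")
        window_q = recent[ip]
        window_q.append(ts)
        while ts - window_q[0] > window:      # drop failures older than the window
            window_q.popleft()
        if len(window_q) == threshold:
            alerts.append((ip, ts))
    return alerts


def sensitive_events(records: Iterable[Record]) -> List[dict]:
    """Successful watchlist events, with the auth type and data kept for review."""
    hits: List[dict] = []
    for ts, ev in sorted(records, key=lambda r: r[0]):
        name = ev.get("event", "")
        if name.endswith(" failed") or name not in SENSITIVE_EVENTS:
            continue
        hits.append({"time": ts, "event": name, "user": ev.get("user"),
                     "auth": ev.get("auth"), "ipaddress": ev.get("ipaddress"),
                     "data": ev.get("data", {})})
    return hits


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


# Constructed sample (URLs, role name and backup file name are assumptions):
# three API key failures from one address within three minutes, one stray
# login failure from another, then a session login, an API key creation, an
# access right grant made with an API key, and a failed restore.
SAMPLE_RECORDS: List[Record] = [
    (_t("2023-05-25T13:20:00+03:00"), {"event": "API key authentication failed", "ipaddress": "198.51.100.7", "auth": "ApiKey", "url": "/api/v1/clients", "reason": "Invalid API key"}),
    (_t("2023-05-25T13:21:10+03:00"), {"event": "API key authentication failed", "ipaddress": "198.51.100.7", "auth": "ApiKey", "url": "/api/v1/clients", "reason": "Invalid API key"}),
    (_t("2023-05-25T13:22:30+03:00"), {"event": "API key authentication failed", "ipaddress": "198.51.100.7", "auth": "ApiKey", "url": "/api/v1/clients", "reason": "Invalid API key"}),
    (_t("2023-05-25T13:40:00+03:00"), {"event": "Authentication failed", "ipaddress": "192.0.2.1", "auth": "Session", "url": "/login", "reason": "Bad credentials"}),
    (_t("2023-05-25T13:41:00+03:00"), {"event": "Log in user", "user": "xrd", "ipaddress": "192.0.2.1", "auth": "Session", "url": "/login", "data": {}}),
    (_t("2023-05-25T13:42:00+03:00"), {"event": "API key create", "user": "xrd", "ipaddress": "192.0.2.1", "auth": "Session", "url": "/api/v1/api-keys", "data": {"apiKeyId": 5, "apiKeyRoles": ["XROAD_SERVICE_ADMINISTRATOR"]}}),
    (_t("2023-05-25T13:45:00+03:00"), {"event": "Add access rights to service", "user": "xrd", "ipaddress": "203.0.113.9", "auth": "ApiKey", "url": "/api/v1/services/DEV:ORG:111:MANAGEMENT:getRandom/access-rights", "data": {"clientIdentifier": {"xRoadInstance": "DEV", "memberClass": "ORG", "memberCode": "111", "subsystemCode": "MANAGEMENT"}, "serviceCode": "getRandom", "subjectIds": ["DEV/ORG/222/CLIENT"]}}),
    (_t("2023-05-25T13:50:00+03:00"), {"event": "Restore configuration failed", "user": "xrd", "ipaddress": "192.0.2.1", "auth": "Session", "url": "/api/v1/backups/restore", "reason": "Backup file not found", "warning": False, "data": {"backupFileName": "ss-backup-20230525.gpg"}}),
]


if __name__ == "__main__":
    for ip, when in auth_failure_bursts(SAMPLE_RECORDS):
        print(f"auth failure burst from {ip} at {when.isoformat()}")
    for hit in sensitive_events(SAMPLE_RECORDS):
        print(f"{hit['time'].isoformat()} {hit['event']} by {hit['user']} via {hit['auth']}")
```

The failed `Restore configuration` record is deliberately left out of the watchlist hits: a failure already carries its own `reason`, and mixing it with successful changes would make the list of actually applied changes harder to review.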
### 2.3 Utility signer-console

The audit log events logged by the utility signer-console.

| Event | Data fields |
| --- | --- |
| Set a friendly name to the token | `tokenId` - the entered token identifier<br>`tokenFriendlyName` - the new friendly name for the entered token |
| Set a friendly name to the key | `keyId` - the entered key identifier<br>`keyFriendlyName` - the new friendly name for the entered key |
| Activate the certificate | `certId` - the identifier of the activated certificate |
| Deactivate the certificate | `certId` - the identifier of the deactivated certificate |
| Delete the key from token | `keyId` - the identifier of the deleted key |
| Delete the certificate | `certId` - the identifier of the deleted certificate |
| Delete the certificate request | `certRequestId` - the identifier of the deleted certificate request |
| Import a certificate from the file | `certFileName` - the name of the imported certificate file<br>`clientIdentifier` - the client identifier of the member constructed from the signing certificate<br>`keyId` - the identifier of the key to which the certificate was imported |
| Log into the token | `tokenId` - the identifier of the token logged in |
| Initialize the software token | `tokenId` - the identifier of the initialized token |
| Generate a key on the token | `tokenId` - the identifier of the token used to generate the key<br>`keyId` - the identifier of the generated key<br>`keyLabel` - the label of the generated key |
| Generate CSR | `keyId` - the identifier of the key used to generate the certification request<br>`keyUsage` - the key usage<br>`clientIdentifier` - the client identifier of the client whose certificate request was generated<br>`subjectName` - the subject name of the generated certification request<br>`csrFormat` - the format (PEM / DER) of the generated CSR file |