[keystone] which CADF events are considered audit logs?

Bence Romsics bence.romsics at gmail.com
Thu Jul 8 13:13:02 UTC 2021


Hi All,

My colleagues working downstream asked me about audit logging, however
I did not know enough about it to answer their questions. So let me
please phrase their question here:

For all other OpenStack components but Keystone they see audit logs in
CADF format with event types 'audit.http.request' and
'audit.http.response'. Always separate logs for requests and
responses.

However from Keystone they also encountered CADF events with
event_types like 'identity.user.created', 'identity.user.deleted' or
'identity.authenticate'. Please see an example at the end of my mail.
And I guess all examples from
https://docs.openstack.org/keystone/latest/admin/event_notifications.html
also apply here. They were a bit surprised that these events do not
one-by-one correspond to request-responses.

So I believe their question is: Do you consider these Keystone events
audit logs? Or do you consider them just event logs in CADF format? Or
does the answer to this question depend on the object of auditing?

Thanks in advance,
Bence Romsics

keystone/keystone-main.log:188003:<14>2021-06-15T12:51:27.323753+02:00
cic-1.domain.tld keystone-main[14531]: INFO
oslo.messaging.notification.identity.user.created
[req-8c3fed70-db9c-4f37-a9c5-517491d55246
034a3ac87804494a8d89d32987ff6696 e2fa6412da584f7ebb439d108e1a1185 -
default default] {"event_type": "identity.user.created", "timestamp":
"2021-06-15 10:51:27.321921", "payload": {"typeURI":
"http://schemas.dmtf.org/cloud/audit/1.0/event",
"initiator": {"typeURI": "service/security/account/user", "host":
{"agent": "python-keystoneclient", "address": "192.168.2.124"},
"project_id": "e2fa6412da584f7ebb439d108e1a1185", "user_id":
"034a3ac87804494a8d89d32987ff6696", "id":
"034a3ac87804494a8d89d32987ff6696"}, "target": {"typeURI":
"data/security/account/user", "id":
"3dac4a1acaaa4d5598d03b9970d13ce5"}, "observer": {"typeURI":
"service/security", "id": "6c15158d525643ea9e40e26b88489b82"},
"eventType": "activity", "eventTime":
"2021-06-15T10:51:27.211457+0000", "action": "created.user",
"outcome": "success", "id": "c0723c47-f806-54c6-b8b1-14d4e5fdd456",
"resource_info": "3dac4a1acaaa4d5598d03b9970d13ce5"}, "priority":
"INFO", "publisher_id": "identity.cic-1.domain.tld", "message_id":
"2a2adc06-710d-4b11-abdf-2b588a2b8440"}
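
An added example, not part of the original message: a Python parser for notification log lines shaped like the one quoted above. It extracts the CADF initiator, target, action and outcome, and tags each event by its event_type prefix. The sample line, its identifiers and the family labels are constructed for this example.

```python
import json
import re

# Logger name "oslo.messaging.notification.<event_type>", the bracketed
# request context, then the JSON notification body (may wrap across lines).
LINE_RE = re.compile(
    r"oslo\.messaging\.notification\.(?P<logger>\S+)\s+"
    r"\[(?P<context>[^\]]*)\]\s+(?P<body>\{.*\})\s*$",
    re.DOTALL,
)

def parse_notification(line):
    """Return a flat summary of one CADF notification log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None  # truncated or mangled line
    event_type = body.get("event_type", "")
    if event_type.startswith("audit.http."):
        family = "http"      # separate events for request and response
    elif event_type.startswith("identity."):
        family = "identity"  # not tied 1:1 to a request/response pair
    else:
        family = "other"
    payload = body.get("payload", {})
    initiator = payload.get("initiator", {})
    ctx = m.group("context").split()
    return {
        "family": family,
        "event_type": event_type,
        "request_id": ctx[0] if ctx else None,
        "initiator": initiator.get("id"),
        "source_address": initiator.get("host", {}).get("address"),
        "target": payload.get("target", {}).get("id"),
        "action": payload.get("action"),
        "outcome": payload.get("outcome"),
    }

# Constructed sample line (placeholder ids and a documentation IP address).
SAMPLE = (
    '<14>2021-06-15T12:51:27+02:00 host keystone-main[1]: INFO '
    'oslo.messaging.notification.identity.user.created '
    '[req-1111 user-a project-a - default default] '
    '{"event_type": "identity.user.created", "payload": {'
    '"initiator": {"id": "user-a", "host": {"address": "192.0.2.10"}}, '
    '"target": {"id": "user-b"}, "action": "created.user", '
    '"outcome": "success"}}'
)
```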


