About audit events

MAAS events provide a detailed audit trail of changes to machines, users, and configuration settings within your MAAS environment. Events tagged with AUDIT record these modifications as they occur over time.

Examining these audit events enables operators to understand who made changes, what was changed, and when changes occurred. This visibility facilitates troubleshooting, forensics, compliance, and oversight.

Querying Audit Events

The maas CLI includes an events query command to retrieve MAAS events. To focus specifically on audit events, include the level=AUDIT filter:

maas $PROFILE events query level=AUDIT

Additional filters can be applied to restrict the event set. For example, to retrieve the 20 most recent audit events:

maas $PROFILE events query level=AUDIT limit=20 after=0

Parsing Event Output

The default output format for events query is JSON. This allows piping the output into tools like jq for parsing and formatting:

maas $PROFILE events query level=AUDIT | jq -r '.events[] | {username, node, hostname, description}'

Alternatively, text processing utilities like grep, cut, sort, and sed can be used on the raw JSON output or text output from jq.

Interpreting Audit Events

Audit event descriptions follow a consistent verb/noun format denoting the action performed:

  • Started $OPERATION on $OBJECT
  • Completed $OPERATION on $OBJECT
  • Marked $OBJECT as $STATUS
  • Deleted $OBJECT

For example:

  • Started testing on 'example-node'
  • Marked 'old-node' broken
  • Deleted the machine 'retired-system'

Node Audit Events

The most useful audit events track lifecycle changes on nodes managed by MAAS. These node events include:

  • Commissioning started/aborted
  • Testing started/failed/overridden
  • Deploying started/completed
  • Acquiring/Releasing
  • Rescue mode entered
  • Broken/Fixed
  • Deleting

User and Configuration Audit Events

Beyond node lifecycle changes, audit events also track:

  • User logins and logouts
  • Users added/removed
  • Configuration changes
  • Script changes
  • DHCP snippet changes

Auditing with Filters

Leveraging events query filters enables focused audits for specific nodes, users, or time periods.

For example, to see all events for a node:

maas $PROFILE events query hostname=my-node

Or to audit deletes performed by a user:

maas $PROFILE events query username=jane level=AUDIT | grep "Deleted "

Chaining filters and output processing streams facilitates efficient auditing workflows tailored to an operator’s needs.
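The grep pipeline above keeps only the matching description line, so the user and timestamp of each delete are lost. The following added example (not part of the MAAS documentation or tooling) parses the JSON instead, counts audit actions per user and lists deletions with their context; it assumes each event carries username, level, created and description fields, and the sample events are constructed.

```python
import json
import re
import sys
from collections import Counter, defaultdict

VERBS = ("Started", "Completed", "Marked", "Deleted")  # prefixes listed on this page
QUOTED = re.compile(r"'([^']+)'")  # object names appear in single quotes

def classify(description):
    """Return (verb, object) for a description; verb is 'Other' if unrecognised."""
    verb = description.split(" ", 1)[0]
    match = QUOTED.search(description)
    return (verb if verb in VERBS else "Other", match.group(1) if match else None)

def summarize(raw):
    """Count audit actions per user; collect deletions as (created, user, object)."""
    per_user, deletions = defaultdict(Counter), []
    for ev in json.loads(raw).get("events", []):
        if ev.get("level") != "AUDIT":
            continue  # ignore non-audit events if the CLI filter was omitted
        verb, obj = classify(ev.get("description", ""))
        user = ev.get("username") or "(unknown)"
        per_user[user][verb] += 1
        if verb == "Deleted":
            deletions.append((ev.get("created"), user, obj))
    return per_user, deletions

# Constructed sample shaped like `events query` output (field names are assumed).
SAMPLE = json.dumps({"events": [
    {"username": "jane", "level": "AUDIT", "created": "2024-01-01 10:00:00",
     "description": "Started testing on 'example-node'"},
    {"username": "jane", "level": "AUDIT", "created": "2024-01-01 10:05:00",
     "description": "Marked 'old-node' broken"},
    {"username": "jane", "level": "AUDIT", "created": "2024-01-01 10:09:00",
     "description": "Deleted the machine 'retired-system'"},
    {"username": "admin", "level": "AUDIT", "created": "2024-01-01 11:00:00",
     "description": "Logged in admin."},
    {"username": "bob", "level": "INFO", "created": "2024-01-01 11:30:00",
     "description": "Deleted the machine 'not-an-audit-event'"},
]})

if __name__ == "__main__":
    # Pipe `maas $PROFILE events query level=AUDIT` in, or run bare for the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    per_user, deletions = summarize(raw)
    for user, counts in sorted(per_user.items()):
        print(user, dict(counts))
    for created, user, obj in deletions:
        print(f"DELETED {created} by {user}: {obj}")
```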

Conclusion

MAAS audit events provide a detailed history of changes over time. Querying and analyzing these events enables oversight, forensics, compliance, and troubleshooting. Operators can craft targeted audits combining CLI filters and output processing tools.
