About audit events

Errors or typos? Topics missing? Hard to read? Let us know.

MAAS audit logs provide detailed records of changes in machines, users, and settings. The AUDIT level logs are particularly useful for tracing historical changes in a MAAS instance. They are crucial for system integrity, troubleshooting, compliance, and governance.

Fetch audit events

Use the maas CLI events query command to retrieve audit logs. Fetch all audit logs with:

maas $PROFILE events query level=AUDIT

For the latest 20 audit events:

maas $PROFILE events query level=AUDIT limit=20 after=0

Parse the output

Audit logs are in JSON format, suitable for parsing with tools like jq. For example:

maas $PROFILE events query level=AUDIT | jq -r '.events[] | {user, node, action}'

Alternatively, use text processing utilities like grep, cut, sort, and sed for analysis.

Audit log structure

Audit logs typically follow a verb/noun structure. Examples include:

  • Started testing on 'example-node'
  • Marked 'old-node' broken
  • Deleted the machine 'retired-system'

Node audit types

Audit logs detail node activities including commissioning phases, test results, deployment statuses, and actions like acquiring, rescuing, and deleting.

User audit types

Audit logs also track user activities, account modifications, system configuration changes, and updates to scripts or DHCP snippets.

Filtering output

Refine audits using filters in the events query command. For events related to a specific node:

maas $PROFILE events query hostname=my-node

For delete actions by a specific user:

maas $PROFILE events query username=jane level=AUDIT | grep "Deleted "

Combining filters yields more targeted audit records, aiding in tailored governance.

Keeping track

MAAS audit logs are essential for understanding system history. Effectively querying, filtering, and interpreting these logs are key skills for system troubleshooting, compliance, and oversight.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.