MAAS events provide a detailed audit trail of changes to machines, users, and configuration settings within your MAAS environment. Events tagged with AUDIT
capture this important history of modifications that have occurred over time.
Examining these audit events enables operators to understand who made changes, what was changed, and when changes occurred. This visibility facilitates troubleshooting, forensics, compliance, and oversight.
Querying Audit Events
The maas
CLI includes an events query
command to retrieve MAAS events. To focus specifically on audit events, include the level=AUDIT
filter:
maas $PROFILE events query level=AUDIT
Additional filters can be applied to restrict the event set. For example, to retrieve the 20 most recent audit events:
maas $PROFILE events query level=AUDIT limit=20 after=0
Parsing Event Output
The default output format for events query
is JSON. This allows piping the output into tools like jq
for parsing and formatting:
maas $PROFILE events query level=AUDIT | jq -r '.events[] | {user, node, action}'
Alternatively, text processing utilities like grep
, cut
, sort
, and sed
can be used on the raw JSON output or text output from jq
.
Interpreting Audit Events
Audit event descriptions follow a consistent verb/noun format denoting the action performed:
- Started $OPERATION on $OBJECT
- Completed $OPERATION on $OBJECT
- Marked $OBJECT as $STATUS
- Deleted $OBJECT
For example:
Started testing on 'example-node'
Marked 'old-node' broken
Deleted the machine 'retired-system'
Node Audit Events
The most useful audit events track lifecycle changes on nodes managed by MAAS. These node events include:
- Commissioning started/aborted
- Testing started/failed/overridden
- Deploying started/completed
- Acquiring/Releasing
- Rescue mode entered
- Broken/Fixed
- Deleting
User and Configuration Audit Events
Beyond node lifecycle changes, audit events also track:
- User logins and logouts
- Users added/removed
- Configuration changes
- Script changes
- DHCP snippet changes
Auditing with Filters
Leveraging events query
filters enables focused audits for specific nodes, users, or time periods.
For example, to see all events for a node:
maas $PROFILE events query hostname=my-node
Or to audit deletes performed by a user:
maas $PROFILE events query username=jane level=AUDIT | grep "Deleted "
Chaining filters and output processing streams facilitates efficient auditing workflows tailored to an operator’s needs.
Conclusion
MAAS audit events provide a detailed history of changes over time. Querying and analyzing these events enables oversight, forensics, compliance, and troubleshooting. Operators can craft targeted audits combining CLI filters and output processing tools.