There are many user-initiated events in MAAS that an administrator or a user may want to audit. These include someone updating the settings or changing a user’s permissions. This page details how to query these events and includes examples of how to perform a query, and the type of data logs can provide.
Three questions you may have:
- How do I list audit events for all users?
- How do I list audit events for a specific user?
- What are the types of audit event logs available?
List audit events for all users
To list events for all users, use the following syntax:
maas $PROFILE events query level=AUDIT
Note: Non-administrators will only see their own audit event logs listed.
The following is example output from the previous command, using admin as the MAAS profile:
Success.
Machine-readable output follows:
{
"count": 1,
"events": [
{
"username": "admin",
"node": null,
"hostname": "",
"id": 2569,
"level": "AUDIT",
"created": "Thu, 01 Feb. 2018 22:28:18",
"type": "Authorisation",
"description": "User admin logged in."
}
],
"next_uri": "/MAAS/api/2.0/events/?op=query&level=AUDIT&after=2569",
"prev_uri": "/MAAS/api/2.0/events/?op=query&level=AUDIT&before=2558"
}
The above output shows that there is currently only one audit event log for the user admin
, and that MAAS created this log when they logged into the web UI.
List audit events for a specific user
To list the audit event logs for a specific user that you have permissions for, supply the owner=$USERNAME
parameter to the query command:
maas $PROFILE events query level=AUDIT owner=$USERNAME
As there is only one audit event log in the database (as seen above), generate some more by performing these four actions:
- Create new non-administrator user
johnnybegood
withadmin
user - Logout of web UI as
admin
user and login withjohnnybegood
user - Change password of the
johnnybegood
user - Log back into the web UI (Django forces a re-login when currently logged in user changes their password).
Let’s take a look and see what type of audit event logs we have now, filtering with owner=johnnybegood
as shown in the following command:
maas admin events query level=AUDIT owner=johnnybegood
Success.
Machine-readable output follows:
{
"count": 3,
"events": [
{
"username": "johnnybegood",
"node": null,
"hostname": "",
"id": 2877,
"level": "AUDIT",
"created": "Mon, 12 Feb. 2018 22:34:46",
"type": "Authorisation",
"description": "User 'johnnybegood' logged in."
},
{
"username": "johnnybegood",
"node": null,
"hostname": "",
"id": 2876,
"level": "AUDIT",
"created": "Mon, 12 Feb. 2018 22:34:35",
"type": "Authorisation",
"description": "Password changed for 'johnnybegood'."
},
{
"username": "johnnybegood",
"node": null,
"hostname": "",
"id": 2875,
"level": "AUDIT",
"created": "Mon, 12 Feb. 2018 22:33:56",
"type": "Authorisation",
"description": "User 'johnnybegood' logged in."
}
],
"next_uri": "/MAAS/api/2.0/events/?op=query&level=AUDIT&owner=johnnybegood&after=2877",
"prev_uri": "/MAAS/api/2.0/events/?op=query&level=AUDIT&owner=johnnybegood&before=2875"
}
As we can see above, only audit event logs for the user johnnybegood
are generated. These events show the following eight items:
- The user for the event
- Whether or not the event is associated with a particular node
- The node’s hostname
- The event id
- The level of the event
- when MAAS created the event
- The event type
- The event description
Types of audit event logs available
Here is a list of the nine types of audit event logs that are currently supported by MAAS:
- Password changes
- Permission changes
- API (OAuth) tokens created/deleted
- Login and logouts
- SSH keys imported from GitHub or Launchpad
- SSL key changes
- User profile changes
- Commissioning script changes
- Test script changes