| Workload location | Hardware |
|---|---|
| Audit log source | Node OS |
| Audited operations | Sign-in events, OS TTY events, ClamAV events, AIDE events |
Sign-in events
All access attempts and actions through OS SSH connections.
Fields in the log entry that contain audit information:

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `ident` | For example, `sshd` (as in the example log below) |
| Target (fields and values that call the API) | `message` | For example, `pam_tty_audit(sshd:session): restored status to 0` (as in the example log below) |
| Action (fields containing the performed operation) | `message` | Same `message` field; for example, `pam_tty_audit(sshd:session): restored status to 0` |
| Event timestamp | `time` | For example, `2022-11-30T22:53:39.442037+00:00` |
| Source of action | `host` | The node that emitted the record; for example, `zb-aa-bm01` |
| Outcome | `message` | Same `message` field; for example, `restored status to 0` |
| Other fields | Not applicable | Not applicable |
Example log

```json
{
  "pri": "87",
  "time": "2022-11-30T22:53:39.442037+00:00",
  "host": "zb-aa-bm01",
  "ident": "sshd",
  "pid": "757322",
  "msgid": "-",
  "extradata": "-",
  "message": "pam_tty_audit(sshd:session): restored status to 0",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-dn5jn",
  "_gdch_service_name": "inventory-machine-bm-e2c2a7e1"
}
```

OS TTY events
All keystrokes typed in TTY sessions on the node, as recorded by `pam_tty_audit` and forwarded by `audispd` as auditd `TTY` records. The `data` field of the record carries the typed bytes hex-encoded (`data=71` is the single key `q`), and `comm` names the program that consumed them.
Fields in the log entry that contain audit information:

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `ident` | For example, `audispd` (as in the example log below); the acting user is in the `uid` and `auid` key-value pairs of `message` |
| Target (fields and values that call the API) | `message` | For example, `comm="pager"` in the example log below |
| Action (fields containing the performed operation) | `message` | For example, `type=TTY ... data=71` in the example log below |
| Event timestamp | `time` | For example, `2022-12-20T10:23:35.878924+00:00`; the kernel's own timestamp is in `msg=audit(1671531815.870:94280)` |
| Source of action | `host` | The node that emitted the record; for example, `zk-aa-bm08` |
| Outcome | `message` | Same `message` field as the action |
| Other fields | Not applicable | Not applicable |
Example log

```json
{
  "pri": "14",
  "time": "2022-12-20T10:23:35.878924+00:00",
  "host": "zk-aa-bm08",
  "ident": "audispd",
  "pid": "-",
  "msgid": "-",
  "extradata": "-",
  "message": "node=ubuntu type=TTY msg=audit(1671531815.870:94280): tty pid=1217279 uid=0 auid=0 ses=3536 major=136 minor=0 comm=\"pager\" data=71",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-w6fl4",
  "_gdch_service_name": "inventory-machine-bm-7cc496d5"
}
```

ClamAV events
All ClamAV scanning events.
Fields in the log entry that contain audit information:

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `ident` | Possible values include `clamav` (as in the example log below) |
| Target (fields and values that call the API) | `message` | For example, `No virus found` (as in the example log below) |
| Action (fields containing the performed operation) | `message` | Same `message` field; for example, `No virus found` |
| Event timestamp | `time` | For example, `2022-12-20T04:01:47.219862+00:00` |
| Source of action | `host` | The node that emitted the record; for example, `zk-aa-bm09` |
| Outcome | `message` | Same `message` field; for example, `No virus found` |
| Other fields | Not applicable | Not applicable |
Example log

```json
{
  "pri": "86",
  "time": "2022-12-20T04:01:47.219862+00:00",
  "host": "zk-aa-bm09",
  "ident": "clamav",
  "pid": "-",
  "msgid": "-",
  "extradata": "-",
  "message": "No virus found",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-lcxgq",
  "_gdch_service_name": "inventory-machine-bm-b11f4752"
}
```

AIDE events
All AIDE (Advanced Intrusion Detection Environment) file-integrity check events.
Fields in the log entry that contain audit information:

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `ident` | For example, `aide` (as in the example log below) |
| Target (fields and values that call the API) | `message` | For example, `AIDE check passed.` (as in the example log below) |
| Action (fields containing the performed operation) | `message` | Same `message` field; for example, `AIDE check passed.` |
| Event timestamp | `time` | For example, `2022-12-20T10:20:09.428106+00:00` |
| Source of action | `host` | The node that emitted the record; for example, `zk-aa-bm08` |
| Outcome | `message` | Same `message` field; for example, `AIDE check passed.` |
| Other fields | Not applicable | Not applicable |
Example log

```json
{
  "pri": "86",
  "time": "2022-12-20T10:20:09.428106+00:00",
  "host": "zk-aa-bm08",
  "ident": "aide",
  "pid": "-",
  "msgid": "-",
  "extradata": "-",
  "message": "AIDE check passed.",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-lcxgq",
  "_gdch_service_name": "inventory-machine-bm-7cc496d5"
}
```
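The four tables above all map the same syslog-over-JSON envelope (`ident`, `time`, `host`, `message`) onto audit metadata, with the target, action and outcome packed into `message`. The following is an added example, not code from the product or this page, of normalizing those records for detection: it decodes the syslog `pri` into facility and severity, splits an auditd `TTY` payload into key-value pairs and decodes its hex-encoded keystrokes, and flags ClamAV and AIDE outcomes that are not the benign messages shown above. The sample input is the four example logs from this page plus one constructed AIDE failure line; the set of benign outcome strings, the `EVENT_TYPES` mapping and the function names are assumptions made for the example.

```python
"""Normalize GDC node-OS audit records and flag ones that need review.

Added example; not part of the product. Input lines are one JSON object per
line as emitted by the audit-logs forwarder (see the example logs above).
"""
import json
import re
from datetime import datetime, timezone

# Assumption: event class keyed by the syslog "ident", per the tables above.
EVENT_TYPES = {
    "sshd": "Sign-in events",
    "audispd": "OS TTY events",
    "clamav": "ClamAV events",
    "aide": "AIDE events",
}

# Assumption: any scanner message other than these deserves an analyst's look.
BENIGN_OUTCOMES = {
    "clamav": {"No virus found"},
    "aide": {"AIDE check passed."},
}

# RFC 5424 PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_HDR = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def decode_pri(pri):
    """Split a syslog PRI string such as "87" into (facility, severity) names."""
    p = int(pri)
    return FACILITIES.get(p >> 3, f"facility{p >> 3}"), SEVERITIES[p & 7]


def parse_audit_message(message):
    """Turn an auditd key=value payload into a dict. Quoted values are unquoted;
    the audit(<epoch>:<serial>) header becomes audit_ts (UTC) and audit_serial."""
    fields = {k: v.strip('"') for k, v in AUDIT_KV.findall(message)}
    hdr = AUDIT_HDR.search(message)
    if hdr:
        fields["audit_ts"] = datetime.fromtimestamp(float(hdr.group(1)), tz=timezone.utc)
        fields["audit_serial"] = hdr.group(2)
    return fields


def decode_tty_data(hex_data):
    """TTY records carry the typed bytes hex-encoded. Render them, escaping
    control bytes so a captured Ctrl-C or newline stays visible."""
    raw = bytes.fromhex(hex_data).decode("latin-1")
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in raw)


def normalize(line):
    """Map one forwarder record onto the audit metadata fields from the tables."""
    rec = json.loads(line)
    facility, severity = decode_pri(rec["pri"])
    event = {
        "event_type": EVENT_TYPES.get(rec["ident"], "unknown"),
        "identity": rec["ident"],                        # user or service identity
        "timestamp": datetime.fromisoformat(rec["time"]),
        "source": rec["host"],                           # node that emitted it
        "cluster": rec.get("_gdch_cluster"),
        "facility": facility,
        "severity": severity,
        "action": rec["message"],                        # target/action/outcome
        "needs_review": False,
    }
    if rec["ident"] == "audispd":
        audit = parse_audit_message(rec["message"])
        event["audit"] = audit
        if audit.get("type") == "TTY" and "data" in audit:
            event["keystrokes"] = decode_tty_data(audit["data"])
            event["action"] = (f'uid={audit.get("uid")} auid={audit.get("auid")} typed '
                               f'{event["keystrokes"]!r} into {audit.get("comm")}')
    elif rec["ident"] in BENIGN_OUTCOMES:
        event["needs_review"] = rec["message"] not in BENIGN_OUTCOMES[rec["ident"]]
    return event


def review_queue(lines):
    """Return the normalized events an analyst should look at."""
    return [e for e in map(normalize, lines) if e["needs_review"]]


# The four example logs from this page, plus one constructed AIDE failure.
SAMPLE_LINES = [
    r'{"pri": "87", "time": "2022-11-30T22:53:39.442037+00:00", "host": "zb-aa-bm01", "ident": "sshd", "pid": "757322", "msgid": "-", "extradata": "-", "message": "pam_tty_audit(sshd:session): restored status to 0", "_gdch_cluster": "root-admin"}',
    r'{"pri": "14", "time": "2022-12-20T10:23:35.878924+00:00", "host": "zk-aa-bm08", "ident": "audispd", "pid": "-", "msgid": "-", "extradata": "-", "message": "node=ubuntu type=TTY msg=audit(1671531815.870:94280): tty pid=1217279 uid=0 auid=0 ses=3536 major=136 minor=0 comm=\"pager\" data=71", "_gdch_cluster": "root-admin"}',
    r'{"pri": "86", "time": "2022-12-20T04:01:47.219862+00:00", "host": "zk-aa-bm09", "ident": "clamav", "pid": "-", "msgid": "-", "extradata": "-", "message": "No virus found", "_gdch_cluster": "root-admin"}',
    r'{"pri": "86", "time": "2022-12-20T10:20:09.428106+00:00", "host": "zk-aa-bm08", "ident": "aide", "pid": "-", "msgid": "-", "extradata": "-", "message": "AIDE check passed.", "_gdch_cluster": "root-admin"}',
    # Constructed line (not from the page): an AIDE run that reported changes.
    r'{"pri": "86", "time": "2022-12-21T10:20:09.000000+00:00", "host": "zk-aa-bm08", "ident": "aide", "pid": "-", "msgid": "-", "extradata": "-", "message": "AIDE found differences between database and filesystem!!", "_gdch_cluster": "root-admin"}',
]

if __name__ == "__main__":
    for ev in map(normalize, SAMPLE_LINES):
        print(f'{ev["timestamp"]:%Y-%m-%dT%H:%M:%SZ} {ev["source"]} {ev["event_type"]:<15} '
              f'{ev["facility"]}.{ev["severity"]} review={ev["needs_review"]} {ev["action"]}')
```

The TTY decoding is the part worth keeping: `pam_tty_audit` records input, so `comm="pager" data=71` is the operator pressing `q` to leave a pager, and a longer `data` value is the command line they typed. Treat `auid` rather than `uid` as the accountable identity, since it survives `sudo` and `su`.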