Understanding audit events
Mastering MAAS audit logs for robust management and oversight
MAAS events provide a thorough record of alterations across various elements: machines, users, and settings. Among these, events tagged as AUDIT offer invaluable insights into the historical changes affecting your MAAS instance. For operators, understanding and leveraging audit logs is vital for system integrity, troubleshooting, regulatory compliance, and governance.
Fetching audit events from the CLI
The maas CLI features an events query command that can be tailored to fetch only audit-related logs. The following query fetches all AUDIT level logs:
maas $PROFILE events query level=AUDIT
To limit the output to the most recent 20 audit events, use:
maas $PROFILE events query level=AUDIT limit=20 after=0
Parsing the output for meaningful data
The default output from events query is in JSON format. This allows for easy parsing with JSON-centric tools such as jq. For instance, to extract relevant information like the user, node, and action, you can employ:
maas $PROFILE events query level=AUDIT | jq -c '.events[] | {username, node, description}'
For users comfortable with text processing, common utilities like grep, cut, sort, and sed can be applied either on the raw JSON or the text output from jq.
Decoding the structure of audit logs
Audit logs maintain a consistent format, using a verb/noun structure to indicate actions clearly. Here are some examples to illustrate:
Started testing on 'example-node'
Marked 'old-node' broken
Deleted the machine 'retired-system'
Node-related audit types
Audit logs can provide intricate details on node-related activities such as:
- Phases of commissioning
- Test results
- Deployment statuses
- Special modes like acquiring, rescuing, and deletion
User and setting related audit types
Beyond node events, audit logs also offer visibility into:
- User activities, including logins
- Modifications to user accounts
- Changes to system configuration
- Adjustments to scripts or DHCP snippets
Fine-tuning your audit queries with filters
The events query command supports a variety of filters to focus your audits further. For example, to see all events related to a specific node:
maas $PROFILE events query hostname=my-node
Or to find all delete actions initiated by a particular user:
maas $PROFILE events query username=jane level=AUDIT | grep "Deleted "
Filters can be combined to generate more precise audit records, aiding operators in customising their governance methods.
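As an added example (not part of the MAAS documentation or tooling), the following Python script reads the JSON from maas $PROFILE events query level=AUDIT on standard input, splits each description into its leading verb and quoted names, and groups watched actions by user. The field names id, level, username and description are assumed from the shape of the events output, the sample events are constructed, and WATCHED_VERBS is a hypothetical watch list.

```python
import json
import re
import sys
from collections import defaultdict

# Constructed sample in the assumed shape of `events query` output.
SAMPLE = json.dumps({"count": 4, "events": [
    {"id": 101, "level": "AUDIT", "username": "jane",
     "description": "Started testing on 'example-node'"},
    {"id": 102, "level": "AUDIT", "username": "bob",
     "description": "Marked 'old-node' broken"},
    {"id": 103, "level": "AUDIT", "username": "jane",
     "description": "Deleted the machine 'retired-system'"},
    {"id": 104, "level": "INFO", "username": "",
     "description": "Node powered on"},
]})

# Leading verbs an operator wants reviewed (hypothetical watch list).
WATCHED_VERBS = {"Deleted", "Marked"}


def parse_description(text):
    """Split a verb/noun audit description into (verb, [quoted names])."""
    verb = text.split(" ", 1)[0] if text else ""
    return verb, re.findall(r"'([^']*)'", text)


def watched_actions(raw_json, verbs=WATCHED_VERBS):
    """Group AUDIT events whose leading verb is watched, keyed by username."""
    by_user = defaultdict(list)
    for ev in json.loads(raw_json).get("events", []):
        if ev.get("level") != "AUDIT":
            continue  # ignore non-audit events if the query was not filtered
        verb, names = parse_description(ev.get("description", ""))
        if verb in verbs:
            user = ev.get("username") or "<unknown>"
            by_user[user].append((ev.get("id"), verb, names))
    return dict(by_user)


if __name__ == "__main__":
    # Use piped CLI output when present, otherwise the constructed sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for user, actions in sorted(watched_actions(raw).items()):
        for ev_id, verb, names in actions:
            print(f"{user}\t{ev_id}\t{verb}\t{', '.join(names)}")
```

Matching on the leading verb rather than grepping the whole line avoids false hits when a node or user name happens to contain the word being searched for.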
You can keep track of your system
MAAS audit logs are an indispensable resource for gaining deep insights into the system’s history. By understanding how to query, filter, and interpret these logs, operators equip themselves with robust tools for troubleshooting, compliance, and oversight.