Understanding audit events

Mastering MAAS audit logs for robust management and oversight

MAAS events provide a thorough record of alterations across various elements—machines, users, and settings. Among these, events tagged as AUDIT offer invaluable insights into the historical changes affecting your MAAS instance. For operators, understanding and leveraging audit logs is vital for system integrity, troubleshooting, regulatory compliance, and governance.

Fetching audit events from the CLI

The maas CLI features an events query command that can be tailored to fetch only audit-related logs. The following query fetches all AUDIT level logs:

maas $PROFILE events query level=AUDIT

To limit the output to the most recent 20 audit events, use:

maas $PROFILE events query level=AUDIT limit=20 after=0

Parsing the output for meaningful data

The default output from events query is in JSON format. This allows for easy parsing with JSON-centric tools such as jq. For instance, to extract relevant information like the user, node, and action, you can employ:

maas $PROFILE events query level=AUDIT | jq -r '.events[] | {username, node, description}'

For users comfortable with text processing, common utilities like grep, cut, sort, and sed can be applied either on the raw JSON or the text output from jq.

Decoding the structure of audit logs

Audit logs maintain a consistent format, using a verb/noun structure to indicate actions clearly. Here are some examples to illustrate:

  • Started testing on 'example-node'
  • Marked 'old-node' broken
  • Deleted the machine 'retired-system'

Audit logs can provide intricate details on node-related activities such as:

  • Phases of commissioning
  • Test results
  • Deployment statuses
  • Special modes like acquiring, rescuing, and deletion

Beyond node events, audit logs also offer visibility into:

  • User activities, including logins
  • Modifications to user accounts
  • Changes to system configuration
  • Adjustments to scripts or DHCP snippets

Fine-tuning your audit queries with filters

The events query command supports a variety of filters to focus your audits further. For example, to see all events related to a specific node:

maas $PROFILE events query hostname=my-node

Or to find all delete actions initiated by a particular user:

maas $PROFILE events query owner=jane level=AUDIT | grep "Deleted "

Filters can be combined to generate more precise audit records, aiding operators in customising their governance methods.
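
The verb/noun structure described above also lends itself to a per-user review that goes further than grep. The following is an added example, not part of the MAAS documentation or code base: it groups audit events by user and leading verb and lists delete actions. The sample JSON is constructed, and the field names username, hostname, level, created and description are assumed to match the events query output.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of `events query` output; not real MAAS data.
SAMPLE = json.dumps({
    "events": [
        {"username": "jane", "hostname": "retired-system", "level": "AUDIT",
         "created": "Mon, 03 Jun. 2024 10:15:02",
         "description": "Deleted the machine 'retired-system'"},
        {"username": "jane", "hostname": "example-node", "level": "AUDIT",
         "created": "Mon, 03 Jun. 2024 10:12:40",
         "description": "Started testing on 'example-node'"},
        {"username": "bob", "hostname": "old-node", "level": "AUDIT",
         "created": "Mon, 03 Jun. 2024 09:58:11",
         "description": "Marked 'old-node' broken"},
        {"username": "bob", "hostname": "old-node", "level": "INFO",
         "created": "Mon, 03 Jun. 2024 09:50:00",
         "description": "Node powered on"},
    ],
})


def audit_actions(raw):
    """Yield (username, verb, description) for each AUDIT event."""
    for event in json.loads(raw).get("events", []):
        if event.get("level") != "AUDIT":
            continue  # defensive: ignore anything that is not an audit record
        description = (event.get("description") or "").strip()
        verb = description.split(" ", 1)[0] if description else "(empty)"
        yield event.get("username") or "(unknown)", verb, description


def verbs_by_user(raw):
    """Count leading verbs per user, e.g. {'jane': Counter({'Deleted': 1})}."""
    summary = defaultdict(Counter)
    for user, verb, _ in audit_actions(raw):
        summary[user][verb] += 1
    return dict(summary)


def deletions(raw, username=None):
    """Return descriptions of delete actions, optionally for one user."""
    return [d for user, verb, d in audit_actions(raw)
            if verb == "Deleted" and username in (None, user)]


if __name__ == "__main__":
    print(verbs_by_user(SAMPLE))
    print(deletions(SAMPLE, username="jane"))
```

To run it against a live instance, pass the captured output of maas $PROFILE events query level=AUDIT to these functions in place of SAMPLE.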

You can keep track of your system

MAAS audit logs are an indispensable resource for gaining deep insights into the system’s history. By understanding how to query, filter, and interpret these logs, operators equip themselves with robust tools for troubleshooting, compliance, and oversight.

