Server audit logs

Starting with BigFix version 9.5.11, the server audit logs include the following items:

  • Messages for deletion of computers from the console or through API
  • Messages for deletion of actions
Audit entries are presented in a single line and contain the same number of field delimiters. Field delimiters are present even if no value exists for a specific field. Since the format of the audit fields is subject to change over time, each line has a version number as the first entry. The current format still includes texts from existing audit log messages (which are in old format) and presents them in the last field.

Format of the audit log messages

The default location of the audit logs is as follows:
  • On Windows computers: %PROGRAM FILES%\BigFix Enterprise\BES Server\server_audit.log
  • On Linux computers: /var/opt/BESServer/server_audit.log
Starting in version 9.5.11, the audit log messages are in the following format:
<format-version>|<timestamp>|<message-priority>|<username>|<event-source>|<event-label>|<event-type>|<ip-address>|<message>
| is the field separator.
  • format-version: The version of the message format. For example, 1.
  • timestamp: The timestamp of the log message, which can be the server timezone or UTC.
  • message-priority: The priority of the log.
    • EMERG (emergency, system non-functioning or unusable)
    • ERROR (error condition)
    • WARN (warning)
    • INFO (informational message)
  • username: The username of the event initiator. In case it is not a user event, then the field is set to SYSTEM.
  • event-source: The source from which the event originates. Possible values: CONSOLE, RESTAPI.
  • event-label: The event or the artifact that is affected.

    Possible values: USER, SITE, ACTION, ROLE, COMPUTER

  • event-type: The type of the event.

    Possible values: CREATE, DELETE, EDIT, PERMIT (or LOGIN), DENY (or LOGIN)

  • ip-address: The IP address of the component which initiated the event request. For SYSTEM, this is the server IP address.
  • message: The actual log message.

Examples

Following are a few examples of the log messages in the new format:
1|Tue, 05 Sep 2017 10:57:06 -0700|INFO|johndoe|CONSOLE|USER|PERMIT|172.28.128.5|Successful log in. (Data Connection)
1|Tue, 05 Sep 2017 10:58:32 -0700|INFO|johndoe|CONSOLE|ACTION|DELETE|172.28.128.5|Action waitOverrideTest(50) was deleted

In case of audit entries other than those introduced in 9.5.11 or later, the messages are formatted as follows: <format-version>|<timestamp>|<message-priority>||||||<message>. For example:

1|Tue, 05 Sep 2017 10:57:06 -0700|INFO||||||user "johndoe" (1): Successful log in. (Data Connection)

Managing logs

The default size of an audit log file is 100 MB. You can change the value by using the setting _Audit_Logging_LogMaxSize. When the size reaches it maximum value, the log file is renamed and a new file is created. Renamed log files are never deleted. To optimally use the space, you should move the log files to a different location or purge them at regular internals. For details, see Logging and https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/BigFix%20Logging%20Guide.
Note: When you upgrade to version 9.5.11, the server_audit.log file is forced to rotate to server_audit.YYYYMMDDHHMM. This is a one-time action and is applicable regardless of whether or not you have configured log rotation. The server_audit.YYYYMMDDHHMM file only contains audit logs in the old format, whereas server_audit.log only contains audit logs in the new format.