REST requests and accounting (audit) logs
Requests that are logged
All REST requests—including GET requests—are logged to the accounting (audit) log.
Accounting (audit) log URI
The URI for the accounting logs is the following:
/rest/v1/logs/audit
Access authorization for accounting (audit) logs
The accounting logs can be accessed by administrators or auditors.
Sample accounting log message for a REST request
The following is an example of an accounting log message generated when a user executed a GET request:
type=USYS_CONFIG msg=audit(1535741482.045:70): pid=1675 uid=0 auid=4294967295 ses=4294967295 msg='rec=ACCT_CMD op=stop timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=GET http-uri=/rest/v1/system/bridge/vlans/1/macs" exe="/usr/bin/hpe-restd" hostname=8320 addr=127.0.0.1 terminal=? res=success'
The message starts with the record type, which is specific to ArubaOS-CX. Values are the following:
USER_START
Record of a user login action.
USER_STOP
Record of a user logout action.
USYS_CONFIG
Record of a command executed by the user.
msg=
element starting with the
rec=
item as follows:
Exec is identified with:
msg='rec=ACCT_EXEC
Command is identified with:
msg='rec=ACCT_CMD
System is identified with:
msg='rec=ACCT_SYSTEM
The user group is indicated by
priv-lvl
, which is also specific to ArubaOS-CX. Values are the following:
Privilege level | User group |
---|---|
1 |
|
15 |
|
19 |
|
The value of
service
indicates which user interface was used:
service=shell
Indicates that the log entry is a result of a CLI command.
service=https-server
Indicates that the log entry is a result of a REST API request or a Web UI action.
The string value of
data
identifies the CLI command or REST API request that was executed.
For REST requests, the method and URI of the REST request is contained in the string value of
data
. For example:
data="http-method=GET http-uri=/rest/v1/system/bridge/vlans/1/macs"