REST requests and accounting (audit) logs

Requests that are logged

All REST requests—including GET requests—are logged to the accounting (audit) log.

Accounting (audit) log URI

The URI for the accounting logs is the following:

/rest/v1/logs/audit

Access authorization for accounting (audit) logs

The accounting logs can be accessed by administrators or auditors.

Sample accounting log message for a REST request

The following is an example of an accounting log message generated when a user executed a GET request:

type=USYS_CONFIG msg=audit(1535741482.045:70): pid=1675 uid=0 auid=4294967295 ses=4294967295 msg='rec=ACCT_CMD op=stop timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=GET http-uri=/rest/v1/system/bridge/vlans/1/macs" exe="/usr/bin/hpe-restd" hostname=8320 addr=127.0.0.1 terminal=? res=success'

The message starts with the record type, which is specific to ArubaOS-CX. Values are the following:

USER_START

Record of a user login action.

USER_STOP

Record of a user logout action.

USYS_CONFIG

Record of a command executed by the user.

The three types of accounting log information are identified by the msg= element starting with the rec= item as follows:
  • Exec is identified with: msg='rec=ACCT_EXEC

  • Command is identified with: msg='rec=ACCT_CMD

  • System is identified with: msg='rec=ACCT_SYSTEM

The user group is indicated by priv-lvl, which is also specific to ArubaOS-CX. Values are the following:

Privilege level    User group
1                  operators
15                 administrators
19                 auditors

The value of service indicates which user interface was used:

service=shell

Indicates that the log entry is a result of a CLI command.

service=https-server

Indicates that the log entry is a result of a REST API request or a Web UI action.

The string value of data identifies the CLI command or REST API request that was executed.

For REST requests, the method and URI of the REST request are contained in the string value of data. For example:

data="http-method=GET http-uri=/rest/v1/system/bridge/vlans/1/macs"
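
The following added example (not part of the original documentation or the product's own code) parses an accounting log message into the fields described above and extracts the REST method and URI from data. The function and variable names are assumptions chosen for illustration; the sample record is the one shown on this page.

```python
import re
from datetime import datetime, timezone

# Sample record copied from this page.
SAMPLE = (
    "type=USYS_CONFIG msg=audit(1535741482.045:70): pid=1675 uid=0 "
    "auid=4294967295 ses=4294967295 msg='rec=ACCT_CMD op=stop timezone=UTC "
    "user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL "
    'service=https-server data="http-method=GET '
    'http-uri=/rest/v1/system/bridge/vlans/1/macs" '
    'exe="/usr/bin/hpe-restd" hostname=8320 addr=127.0.0.1 terminal=? '
    "res=success'"
)

# Value tables taken from this page; the names are illustrative.
PRIV_GROUPS = {"1": "operators", "15": "administrators", "19": "auditors"}
SERVICES = {"shell": "CLI", "https-server": "REST API or Web UI"}
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):\d+\):")
INNER = re.compile(r"msg='(?P<inner>.*)'\s*$")
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def kv(text):
    """Split key=value pairs; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in PAIR.findall(text)}

def parse_record(line):
    head, inner = HEADER.match(line), INNER.search(line)
    if not head or not inner:
        raise ValueError("not an accounting log record")
    f = kv(inner["inner"])
    rec = {
        "type": head["type"],
        "time": datetime.fromtimestamp(float(head["ts"]), tz=timezone.utc),
        "rec": f.get("rec"),
        "user": f.get("user"),
        "group": PRIV_GROUPS.get(f.get("priv-lvl"), "unknown"),
        "interface": SERVICES.get(f.get("service"), "unknown"),
        "addr": f.get("addr"),
        "result": f.get("res"),
        "data": f.get("data", ""),
    }
    # REST requests carry the method and URI inside the data string.
    if f.get("service") == "https-server":
        http = kv(rec["data"])
        rec["http_method"] = http.get("http-method")
        rec["http_uri"] = http.get("http-uri")
    return rec
```

Records whose priv-lvl or service value is not listed on this page are reported as "unknown" rather than rejected, so unexpected values stay visible during review.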