Using Predix Audit Service
Publishing Predix Audit Events
Predix Audit Service enables publishing events by sending requests to the following endpoint:
<audit-receiver-url>/v2/audit
Header | Description |
---|---|
Authorization | A valid token that includes the scopes under "audit-pub-client-scope" , which was issued by a trusted UAA that was provided at instance provisioning. |
Predix-Zone-Id | Audit Service zone id parameters that represents the AuditService tenant id. This value must match the scopes in the provided token. |
Content | application/JSON |
Events | Events that need to be published in the event format. |
curl -X POST \
https://audit-receiver-sysint-blue-dev.run.aws-usw02-dev.ice.predix.io[audit-receiver-url]/v2/audit \
-H 'Authorization: Bearer <token>
-H 'Content-Type: application/json' \
-H 'Predix-Zone-Id: 5dd76136-f897-4371-89e0-38d5e9a0dbbb' \
-d '[{
"messageId": "525b3e34-5648-46d4-8901-acb6aec53490",
"timestamp":"1546337722",
"classifier":"SUCCESS",
"publisherType":"APP_SERVICE",
"categoryType": "OPERATIONS",
"eventType":"LOGIN_SUCCESS",
"payload":"payload",
"correlationId":"525b3e34-5648-46d4-8901-acb6aec53491",
"tenantUuid":"525b3e34-5648-46d4-8901-acb6aec53492",
"ownerTenant":"525b3e34-5648-46d4-8901-acb6aec53493"}
]'
[{
"appName": "string",
"categoryType": "AUDIT_ACCOUNTABILITY",
"classifier": "SUCCESS",
"correlationId": "string",
"eventType": "CUSTOM",
"messageId": "string",
"operatorTenant": "string",
"ownerTenant": "string",
"payload": "string",
"publisherType": "NETWORK_DEVICE",
"tenantUuid": "string",
"timestamp": 0
}]
Type | Field Name | Mandatory for user? | Details |
---|---|---|---|
String | messageId | Yes | Must be a random, unique UUID. |
long | timestamp | Yes | timestamp in milliseconds |
AuditEnums.Classifier | classifier | Yes | |
AuditEnums.PublisherType | publisherType | Yes | |
AuditEnums.CategoryType | categoryType | Yes | |
AuditEnums.EventType | eventType | Yes | |
String | payload | No | |
String | correlationId | No | Maximum 64 characters |
String | tenantUuid | No | Maximum 36 characters |
String | ownerTenant | No | Maximum 36 characters |
String | operatorTenant | No | Maximum 36 characters |
String | appName | No | Maximum 100 characters |
- AuditEnums.Classifier
Classifier is a field that is created to classify the event, whether it was a success or a failure. Each message is classified automatically as a successful message. Supported types: SUCCESS, FAILURE, UNRECOGNIZED
- AuditEnums.PublisherType
This field enables the developer to provide the auditor type. Supported types: NETWORK_DEVICE, DB_SYSTEM, APP_SERVICE, OS, UNRECOGNIZED
- AuditEnums.CategoryType
This field mentions which type of category is related to the event. Supported fields: AUDIT_ACCOUNTABILITY, OPERATIONS, ADMINISTRATIONS, AUTHENTICATIONS, AUTHORIZATION, MALICIOUS, DATA_INTEGRITY, API_CALLS, UNRECOGNIZED
-
AuditEnums.EventType
This field mentions the event in general terms (It is also a provided CUSTOM value in case there is no matching for the client’s needs). Supported fields: CUSTOM, LOG_START, LOG_STOP, LOG_DELETION, LOG_DEACTIVATION, LOG_MODIFICATION, UNAVAILABILITY, EXCEPTION, SERIOUS_ERROR, STARTUP_EVENT, SHUTDOWN_EVENT, START_SERVICE, STOP_SERVICE, ACCOUNT_PRIVILEGE_SUCCESS_MODIFICATION, ACCOUNT_PRIVILEGE_FAILURE_MODIFICATION, ADD_ADMIN_ACCOUNT, CHANGE_PASSWD_SUCCESS, CHANGE_PASSWD_FAILURE, CHANGE_CONFIGURATIONS_SUCCESS, CHANGE_CONFIGURATIONS_FAILURE, ADD_ADMIN_GROUP_ACCOUNT, CHANGE_CONFIGURATIONS, ADD_ROLE, REMOVE_ROLE, SECURITY_POLICY_CHANGE_SUCCESS, SECURITY_POLICY_CHANGE_FAILURE, LOGIN_SUCCESS, LOGIN_FAILURE, ACCOUNT_LOCKOUT, AUTHENTICATION_ERROR, VPN_CONNECTION_ESTABLISHED_SUCCESS, VPN_CONNECTION_ESTABLISHED_FAILURE, CHANGE_CRITICAL_FILE, PRIVILEGE_ACCOUNT_ACTION, CHANGE_CRITICAL_RESOURCE, INBOUND_CONNECTION_DENIED, OUTBOUND_CONNECTION_DENIED, INVALID_INPUTS, INVALID_APP_ABUSE, COMPONENT_INSTALLATION, COMPONENT_MODIFICATION, COMPONENT_DELETION, DOS_ATTACK, EAVSDROPPING_ATTACK, USER_UNAPPROVED_OUTBOUND_TRAFFIC, VIRUS_ALERT, MALWARE_ALERT, ACTION, CREATE, TRIGGER, DROP, INSERT, UPDATE, DELETE, SUCCESS_API_REQUEST, FAILURE_API_REQUEST, UNRECOGNIZED
The HTTP response shall include the following parameters:Table 3. HTTP Status Description 200 ok Request was successfully processed . The user should examine the results. 400 Bad Request Request has a bad format:
- Max size was reached.
- Audit messageId is not unique.
- Audit events are malformed.
- Missing mandatory headers.
401 Unauthorized Request is not authorized:
- Token is invalid, missing scopes or was not issued by a known trusted issuer.
- Zone-Id header does not match the token scopes.
500 Internal Server Error An unknown error occurred. When the request is successfully processed ,the user receives a 200 OK HTTP Status with a list of message statuses. This information provides insight regarding the status of each audit event. The user should check the status to ensure that each event was successfully published, and if not, what is the current status and reason.
Table 4. Status Details Notes SUCCESS The audit event was successfully published. FAILURE_INVALID The audit event is invalid:
- Mandatory fields are missing.
- Exceeds limitations per field.
FAILURE The event was not published:
- Communication failure to the Predix Audit Service.
- The process was timed out.
It is recommended to resend the event. The messageStatus description may include additional relevant information. The following examples show possible responses. The first two audit events were accepted, whereas the third was rejected due to a missing mandatory "Classifier" field.{ "messageStatus": [ { "messageId": "525b3e34-5648-46d4-8901-acb6aec53490", "status": "SUCCESS", "description": "message was accepted" } { "messageId": "525b3e34-5648-46d4-8901-acb6aec53492", "status": "SUCCESS", "description": "message was accepted" }, { "messageId": "525b3e34-5648-46d4-8901-acb6aec53493", "status": "FAILURE_INVALID", "description": "classifier - must not be null, " }, ] }
Sending a Predix Audit Message using AuditEvent
AuditEvent eventV2 = AuditEventV2.builder()
.payload("GET: /v2/resources was unsuccessful")
.classifier(AuditEnums.Classifier.FAILURE)
.publisherType(AuditEnums.PublisherType.APP_SERVICE)
.categoryType(AuditEnums.CategoryType.API_CALLS)
.eventType(AuditEnums.EventType.FAILURE_API_REQUEST)
.tenantUuid(TENANT)
.correlationId(CORRELATION_ID)
.appName(“Application name”)
.build();
auditClient.audit(eventV2);
Type | Field Name | Mandatory for user? | Editable? | Default Value | Details |
---|---|---|---|---|---|
String | messageId | No | Yes | Auto generated in UUID format by AuditEventV2 builder | Maximum 36 characters |
int | version | No | No | Auto generated by AuditEventV2 builder with the value "2". | The field is protected. Changing this field may cause an exception. |
String | auditServiceId | No | Yes | Auto generated in Audit-Subscriber | The field is an Audit Subscriber Component and should not be used by Audit SDK users |
long | timestamp | No | Yes | Auto generated by AuditEventV2 builder with system current time in milliseconds | |
AuditEnums.Classifier | classifier | Yes | Yes | Auto generated by AuditEventV2 builder to "SUCCESS" | Audit SDK throws a Null Point Exception if AuditEventV2 is initialized without this value |
AuditEnums.PublisherType | publisherType | Yes | Yes | The developer must set this in the builder | Audit SDK throws a Null Point Exception if AuditEventV2 is initialized without this value |
AuditEnums.CategoryType | categoryType | Yes | Yes | The developer must set this in the builder | Audit SDK throws a Null Point Exception if AuditEventV2 is initialized without this value |
AuditEnums.EventType | eventType | Yes | Yes | The developer must set this in the builder | Audit SDK throws a Null Point Exception if AuditEventV2 is initialized without this value |
String | payload | No | Yes | Custom field. not mandatory | Maximum 2048 characters |
String | correlationId | No | Yes | Not mandatory | Maximum 64 characters |
String | tenantUuid | No | Yes | Should be in UUID format | Maximum 254 characters |
String | AppName | No | Yes | Defines the application friendly name | Maximum 100 characters |
- AuditEnums.Classifier
Classifier is a field that is created to classify the event, whether it was a success or a failure. Each message is classified automatically as a successful message. Supported types: SUCCESS, FAILURE
- AuditEnums.PublisherType
This field enables the developer to provide the auditor type. Supported types: NETWORK_DEVICE, DB_SYSTEM, APP_SERVICE, OS
- AuditEnums.CategoryType
This field mentions which type of category is related to the event. Supported fields: AUDIT_ACCOUNTABILITY, OPERATIONS, ADMINISTRATIONS, AUTHENTICATIONS, AUTHORIZATION, MALICIOUS, DATA_INTEGRITY, API_CALLS
-
AuditEnums.EventType
This field mentions the event in general terms (It is also a provided CUSTOM value in case there is no matching for the client’s needs). Supported fields: CUSTOM, LOG_START, LOG_STOP, LOG_DELETION, LOG_DEACTIVATION, LOG_MODIFICATION, UNAVAILABILITY, EXCEPTION, SERIOUS_ERROR, STARTUP_EVENT, SHUTDOWN_EVENT, START_SERVICE, STOP_SERVICE, ACCOUNT_PRIVILEGE_SUCCESS_MODIFICATION, ACCOUNT_PRIVILEGE_FAILURE_MODIFICATION, ADD_ADMIN_ACCOUNT, CHANGE_PASSWD_SUCCESS, CHANGE_PASSWD_FAILURE, CHANGE_CONFIGURATIONS_SUCCESS, CHANGE_CONFIGURATIONS_FAILURE, ADD_ADMIN_GROUP_ACCOUNT, CHANGE_CONFIGURATIONS, ADD_ROLE, REMOVE_ROLE, SECURITY_POLICY_CHANGE_SUCCESS, SECURITY_POLICY_CHANGE_FAILURE, LOGIN_SUCCESS, LOGIN_FAILURE, ACCOUNT_LOCKOUT, AUTHENTICATION_ERROR, VPN_CONNECTION_ESTABLISHED_SUCCESS, VPN_CONNECTION_ESTABLISHED_FAILURE, CHANGE_CRITICAL_FILE, PRIVILEGE_ACCOUNT_ACTION, CHANGE_CRITICAL_RESOURCE, INBOUND_CONNECTION_DENIED, OUTBOUND_CONNECTION_DENIED, INVALID_INPUTS, INVALID_APP_ABUSE, COMPONENT_INSTALLATION, COMPONENT_MODIFICATION, COMPONENT_DELETION, DOS_ATTACK, EAVSDROPPING_ATTACK, USER_UNAPPROVED_OUTBOUND_TRAFFIC, VIRUS_ALERT, MALWARE_ALERT, ACTION, CREATE, TRIGGER, DROP, INSERT, UPDATE, DELETE, SUCCESS_API_REQUEST, FAILURE_API_REQUEST
- Payload
The following fields are currently parsed by the Audit Log Viewer UI and can be a part of the Payload string per the consuming application needs: OLDVALUE, NEWVALUE, RESOURCEUUID, RESOURCE, ACTOR, ACTORUUID, ACTORDISPLAYNAME, BATCHUUID, ORIGINATOR, ACTIONTYPE, DESCRIPTION, RESOURCETYPE.
For example, the following code snippet can be used by a consuming application to ingest data in all the above payload fields:try{ payload = gson.fromJson(this.getPayload(), AuditEventV2Payload.class); }catch (Exception e){ String msg = "error parsing audit payload as JSON: "; log.error(msg, e); throw new AuditException(msg); } Audit audit = Audit.builder() .resourceUuid(payload.getResourceUuid()) .resource(payload.getResource()) .actor(payload.getActor()) .actorUuid(payload.getActorUuid()) .actorDisplayName(payload.getActorDisplayName()) .tenantUuid(this.getTenantUuid()) .ownerTenant(this.getOwnerTenant()) .operatorTenant(this.getOperatorTenant()) .batchUuid(payload.getBatchUuid()) .originator(payload.getOriginator()) .actionType(payload.getActionType()) .description(payload.getDescription()) .eventAt(""+this.timestamp) .resourceType(payload.getResourceType()) .oldValue(payload.getOldValue()) .newValue(payload.getNewValue()) .build(); return audit;
Querying the Predix Audit Service
Procedure
Type | Parameter | Description |
---|---|---|
Optional | tenantUuid | Returns audit events that are generated by the specified tenant. This is a second-level tenancy. |
Mandatory | startDate/endDate | Returns audit events within the date/time range (in milliseconds). The current maximal range is 3 months. |
Mandatory | page | Defines response specific page of audit events. Must be larger than 0. |
Mandatory | pageSize | Defines response page size of audit events. The range is between 1 and 1000. |
Optional | correlationId | |
Optional | payload | |
Optional | classifier | |
Optional | publisherType | |
Optional | categoryType | |
Optional | AppName | Defines the auditing application friendly name. Maximum 100 characters. |
Optional | eventType |
Header | Description |
---|---|
Authorization | UAA Token |
Predix-Zone-Id | Audit Service zone id parameters that represents the AuditService tenant id |
Content | application/JSON |
curl -X POST https://audit-service-release.run.aws-usw02-pr.ice.predix.io/v2/query -H 'Authorization: Bearer ${access_token}'
-H 'Cache-Control: no-cache' -H 'Content-Type: application/json' -H 'Predix-Zone-Id: ${audit_service_instance_guid}' -d '{
"pageSize": 1000,
"page": 1,
"startDate": 1520470313460,
"endDate": 1520471078764
}'
HTTP Status | Description |
---|---|
200 ok | Successful |
401 Unauthorized | The user is not allowed to use the service. |
404 Not Found | The requested resource does not exist |
406 Not Acceptable | The request was malformed. The response body includes an error providing additional information |
The following procedure describes the methods of performing a query:
Querying Archived Data
POST /v2/archive/list
Type | Parameter | Description |
---|---|---|
Mandatory | startDate | The start date of the list in ISO-8601 format |
Mandatory | endDate | The end date of the list in ISO-8601 format |
Mandatory | version | The version of the audit event message (should be V2) |
Optional | pageSize | |
Optional | page | |
Optional | tenantUUID | Filters data based on the tenant identifier. |
Header | Description |
---|---|
Predix-Zone-Id | Audit Service zone id parameters that represents the AuditService tenant id |
Authorization | UAA token |
HTTPS Status | Description |
---|---|
200 ok | Successful |
201 | Created |
401 | Unauthorized |
403 | Forbidden |
404 | Not Found |
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/xml' --header 'Predix-Zone-Id: {audit-service-id}' --header
'Authorization: Bearer {token}' -d '{
"startDate": "2018-01-01",
"endDate": "2018-01-31",
"version": "V2",
"pageSize": 10,
"page": 1
“tenantUUID” : “83fed947-8619-4989-a6bd-ed44378e8cf1”
}' 'https://audit-service-sysint-blue-dev.run.aws-usw02-dev.ice.predix.io/v2/archive/list'
POST /v2/archive/file
Type | Parameter | Description |
---|---|---|
Mandatory | path | The full path of the archived file. |
Optional | tenantId | Filters data based on the tenant identifier. |
Header | Description |
---|---|
Predix-Zone-Id | Audit Service zone id parameters that represents the AuditService tenant id |
Authorization | UAA toekn |
HTTPS Status | Description |
---|---|
200 ok | Successful |
201 | Created |
401 | Unauthorized |
403 | Forbidden |
404 | Not Found |
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/xml' --header 'Predix-Zone-Id: {audit-service-id}' --header
'Authorization: Bearer {token}' -d '{
"path": "{path/to/your/file}"
}' 'https://audit-service-sysint-blue-dev.run.aws-usw02-dev.ice.predix.io/v2/archive/file'
Updating Plans
The user may want to update its subscription plan while working with an existing one to move to a dedicated database or enlarge its database storage. To move from one subscription plan to another, the user should use the “update-service” API via the service broker.
-
Beta to a Dedicated-A50: A one-time change for existing beta customers.It is recommended for a production environment where a dedicated database is required and the audit events storage volume is considered as medium.
-
Beta to a Shared-A10 : A one-time change for existing beta customers.It is recommended for testing and evaluating the Predix Audit service where the required audit events storage volume is considered small and the DB is shared with other tenants.
cf update-service<audit-instance-name-with-old-plan>-p<new-plan>
cf update-service audit-test -p Dedicated-A50
Upgrading from a Shared Plan to a Dedicated Plan
- Delete the current Audit service instance (either via “Delete Service Instance” option in the Marketplace UI or via CF CLI command)
- Create a new Audit service instance with Dedicated plan (either via selecting the dedicated subscription plan in the Marketplace UI or via CF CLI command).
- Perform the instructions on creating a new Predix Audit instance, as seen in the Getting Started section (https://docs.predix.io/en-US/content/service/security/audit/getting-started-with-predix-audit).
To retain data integrity, the user is required to sign each audit event message with a digital signature (e.g., RSA PKI) and the Predix Audit Service Query API should verify that the signature is valid. The digital signature should be owned and maintained by the customer and used within the message payload field to uniquely identify the original message.
When a delete-service request is sent to the Predix Audit service broker (via CF CLI or marketplace UI), the customer’s Predix Audit Database is immediately and permanently deleted with all its current audit events data. In order to keep the data before its deletion (for example, due to compliancy regulations), it is the customer's responsibility to transfer all data from the Predix to its own server prior of completing this action.