
4.12. Audit Log

In order to provide a complete view of user actions, IRM provides a robust Audit Log feature. This feature is only available for On Premises deployments of IRM. Among other things, the Audit Log captures basic HTTP traffic information flowing between the IRM server machine and any externally-running component, such as the IRM Web Client, Linkware Live, or the BMC application suite.
 
Note: This feature is available only to admins due to the broad and potentially sensitive nature of the information that can be extracted from it. 
 
 
The Audit Log is able to create meaningful summary data and reports. In other words, this interface provides a mechanism for extracting data from the Audit Log system so that it can be analyzed or processed further in some other system. For the most detailed forensic investigations, extracting the Audit Log entries and processing them further will usually be necessary.
 
Basic feature description
It is important not to confuse the Audit Log with the User Activity Logs.  Both are admin-only features, but the difference is that the Audit Log provides more detailed data, plus additional data analysis features. Unlike the User Activity Log, which is text message-oriented, the data provided by the Audit Log is presented in a structured data format. Each event log consists of different fields (such as Type, Date, Time, object name) in a structured text format (JSON) to ease parsing and analysis.
 
Unlike the User Activity Log, which sometimes does not include enough detail to determine exactly what action triggered the log event, the Audit Log feature shows entries for all items in the User Activity Log (at minimum), plus additional detail about the operation. For example, if a user is promoted from Normal to Admin, the User Activity Log entry would not say what kind of update it was (a change of User Class), while the Audit Log would.
 
In summary, the User Activity Log gives users a quick and convenient way to check basic audit information, while the Audit Log attempts to provide enough information to support detailed forensic analysis. The Audit Log is particularly useful for customers wishing to comply with the DISA Security Technical Implementation Guides (STIGs).
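The two points above, that Audit Log entries are structured JSON rather than free text and that they are meant to be extracted and processed in another system, are easiest to see with a small processor. The following is an added example, not code from the IRM product or from Planet Associates: it parses a constructed JSON Lines export, tallies events by Type, and pulls out User Class changes such as the Normal-to-Admin promotion mentioned above. The field names (Type, Date, Time, Object, User, Details) and the event type names are assumptions for illustration, since the page only lists Type, Date, Time and object name; IRM's real schema may differ.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample export in JSON Lines form (one entry per line).
# Field names and Type values are assumed for this example, not IRM's schema.
# One deliberately malformed line is included to show tolerant parsing.
SAMPLE_AUDIT_LOG = """\
{"Type": "LOGIN", "Date": "2024-05-01", "Time": "08:02:11", "Object": "alice", "User": "alice", "Details": {"result": "success"}}
{"Type": "USER_UPDATE", "Date": "2024-05-01", "Time": "08:15:42", "Object": "bob", "User": "alice", "Details": {"field": "UserClass", "old": "Normal", "new": "Admin"}}
{"Type": "USER_UPDATE", "Date": "2024-05-01", "Time": "08:16:05", "Object": "bob", "User": "alice", "Details": {"field": "Email", "old": "b@example.test", "new": "bob@example.test"}}
{"Type": "HTTP", "Date": "2024-05-01", "Time": "08:20:00", "Object": "/api/sites", "User": "linkware-live", "Details": {"method": "GET", "status": 200}}
not json at all
{"Type": "USER_UPDATE", "Date": "2024-05-02", "Time": "09:00:00", "Object": "carol", "User": "bob", "Details": {"field": "UserClass", "old": "Admin", "new": "Normal"}}
"""


def parse_entries(text):
    """Parse a JSON Lines export. Returns (entries, skipped_count).

    Lines that are blank, not valid JSON, or not JSON objects are skipped and
    counted, so one corrupt line does not abort a forensic run.
    """
    entries, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(obj, dict):
            skipped += 1
            continue
        entries.append(obj)
    return entries, skipped


def summarize_by_type(entries):
    """Summary data: how many entries of each Type were seen."""
    return dict(Counter(e.get("Type", "UNKNOWN") for e in entries))


def find_user_class_changes(entries):
    """Extract User Class changes, flagging promotions to Admin.

    This is the detail the text says the User Activity Log lacks: which field
    of the user record changed, from what, to what, and who did it.
    """
    changes = []
    for e in entries:
        details = e.get("Details") or {}
        if e.get("Type") != "USER_UPDATE" or details.get("field") != "UserClass":
            continue
        when = datetime.strptime(f"{e['Date']} {e['Time']}", "%Y-%m-%d %H:%M:%S")
        changes.append({
            "when": when,
            "actor": e.get("User"),
            "target": e.get("Object"),
            "old": details.get("old"),
            "new": details.get("new"),
            "promotion_to_admin": details.get("new") == "Admin" and details.get("old") != "Admin",
        })
    return changes


def report(text):
    """Build a plain-text report suitable for handing to another system or a reviewer."""
    entries, skipped = parse_entries(text)
    lines = [f"entries: {len(entries)}, skipped malformed lines: {skipped}"]
    for typ, n in sorted(summarize_by_type(entries).items()):
        lines.append(f"  {typ}: {n}")
    for c in find_user_class_changes(entries):
        flag = "  PROMOTION TO ADMIN" if c["promotion_to_admin"] else ""
        lines.append(f"{c['when']:%Y-%m-%d %H:%M:%S} {c['actor']} changed UserClass of "
                     f"{c['target']} {c['old']} -> {c['new']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG))
```

Because each entry is a JSON object, the promotion check is a field comparison rather than a regular expression over a sentence, which is what makes the Audit Log more tractable for scripted review than the message-oriented User Activity Log.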
 
Examples of events that create Audit Log entries include the following:
 
Access & example(s)
In order to provide a feature-rich audit log to admin users, IRM uses a third-party visualization system called Grafana. This system is accessed via a "/grafana" URL, that is, a URL of the form http://<machine DNS or IP address>/grafana.
 
This opens the standard Grafana login page:
 
 
After a successful login, the standard main "dashboard" page is opened showing the Welcome screen.
 
Click the 'Home' dropdown shown in the upper left corner to reveal the list of Audit Logs available for the selected machine:
 
For this example, the Global Console (Launcher) Audit Log is selected:
 
The Audit Log page displays a paginated list of event (action) logs, together with buttons that provide additional functions. The data displayed for each log entry contains the following information: