Server audit logs

The BigFix Server generates a server audit log file which contains the access information (login/logout) and information about the actions performed through the Console or the WebUI by the different users.

Morever, the server audit log file keeps track of specific actions sent through the BigFix Server from the Console or the WebUI to the client and then, later on, canceled. It also records access information to the BigFix Server when using either Web Reports or the BigFix REST API.

Starting with BigFix version 10.0.8, also the BigFix Administration Tool generates a specific log file providing information about the operations and the configuration changes performed.

Format of the audit log messages

Audit entries are presented in a single line and contain the same number of field delimiters. Field delimiters are present even if no value exists for a specific field. Since the format of the audit fields is subject to change over time, each line has a version number as the first entry.

The default location of the audit logs on the BigFix Server is as follows:
  • On Windows computers: %ProgramFiles(x86)%\BigFix Enterprise\BES Server\server_audit.log
  • On Linux computers: /var/opt/BESServer/server_audit.log
The default location of the audit logs on the BigFix Administration Tool is as follows:
  • On Windows computers:
    • For each user that runs the BigFix Administration Tool:

      C:\Users\<USERNAME>\AppData\Local\BigFix\besadmin_audit.log

      For example:

      C:\Users\Administrator\AppData\Local\BigFix\besadmin_audit.log

    • When the BigFix Administration Tool (BESAdmin) is invoked by a Fixlet or run by the LocalSystem user:

      C:\Windows\System32\config\systemprofile\AppData\Local\BigFix\besadmin_audit.log

  • On Linux computers:

    /var/log/besadmin_audit.log

Starting with BigFix version 9.5.11, the audit log messages are in the following format:
<format-version>|<timestamp>|<message-priority>|<username>|<event-source>|<event-label>|<event-type>|<ip-address>|<message>
| is the field separator.
  • format-version: The version of the message format. For example, 1.
  • timestamp: The timestamp of the log message, which can be the server timezone or UTC.
  • message-priority: The priority of the log.
    • EMERG (emergency, system non-functioning or unusable)
    • ERROR (error condition)
    • WARN (warning)
    • INFO (informational message)
  • username: The username of the event initiator. In case it is not a user event, then the field is set to SYSTEM.
  • event-source: The source from which the event originates. Possible values: CONSOLE, RESTAPI , WEBUI , WEBREPORTS.
  • event-label: The event or the artifact that is affected.

    Possible values: USER, SITE, ACTION, ROLE, COMPUTER , AUTHZ, SETTING , DATABASE.

  • event-type: The type of the event.

    Possible values: CREATE, DELETE, UPDATE, LOGIN , LOGOUT , SEARCH.

  • ip-address: The IP address of the component which initiated the event request. For SYSTEM, this is the server IP address.
  • message: The actual log message.
Starting with BigFix version 9.5.11, the server audit logs include also the following items:
  • Messages for deletion of computers from the console or through API.
  • Messages for deletion of actions.

Examples

Following are a few examples of the log messages in the new format:
1|Tue, 05 Sep 2017 10:57:06 -0700|INFO|johndoe|CONSOLE|AUTHZ|LOGIN|172.28.128.5|user “johndoe “ 
(1):Successful log in. (Data Connection)
1|Tue, 05 Sep 2017 10:58:32 -0700|INFO|johndoe|CONSOLE|ACTION|DELETE|172.28.128.5|
Action waitOverrideTest(50) was deleted

In case of audit entries other than those introduced in 9.5.11 or later, the messages are formatted as follows: <format-version>|<timestamp>|<message-priority>||||||<message>. For example:

1|Tue, 05 Sep 2017 10:57:06 -0700|INFO||||||user "johndoe" (1): Successful log in. (Data Connection)

Managing logs

The default size of an audit log file is 100 MB. When the size reaches its maximum value, the log file is renamed and a new file is created. Renamed log files are never deleted. To optimally use the space, you should move the log files to a different location or purge them at regular internals.

You can change the value by using the setting:
  • _Audit_Logging_LogMaxSize on the BigFix server.
  • _BESAdminAudit_Logging_LogMaxSize, introduced with BigFix version 10.0.8, on the BigFix Administration Tool.

Using the _BESAdminAudit_Logging_LogDirectoryPath setting, you can also modify the audit log directory path of the BigFix Administration Tool; it cannot be done on the BigFix server.

For details, see Logging and BigFix Logging Guide.

Note: When you upgrade to version 9.5.11, the server_audit.log file is forced to rotate to server_audit.YYYYMMDDHHMM. This is a one-time action and is applicable regardless of whether or not you have configured log rotation. The server_audit.YYYYMMDDHHMM file only contains audit logs in the old format, whereas server_audit.log only contains audit logs in the new format.
Note: When you upgrade to version 10.0.1, if you insert the character " | " (pipe) in the user name or in the content of the message, the character is replaced with " %7C " to allow the automatic tools to parse the log files and to avoid that the log files are wrongly formatted.