Server audit logs
Starting with BigFix version 9.5.11, the server audit logs include the following items:
- Messages for deletion of computers from the console or through API
- Messages for deletion of actions
Format of the audit log messages
The default location of the audit logs is as follows:
- On Windows computers:
%PROGRAM FILES%\BigFix Enterprise\BES Server\server_audit.log
- On Linux computers:
/var/opt/BESServer/server_audit.log
Each audit log message has the following format:
<format-version>|<timestamp>|<message-priority>|<username>|<event-source>|<event-label>|<event-type>|<ip-address>|<message>
| is the field separator.
format-version
: The version of the message format. For example, 1.
timestamp
: The timestamp of the log message, which can be in the server time zone or in UTC.
message-priority
: The priority of the log message. Possible values:
- EMERG (emergency, system non-functioning or unusable)
- ERROR (error condition)
- WARN (warning)
- INFO (informational message)
username
: The username of the event initiator. If the event is not a user event, the field is set to SYSTEM.
event-source
: The source from which the event originates. Possible values: CONSOLE, RESTAPI.
event-label
: The event or the artifact that is affected. Possible values: USER, SITE, ACTION, ROLE, COMPUTER.
event-type
: The type of the event. Possible values: CREATE, DELETE, EDIT, PERMIT (or LOGIN), DENY (or LOGIN).
ip-address
: The IP address of the component that initiated the event request. For SYSTEM, this is the server IP address.
message
: The actual log message.
Examples
Following are a few examples of the log messages in the new format:
1|Tue, 05 Sep 2017 10:57:06 +0100|INFO||||||user "Admin" (1): Successful log in. (Data Connection)
1|Tue, 05 Sep 2017 10:58:32 +0100|INFO|Admin||AUTHZ|LOGIN||Console closing. Logging out user.
Audit entries other than those introduced in version 9.5.11 or later are formatted as follows:
<format-version>|<timestamp>|<message-priority>||||||<message>
For example:
1|Tue, 05 Sep 2017 10:57:06 -0700|INFO||||||user "johndoe" (1): Successful log in. (Data Connection)
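The following parser is an added example and is not part of the BigFix product or its documentation. It reads both the 9-field format described above and the older entries whose middle fields are empty, keeps any | that appears inside the free-text message, and runs a small triage pass over the parsed events: every DELETE event (the computer and action deletions that 9.5.11 started recording) is reported, and repeated DENY events from the same user and IP address are grouped. The first two sample lines are the examples above; the remaining lines, their usernames, IP addresses and message texts are constructed for the example and are not real product output. The RFC 2822-style timestamp parsing relies on the date form shown in the examples.

```python
"""Parse BigFix server_audit.log lines and flag security-relevant events.

Added example; not part of the BigFix product or its documentation. It assumes
only the 9-field, '|'-separated format described above and RFC 2822-style
timestamps as shown in the examples.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Iterable, List, Tuple

FIELD_NAMES = ("format_version", "timestamp", "priority", "username",
               "event_source", "event_label", "event_type", "ip_address", "message")


@dataclass
class AuditEvent:
    format_version: str
    timestamp: datetime
    priority: str
    username: str      # empty in pre-9.5.11 entries, SYSTEM for non-user events
    event_source: str  # CONSOLE or RESTAPI
    event_label: str   # affected artifact, e.g. COMPUTER or ACTION
    event_type: str    # e.g. CREATE, DELETE, EDIT, PERMIT, DENY
    ip_address: str
    message: str

    @property
    def structured(self) -> bool:
        """True when the entry carries the extra fields introduced in 9.5.11."""
        return any((self.username, self.event_source, self.event_label,
                    self.event_type, self.ip_address))


def parse_line(line: str) -> AuditEvent:
    """Parse one audit line; a '|' inside the free-text message is preserved."""
    # Split on at most 8 separators so the message (last field) keeps any '|'.
    parts = line.rstrip("\r\n").split("|", 8)
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    fields = dict(zip(FIELD_NAMES, parts))
    fields["timestamp"] = parsedate_to_datetime(fields["timestamp"])
    return AuditEvent(**fields)


def parse_log(text: str) -> List[AuditEvent]:
    """Parse a whole log, skipping blank lines; malformed lines raise ValueError."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(events: Iterable[AuditEvent], deny_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings: every DELETE, and repeated DENY per user/IP."""
    findings: List[Tuple[str, str]] = []
    denies: Counter = Counter()
    for ev in events:
        if ev.event_type == "DELETE":
            findings.append(("DELETE", f"{ev.timestamp.isoformat()} {ev.event_label} deleted by "
                                       f"{ev.username!r} via {ev.event_source} from {ev.ip_address}"))
        elif ev.event_type == "DENY":
            denies[(ev.username, ev.ip_address)] += 1
    for (user, ip), count in sorted(denies.items()):
        if count >= deny_threshold:
            findings.append(("REPEATED_DENY", f"{count} denied logins for {user!r} from {ip}"))
    return findings


# Constructed sample: the first two lines are taken from the examples above; the rest
# are made-up entries in the same format (hostnames, IPs and messages are not real).
SAMPLE_LOG = """\
1|Tue, 05 Sep 2017 10:57:06 +0100|INFO||||||user "Admin" (1): Successful log in. (Data Connection)
1|Tue, 05 Sep 2017 10:58:32 +0100|INFO|Admin||AUTHZ|LOGIN||Console closing. Logging out user.
1|Wed, 06 Sep 2017 09:12:40 +0100|INFO|opsuser|RESTAPI|COMPUTER|DELETE|192.0.2.10|Computer "WS-0042" (1234) deleted.
1|Wed, 06 Sep 2017 09:15:02 +0100|WARN|opsuser|CONSOLE|ACTION|DELETE|192.0.2.10|Action "Patch rollout" (77) deleted.
1|Wed, 06 Sep 2017 09:20:11 +0100|WARN|auditor|CONSOLE|AUTHZ|DENY|198.51.100.7|Login denied.
1|Wed, 06 Sep 2017 09:20:15 +0100|WARN|auditor|CONSOLE|AUTHZ|DENY|198.51.100.7|Login denied.
1|Wed, 06 Sep 2017 09:20:19 +0100|WARN|auditor|CONSOLE|AUTHZ|DENY|198.51.100.7|Login denied.
"""

if __name__ == "__main__":
    for kind, detail in triage(parse_log(SAMPLE_LOG)):
        print(kind, detail)
```

The parser deliberately does not reject unknown event-label values: the page's own example uses AUTHZ, which is not in the list of possible values above, so a strict whitelist would drop real entries. Feed `parse_log` the contents of server_audit.log and forward the `triage` findings to whatever alerting you already use.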
Managing logs
The default size of an audit log file is 100 MB. You can change the value by using the setting _Audit_Logging_LogMaxSize. When the file reaches its maximum size, the log file is renamed and a new file is created. Renamed log files are never deleted. To use the space optimally, move the log files to a different location or purge them at regular intervals. For details, see Logging and https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/BigFix%20Logging%20Guide.
Note: When you upgrade to version 9.5.11, the server_audit.log file is forced to rotate to server_audit.YYYYMMDDHHMM. This is a one-time action and is applicable regardless of whether or not you have configured log rotation. The server_audit.YYYYMMDDHHMM file only contains audit logs in the old format, whereas server_audit.log only contains audit logs in the new format.
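Because renamed audit log files are never deleted, the retention step has to come from outside the product. The script below is an added example, not part of BigFix or its documentation: it gzips rotated copies older than a retention period into a separate archive directory and removes the originals, while never touching the active server_audit.log. It assumes rotated files sit beside the active log and are named server_audit.<suffix>; the page only names the one-time server_audit.YYYYMMDDHHMM rename on upgrade, so adjust `ROTATED_GLOB` if your rotation names files differently. `run_demo` builds a constructed log directory in a temporary folder so the script can be exercised without a real server.

```python
"""Archive rotated BigFix server audit logs that are older than a retention period.

Added example; not part of the BigFix product or its documentation. It assumes
rotated files sit beside server_audit.log and are named server_audit.<suffix>
(the page only names the one-time server_audit.YYYYMMDDHHMM rename at upgrade).
"""
import gzip
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional

ACTIVE_LOG = "server_audit.log"
ROTATED_GLOB = "server_audit.*"   # assumption about rotated file names, see docstring
SECONDS_PER_DAY = 86400


def rotated_logs(log_dir: Path) -> List[Path]:
    """Rotated copies: server_audit.* except the active log and already compressed files."""
    return sorted(p for p in log_dir.glob(ROTATED_GLOB)
                  if p.is_file() and p.name != ACTIVE_LOG and p.suffix != ".gz")


def archive_rotated_logs(log_dir: Path, archive_dir: Path, retention_days: int,
                         now: Optional[float] = None) -> List[Path]:
    """Gzip rotated logs older than retention_days into archive_dir, then remove the originals.

    Files newer than the cutoff, and server_audit.log itself, are never touched.
    Returns the archive paths written.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    archive_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for src in rotated_logs(log_dir):
        if src.stat().st_mtime > cutoff:
            continue                      # still inside the retention window
        dst = archive_dir / (src.name + ".gz")
        with open(src, "rb") as fin, gzip.open(dst, "wb") as fout:
            shutil.copyfileobj(fin, fout)
        src.unlink()                      # free the space in the log directory
        written.append(dst)
    return written


def run_demo(retention_days: int = 30) -> dict:
    """Build a constructed log directory in a temp dir, archive it, and report the outcome."""
    base = Path(tempfile.mkdtemp(prefix="bes_audit_demo_"))
    log_dir, archive_dir = base / "logs", base / "archive"
    log_dir.mkdir()
    now = time.time()
    # Constructed files: the active log, a 40-day-old rotated copy, a 2-day-old rotated copy.
    samples = {
        ACTIVE_LOG: 0,
        "server_audit.201709051200": 40,
        "server_audit.201710101200": 2,
    }
    for name, age_days in samples.items():
        path = log_dir / name
        path.write_text("1|Tue, 05 Sep 2017 10:57:06 +0100|INFO||||||constructed entry\n")
        os.utime(path, (now - age_days * SECONDS_PER_DAY,) * 2)
    archived = archive_rotated_logs(log_dir, archive_dir, retention_days, now=now)
    remaining = sorted(p.name for p in log_dir.iterdir())
    return {"archived": [p.name for p in archived], "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

Point `archive_dir` at storage outside the BES Server directory so that archived audit history survives a full log volume, and keep the archive readable by the parser shown earlier on this page, since the compressed files are byte-for-byte the original log text.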