Audit
Unravel tracks the actions that create, change, and delete resources as audit events to support auditing for security reasons. A set of attributes describes each audit event. For example, the time of the event (in UTC), the action, the subject (who invokes the action), the object affected by the action, and so on. Unravel admins can search and sort events by these attributes and download the results.
List of audit events
Audit events are classified based on the following components of Unravel:
Unravel supports the following audit events for RBAC:
Login
Logout
Unravel supports the following audit events for Alerts:
An AutoAction is created, edited, or deleted.
An AutoAction triggers one of the following actions:
Email
HTTP Post
Post to Slack
Move application to queue
Kill application
Custom action
Unravel supports the following audit events for reports:
On-demand report generation by a user
Scheduled report generation invoked by Unravel
Creation, modification, and deletion of a report.
Unravel supports audit events for the services and configuration changes that are done via the Unravel Manager service.
Enabling audit events in Unravel
Stop Unravel.
Set the following properties.
<Unravel installation directory>/unravel/manager config properties set unravel.audit.enabled
<true/false>
<Unravel installation directory>/unravel/manager config properties set unravel.audit.rest.timeout.seconds<timeout in seconds>
<Unravel installation directory>/unravel/manager config properties unravel.audit.dateFormat<YYYY-MM-DDTHH:mm:ss.SSS[Z]>
Refer to the following table for more details of the properties.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
Accessing audit Events from Unravel UI
Only users with admin roles have access to Audit. They can access Audit in the Unravel UI by navigating to Manager > Audit.
Viewing audit Events
Only users with an admin role can view the audit events from the UI. To view the audit events:
On the Unravel UI, go to Manager > Audit.
Select one of the following time periods from the drop-down on the upper right.
Last 1 Hour
Last 2 Hours
Last 6 Hours
Last 12 Hours
Today
Yesterday
Custom Date
The audit events are displayed. After the results are displayed, you can sort the events by any columns. You can also filter the events based on any of the following:
Component: RBAC, Alert, Report, Manage
Access Type: NA, Create, Read, Update, Delete
Status: NA, Unknown, Success, Failed
You can also use the Search option to filter out the events based on the search criteria.
The following columns are displayed for the audit events:
Column
Description
Date
Date and time when the event occurred.
User
The name of the user who has performed the action that led to the event.
Action
The action, which led to the event being generated.
Object
The object that is affected by the action. For example: For example, if a report is created, the object is the report ID.
Component
A component of Unravel with which the event is associated.
Access Type
Type of access that the action involves; CREATE, READ, UPDATE, DELETE.
Role
The role of the user who has performed the action that led to the event.
Client
The client IP address where the action is initiated.
Host
The name or IP address of the host on which the action is performed.
Status
Status of the action; NA, UNKNOWN, SUCCESS, FAILED.
Cluster Name
The ID of the cluster where the action occurs.
Detail
The text field adds any extra information unique to that event.
The Search option can be used to filter out the events based on the search criteria.
Downloading the audit events
You can download the audit events in a CSV format. Click and save the CSV file.