Audit Logs Management
Cloud Audit Logs is a feature that records all administrative and access activities on your VNG Cloud resources. Audit Logs helps you answer the question "Who did what, where, and when?" on VNG Cloud resources with the same level of transparency as your on-premises environment. Enabling Audit Logs allows you to monitor, review, and ensure the security of your VNG Cloud resources.
1. Types of Audit Logs
Cloud Audit Logs provides the following types of Audit Logs; depending on the product or service, the supported types may vary:
Admin Activity Audit Logs: contains all logs for actions that change resources (Create, Update, Delete) on VNG Cloud. For example: logs when users create a vServer or delete a security group. Abbreviated as ADMIN_WRITE.
Data Access Audit Logs (coming soon): contains all logs for actions that read resource configuration information, as well as actions that create, delete, edit and read resource data. Resource data is data that users upload to VNG Cloud, such as vStorage objects. It is divided into 3 types:
ADMIN_READ: actions that read resource configuration information. For example: listing vServers or viewing the details of a vServer.
DATA_WRITE: actions that create, delete or edit resource data. For example: uploading objects to vStorage or deleting objects on vStorage.
DATA_READ: actions that read resource data. For example: listing the objects of vStorage.
System Event Audit Logs: contains all logs for actions that change resources on VNG Cloud but are performed by VNG Cloud systems rather than directly by users. For example: logs when VNG Cloud systems automatically expand (autoscale) node groups of vContainer, or automatically create daily backups for vDB. Abbreviated as SYSTEM_EVENT.
Policy Denied Audit Logs (coming soon): contains all logs of VNG Cloud products/services denying access to IAM user accounts or service accounts because of a Policy violation. Abbreviated as POLICY_DENIED.
2. List of Products/Services Supporting Various Types of Audit Logs
Products/Service Name | Admin Activity Audit Logs | Data Access Audit Logs                 | System Event Audit Logs | Policy Denied Audit Logs
                      | ADMIN_WRITE               | ADMIN_READ  | DATA_WRITE | DATA_READ | SYSTEM_EVENT            | POLICY_DENIED
vServer               | YES                       | COMING SOON | N/A        | N/A       | N/A                     | COMING SOON
vLB                   | YES                       | COMING SOON | N/A        | N/A       | N/A                     | COMING SOON
vDB                   | COMING SOON               | COMING SOON | N/A        | N/A       | COMING SOON             | COMING SOON
vContainer            | YES                       | COMING SOON | N/A        | N/A       | YES                     | COMING SOON
vMonitor              | YES                       | COMING SOON | N/A        | N/A       | N/A                     | COMING SOON
vStorage              | YES                       | YES         | YES        | YES       | N/A                     | COMING SOON
Status meanings:
N/A: does not support this type of audit logs
COMING SOON: supports this type of audit logs and will be available soon
PARTIAL YES: partially supports this type of audit logs
YES: fully supports this type of audit logs
3. Activate Audit Logs
By default, VNG Cloud does not enable the Audit Logs feature; customers need to follow the steps below to activate it:
Access the Audit Logs page of the IAM Portal: https://hcm-3.console.vngcloud.vn/iam/audit-logs
Select Set default configuration; a setup popup will appear allowing you to enable ADMIN_WRITE or SYSTEM_EVENT
Select the type of audit logs you want to activate, ADMIN_WRITE or SYSTEM_EVENT
Press the Save button to activate
For example, if you choose both supported types of Audit Logs, you will see a screen like the one below. Once activated, both ADMIN_WRITE and SYSTEM_EVENT apply to all products/services that support them, as shown in the table above.
Once Audit Logs are activated, the system starts saving Audit Logs from the moment of activation (no historical data) and automatically creates a Log Project named "required" on the vMonitor Logs side for storage. This Log Project is completely free and stores the Audit Logs for 90 days.
Note that once both types of Audit Logs, ADMIN_WRITE and SYSTEM_EVENT, are activated, you cannot disable this feature; the system will always store all actions belonging to these two types of Audit Logs.
4. View the Activated Audit Logs
To view the activated Audit Logs, follow these instructions:
Access the Log Search section of vMonitor Logs: https://hcm-3.console.vngcloud.vn/vmonitor/log/search
Select Log Project: required to view the stored Audit Logs.
For example, the image below shows a recorded action in which a root user account created a Security Group belonging to vServer at 19/06/2023 17:51:57.
5. Structure and format of Audit Logs
Each line of Audit Logs may contain the fields below:
timestamp: the time when the log is generated
logId: a UUID that distinguishes each log line
source: the origin of the log line and the type of log it belongs to. For example, if the log line is generated from Audit Logs and the type is ADMIN_WRITE, the content will be source: cloud_audit/admin_write
serviceName: the product/service being monitored. For example, if this Audit Log line is for vServer, the content will be serviceName: vserver
resource: detailed information about which resource is being monitored, consisting of 2 subfields, type and labels
type: which resource of the product is involved. For example, a log line related to a server will have type: vserver_server
labels: the name and ID of the resource, or other information about the resource
The example below is the server resource of vServer with serverId ins-b019f5d0-1234-41ba-1234-851f9ef39003:
"resource": {
  "labels": {
    "serverVRN": "vserver::12345:server/ins-b019f5d0-1234-41ba-1234-851f9ef39003",
    "serverId": "ins-b019f5d0-1234-41ba-1234-851f9ef39003"
  },
  "type": "vserver:server"
},
jsonPayload: contains specific information about what the action is, who initiated it (root user account, IAM user account or service account), the request metadata, and the request/response body if any. In the example below, userType: root-user indicates that the root user account with ID 12345 performed the DeleteServer action on the server with ID ins-b019f5d0-1234-41ba-1234-851f9ef39003:
"jsonPayload": {
  "authenticationInfo": {
    "rootUserAccountId": 12345,
    "userType": "root-user"
  },
  "serviceName": "vserver",
  "action": "vserver:DeleteServer",
  "resource": "vserver::12345:server/ins-b019f5d0-1234-41ba-1234-851f9ef39003",
  "request": {},
  "requestMetadata": {},
  "response": {}
},
In the example below, userType: iam-user indicates that the IAM user account with ID e6d39955-e4c3-1234-1234-84d82ea554bf, belonging to the root user account with ID 12345, performed the SearchLogs action on the Log Project with ID bbb5f6ef-1234-49a1-1234-b41332376fef. Similarly, for a service account you will see userType: user-sa.
"jsonPayload": {
  "authenticationInfo": {
    "userType": "iam-user",
    "rootUserAccountId": 12345,
    "userAccount": "e6d39955-e4c3-1234-1234-84d82ea554bf"
  },
  "serviceName": "vmonitor",
  "action": "vmonitor:SearchLogs",
  "resource": "vmonitor::12345:log-project/bbb5f6ef-1234-49a1-1234-b41332376fef",
  "request": {},
  "requestMetadata": {},
  "response": {}
},
You may also see additional information in the requestMetadata, request and response fields of the action (present or absent depending on the type of action):
"jsonPayload": {
  "authenticationInfo": {
    "userType": "iam-user",
    "rootUserAccountId": 12345,
    "userAccount": "e6d39955-e4c3-1234-1234-84d82ea554bf"
  },
  "serviceName": "vmonitor",
  "action": "vmonitor:SearchLogs",
  "resource": "vmonitor::12345:log-project/bbb5f6ef-1234-49a1-1234-b41332376fef",
  "request": {
    "method": "POST",
    "path": "/v1/projects/bbb5f6ef-1234-49a1-1234-b41332376fef/search-logs",
    "httpVersion": "HTTP/1.1"
  },
  "requestMetadata": {
    "callerIp": "103.1.208.50",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
  },
  "response": {
    "duration": 272,
    "status": 200
  }
},
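The following is an added example, not part of the VNG Cloud documentation or tooling, showing how the fields described above (source, serviceName, jsonPayload.authenticationInfo, action, resource, requestMetadata) can be parsed from exported Audit Log lines and used to review ADMIN_WRITE actions performed directly by the root user account. The sample lines are constructed from the page's own examples; the vmonitor resource type, logId and timestamp are placeholders.

```python
import json

def _sample(source, service, rtype, auth, action, vrn, ip, status):
    """Build one constructed log line in the layout documented above."""
    return json.dumps({
        "timestamp": "2023-06-19T17:51:57Z", "logId": "00000000-0000-4000-8000-000000000001",
        "source": source, "serviceName": service, "resource": {"type": rtype, "labels": {}},
        "jsonPayload": {"authenticationInfo": auth, "serviceName": service, "action": action,
                        "resource": vrn, "request": {}, "requestMetadata": {"callerIp": ip},
                        "response": {"status": status}}})

# Constructed samples of the root-user DeleteServer and IAM-user SearchLogs cases above.
SAMPLE_LOG_LINES = [
    _sample("cloud_audit/admin_write", "vserver", "vserver:server",
            {"rootUserAccountId": 12345, "userType": "root-user"}, "vserver:DeleteServer",
            "vserver::12345:server/ins-b019f5d0-1234-41ba-1234-851f9ef39003", "103.1.208.50", 200),
    _sample("cloud_audit/admin_write", "vmonitor", "vmonitor:log-project",
            {"rootUserAccountId": 12345, "userType": "iam-user",
             "userAccount": "e6d39955-e4c3-1234-1234-84d82ea554bf"}, "vmonitor:SearchLogs",
            "vmonitor::12345:log-project/bbb5f6ef-1234-49a1-1234-b41332376fef", "103.1.208.50", 200),
]

def describe_actor(auth: dict) -> str:
    """Turn jsonPayload.authenticationInfo into the actor an analyst would name."""
    root, kind, acct = auth.get("rootUserAccountId"), auth.get("userType"), auth.get("userAccount")
    if kind == "root-user":
        return f"root user {root}"
    label = {"iam-user": "IAM user", "user-sa": "service account"}.get(kind, f"unknown userType {kind!r}")
    return f"{label} {acct} of root account {root}"

def parse_audit_line(line: str) -> dict:
    """Flatten one Audit Log line into the fields an analyst usually pivots on."""
    entry = json.loads(line)
    payload = entry.get("jsonPayload", {})
    auth = payload.get("authenticationInfo", {})
    source = entry.get("source", "")  # e.g. "cloud_audit/admin_write"
    return {
        "log_type": source.rsplit("/", 1)[-1].upper(),  # ADMIN_WRITE, SYSTEM_EVENT, ...
        "action": payload.get("action"),
        "resource": payload.get("resource"),
        "user_type": auth.get("userType"),
        "actor": describe_actor(auth),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
    }

def root_account_changes(lines) -> list:
    """(action, resource) pairs for ADMIN_WRITE entries made directly by the root user account."""
    return [(r["action"], r["resource"]) for r in map(parse_audit_line, lines)
            if r["log_type"] == "ADMIN_WRITE" and r["user_type"] == "root-user"]
```

Routine changes are expected to come from IAM users or service accounts, so the entries returned by root_account_changes are the ones worth reviewing first.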