Audit event reference

This topic provides a detailed description of the events generated by the Conjur audit service. Events are written as Syslog Protocol (RFC 5424) messages: the fields listed for each event below travel in the message's structured-data elements, and the @43868 suffix on each element name (action@43868, auth@43868, subject@43868, policy@43868) is the private enterprise number that qualifies those SD-IDs.


Unauthenticated requests to endpoints that require authentication do not generate an audit event, so a request that carries no credentials at all leaves no trace in the audit stream. A request that presents invalid credentials to an authentication endpoint is different: it is recorded as an Authenticate event with result set to failure.

Login

A Login event is generated when logging in with a username and password using HTTP basic authentication to retrieve an API key.

API endpoint

  • Login - GET /authn/{account}/login

Structured data

action@43868

  • operation: set to login

  • result: set to success or failure

auth@43868

  • authenticator: the type of authenticator used (for example, authn-k8s or authn-ldap).

  • service: the service ID of the authenticator (for example, conjur/authn-k8s/my-k8s-authn).

  • user: the fully-qualified policy ID of the role attempting to log in. If the user does not exist, this field displays not-found.

subject@43868

  • role: the fully-qualified policy ID of the role attempting to log in.

Authenticate

An Authenticate event is generated when:

  • A user or host authenticates to retrieve a short-lived access token (with an API key or OIDC).

  • A Kubernetes authenticator injects a client certificate into a Pod.

  • An authentication request is made with invalid credentials.

API endpoints

The Conjur audit service supports all authentication methods. Authentication requests typically append /authenticate to the server URL, as shown in the following examples:

  • Authenticate - POST /authn/{account}/{login}/authenticate

  • OIDC Authenticator - POST /authn-oidc/{service-id}/{account}/authenticate

  • Azure Authenticator - POST /authn-azure/{service-id}/{account}/{host-id}/authenticate

  • GCP Authenticator - POST /authn-gcp/{account}/authenticate

Structured data

action@43868

  • operation: set to one of the following:

      • authenticate

      • k8s-inject-client-cert

  • result: set to success or failure

auth@43868

  • authenticator: the type of authenticator used (for example, authn-k8s or authn-ldap).

  • service: the service ID of the authenticator (for example, conjur/authn-k8s/my-k8s-authn).

  • user: the fully-qualified policy ID of the role attempting to authenticate. If the user does not exist, this field displays not-found.

subject@43868

  • role: the fully-qualified policy ID of the role attempting to authenticate.

Validate authenticator status

A Validate Authenticator Status event is generated when a user or host queries an authenticator for its availability status.

API endpoint

Structured data

action@43868

  • operation: set to validate-status

  • result: set to success or failure

auth@43868

  • authenticator: the type of authenticator used (for example, authn-k8s or authn-ldap).

  • service: the service ID of the authenticator (for example, conjur/authn-k8s/my-k8s-authn).

subject@43868

  • role: the fully-qualified policy ID of the role attempting to validate status.

Change password

A Change Password event is generated when a user changes or attempts to change their password.

API endpoint

Structured data

action@43868

  • operation: set to change

  • result: set to success or failure

auth@43868

  • user: the fully-qualified policy ID of the authenticated role.

subject@43868

  • role: the fully-qualified policy ID of the role being updated.

Rotate API key

A Rotate API Key event is generated when a role rotates its own API key, or a user rotates the API key for another role.

API endpoints

Structured data

action@43868

  • operation: set to rotate

  • result: set to success or failure

auth@43868

  • user: the fully-qualified policy ID of the authenticated role.

subject@43868

  • role: the fully-qualified policy ID of the role being updated.

Check permission

A Check Permission event is generated when a request is made to check whether a policy role can perform some action (read, execute, etc.) on a policy resource.

API endpoints

  • Check permission - GET /resources/{account}/{kind}/{identifier}?check=true&role={role}&privilege={privilege}

Structured data

action@43868

  • operation: set to check

  • result: set to success or failure

auth@43868

  • NA

subject@43868

  • role: the fully-qualified policy ID of the role whose permissions are being checked.

  • resource: the fully-qualified policy ID of the resource whose permissions are being checked.

  • privilege: an action word describing the privilege that is being checked.

Policy add

A Policy Add event is generated for each new resource that is created when a policy is loaded; a single policy load therefore produces one event per created resource.

API endpoints

Structured data

action@43868

  • operation: set to add

  • result: set to success or failure

auth@43868

  • user: the fully-qualified policy ID of the authenticated role.

policy@43868

  • id: the fully-qualified policy ID for the policy add event.

  • version: the version in which this policy was added.

subject@43868

  • (see Policy event subjects)

Policy remove

A Policy Remove event is generated when a policy is loaded for each deleted resource. The policy must be loaded through the "Replace" (PUT) or "Update" (PATCH) API endpoints because the "Append" (POST) endpoint does not allow resources to be deleted.

API endpoints

Structured data

action@43868

  • operation: set to remove

  • result: set to success or failure

auth@43868

  • user: the fully-qualified policy ID of the authenticated role.

policy@43868

  • id: the fully-qualified policy ID for the policy remove event.

  • version: the version in which this policy was removed.

subject@43868

  • (see Policy event subjects)

Policy change

A Policy Change event is generated for each updated resource. The policy must be loaded through the "Replace" (PUT) or "Update" (PATCH) API endpoints because the "Append" (POST) endpoint does not allow resource modification.

API endpoints

Structured data

action@43868

  • operation: set to change

  • result: set to success or failure

auth@43868

  • user: the fully-qualified policy ID of the authenticated role.

policy@43868

  • id: the fully-qualified policy ID for the policy change event.

  • version: the version in which this policy was changed.

subject@43868

  • (see Policy event subjects)

Set secret value

A Set Secret Value event is generated when a request is made to set a secret value.

API endpoints

  • Set a Secret - POST /secrets/{account}/{kind}/{identifier}

Structured data

action@43868

  • operation: set to update

  • result: set to success or failure

auth@43868

  • user: the fully-qualified policy ID of the authenticated role.

subject@43868

  • resource: the fully-qualified resource ID of the secret being set.

Fetch secret value

A Fetch Secret Value event is generated when a request is made to read a secret value.

API endpoints

Structured data

action@43868

  • operation: set to fetch

  • result: set to success or failure

auth@43868

  • user: the fully-qualified policy ID of the authenticated role.

subject@43868

  • resource: the fully-qualified resource ID of the secret being read.

Policy event subjects

The subject@43868 structured data field of policy events can contain a wide range of values, depending on the type of policy object that is the target of the policy-loading operation. This section describes the contents of this field for various policy objects.


Annotations

  • annotation: the name of the annotation being updated.

  • resource: the fully-qualified policy ID of the resource to which the annotation applies.

Permissions

  • resource: the fully-qualified policy ID of the resource whose permission is being updated.

  • role: the fully-qualified policy ID of the role whose access to a resource is being updated.

  • privilege: an action word indicating the privilege that is being updated.

Resources

  • resource: the fully-qualified policy ID of the resource being updated.

Roles

  • role: the fully-qualified policy ID of the role that is being updated.

Role Membership

  • role: the fully-qualified policy ID of the role whose members are being updated.

  • owner / member: the fully-qualified policy ID of the role that is becoming an owner or member of the group.

High availability

In high-availability configurations, audit events are created by the Leader and by Followers. Standbys do not serve traffic unless they are promoted to Leader, so they do not produce audit events.

The Leader can produce every type of audit event. Followers have a read-only database, so they can only produce audit events for read-only operations (for example, fetching a secret value or checking a permission); these events can be viewed only from the Conjur UI.

To determine whether a read-only audit event originated from the Leader or a Follower, examine the hostname field (the HOSTNAME header field) of the Syslog Protocol formatted audit message.
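The Authenticate event, the Fetch Secret Value event and the hostname check described in this High availability section all come together when the audit stream is consumed by a SIEM or a script. The following Python is an added example, not Conjur's own code or captured output: it parses RFC 5424 messages carrying the action@43868, auth@43868 and subject@43868 elements, then flags repeated authentication failures, attempts against roles that do not exist (user is not-found), failed secret fetches, and which node (Leader or Follower, by hostname) served each read-only operation. The sample log is constructed; the hostnames conjur-leader and conjur-follower-1, the acme account and its role and variable names, the timestamps, PRI, PROCID and MSGID values and the free-text message are all assumptions.

```python
"""Parse Conjur audit messages (RFC 5424 syslog carrying the @43868 SD elements
described on this page) and run a few detections over them. Added example, not
Conjur's own code; the sample log below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample. Hostnames, timestamps, PROCID/MSGID, PRI values and the
# free-text MSG are illustrative; only the SD field names follow this page.
SAMPLE_LOG = """\
<86>1 2024-03-04T09:00:00Z conjur-leader conjur 411 authn [auth@43868 authenticator="authn" user="acme:user:alice"][subject@43868 role="acme:user:alice"][action@43868 operation="authenticate" result="success"] acme:user:alice successfully authenticated with authenticator authn
<84>1 2024-03-04T09:00:03Z conjur-leader conjur 411 authn [auth@43868 authenticator="authn" user="not-found"][subject@43868 role="acme:user:mallory"][action@43868 operation="authenticate" result="failure"] acme:user:mallory failed to authenticate with authenticator authn
<84>1 2024-03-04T09:00:04Z conjur-leader conjur 411 authn [auth@43868 authenticator="authn" user="not-found"][subject@43868 role="acme:user:mallory"][action@43868 operation="authenticate" result="failure"] acme:user:mallory failed to authenticate with authenticator authn
<84>1 2024-03-04T09:00:10Z conjur-leader conjur 411 authn [auth@43868 authenticator="authn" user="acme:user:bob"][subject@43868 role="acme:user:bob"][action@43868 operation="authenticate" result="failure"] acme:user:bob failed to authenticate with authenticator authn
<84>1 2024-03-04T09:00:11Z conjur-leader conjur 411 authn [auth@43868 authenticator="authn" user="acme:user:bob"][subject@43868 role="acme:user:bob"][action@43868 operation="authenticate" result="failure"] acme:user:bob failed to authenticate with authenticator authn
<86>1 2024-03-04T09:01:00Z conjur-follower-1 conjur 522 fetch [auth@43868 user="acme:user:alice"][subject@43868 resource="acme:variable:prod/db/password"][action@43868 operation="fetch" result="success"] acme:user:alice fetched acme:variable:prod/db/password
<84>1 2024-03-04T09:01:05Z conjur-follower-1 conjur 522 fetch [auth@43868 user="acme:user:bob"][subject@43868 resource="acme:variable:prod/db/password"][action@43868 operation="fetch" result="failure"] acme:user:bob tried to fetch acme:variable:prod/db/password
<86>1 2024-03-04T09:02:00Z conjur-follower-1 conjur 522 check [subject@43868 role="acme:host:app/web" resource="acme:variable:prod/db/password" privilege="execute"][action@43868 operation="check" result="success"] acme:host:app/web does have execute privilege on acme:variable:prod/db/password
<86>1 2024-03-04T09:03:00Z conjur-leader conjur 411 update [auth@43868 user="acme:user:alice"][subject@43868 resource="acme:variable:prod/db/password"][action@43868 operation="update" result="success"] acme:user:alice updated acme:variable:prod/db/password
"""

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]";
# '"', '\' and ']' inside PARAM-VALUE are backslash-escaped (RFC 5424 6.3.3).
SD_ELEMENT_RE = re.compile(
    r'\[(?P<id>[^ \]]+)(?P<params>(?: [^ =\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^ =\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

def _unescape(value):
    return re.sub(r'\\(["\\\]])', r'\1', value)

def parse_audit_line(line):
    """Header fields, SD elements keyed by SD-ID (e.g. 'action@43868'), and MSG."""
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError(f'not an RFC 5424 message: {line[:60]!r}')
    rest, sd, pos = m.group('rest'), {}, 0
    if rest.startswith('-'):            # NILVALUE: no structured data
        pos = 1
    while pos < len(rest) and rest[pos] == '[':
        em = SD_ELEMENT_RE.match(rest, pos)
        if not em:
            raise ValueError(f'malformed structured data at offset {pos}')
        sd[em.group('id')] = {p.group('name'): _unescape(p.group('value'))
                              for p in SD_PARAM_RE.finditer(em.group('params'))}
        pos = em.end()
    pri = int(m.group('pri'))
    return {'facility': pri >> 3, 'severity': pri & 7, 'timestamp': m.group('ts'),
            'hostname': m.group('host'), 'msgid': m.group('msgid'),
            'sd': sd, 'msg': rest[pos:].lstrip(' ')}

def load_events(text):
    return [parse_audit_line(l) for l in text.splitlines() if l.strip()]

def action_of(ev):
    """(operation, result) from action@43868, or (None, None) if absent."""
    a = ev['sd'].get('action@43868', {})
    return a.get('operation'), a.get('result')

def failed_auth_by_role(events, threshold=1):
    """Failed login/authenticate attempts per *attempted* role (subject@43868
    role is set even when auth@43868 user reads 'not-found')."""
    counts = Counter(ev['sd'].get('subject@43868', {}).get('role', '?')
                     for ev in events if action_of(ev)[1] == 'failure'
                     and action_of(ev)[0] in ('login', 'authenticate'))
    return {role: n for role, n in counts.items() if n >= threshold}

def unknown_role_attempts(events):
    """Attempted roles that do not exist; repeated hits suggest enumeration."""
    return sorted({ev['sd']['subject@43868']['role'] for ev in events
                   if ev['sd'].get('auth@43868', {}).get('user') == 'not-found'})

def failed_secret_fetches(events):
    """(role, resource) pairs for failed secret reads."""
    return [(ev['sd']['auth@43868']['user'], ev['sd']['subject@43868']['resource'])
            for ev in events if action_of(ev) == ('fetch', 'failure')]

READ_ONLY_OPS = {'fetch', 'check', 'validate-status'}
WRITE_OPS = {'update', 'add', 'remove', 'change', 'rotate'}

def read_only_origin(events, leader_hostname):
    """Read-only events per node, using the syslog HOSTNAME field to tell the
    Leader from a Follower as the High availability section advises."""
    origin = defaultdict(Counter)
    for ev in events:
        op, _ = action_of(ev)
        if op in READ_ONLY_OPS:
            origin['leader' if ev['hostname'] == leader_hostname else 'follower'][op] += 1
    return dict(origin)

def writes_off_leader(events, leader_hostname):
    """Write events not stamped with the Leader's hostname. Followers have a
    read-only database, so a hit means the leader name passed in is wrong, a
    Standby was promoted, or syslog forwarding is mislabelled."""
    return [ev for ev in events
            if action_of(ev)[0] in WRITE_OPS and ev['hostname'] != leader_hostname]

if __name__ == '__main__':
    evs = load_events(SAMPLE_LOG)
    print(failed_auth_by_role(evs, threshold=2), unknown_role_attempts(evs))
    print(failed_secret_fetches(evs), read_only_origin(evs, 'conjur-leader'))
```

Run it as a script to print the findings for the constructed sample, or pass the lines received from your syslog collector to load_events. The threshold argument of failed_auth_by_role is the alerting knob. The not-found check costs nothing extra because Conjur already reports that the role does not exist, which separates password spraying against real roles from guessing at role names; since subject@43868 carries the attempted role in both cases, the two detections can be correlated on that field.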