Audit Log
The audit log is located at ./log/audit.log.
The log format is simply the message followed by a newline, so each audit log entry is a single unformatted JSON message on its own line. The audit log can be customized in your IQ Server configuration.
Note
For each audit log entry, each optional attribute will either be present with its name and value, or will not be present at all, i.e. no name or value.
Audit Attributes
Attribute name | Description | Example |
---|---|---|
| ISO 8601 formatted date time of when the audit event occurred |
|
| (Optional) HTTP request method which triggered the audit event |
|
| (Optional) HTTP request URI (relative to the base URL) which triggered the audit event |
|
| (Optional) IP address of the client request that triggered the audit event as known to the server |
|
| (Optional) Client properties as known to the server by the User-Agent property of the HTTP request |
|
| (Optional) If a proxy is involved in the request this can give information about the original client request (protocol, host request header) and/or client/proxy identifiers |
|
| Logged in username of the IQ Server's user (or *UNKNOWN if not logged in) that triggered the audit event |
|
| Functional area (category) in IQ Server where the audit event triggered. See audit domains and types for more details. |
|
| The type of audit event. Typically, the action/activity that occurred within the area given by domain |
|
| (Optional) Summary of the error if this audit event resulted from an error. See audit-type errors for more details |
|
| (Optional) Additional attributes (name/value pairs) relevant to the event | { "applicationPublicId": "appPublicId", "applicationName": "appName", ...etc} |
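
An added example (not part of the original documentation) of reading the log as described above: one JSON object per line, with optional attributes tested by key presence rather than by value, and error events counted per user and client address. The key names and every sample entry are assumptions constructed for illustration, because the attribute table here does not show the names.

```python
import json
from collections import Counter

# Assumed key names (the attribute table on this page does not show them);
# replace them with the names that appear in your own audit.log.
K_USER, K_ADDR, K_ERROR = "username", "remoteAddr", "error"

# Constructed sample: one JSON object per line, optional keys simply absent.
# Line 4 is deliberately truncated, as after an interrupted write.
SAMPLE = "\n".join([
    '{"timestamp":"2024-01-01T10:00:00Z","remoteAddr":"192.0.2.10",'
    '"username":"*UNKNOWN","error":"EXAMPLE_ERROR"}',
    '{"timestamp":"2024-01-01T10:00:01Z","remoteAddr":"192.0.2.10",'
    '"username":"*UNKNOWN","error":"EXAMPLE_ERROR"}',
    '{"timestamp":"2024-01-01T10:00:02Z","username":"alice"}',
    '{"timestamp":"2024-01-01T10:00:03Z","usern',
    '{"timestamp":"2024-01-01T10:00:04Z","username":"alice",'
    '"error":"EXAMPLE_ERROR"}',
])

def parse_audit_log(text):
    """Return (entries, rejected_line_numbers) for newline-delimited JSON."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(lineno)  # keep the position for follow-up
            continue
        if isinstance(obj, dict):
            entries.append(obj)
        else:
            rejected.append(lineno)  # valid JSON but not an entry object
    return entries, rejected

def summarize_errors(entries):
    """Count entries that carry the error attribute, per (user, address)."""
    counts = Counter()
    for entry in entries:
        if K_ERROR in entry:  # optional attribute: present or absent
            counts[(entry.get(K_USER), entry.get(K_ADDR))] += 1
    return counts

if __name__ == "__main__":
    parsed, bad = parse_audit_log(SAMPLE)
    print("rejected lines:", bad)
    for key, n in summarize_errors(parsed).most_common():
        print(key, n)
```

Rejected line numbers are worth reviewing on their own, since an unparseable line in an audit trail can indicate truncation or tampering as well as a plain write failure.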
Audit Domains and Types
Since | Domain | Event Types | Description |
---|---|---|---|
Release 52 |
| Audit events related to login and logout of IQ Server | |
| Successful login event. The "login" events are generated on a best-effort basis when the server uses reverse proxy authentication where the proxy handles login. | ||
| Successful logout event | ||
| Unsuccessful login event/action | ||
Release 53 |
| Audit events related to application policy evaluation | |
| An application policy evaluation event, occurs when an attempt is made to evaluate a binary scan against an application's policies | ||
| |||
| A claim component event, which occurs when a similar or unknown component is claimed | ||
| A revoke claim event, which occurs when a component claim is revoked | ||
| |||
| An update to the status of a vulnerability affecting a component, e.g. when marking a vulnerability as "not applicable" | ||
| |||
| An update to the status of the license(s) associated to a component, e.g. when marking a license as "overridden" | ||
| |||
| An assignment of a component label to a component | ||
| A removal of a component label from a component | ||
| |||
* As part of our inclusive language initiatives, we have renamed the feature previously known as Policy Violation Grandfathering to Legacy Violations starting with release 167. |
| Represents changing policy violation grandfathering* for an organization or application to be inherited, enabled, or disabled and allowing or disallowing overriding in an organization's case | |
| Occurs when grandfathering* an application's policy violations | ||
| Occurs when revoking grandfathering* an application's policy violations | ||
Release 54 |
| ||
| Occurs when importing policies, component labels, license threat groups, and application categories | ||
| |||
| Occurs when updating the proprietary component configuration of an organization or application | ||
| |||
| Occurs when updating the continuous monitoring of an organization or application | ||
| |||
| Occurs when creating a waiver by waiving a policy violation | ||
| Occurs when deleting a waiver | ||
Release 55 |
| ||
| Emitted when creating an application category | ||
| Emitted when updating an application category | ||
| Emitted when deleting an application category | ||
| Emitted when importing an application category by importing policies | ||
| |||
| Emitted when creating a component label | ||
| Emitted when updating a component label | ||
| Emitted when deleting a component label | ||
| Emitted when importing a component label by importing policies | ||
| |||
| Logged when creating a license threat group | ||
| Logged when updating a license threat group | ||
| Logged when deleting a license threat group | ||
| Logged when importing a license threat group | ||
| |||
| Logged when changing the licenses belonging to a license threat group | ||
| |||
| Logged when creating a new policy | ||
| Logged when updating an existing policy | ||
| Logged when deleting an existing policy | ||
| Logged when a new policy is imported | ||
| |||
| Logged when changing a policy's inheritance setting | ||
| |||
| Occurs when a repository is connected to IQ Server (e.g. by enabling the NXRM audit capability for it) | ||
| Occurs when a repository is disconnected from IQ Server (e.g. by disabling the NXRM audit capability for it) | ||
| Occurs when removing a repository from IQ Server | ||
| Occurs when migrating a repository (e.g. upgrading a repository from NXRM2 to NXRM3) | ||
| |||
| Emitted when enabling or disabling quarantine for a repository | ||
| Emitted when a component is quarantined | ||
| Emitted when a component is unquarantined | ||
| Emitted when a quarantined component is deleted or updated in a repository | ||
| |||
| Occurs when an attempt is made to evaluate repository components | ||
| Indicates the initiation of a repository reevaluation, which may result in one or more repository policy evaluation events for the different components within that repository | ||
| |||
| Logged when creating a new user in the server's internal realm | ||
| Logged when updating a user in the server's internal realm | ||
| Logged when deleting a user from the server's internal realm | ||
| |||
| Logged when a user from the internal realm changes their own password | ||
| Logged when a system administrator resets the password of a user from the internal realm | ||
| |||
| Logged when creating a new custom role | ||
| Logged when editing a custom role | ||
| Logged when deleting a custom role | ||
Release 56 |
| ||
| Logged when assigning users/groups to a role | ||
| |||
| Logged when re-ordering LDAP servers | ||
| |||
| Logged when creating a new LDAP server | ||
| Logged when updating an LDAP server | ||
| Logged when deleting an LDAP server | ||
| |||
| Logged when updating the connection details of an LDAP server | ||
| |||
| Logged when updating the user/group settings of an LDAP server | ||
| |||
| Logged when creating a new organization | ||
| Logged when updating an organization | ||
| Logged when deleting an organization | ||
| |||
| Logged when setting or editing an organization icon | ||
| |||
| Logged when creating a new application | ||
| Logged when automatically creating a new application during its first analysis | ||
| Logged when updating an application | ||
| Logged when deleting an application | ||
| Logged when moving an application to a new parent organization | ||
| |||
| Logged when setting or editing an application icon | ||
| |||
| Logged when assigning/unassigning application categories to/from an application | ||
| |||
| Logged when configuring automatic applications by selecting a different parent organization for it or by enabling/disabling it | ||
| |||
| Emitted when starting the server | ||
| Emitted when gracefully stopping the server | ||
| |||
| Logged when configuring the system notice | ||
| |||
| Logged when manually or automatically installing a server product license | ||
| Logged when manually uninstalling a server product license | ||
| |||
| Output when creating a new webhook | ||
| Output when updating a webhook | ||
| Output when deleting a webhook | ||
| |||
| Logged when viewing the application composition report via the browser | ||
| Logged when accessing the PDF version of the application composition report | ||
| Logged when downloading the application composition report data via the REST API | ||
| |||
| Logged when enabling or disabling success metrics reports | ||
| |||
| Logged when creating or updating a dashboard filter | ||
| Logged when deleting a dashboard filter | ||
| |||
| Logged when viewing component details from the dashboard | ||
Release 57 |
| ||
| Logged when viewing the dashboard applications tab | ||
| Logged when exporting the dashboard applications tab | ||
| |||
| Logged when viewing the dashboard components tab | ||
| Logged when exporting the dashboard components tab | ||
| |||
| Logged when viewing the dashboard violations tab | ||
| Logged when exporting the dashboard violations tab | ||
| |||
| Logged when viewing repository results | ||
| |||
| Logged when viewing component information panel data | ||
| |||
| Logged when exporting success metrics report via the REST API | ||
| |||
| Logged when creating a success metrics report | ||
| Logged when deleting a success metrics report | ||
| Logged when viewing success metrics | ||
| |||
| Logged when exporting policy violations via the REST API | ||
| |||
| Logged when searching components via the REST API | ||
| |||
| Logged when policies are evaluated for project dependencies in an IDE | ||
| |||
| Logged when evaluating components against an application's policies via the REST API | ||
| Logged when requesting the results of a component evaluation via the REST API | ||
Release 58 |
| ||
| Logged when notification emails are sent for policy violations | ||
| |||
| Logged when invoking a webhook | ||
| |||
| Logged when a Jira issue is created for policy violations | ||
Release 63 |
| ||
| Logged when the data retention policies are updated | ||
Release 70 |
| ||
| Logged when a role is granted to a user / group | ||
| Logged when a role is revoked from a user / group | ||
Release 74 |
| ||
| Logged when SAML is configured or the existing configuration is updated | ||
| Logged when SAML configuration is removed | ||
Release 76 |
| ||
| Logged when a user token is created | ||
| Logged when a user token is deleted | ||
| Logged when obsolete user tokens are purged | ||
| |||
| Logged when viewing components with waivers via the REST API | ||
Release 79 |
| ||
| Logged when creating source control configuration for an organization or an application | ||
| Logged when updating source control configuration for an organization or an application | ||
| Logged when deleting source control configuration for an organization or an application | ||
| Logged when collecting the repository URL for an application through Automatic Source Control Onboarding | ||
Release 81 |
| ||
| Logged when creating a new automatic pull request to remediate a policy violation | ||
Release 82 |
| ||
| Logged when viewing stale policy waivers via the REST API | ||
Release 83 |
| ||
| Logged when creating / changing a mail configuration | ||
| Logged when deleting a mail configuration | ||
Release 84 |
| ||
| Logged when creating / changing a proxy server configuration | ||
| Logged when deleting a proxy server configuration | ||
Release 88 |
| ||
| Logged when enabling or disabling the advanced search feature | ||
| Logged when performing an advanced search | ||
Release 92 |
| ||
| Logged when a policy waiver is viewed via the REST API | ||
Release 94 |
| ||
| Logged when creating a new pull request comment due to introduced or fixed policy violations | ||
| Logged when updating a pull request comment due to introduced or fixed policy violations | ||
Release 136 |
| ||
| Logged when anonymous access is enabled or disabled for the Quarantined Component View | ||
Release 138 |
| ||
| Logged when creating / changing the reverse proxy authentication configuration | ||
| Logged when deleting the reverse proxy authentication configuration | ||
| |||
| Logged when setting/changing the configuration for one or more properties | ||
| Logged when deleting the configuration for one or more properties | ||
Release 139 |
| ||
| Logged when creating / changing the JIRA server configuration | ||
| Logged when deleting the JIRA server configuration | ||
Release 140 |
| ||
| Logged when adding a new actions override to an existing policy | ||
| Logged when removing an existing actions override from an existing policy | ||
| |||
| Logged when creating / changing the source control configuration | ||
| Logged when deleting the source control configuration | ||
Release 160 |
|
| Logged when a repository is configured |
Release 175 |
|
| Logged when retrieving the audit logs via the REST API |
Audit Type Errors
Error | Description |
---|---|
| Unspecific server error (e.g. due to misconfiguration or failure to communicate with external systems like LDAP) |
| Unspecific client error (e.g. due to an unacceptable request) |
| Missing or insufficient product license |
| Missing username (expected when initially logging in) |
| Insufficient user permissions |
| Incorrect username and/or password |
| Bad/expired session cookie (expected when a session times out) |
| Invalid CSRF token in request data submission |
| Erroneous request (e.g. due to it being malformed or missing parameters) |
| Invalid response from upstream server |
| Response timeout from upstream server |
| IQ Server is currently unavailable (e.g. due to it being overloaded or down for maintenance) |
| Non-existing request target (e.g. invalid entity identifier) |