
Audit Log

The audit log is located at ./log/audit.log. The log format is simply the message followed by a newline, so each audit log entry is an unformatted JSON message on its own line. The audit log can be customized in your IQ Server configuration.

Note

For each audit log entry, each optional attribute will either be present with its name and value, or will not be present at all (i.e. no name or value).

Audit Attributes

| Attribute name | Description | Example |
| --- | --- | --- |
| timestamp | ISO 8601 formatted date time of when the audit event occurred | 2018-10-20T15:45:30.249+02:00 |
| requestMethod | (Optional) HTTP request method which triggered the audit event | POST |
| requestUri | (Optional) HTTP request URI (relative to the base URL) which triggered the audit event | /rest/user/session |
| remoteIpAddress | (Optional) IP address of the client request that triggered the audit event as known to the server | 127.0.0.1 |
| userAgent | (Optional) Client properties as known to the server by the User-Agent property of the HTTP request | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 |
| forwarded | (Optional) If a proxy is involved in the request this can give information about the original client request (protocol, host request header) and/or client/proxy identifiers | for=127.0.0.1 |
| username | Logged in username of the IQ Server's user (or *UNKNOWN if not logged in) that triggered the audit event | admin |
| domain | Functional area (category) in IQ Server where the audit event triggered. See audit domains and types for more details. | authentication |
| type | The type of audit event. Typically, the action/activity that occurred within the area given by domain | login |
| error | (Optional) Summary of the error if this audit event resulted due to an error. See audit-type errors for more details | bad-authentication |
| data | (Optional) Additional attributes (name/value pairs) relevant to the event | { "applicationPublicId": "appPublicId", "applicationName": "appName", ...etc} |

Audit Domains and Types

Since

Domain

Event Types

Description

Release 52

authentication

Audit events related to login and logout of IQ Server

login

Successful login event

The "login" events are generated on a best-effort basis when the server uses reverse proxy authentication where the proxy handles login.

logout

Successful logout event

failure

Unsuccessful login event/action

Release 53

governance.evaluation.application

Audit events related to application policy evaluation

evaluate

An application policy evaluation event, occurs when an attempt is made to evaluate a binary scan against an application's policies

governance.component.identity

set

A claim component event, which occurs when a similar or unknown component is claimed

unset

A revoke claim event, which occurs when a component claim is revoked

governance.component.vulnerability

update

An update to the status of a vulnerability affecting a component, e.g. when marking a vulnerability as "not applicable"

governance.component.license

update

An update to the status of the license(s) associated to a component, e.g. when marking a license as "overridden"

governance.component.label

assign

An assignment of a component label to a component

remove

A removal of a component label from a component

governance.grandfathering

* As part of our inclusive language initiatives, we have renamed the feature previously known as Policy Violation Grandfathering to Legacy Violations starting with release 167.

configure

Represents changing policy violation grandfathering* for an organization or application to be inherited, enabled, or disabled and allowing or disallowing overriding in an organization's case

apply

Occurs when grandfathering* an application's policy violations

revoke

Occurs when revoking grandfathering* an application's policy violations

Release 54

governance.import

import

Occurs when importing policies, component labels, license threat groups, and application categories

governance.proprietary-components

configure

Occurs when updating the proprietary component configuration of an organization or application

governance.continuous-monitoring

configure

Occurs when updating the continuous monitoring of an organization or application

governance.waiver

create

Occurs when creating a waiver by waiving a policy violation

delete

Occurs when deleting a waiver

Release 55

governance.application-category

create

Emitted when creating an application category

update

Emitted when updating an application category

delete

Emitted when deleting an application category

import

Emitted when importing an application category by importing policies

governance.component-label

create

Emitted when creating a component label

update

Emitted when updating a component label

delete

Emitted when deleting a component label

import

Emitted when importing a component label by importing policies

governance.license-threat-group

create

Logged when creating a license threat group

update

Logged when updating a license threat group

delete

Logged when deleting a license threat group

import

Logged when importing a license threat group

governance.license-threat-group.licenses

configure

Logged when changing the licenses belonging to a license threat group

governance.policy

create

Logged when creating a new policy

update

Logged when updating an existing policy

delete

Logged when deleting an existing policy

import

Logged when a new policy is imported

governance.policy.inheritance

configure

Logged when changing a policy's inheritance setting

governance.repository

connect

Occurs when a repository is connected to IQ Server (e.g. by enabling the NXRM audit capability for it)

disconnect

Occurs when a repository is disconnected from IQ Server (e.g. by disabling the NXRM audit capability for it)

remove

Occurs when removing a repository from IQ Server

migrate

Occurs when migrating a repository (e.g. upgrading a repository from NXRM2 to NXRM3)

governance.repository.quarantine

configure

Emitted when enabling or disabling quarantine for a repository

retain

Emitted when a component is quarantined

release

Emitted when a component is unquarantined

reset

Emitted when a quarantined component is deleted or updated in a repository

governance.evaluation.repository

evaluate

Occurs when an attempt is made to evaluate repository components

initiate

Indicates the initiation of a repository reevaluation, which may result in one or more repository policy evaluation events for the different components within that repository

security.user

create

Logged when creating a new user in the server's internal realm

update

Logged when updating a user in the server's internal realm

delete

Logged when deleting a user from the server's internal realm

security.user.password

update

Logged when a user from the internal realm changes their own password

reset

Logged when a system administrator resets the password of a user from the internal realm

security.role

create

Logged when creating a new custom role

update

Logged when editing a custom role

delete

Logged when deleting a custom role

Release 56

security.role.membership

configure

Logged when assigning users/groups to a role

security.ldap

prioritize

Logged when re-ordering LDAP servers

security.ldap.server

create

Logged when creating a new LDAP server

update

Logged when updating an LDAP server

delete

Logged when deleting an LDAP server

security.ldap.server.connection

configure

Logged when updating the connection details of an LDAP server

security.ldap.server.user-mapping

configure

Logged when updating the user/group settings of an LDAP server

governance.organization

create

Logged when creating a new organization

update

Logged when updating an organization

delete

Logged when deleting an organization

governance.organization.icon

configure

Logged when setting or editing an organization icon

governance.application

create

Logged when creating a new application

auto-create

Logged when automatically creating a new application during its first analysis

update

Logged when updating an application

delete

Logged when deleting an application

move

Logged when moving an application to a new parent organization

governance.application.icon

configure

Logged when setting or editing an application icon

governance.application.categories

configure

Logged when assigning/unassigning application categories to/from an application

governance.automatic-applications

configure

Logged when configuring automatic applications by selecting a different parent organization for it or by enabling/disabling it

server

start

Emitted when starting the server

stop

Emitted when gracefully stopping the server

server.system-notice

configure

Logged when configuring the system notice

server.license

install

Logged when manually or automatically installing a server product license

uninstall

Logged when manually uninstalling a server product license

server.webhook

create

Output when creating a new webhook

update

Output when updating a webhook

delete

Output when deleting a webhook

reporting.application-composition.report

view

Logged when viewing the application composition report via the browser

print

Logged when accessing the PDF version of the application composition report

export

Logged when downloading the application composition report data via the REST API

reporting.success-metrics

configure

Logged when enabling or disabling success metrics reports

reporting.dashboard.filter

save

Logged when creating or updating a dashboard filter

delete

Logged when deleting a dashboard filter

reporting.dashboard.component-details

view

Logged when viewing component details from the dashboard

Release 57

reporting.dashboard.application-list

view

Logged when viewing the dashboard applications tab

export

Logged when exporting the dashboard applications tab

reporting.dashboard.component-list

view

Logged when viewing the dashboard components tab

export

Logged when exporting the dashboard components tab

reporting.dashboard.violation-list

view

Logged when viewing the dashboard violations tab

export

Logged when exporting the dashboard violations tab

reporting.repository-results

view

Logged when viewing repository results

reporting.component-information

view

Logged when viewing component information panel data

reporting.success-metrics

export

Logged when exporting success metrics report via the REST API

reporting.success-metrics.report

create

Logged when creating a success metrics report

delete

Logged when deleting a success metrics report

view

Logged when viewing success metrics

reporting.policy-violations

export

Logged when exporting policy violations via the REST API

reporting.component-uses

search

Logged when searching components via the REST API

governance.evaluation.project

evaluate

Logged when policies are evaluated for project dependencies in an IDE

governance.evaluation.ad-hoc

evaluate

Logged when evaluating components against an application's policies via the REST API

export

Logged when requesting the results of a component evaluation via the REST API

Release 58

notification.mail

send

Logged when notification emails are sent for policy violations

notification.webhook

invoke

Logged when invoking a webhook

notification.issue.jira

create

Logged when a Jira issue is created for policy violations

Release 63

server.data-retention

configure

Logged when the data retention policies are updated

Release 70

security.role.membership

grant

Logged when a role is granted to a user / group

revoke

Logged when a role is revoked from a user / group

Release 74

security.saml

configure

Logged when SAML is configured or the existing configuration is updated

delete

Logged when SAML configuration is removed

Release 76

security.user.token

create

Logged when a user token is created

delete

Logged when a user token is deleted

purge

Logged when obsolete user tokens are purged

reporting.components-with-waivers

view

Logged when viewing components with waivers via the REST API

Release 79

governance.source-control

create

Logged when creating source control configuration for an organization or an application

update

Logged when updating source control configuration for an organization or an application

delete

Logged when deleting source control configuration for an organization or an application

auto-create

Logged when collecting the repository URL for an application through Automatic Source Control Onboarding

Release 81

notification.pull-request

create

Logged when creating a new automatic pull request to remediate a policy violation

Release 82

reporting.stale-waivers

view

Logged when viewing stale policy waivers via the REST API

Release 83

server.mail

configure

Logged when creating / changing a mail configuration

delete

Logged when deleting a mail configuration

Release 84

server.proxy

configure

Logged when creating / changing a proxy server configuration

delete

Logged when deleting a proxy server configuration

Release 88

reporting.advanced-search

configure

Logged when enabling or disabling the advanced search feature

search

Logged when performing an advanced search

Release 92

governance.waiver

view

Logged when a policy waiver is viewed via the REST API

Release 94

notification.pull-request.comment

create

Logged when creating a new pull request comment due to introduced or fixed policy violations

update

Logged when updating a pull request comment due to introduced or fixed policy violations

Release 136

security.quarantined-component-view-anonymous-access

configure

Logged when anonymous access is enabled or disabled for the Quarantined Component View

Release 138

server.reverse-proxy-authentication

configure

Logged when creating / changing the reverse proxy authentication configuration

delete

Logged when deleting the reverse proxy authentication configuration

server.properties

configure

Logged when setting/changing the configuration for one or more properties

delete

Logged when deleting the configuration for one or more properties

Release 139

server.jira

configure

Logged when creating / changing the JIRA server configuration

delete

Logged when deleting the JIRA server configuration

Release 140

governance.policy.actions-overrides

add

Logged when adding a new actions override to an existing policy

remove

Logged when removing an existing actions override from an existing policy

server.source-control

configure

Logged when creating / changing the source control configuration

delete

Logged when deleting the source control configuration

Release 160

governance.repository

configure

Logged when a repository is configured

Release 175

audit-log

export

Logged when retrieving the audit logs via the REST API

Audit Type Errors

| Error | Description |
| --- | --- |
| server-error | Unspecific server error (e.g. due to misconfiguration or failure to communicate with external systems like LDAP) |
| client-error | Unspecific client error (e.g. due to an unacceptable request) |
| unlicensed | Missing or insufficient product license |
| unauthenticated | Missing username (expected when initially logging in) |
| unauthorized | Insufficient user permissions |
| bad-authentication | Incorrect username and/or password |
| bad-session | Bad/expired session cookie (expected when a session times out) |
| bad-csrf-token | Invalid CSRF token in request data submission |
| bad-request | Erroneous request (e.g. due to it being malformed or missing parameters) |
| bad-gateway | Invalid response from upstream server |
| gateway-timeout | Response timeout from upstream server |
| service-unavailable | IQ Server is currently unavailable (e.g. due to it being overloaded or down for maintenance) |
| not-found | Non-existing request target (e.g. invalid entity identifier) |
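
As an added example (not part of the product documentation or IQ Server's own code), the following Python sketch reads the one-JSON-object-per-line format described above, tolerates absent optional attributes, and flags repeated `authentication`/`failure` events per `remoteIpAddress` together with a few sensitive domain/type pairs. The sample entries, the selection of "sensitive" pairs, and the failure threshold are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample entries (not real log data); the last line is truncated on purpose.
SAMPLE_LOG = "\n".join([
    '{"timestamp":"2024-01-05T09:00:00.000+00:00","username":"*UNKNOWN","domain":"server","type":"start"}',
    '{"timestamp":"2024-01-05T09:01:10.000+00:00","requestMethod":"POST","requestUri":"/rest/user/session","remoteIpAddress":"203.0.113.7","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}',
    '{"timestamp":"2024-01-05T09:01:12.000+00:00","requestMethod":"POST","requestUri":"/rest/user/session","remoteIpAddress":"203.0.113.7","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}',
    '{"timestamp":"2024-01-05T09:01:14.000+00:00","requestMethod":"POST","requestUri":"/rest/user/session","remoteIpAddress":"203.0.113.7","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}',
    '{"timestamp":"2024-01-05T09:02:00.000+00:00","remoteIpAddress":"198.51.100.4","username":"alice","domain":"authentication","type":"login"}',
    '{"timestamp":"2024-01-05T09:03:00.000+00:00","remoteIpAddress":"198.51.100.4","username":"alice","domain":"security.user.token","type":"create"}',
    '{"timestamp":"2024-01-05T09:04:00.000+00:00","username":"alice","domain":"audit-log","type":"ex',
])

# (domain, type) pairs taken from the tables on this page; which ones to review is an assumption.
SENSITIVE = {("security.user.token", "create"), ("security.role.membership", "grant"),
             ("security.user.password", "reset"), ("audit-log", "export")}

def parse_audit_log(text):
    """Return (entries, bad_line_numbers); each non-empty line must be one JSON object."""
    entries, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if isinstance(entry, dict):
            entries.append(entry)
        else:
            bad.append(n)  # truncated or corrupted line: keep its number for follow-up
    return entries, bad

def triage(entries, fail_threshold=3):
    """Count authentication failures per source address and collect sensitive events."""
    failures, sensitive = Counter(), []
    for e in entries:
        key = (e.get("domain"), e.get("type"))
        if key == ("authentication", "failure"):
            # Optional attributes are omitted entirely, so look them up with a default.
            failures[e.get("remoteIpAddress", "unknown")] += 1
        elif key in SENSITIVE:
            sensitive.append((e.get("timestamp"), e.get("username"), *key))
    noisy = {src: c for src, c in failures.items() if c >= fail_threshold}
    return noisy, sensitive

if __name__ == "__main__":
    entries, bad = parse_audit_log(SAMPLE_LOG)
    print(triage(entries), "malformed lines:", bad)
```

When IQ Server sits behind a proxy, `remoteIpAddress` may be the proxy's address, so grouping on it alone can merge distinct clients; the `forwarded` attribute, when present, carries the original client information.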