Audit Log

The audit log is located at ./log/audit.log and the log format is simply the message followed by a newline such that each audit log entry is an unformatted JSON message on its own line. The audit log can be customized in your IQ Server configuration.

For each audit log entry, each optional attribute will either be present with its name and value, or will not be present at all i.e. no name or value.

Audit Attributes

Attribute name	Description	Example
`timestamp`	ISO 8601 formatted date time of when the audit event occurred	`2018-10-20T15:45:30.249+02:00`
`requestMethod`	(Optional) HTTP request method which triggered the audit event	`POST`
`requestUri`	(Optional) HTTP request URI (relative to the base URL) which triggered the audit event	`/rest/user/session`
`remoteIpAddress`	(Optional) IP address of the client request that triggered the audit event as known to the server	`127.0.0.1`
`userAgent`	(Optional) Client properties as known to the server by the User-Agent property of the HTTP request	`Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0`
`forwarded`	(Optional) If a proxy is involved in the request this can give information about the original client request (protocol, host request header) and/or client/proxy identifiers	`for=127.0.0.1`
`username`	Logged in username of the IQ Server's user (or *UNKNOWN if not logged in) that triggered the audit event	`admin`
`domain`	Functional area (category) in IQ Server where the audit event triggered. See audit domains and types for more details	`authentication`
`type`	The type of audit event. Typically, the action/activity that occurred within the area given by domain	`login`
`error`	(Optional) Summary of the error if this audit event resulted due to an error. See audit type errors for more details	`bad-authentication`
`data`	(Optional) Additional attributes (name/value pairs) relevant to the event	`{"applicationPublicId":"appPublicId", "applicationName":"appName", ...etc}`

Audit Domains and Types

Since	Domain	Event Types	Description
Release 52	`authentication`		Audit events related to login and logout of IQ Server
		`login`	Successful login event The “ login" events are generated on a best-effort basis when the server uses reverse proxy authentication where the proxy handles login.
		`logout`	Successful logout event
		`failure`	Unsuccessful login event/action
Release 53	`governance.evaluation.application`		Audit events related to application policy evaluation
		`evaluate`	An application policy evaluation event, which occurs when an attempt is made to evaluate a binary scan against an application's policies
	`governance.component.identity`
		`set`	A claim component event, which occurs when a similar or unknown component is claimed
		`unset`	A revoke claim event, which occurs when a component claim is revoked
	`governance.component.vulnerability`
		`update`	An update to the status of a vulnerability affecting a component, e.g. when marking a vulnerability as "not applicable"
	`governance.component.license`
		`update`	An update to the status of the license(s) associated to a component, e.g. when marking a license as "overridden"
	`governance.component.label`
		`assign`	An assignment of a component label to a component
		`remove`	A removal of a component label from a component
	`governance.grandfathering`
		`configure`	Represents changing policy violation grandfathering for an organization or application to be inherited, enabled, or disabled and allowing or disallowing overriding in an organization's case
		`apply`	Occurs when grandfathering an application's policy violations
		`revoke`	Occurs when revoking grandfathering an application's policy violations
Release 54	`governance.import`
		`import`	Occurs when importing policies, component labels, license threat groups, and application categories
	`governance.proprietary-components`
		`configure`	Occurs when updating the proprietary component configuration of an organization or application
	`governance.continuous-monitoring`
		`configure`	Occurs when updating the continuous monitoring of an organization or application
	`governance.waiver`
		`create`	Occurs when creating a waiver by waiving a policy violation
		`delete`	Occurs when deleting a waiver
Release 55	`governance.application-category`
		`create`	Emitted when creating an application category
		`update`	Emitted when updating an application category
		`delete`	Emitted when deleting an application category
		`import`	Emitted when importing an application category by importing policies
	`governance.component-label`
		`create`	Emitted when creating a component label
		`update`	Emitted when updating a component label
		`delete`	Emitted when deleting a component label
		`import`	Emitted when importing a component label by importing policies
	`governance.license-threat-group`
		`create`	Logged when creating a license threat group
		`update`	Logged when updating a license threat group
		`delete`	Logged when deleting a license threat group
		`import`	Logged when importing a license threat group
	`governance.license-threat-group.licenses`
		`configure`	Logged when changing the licenses belonging to a license threat group
	`governance.policy`
		`create`	Logged when creating a new policy
		`update`	Logged when updating an existing policy
		`delete`	Logged when deleting an existing policy
		`import`	Logged when a new policy is imported
	`governance.policy.inheritance`
		`configure`	Logged when changing a policy's inheritance setting
	`governance.repository`
		`connect`	Occurs when a repository is connected to IQ Server (e.g. by enabling the NXRM audit capability for it)
		`disconnect`	Occurs when a repository is disconnected from IQ Server (e.g. by disabling the NXRM audit capability for it)
		`remove`	Occurs when removing a repository from IQ Server
		`migrate`	Occurs when migrating a repository (e.g. upgrading a repository from NXRM2 to NXRM3)
	`governance.repository.quarantine`
		`configure`	Emitted when enabling or disabling quarantine for a repository
		`retain`	Emitted when a component is quarantined
		`release`	Emitted when a component is unquarantined
		`reset`	Emitted when a quarantined component is deleted or updated in a repository
	`governance.evaluation.repository`
		`evaluate`	Occurs when an attempt is made to evaluate repository components
		`initiate`	Indicates the initiation of a repository reevaluation, which may result in one or more repository policy evaluation events for the different components within that repository
	`security.user`
		`create`	Logged when creating a new user in the server's internal realm
		`update`	Logged when updating a user in the server's internal realm
		`delete`	Logged when deleting a user from the server's internal realm
	`security.user.password`
		`update`	Logged when a user from the internal realm changes their own password
		`reset`	Logged when a system administrator resets the password of a user from the internal realm
	`security.role`
		`create`	Logged when creating a new custom role
		`update`	Logged when editing a custom role
		`delete`	Logged when deleting a custom role
Release 56	`security.role.membership`
		`configure`	Logged when assigning users/groups to a role
	`security.ldap`
		`prioritize`	Logged when re-ordering LDAP servers
	`security.ldap.server`
		`create`	Logged when creating a new LDAP server
		`update`	Logged when updating an LDAP server
		`delete`	Logged when deleting an LDAP server
	`security.ldap.server.connection`
		`configure`	Logged when updating the connection details of an LDAP server
	`security.ldap.server.user-mapping`
		`configure`	Logged when updating the user/group settings of an LDAP server
	`governance.organization`
		`create`	Logged when creating a new organization
		`update`	Logged when updating an organization
		`delete`	Logged when deleting an organization
	`governance.organization.icon`
		`configure`	Logged when setting or editing an organization icon
	`governance.application`
		`create`	Logged when creating a new application
		`auto-create`	Logged when automatically creating a new application during its first analysis
		`update`	Logged when updating an application
		`delete`	Logged when deleting an application
		`move`	Logged when moving an application to a new parent organization
	`governance.application.icon`
		`configure`	Logged when setting or editing an application icon
	`governance.application.categories`
		`configure`	Logged when assigning/unassigning application categories to/from an application
	`governance.automatic-applications`
		`configure`	Logged when configuring automatic applications by selecting a different parent organization for it or by enabling/disabling it
	`server`
		`start`	Emitted when starting the server
		`stop`	Emitted when gracefully stopping the server
	`server.system-notice`
		`configure`	Logged when configuring the system notice
	`server.license`
		`install`	Logged when manually or automatically installing a server product license
		`uninstall`	Logged when manually uninstalling a server product license
	`server.webhook`
		`create`	Output when creating a new webhook
		`update`	Output when updating a webhook
		`delete`	Output when deleting a webhook
	`reporting.application-composition.report`
		`view`	Logged when viewing the application composition report via the browser
		`print`	Logged when accessing the PDF version of the application composition report
		`export`	Logged when downloading the application composition report data via the REST API
	`reporting.success-metrics`
		`configure`	Logged when enabling or disabling success metrics reports
	`reporting.dashboard.filter`
		`save`	Logged when creating or updating a dashboard filter
		`delete`	Logged when deleting a dashboard filter
	`reporting.dashboard.component-details`
		`view`	Logged when viewing component details from the dashboard
Release 57	`reporting.dashboard.application-list`
		`view`	Logged when viewing the dashboard applications tab
		`export`	Logged when exporting the dashboard applications tab
	`reporting.dashboard.component-list`
		`view`	Logged when viewing the dashboard components tab
		`export`	Logged when exporting the dashboard components tab
	`reporting.dashboard.violation-list`
		`view`	Logged when viewing the dashboard violations tab
		`export`	Logged when exporting the dashboard violations tab
	`reporting.repository-results`
		`view`	Logged when viewing repository results
	`reporting.component-information`
		`view`	Logged when viewing component information panel data
	`reporting.success-metrics`
		`export`	Logged when exporting success metrics report via the REST API
	`reporting.success-metrics.report`
		`create`	Logged when creating a success metrics report
		`delete`	Logged when deleting a success metrics report
		`view`	Logged when viewing success metrics
	`reporting.policy-violations`
		`export`	Logged when exporting policy violations via the REST API
	`reporting.component-uses`
		`search`	Logged when searching components via the REST API
	`governance.evaluation.project`
		`evaluate`	Logged when policies are evaluated for project dependencies in an IDE
	`governance.evaluation.ad-hoc`
		`evaluate`	Logged when evaluating components against an application's policies via the REST API
		`export`	Logged when requesting the results of a component evaluation via the REST API
Release 58	`notification.mail`
		`send`	Logged when notification emails are sent for policy violations
	`notification.webhook`
		`invoke`	Logged when invoking a webhook
	`notification.issue.jira`
		`create`	Logged when a Jira issue is created for policy violations
Release 63	`server.data-retention`
		`configure`	Logged when the data retention policies are updated
Release 70	`security.role.membership`
		`grant`	Logged when a role is granted to a user / group
		`revoke`	Logged when a role is revoked from a user / group
Release 74	`security.saml`
		`configure`	Logged when SAML is configured or the existing configuration is updated
		`delete`	Logged when SAML configuration is removed
Release 76	`security.user.token`
		`create`	Logged when a user token is created
		`delete`	Logged when a user token is deleted
		`purge`	Logged when obsolete user tokens are purged
	`reporting.components-with-waivers`
		`view`	Logged when viewing components with waivers via the REST API
Release 79	`governance.source-control`
		`create`	Logged when creating source control configuration for an organization or an application
		`update`	Logged when updating source control configuration for an organization or an application
		`delete`	Logged when deleting source control configuration for an organization or an application
		`auto-create`	Logged when collecting the repository URL for an application through Automatic Source Control Onboarding
Release 81	`notification.pull-request`
		`create`	Logged when creating a new automatic pull request to remediate a policy violation
Release 82	`reporting.stale-waivers`
		`view`	Logged when viewing stale policy waivers via the REST API
Release 83	`server.mail`
		`configure`	Logged when creating / changing a mail configuration
		`delete`	Logged when deleting a mail configuration
Release 84	`server.proxy`
		`configure`	Logged when creating / changing a proxy server configuration
		`delete`	Logged when deleting a proxy server configuration
Release 88	`reporting.advanced-search`
		`configure`	Logged when enabling or disabling the advanced search feature
		`search`	Logged when performing an advanced search
Release 92	`governance.waiver`
		`view`	Logged when a policy waiver is viewed via the REST API
Release 94	`notification.pull-request.comment`
		`create`	Logged when creating a new pull request comment due to introduced or fixed policy violations
		`update`	Logged when updating a pull request comment due to introduced or fixed policy violations
Release 136	`security.quarantined-component-view-anonymous-access`
		`configure`	Logged when anonymous access is enabled or diabled for the Quarantined Component View
Release 138	`server.reverse-proxy-authentication`
		`configure`	Logged when creating / changing the reverse proxy authentication configuration
		`delete`	Logged when deleting the reverse proxy authentication configuration
	`server.properties`
		`configure`	Logged when setting/changing the configuration for one or more properties
		`delete`	Logged when deleting the configuration for one or more properties
Release 139	`server.jira`
		`configure`	Logged when creating / changing the JIRA server configuration
		`delete`	Logged when deleting the JIRA server configuration
Release 140	`governance.policy.actions-overrides`
		`add`	Logged when adding a new actions override to an existing policy
		`remove`	Logged when removing an existing actions override from an existing policy
	`server.source-control`
		`configure`	Logged when creating / changing the source control configuration
		`delete`	Logged when deleting the source control configuration
Release 160	governance.repository	`configure`	Logged when a repository is configured

Audit Type Errors

Error	Description
`server-error`	Unspecific server error (e.g. due to misconfiguration or failure to communicate with external systems like LDAP)
`client-error`	Unspecific client error (e.g. due to an unacceptable request)
`unlicensed`	Missing or insufficient product license
`unauthenticated`	Missing username (expected when initially logging in)
`unauthorized`	Insufficient user permissions
`bad-authentication`	Incorrect username and/or password
`bad-session`	Bad/expired session cookie (expected when a session times out)
`bad-csrf-token`	Invalid CSRF token in request data submission
`bad-request`	Erroneous request (e.g. due to it being malformed or missing parameters)
`bad-gateway`	Invalid response from upstream server
`gateway-timeout`	Response timeout from upstream server
`service-unavailable`	IQ Server is currently unavailable (e.g. due to it being overloaded or down for maintenance)
`not-found`	Non-existing request target (e.g. invalid entity identifier)