Audit Log

IQ Server Audit Log was introduced in the Nexus IQ Server 52 release.


Audit Log Reference

By default the audit log is located at ./log/audit.log. The log format is simply the message followed by a newline, so each audit log entry is an unformatted JSON message on its own line. The audit log can be customized in your IQ Server configuration.

For each audit log entry, an optional attribute is either present with its name and value, or absent entirely (no name and no value).

Audit attributes

| Attribute name | Description | Example |
| --- | --- | --- |
| timestamp | ISO 8601 formatted date time of when the audit event occurred | 2018-10-20T15:45:30.249+02:00 |
| requestMethod | (Optional) HTTP request method which triggered the audit event | POST |
| requestUri | (Optional) HTTP request URI (relative to the base URL) which triggered the audit event | /rest/user/session |
| remoteIpAddress | (Optional) IP address of the client request that triggered the audit event, as known to the server | 127.0.0.1 |
| userAgent | (Optional) Client properties as known to the server from the User-Agent header of the HTTP request | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 |
| forwarded | (Optional) If a proxy is involved in the request, this can give information about the original client request (protocol, host request header) and/or client/proxy identifiers | for=127.0.0.1 |
| username | Logged in username of the IQ Server user (or *UNKNOWN if not logged in) that triggered the audit event | admin |
| domain | Functional area (category) in IQ Server where the audit event was triggered. See audit domains and types for more details | authentication |
| type | The type of audit event. Typically, the action/activity that occurred within the area given by domain | login |
| error | (Optional) Summary of the error if this audit event resulted from an error. See audit type errors for more details | bad-authentication |
| data | (Optional) Additional attributes (name/value pairs) relevant to the event | {"applicationPublicId":"appPublicId","applicationName":"appName", ...etc} |

Audit domains and types

| Since | Domain | Event type | Description |
| --- | --- | --- | --- |
| Release 52 | authentication (audit events related to login and logout of IQ Server) | login | Successful login event. The "login" events are generated on a best-effort basis when the server uses reverse proxy authentication where the proxy handles login. |
| | | logout | Successful logout event |
| | | failure | Unsuccessful login event/action |
| Release 53 | governance.evaluation.application (audit events related to application policy evaluation) | evaluate | An application policy evaluation event, which occurs when an attempt is made to evaluate a binary scan against an application's policies |
| | governance.component.identity | set | A claim component event, which occurs when a similar or unknown component is claimed |
| | | unset | A revoke claim event, which occurs when a component claim is revoked |
| | governance.component.vulnerability | update | An update to the status of a vulnerability affecting a component, e.g. when marking a vulnerability as "not applicable" |
| | governance.component.license | update | An update to the status of the license(s) associated with a component, e.g. when marking a license as "overridden" |
| | governance.component.label | assign | An assignment of a component label to a component |
| | | remove | A removal of a component label from a component |
| | governance.grandfathering | configure | Represents changing policy violation grandfathering for an organization or application to be inherited, enabled, or disabled, and (for an organization) allowing or disallowing overriding |
| | | apply | Occurs when grandfathering an application's policy violations |
| | | revoke | Occurs when revoking grandfathering of an application's policy violations |
| Release 54 | governance.import | import | Occurs when importing policies, component labels, license threat groups, and application categories |
| | governance.proprietary-components | configure | Occurs when updating the proprietary component configuration of an organization or application |
| | governance.continuous-monitoring | configure | Occurs when updating the continuous monitoring of an organization or application |
| | governance.waiver | create | Occurs when creating a waiver by waiving a policy violation |
| | | delete | Occurs when deleting a waiver |
| Release 55 | governance.application-category | create | Emitted when creating an application category |
| | | update | Emitted when updating an application category |
| | | delete | Emitted when deleting an application category |
| | | import | Emitted when importing an application category by importing policies |
| | governance.component-label | create | Emitted when creating a component label |
| | | update | Emitted when updating a component label |
| | | delete | Emitted when deleting a component label |
| | | import | Emitted when importing a component label by importing policies |
| | governance.license-threat-group | create | Logged when creating a license threat group |
| | | update | Logged when updating a license threat group |
| | | delete | Logged when deleting a license threat group |
| | | import | Logged when importing a license threat group |
| | governance.license-threat-group.licenses | configure | Logged when changing the licenses belonging to a license threat group |
| | governance.policy | create | Logged when creating a new policy |
| | | update | Logged when updating an existing policy |
| | | delete | Logged when deleting an existing policy |
| | | import | Logged when a new policy is imported |
| | governance.policy.inheritance | configure | Logged when changing a policy's inheritance setting |
| | governance.repository | connect | Occurs when a repository is connected to IQ Server (e.g. by enabling the NXRM audit capability for it) |
| | | disconnect | Occurs when a repository is disconnected from IQ Server (e.g. by disabling the NXRM audit capability for it) |
| | | remove | Occurs when removing a repository from IQ Server |
| | | migrate | Occurs when migrating a repository (e.g. upgrading a repository from NXRM2 to NXRM3) |
| | governance.repository.quarantine | configure | Emitted when enabling or disabling quarantine for a repository |
| | | retain | Emitted when a component is quarantined |
| | | release | Emitted when a component is unquarantined |
| | | reset | Emitted when a quarantined component is deleted or updated in a repository |
| | governance.evaluation.repository | evaluate | Occurs when an attempt is made to evaluate repository components |
| | | initiate | Indicates the initiation of a repository re-evaluation, which may result in one or more repository policy evaluation events for the different components within that repository |
| | security.user | create | Logged when creating a new user in the server's internal realm |
| | | update | Logged when updating a user in the server's internal realm |
| | | delete | Logged when deleting a user from the server's internal realm |
| | security.user.password | update | Logged when a user from the internal realm changes their own password |
| | | reset | Logged when a system administrator resets the password of a user from the internal realm |
| | security.role | create | Logged when creating a new custom role |
| | | update | Logged when editing a custom role |
| | | delete | Logged when deleting a custom role |
| Release 56 | security.role.membership | configure | Logged when assigning users/groups to a role |
| | security.ldap | prioritize | Logged when re-ordering LDAP servers |
| | security.ldap.server | create | Logged when creating a new LDAP server |
| | | update | Logged when updating an LDAP server |
| | | delete | Logged when deleting an LDAP server |
| | security.ldap.server.connection | configure | Logged when updating the connection details of an LDAP server |
| | security.ldap.server.user-mapping | configure | Logged when updating the user/group settings of an LDAP server |
| | governance.organization | create | Logged when creating a new organization |
| | | update | Logged when updating an organization |
| | | delete | Logged when deleting an organization |
| | governance.organization.icon | configure | Logged when setting or editing an organization icon |
| | governance.application | create | Logged when creating a new application |
| | | auto-create | Logged when automatically creating a new application during its first analysis |
| | | update | Logged when updating an application |
| | | delete | Logged when deleting an application |
| | | move | Logged when moving an application to a new parent organization |
| | governance.application.icon | configure | Logged when setting or editing an application icon |
| | governance.application.categories | configure | Logged when assigning/unassigning application categories to/from an application |
| | governance.automatic-applications | configure | Logged when configuring automatic applications, either by selecting a different parent organization for them or by enabling/disabling the feature |
| | server | start | Emitted when starting the server |
| | | stop | Emitted when gracefully stopping the server |
| | server.system-notice | configure | Logged when configuring the system notice |
| | server.license | install | Logged when manually or automatically installing a server product license |
| | | uninstall | Logged when manually uninstalling a server product license |
| | server.webhook | create | Output when creating a new webhook |
| | | update | Output when updating a webhook |
| | | delete | Output when deleting a webhook |
| | reporting.application-composition.report | view | Logged when viewing the application composition report via the browser |
| | | print | Logged when accessing the PDF version of the application composition report |
| | | export | Logged when downloading the application composition report data via the REST API |
| | reporting.success-metrics | configure | Logged when enabling or disabling success metrics reports |
| | reporting.dashboard.filter | save | Logged when creating or updating a dashboard filter |
| | | delete | Logged when deleting a dashboard filter |
| | reporting.dashboard.component-details | view | Logged when viewing component details from the dashboard |

Audit type errors

| Error | Description |
| --- | --- |
| server-error | Unspecific server error (e.g. due to misconfiguration or failure to communicate with external systems like LDAP) |
| client-error | Unspecific client error (e.g. due to an unacceptable request) |
| unlicensed | Missing or insufficient product license |
| unauthenticated | Missing username (expected when initially logging in) |
| unauthorized | Insufficient user permissions |
| bad-authentication | Incorrect username and/or password |
| bad-session | Bad/expired session cookie (expected when a session times out) |
| bad-csrf-token | Invalid CSRF token in request data submission |
| bad-request | Erroneous request (e.g. due to it being malformed or missing parameters) |
| bad-gateway | Invalid response from upstream server |
| gateway-timeout | Response timeout from upstream server |
| service-unavailable | Server is currently unavailable (e.g. due to it being overloaded or down for maintenance) |
| not-found | Non-existing request target (e.g. invalid entity identifier) |
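The following is an added example, not part of the Sonatype documentation or of IQ Server itself, showing how a defender can consume audit.log as described above (one JSON object per line, optional attributes simply absent) and turn the domain/type/error vocabulary from the two tables into detection logic: it counts bad-authentication failures per remoteIpAddress and then lists security.* changes made by any user whose login came from an IP that exceeded the threshold. The sample log lines, the threshold of 3 and all function names are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample of audit.log lines: one unformatted JSON object per line,
# with optional attributes (error, requestUri, forwarded, ...) absent when not applicable.
SAMPLE_LOG = """\
{"timestamp":"2018-10-20T15:45:30.249+02:00","requestMethod":"POST","requestUri":"/rest/user/session","remoteIpAddress":"127.0.0.1","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}
{"timestamp":"2018-10-20T15:45:31.001+02:00","requestMethod":"POST","requestUri":"/rest/user/session","remoteIpAddress":"127.0.0.1","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}
{"timestamp":"2018-10-20T15:45:31.700+02:00","requestMethod":"POST","requestUri":"/rest/user/session","remoteIpAddress":"127.0.0.1","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}
{"timestamp":"2018-10-20T15:45:40.000+02:00","requestMethod":"POST","requestUri":"/rest/user/session","remoteIpAddress":"127.0.0.1","forwarded":"for=127.0.0.1","username":"admin","domain":"authentication","type":"login"}
{"timestamp":"2018-10-20T15:46:02.500+02:00","requestMethod":"PUT","remoteIpAddress":"127.0.0.1","username":"admin","domain":"security.user.password","type":"reset"}
{"timestamp":"2018-10-20T15:50:00.000+02:00","requestMethod":"POST","remoteIpAddress":"10.0.0.5","username":"alice","domain":"governance.waiver","type":"create"}
not-json garbage line
"""

def parse_audit_log(text):
    """One dict per line; blank or non-JSON lines are skipped rather than aborting the scan."""
    entries = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            entries.append(obj)
    return entries

def summarize(entries):
    """Count events per (domain, type, error); an absent 'error' attribute counts as None."""
    return Counter((e.get("domain"), e.get("type"), e.get("error")) for e in entries)

def failed_login_sources(entries, threshold=3):
    """Client IPs (remoteIpAddress) with at least `threshold` bad-authentication failures."""
    per_ip = Counter()
    for e in entries:
        if (e.get("domain"), e.get("type"), e.get("error")) == ("authentication", "failure", "bad-authentication"):
            per_ip[e.get("remoteIpAddress", "<unknown>")] += 1  # optional attribute may be absent
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

def security_changes_after_failures(entries, threshold=3):
    """security.* events by users whose login came from an IP flagged by failed_login_sources.
    Entries are processed in file order, which is chronological for an append-only log."""
    flagged = failed_login_sources(entries, threshold)
    suspect_users, hits = set(), []
    for e in entries:
        if e.get("domain") == "authentication" and e.get("type") == "login" and e.get("remoteIpAddress") in flagged:
            suspect_users.add(e.get("username"))
        elif str(e.get("domain", "")).startswith("security.") and e.get("username") in suspect_users:
            hits.append((e["timestamp"], e["username"], e["domain"], e["type"]))
    return hits
```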