Audit Log

The audit log is located at ./log/audit.log. Each audit log entry is an unformatted JSON message on its own line: the log format is simply the message followed by a newline. The audit log can be customized in your IQ Server configuration.

For each audit log entry, each optional attribute is either present with its name and value or not present at all (neither name nor value).

Audit Attributes

| Attribute name | Description | Example |
| --- | --- | --- |
| timestamp | ISO 8601 formatted date time of when the audit event occurred | 2018-10-20T15:45:30.249+02:00 |
| requestMethod | (Optional) HTTP request method which triggered the audit event | POST |
| requestUri | (Optional) HTTP request URI (relative to the base URL) which triggered the audit event | /rest/user/session |
| remoteIpAddress | (Optional) IP address of the client request that triggered the audit event as known to the server | 127.0.0.1 |
| userAgent | (Optional) Client properties as known to the server by the User-Agent property of the HTTP request | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 |
| forwarded | (Optional) If a proxy is involved in the request this can give information about the original client request (protocol, host request header) and/or client/proxy identifiers | for=127.0.0.1 |
| username | Logged in username of the IQ Server's user (or *UNKNOWN if not logged in) that triggered the audit event | admin |
| domain | Functional area (category) in IQ Server where the audit event triggered. See audit domains and types for more details | authentication |
| type | The type of audit event. Typically, the action/activity that occurred within the area given by domain | login |
| error | (Optional) Summary of the error if this audit event resulted due to an error. See audit type errors for more details | bad-authentication |
| data | (Optional) Additional attributes (name/value pairs) relevant to the event | { "applicationPublicId":"appPublicId", "applicationName":"appName", ...etc} |

Audit Domains and Types

| Since | Domain | Event Type | Description |
| --- | --- | --- | --- |
| Release 52 | authentication | | Audit events related to login and logout of IQ Server |
| Release 52 | authentication | login | Successful login event. The "login" events are generated on a best-effort basis when the server uses reverse proxy authentication where the proxy handles login. |
| Release 52 | authentication | logout | Successful logout event |
| Release 52 | authentication | failure | Unsuccessful login event/action |
| Release 53 | governance.evaluation.application | | Audit events related to application policy evaluation |
| Release 53 | governance.evaluation.application | evaluate | An application policy evaluation event, which occurs when an attempt is made to evaluate a binary scan against an application's policies |
| Release 53 | governance.component.identity | set | A claim component event, which occurs when a similar or unknown component is claimed |
| Release 53 | governance.component.identity | unset | A revoke claim event, which occurs when a component claim is revoked |
| Release 53 | governance.component.vulnerability | update | An update to the status of a vulnerability affecting a component, e.g. when marking a vulnerability as "not applicable" |
| Release 53 | governance.component.license | update | An update to the status of the license(s) associated to a component, e.g. when marking a license as "overridden" |
| Release 53 | governance.component.label | assign | An assignment of a component label to a component |
| Release 53 | governance.component.label | remove | A removal of a component label from a component |
| Release 53 | governance.grandfathering | configure | Represents changing policy violation grandfathering for an organization or application to be inherited, enabled, or disabled and allowing or disallowing overriding in an organization's case |
| Release 53 | governance.grandfathering | apply | Occurs when grandfathering an application's policy violations |
| Release 53 | governance.grandfathering | revoke | Occurs when revoking grandfathering an application's policy violations |
| Release 54 | governance.import | import | Occurs when importing policies, component labels, license threat groups, and application categories |
| Release 54 | governance.proprietary-components | configure | Occurs when updating the proprietary component configuration of an organization or application |
| Release 54 | governance.continuous-monitoring | configure | Occurs when updating the continuous monitoring of an organization or application |
| Release 54 | governance.waiver | create | Occurs when creating a waiver by waiving a policy violation |
| Release 54 | governance.waiver | delete | Occurs when deleting a waiver |
| Release 55 | governance.application-category | create | Emitted when creating an application category |
| Release 55 | governance.application-category | update | Emitted when updating an application category |
| Release 55 | governance.application-category | delete | Emitted when deleting an application category |
| Release 55 | governance.application-category | import | Emitted when importing an application category by importing policies |
| Release 55 | governance.component-label | create | Emitted when creating a component label |
| Release 55 | governance.component-label | update | Emitted when updating a component label |
| Release 55 | governance.component-label | delete | Emitted when deleting a component label |
| Release 55 | governance.component-label | import | Emitted when importing a component label by importing policies |
| Release 55 | governance.license-threat-group | create | Logged when creating a license threat group |
| Release 55 | governance.license-threat-group | update | Logged when updating a license threat group |
| Release 55 | governance.license-threat-group | delete | Logged when deleting a license threat group |
| Release 55 | governance.license-threat-group | import | Logged when importing a license threat group |
| Release 55 | governance.license-threat-group.licenses | configure | Logged when changing the licenses belonging to a license threat group |
| Release 55 | governance.policy | create | Logged when creating a new policy |
| Release 55 | governance.policy | update | Logged when updating an existing policy |
| Release 55 | governance.policy | delete | Logged when deleting an existing policy |
| Release 55 | governance.policy | import | Logged when a new policy is imported |
| Release 55 | governance.policy.inheritance | configure | Logged when changing a policy's inheritance setting |
| Release 55 | governance.repository | connect | Occurs when a repository is connected to IQ Server (e.g. by enabling the NXRM audit capability for it) |
| Release 55 | governance.repository | disconnect | Occurs when a repository is disconnected from IQ Server (e.g. by disabling the NXRM audit capability for it) |
| Release 55 | governance.repository | remove | Occurs when removing a repository from IQ Server |
| Release 55 | governance.repository | migrate | Occurs when migrating a repository (e.g. upgrading a repository from NXRM2 to NXRM3) |
| Release 55 | governance.repository.quarantine | configure | Emitted when enabling or disabling quarantine for a repository |
| Release 55 | governance.repository.quarantine | retain | Emitted when a component is quarantined |
| Release 55 | governance.repository.quarantine | release | Emitted when a component is unquarantined |
| Release 55 | governance.repository.quarantine | reset | Emitted when a quarantined component is deleted or updated in a repository |
| Release 55 | governance.evaluation.repository | evaluate | Occurs when an attempt is made to evaluate repository components |
| Release 55 | governance.evaluation.repository | initiate | Indicates the initiation of a repository reevaluation, which may result in one or more repository policy evaluation events for the different components within that repository |
| Release 55 | security.user | create | Logged when creating a new user in the server's internal realm |
| Release 55 | security.user | update | Logged when updating a user in the server's internal realm |
| Release 55 | security.user | delete | Logged when deleting a user from the server's internal realm |
| Release 55 | security.user.password | update | Logged when a user from the internal realm changes their own password |
| Release 55 | security.user.password | reset | Logged when a system administrator resets the password of a user from the internal realm |
| Release 55 | security.role | create | Logged when creating a new custom role |
| Release 55 | security.role | update | Logged when editing a custom role |
| Release 55 | security.role | delete | Logged when deleting a custom role |
| Release 56 | security.role.membership | configure | Logged when assigning users/groups to a role |
| Release 56 | security.ldap | prioritize | Logged when re-ordering LDAP servers |
| Release 56 | security.ldap.server | create | Logged when creating a new LDAP server |
| Release 56 | security.ldap.server | update | Logged when updating an LDAP server |
| Release 56 | security.ldap.server | delete | Logged when deleting an LDAP server |
| Release 56 | security.ldap.server.connection | configure | Logged when updating the connection details of an LDAP server |
| Release 56 | security.ldap.server.user-mapping | configure | Logged when updating the user/group settings of an LDAP server |
| Release 56 | governance.organization | create | Logged when creating a new organization |
| Release 56 | governance.organization | update | Logged when updating an organization |
| Release 56 | governance.organization | delete | Logged when deleting an organization |
| Release 56 | governance.organization.icon | configure | Logged when setting or editing an organization icon |
| Release 56 | governance.application | create | Logged when creating a new application |
| Release 56 | governance.application | auto-create | Logged when automatically creating a new application during its first analysis |
| Release 56 | governance.application | update | Logged when updating an application |
| Release 56 | governance.application | delete | Logged when deleting an application |
| Release 56 | governance.application | move | Logged when moving an application to a new parent organization |
| Release 56 | governance.application.icon | configure | Logged when setting or editing an application icon |
| Release 56 | governance.application.categories | configure | Logged when assigning/unassigning application categories to/from an application |
| Release 56 | governance.automatic-applications | configure | Logged when configuring automatic applications by selecting a different parent organization for it or by enabling/disabling it |
| Release 56 | server | start | Emitted when starting the server |
| Release 56 | server | stop | Emitted when gracefully stopping the server |
| Release 56 | server.system-notice | configure | Logged when configuring the system notice |
| Release 56 | server.license | install | Logged when manually or automatically installing a server product license |
| Release 56 | server.license | uninstall | Logged when manually uninstalling a server product license |
| Release 56 | server.webhook | create | Output when creating a new webhook |
| Release 56 | server.webhook | update | Output when updating a webhook |
| Release 56 | server.webhook | delete | Output when deleting a webhook |
| Release 56 | reporting.application-composition.report | view | Logged when viewing the application composition report via the browser |
| Release 56 | reporting.application-composition.report | print | Logged when accessing the PDF version of the application composition report |
| Release 56 | reporting.application-composition.report | export | Logged when downloading the application composition report data via the REST API |
| Release 56 | reporting.success-metrics | configure | Logged when enabling or disabling success metrics reports |
| Release 56 | reporting.dashboard.filter | save | Logged when creating or updating a dashboard filter |
| Release 56 | reporting.dashboard.filter | delete | Logged when deleting a dashboard filter |
| Release 56 | reporting.dashboard.component-details | view | Logged when viewing component details from the dashboard |
| Release 57 | reporting.dashboard.application-list | view | Logged when viewing the dashboard applications tab |
| Release 57 | reporting.dashboard.application-list | export | Logged when exporting the dashboard applications tab |
| Release 57 | reporting.dashboard.component-list | view | Logged when viewing the dashboard components tab |
| Release 57 | reporting.dashboard.component-list | export | Logged when exporting the dashboard components tab |
| Release 57 | reporting.dashboard.violation-list | view | Logged when viewing the dashboard violations tab |
| Release 57 | reporting.dashboard.violation-list | export | Logged when exporting the dashboard violations tab |
| Release 57 | reporting.repository-results | view | Logged when viewing repository results |
| Release 57 | reporting.component-information | view | Logged when viewing component information panel data |
| Release 57 | reporting.success-metrics | export | Logged when exporting success metrics report via the REST API |
| Release 57 | reporting.success-metrics.report | create | Logged when creating a success metrics report |
| Release 57 | reporting.success-metrics.report | delete | Logged when deleting a success metrics report |
| Release 57 | reporting.success-metrics.report | view | Logged when viewing success metrics |
| Release 57 | reporting.policy-violations | export | Logged when exporting policy violations via the REST API |
| Release 57 | reporting.component-uses | search | Logged when searching components via the REST API |
| Release 57 | governance.evaluation.project | evaluate | Logged when policies are evaluated for project dependencies in an IDE |
| Release 57 | governance.evaluation.ad-hoc | evaluate | Logged when evaluating components against an application's policies via the REST API |
| Release 57 | governance.evaluation.ad-hoc | export | Logged when requesting the results of a component evaluation via the REST API |
| Release 58 | notification.mail | send | Logged when notification emails are sent for policy violations |
| Release 58 | notification.webhook | invoke | Logged when invoking a webhook |
| Release 58 | notification.issue.jira | create | Logged when a Jira issue is created for policy violations |
| Release 63 | server.data-retention | configure | Logged when the data retention policies are updated |
| Release 70 | security.role.membership | grant | Logged when a role is granted to a user / group |
| Release 70 | security.role.membership | revoke | Logged when a role is revoked from a user / group |
| Release 74 | security.saml | configure | Logged when SAML is configured or the existing configuration is updated |
| Release 74 | security.saml | delete | Logged when SAML configuration is removed |
| Release 76 | security.user.token | create | Logged when a user token is created |
| Release 76 | security.user.token | delete | Logged when a user token is deleted |
| Release 76 | security.user.token | purge | Logged when obsolete user tokens are purged |
| Release 76 | reporting.components-with-waivers | view | Logged when viewing components with waivers via the REST API |
| Release 79 | governance.source-control | create | Logged when creating source control configuration for an organization or an application |
| Release 79 | governance.source-control | update | Logged when updating source control configuration for an organization or an application |
| Release 79 | governance.source-control | delete | Logged when deleting source control configuration for an organization or an application |
| Release 79 | governance.source-control | auto-create | Logged when collecting the repository URL for an application through Automatic Source Control Onboarding |
| Release 81 | notification.pull-request | create | Logged when creating a new automatic pull request to remediate a policy violation |
| Release 82 | reporting.stale-waivers | view | Logged when viewing stale policy waivers via the REST API |
| Release 83 | server.mail | configure | Logged when creating / changing a mail configuration |
| Release 83 | server.mail | delete | Logged when deleting a mail configuration |
| Release 84 | server.proxy | configure | Logged when creating / changing a proxy server configuration |
| Release 84 | server.proxy | delete | Logged when deleting a proxy server configuration |
| Release 88 | reporting.advanced-search | configure | Logged when enabling or disabling the advanced search feature |
| Release 88 | reporting.advanced-search | search | Logged when performing an advanced search |
| Release 92 | governance.waiver | view | Logged when a policy waiver is viewed via the REST API |
| Release 94 | notification.pull-request.comment | create | Logged when creating a new pull request comment due to introduced or fixed policy violations |
| Release 94 | notification.pull-request.comment | update | Logged when updating a pull request comment due to introduced or fixed policy violations |
| Release 136 | security.quarantined-component-view-anonymous-access | configure | Logged when anonymous access is enabled or disabled for the Quarantined Component View |
| Release 138 | server.reverse-proxy-authentication | configure | Logged when creating / changing the reverse proxy authentication configuration |
| Release 138 | server.reverse-proxy-authentication | delete | Logged when deleting the reverse proxy authentication configuration |
| Release 138 | server.properties | configure | Logged when setting/changing the configuration for one or more properties |
| Release 138 | server.properties | delete | Logged when deleting the configuration for one or more properties |
| Release 139 | server.jira | configure | Logged when creating / changing the JIRA server configuration |
| Release 139 | server.jira | delete | Logged when deleting the JIRA server configuration |
| Release 140 | governance.policy.actions-overrides | add | Logged when adding a new actions override to an existing policy |
| Release 140 | governance.policy.actions-overrides | remove | Logged when removing an existing actions override from an existing policy |
| Release 140 | server.source-control | configure | Logged when creating / changing the source control configuration |
| Release 140 | server.source-control | delete | Logged when deleting the source control configuration |
| Release 160 | governance.repository | configure | Logged when a repository is configured |

Audit Type Errors

| Error | Description |
| --- | --- |
| server-error | Unspecific server error (e.g. due to misconfiguration or failure to communicate with external systems like LDAP) |
| client-error | Unspecific client error (e.g. due to an unacceptable request) |
| unlicensed | Missing or insufficient product license |
| unauthenticated | Missing username (expected when initially logging in) |
| unauthorized | Insufficient user permissions |
| bad-authentication | Incorrect username and/or password |
| bad-session | Bad/expired session cookie (expected when a session times out) |
| bad-csrf-token | Invalid CSRF token in request data submission |
| bad-request | Erroneous request (e.g. due to it being malformed or missing parameters) |
| bad-gateway | Invalid response from upstream server |
| gateway-timeout | Response timeout from upstream server |
| service-unavailable | IQ Server is currently unavailable (e.g. due to it being overloaded or down for maintenance) |
| not-found | Non-existing request target (e.g. invalid entity identifier) |
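
The following added example, which is not part of the IQ Server documentation, reads entries in the one-JSON-object-per-line format described above, counts lines that fail to parse, flags bursts of `authentication`/`failure` events per source address, and lists successful events from a watch list of security-sensitive domain/type pairs. The sample entries, addresses, threshold, time window and watch list are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries (not real log data); the last line is deliberately truncated.
SAMPLE = """\
{"timestamp":"2018-10-20T15:45:30.249+02:00","remoteIpAddress":"203.0.113.7","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}
{"timestamp":"2018-10-20T15:45:41.102+02:00","remoteIpAddress":"203.0.113.7","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}
{"timestamp":"2018-10-20T15:45:52.870+02:00","remoteIpAddress":"203.0.113.7","username":"*UNKNOWN","domain":"authentication","type":"failure","error":"bad-authentication"}
{"timestamp":"2018-10-20T15:46:10.000+02:00","remoteIpAddress":"198.51.100.4","username":"admin","domain":"authentication","type":"login"}
{"timestamp":"2018-10-20T15:47:02.500+02:00","remoteIpAddress":"198.51.100.4","username":"admin","domain":"security.role.membership","type":"grant"}
{"timestamp":"2018-10-20T15:48:00.000+02:00","username":"admin","domain":"security.user.token","type":"create","error":"unauthorized"}
{"timestamp":"2018-10-20T15:49:00.000+02:00","username":"adm
"""

WATCHED = {("security.role.membership", "grant"), ("security.user.token", "create"),
           ("security.user.password", "reset"), ("security.saml", "configure")}

def parse_audit(text):
    """Return (events, malformed_count); each event gains a parsed 'when'."""
    events, malformed = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            entry = json.loads(line)
            entry["when"] = datetime.fromisoformat(entry["timestamp"])
        except (ValueError, KeyError, TypeError):
            malformed += 1  # truncated or altered line: count it, do not hide it
            continue
        events.append(entry)
    return events, malformed

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map source -> peak count for sources with >= threshold failures inside window."""
    recent, flagged = defaultdict(deque), {}
    for e in sorted(events, key=lambda ev: ev["when"]):
        if (e.get("domain"), e.get("type")) != ("authentication", "failure"):
            continue
        # remoteIpAddress is optional, so fall back to forwarded, then a fixed key
        src = e.get("remoteIpAddress") or e.get("forwarded") or "unknown"
        q = recent[src]
        q.append(e["when"])
        while e["when"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def privileged_changes(events):
    """Watched events that carry no 'error' attribute, as (username, domain, type)."""
    return [(e.get("username"), e["domain"], e["type"]) for e in events
            if (e.get("domain"), e.get("type")) in WATCHED and "error" not in e]
```

A non-zero malformed count on a log that is written one complete JSON message per line is itself worth alerting on, since it points to truncation or modification of the file.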