Export audit logs 🚀

Audit logs can be exported only from the online database using the shell audit.sh (<ceman folder>/bin).

The command connects to the Ceman node where this command is located.

After launching the audit.sh shell, you will have to specify:

The username and password of the user that executes the export.
The filename that you want to be assigned to the output .csv file.
The starting and ending date of the export in the format yyyy-mm-dd.

For example this command:

./audit.sh -u ghibli-superuser -P export -o ./list.csv --from-date 2025-02-25 --to-date 2025-02-26

will create a list.csv file with the audit logs from Feb. 25 to Feb. 26, 2025.

🚀 To ensure the authenticity and integrity of records, and confirm that they have not been tampered with, HMAC (Hash-based Message Authentication Code) is used. For each record, the HMAC is calculated by concatenating the record's information with the HMAC of a previous record. Each HMAC is recalculated every five minutes. The concatenated HMAC of all the lines of the file is shown at the end of the exported file:

"","","","","","","","","","","","","","", "1bf72381954476ccde426945e9ca98c432ab06dacc9c2965ea79040b6596f572"

🚀 The -o parameter for the file output is present only when executing the export command.

🚀 The verify -i parameter can be used to check whether the audit logs have been tampered with. Use -i to specify the input file that must be verified. In the following example, the list.csv file is verified:

./audit.sh -u ghibli-superuser -P verify -i ./list.csv

The verify parameter will print a message that can belong to three categories:

The file is ok, there are no lines in error

######################################  
CHECK FILE: THE FILE IS OK  
HMAC: 885d5e3c1c421073794fe8a781b87a3182cf4aa4dedc0d87720663157491d8c5  
######################################

The file is ok, but there are lines in error This occurs when the file is intact, but the corresponding content in the database is not.

######################################
CHECK FILE: THE FILE IS OK
HMAC: be348c541a9a621b8c5b292801433ff2324192e5e88afd50f561e21fd8a3d563
######################################
LINES WITH ERROR:
"2025-02-26 12:21:44.593","Ceman Audit","AUD0007A","a9aca5af-3a63-47bc-98a8-704c77df7cd8","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdc3920015","HMAC ERROR-AUD-E01"
"2025-02-26 12:21:47.005","Ceman Audit","AUD0007A","2df8dac7-4c42-4784-a63f-f7a5b2b32826","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdccff0018","HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02"

######################################

Look for these entries, indicating that the file is not intact in the database:

HMAC ERROR-AUD-E01: this indicates that the HMAC has been tampered with in the database.
HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02: this indicates that the line was deleted from the database.

The file has been tampered with

The HMAC of the file is given for reference.

######################################
CHECK FILE: THE FILE IS TAMPERED
HMAC: da9fc54bf809cada462b0ad432815d6e5fcfaf03076dfabb126d15884dff1b22
######################################

The Audit Exporter CLI

default@ceman:/ceman/bin$ ./audit.sh 
Usage: audit [-hLV] [-C=<connectTimeoutSeconds>] [-R=<readTimeoutSeconds>]
             -u=<username> (-p=<passwordFile> | -P) [COMMAND]
Audit Exporter CLI
  -C, --connect-timeout-seconds=<connectTimeoutSeconds>
                             Connect timeout seconds (default if not specified:
                               `300`)
  -h, --help                 Show this help message and exit.
  -L, --enable-console-log   Enable console log
  -p, --password-file=<passwordFile>
                             Single-line file containing the password in clear
                               text
  -P, --password             Interactive password, prompted on console if not
                               specified
  -R, --read-timeout-seconds=<readTimeoutSeconds>
                             Read timeout seconds (default if not specified:
                               `300`)
  -u, --username=<username>  Username
  -V, --version              Print version information and exit.
Commands:
  help    Displays help information about the specified command
  export  Export Audit
  verify  Export Verify

PreviousAudit Options 🚀NextList of Audit entity types 🚀

Last updated 9 months ago