Export audit logs
Audit logs can be exported only from the online database using the shell audit.sh (<ceman folder>/bin).
The command connects to the Ceman node where this command is located.
After launching the audit.sh shell, you will have to specify:
The username and password of the user that executes the export.
The filename that you want to be assigned to the output .csv file.
The starting and ending date of the export in the format yyyy-mm-dd.
For example, this command:
./audit.sh -u ghibli-superuser -P export -o ./list.csv --from-date 2025-02-25 --to-date 2025-02-26
will create a list.csv file with the audit logs from Feb. 25 to Feb. 26, 2025.
To ensure the authenticity and integrity of records, and confirm that they have not been tampered with, HMAC (Hash-based Message Authentication Code) is used. For each record, the HMAC is calculated by concatenating the record's information with the HMAC of a previous record. Each HMAC is recalculated every five minutes. The concatenated HMAC of all the lines of the file is shown at the end of the exported file:
"","","","","","","","","","","","","","", "1bf72381954476ccde426945e9ca98c432ab06dacc9c2965ea79040b6596f572"
The -o parameter for the file output is present only when executing the export command.
The verify -i parameter can be used to check whether the audit logs have been tampered with. Use -i to specify the input file that must be verified. In the following example, the list.csv file is verified:
./audit.sh -u ghibli-superuser -P verify -i ./list.csv
The verify command prints a message that falls into one of three categories:
The file is ok, there are no lines in error
######################################
CHECK FILE: THE FILE IS OK
HMAC: 885d5e3c1c421073794fe8a781b87a3182cf4aa4dedc0d87720663157491d8c5
######################################
The file is ok, but there are lines in error
This occurs when the file is intact, but the corresponding content in the database is not.
######################################
CHECK FILE: THE FILE IS OK
HMAC: be348c541a9a621b8c5b292801433ff2324192e5e88afd50f561e21fd8a3d563
######################################
LINES WITH ERROR:
"2025-02-26 12:21:44.593","Ceman Audit","AUD0007A","a9aca5af-3a63-47bc-98a8-704c77df7cd8","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdc3920015","HMAC ERROR-AUD-E01"
"2025-02-26 12:21:47.005","Ceman Audit","AUD0007A","2df8dac7-4c42-4784-a63f-f7a5b2b32826","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdccff0018","HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02"
######################################
Look for these entries, indicating that the file is not intact in the database:
HMAC ERROR-AUD-E01: this indicates that the HMAC has been tampered with in the database.
HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02: this indicates that the line was deleted from the database.
The file has been tampered with
The HMAC of the file is given for reference.
######################################
CHECK FILE: THE FILE IS TAMPERED
HMAC: da9fc54bf809cada462b0ad432815d6e5fcfaf03076dfabb126d15884dff1b22
######################################
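A minimal sketch of the chained-HMAC idea described above and of the two per-line error categories that verify reports, as an added example (not Ceman's code). The key, the choice of HMAC-SHA256, the field separators, the predecessor reference stored in each record, the shortened error labels and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the product): key, HMAC-SHA256, field separators, and
# that each record stores the id of its predecessor.
KEY = b"constructed-demo-key"

# Constructed sample records: (record id, audit fields)
ROWS = [
    ("r1", ["2025-02-26 12:21:44", "LOGIN", "user-a"]),
    ("r2", ["2025-02-26 12:21:47", "LOGIN", "user-b"]),
    ("r3", ["2025-02-26 12:22:10", "LOGOUT", "user-a"]),
]

def record_mac(fields, prev_mac, key=KEY):
    """HMAC over the record's fields concatenated with the previous record's HMAC."""
    msg = "\x1f".join(fields).encode() + b"\x1e" + prev_mac.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_chain(rows, key=KEY):
    """Turn (id, fields) rows into stored records linked by their HMACs."""
    chain, prev_id, prev_mac = [], None, ""
    for rid, fields in rows:
        mac = record_mac(fields, prev_mac, key)
        chain.append({"id": rid, "fields": list(fields), "prev": prev_id, "mac": mac})
        prev_id, prev_mac = rid, mac
    return chain

def file_mac(chain, key=KEY):
    """One HMAC over all per-record HMACs, like the trailer value of an export."""
    joined = "".join(r["mac"] for r in chain).encode()
    return hmac.new(key, joined, hashlib.sha256).hexdigest()

def verify_chain(chain, key=KEY):
    """Map record id -> error label for every record that fails the chain check."""
    by_id = {r["id"]: r for r in chain}
    errors = {}
    for r in chain:
        if r["prev"] is not None and r["prev"] not in by_id:
            errors[r["id"]] = "PREVIOUS RECORD NOT FOUND"  # predecessor deleted
            continue
        prev_mac = by_id[r["prev"]]["mac"] if r["prev"] else ""
        if not hmac.compare_digest(record_mac(r["fields"], prev_mac, key), r["mac"]):
            errors[r["id"]] = "HMAC ERROR"  # content or stored HMAC was changed
    return errors

if __name__ == "__main__":
    chain = build_chain(ROWS)
    chain[1]["fields"][2] = "user-x"  # edit a record without knowing the key
    print(verify_chain(chain))
```

In this sketch, dropping records from the end of the chain passes the per-record check; only the file-level HMAC over all lines changes, which is why both values are compared.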
The Audit Exporter CLI
default@ceman:/ceman/bin$ ./audit.sh
Usage: audit [-hLV] [-C=<connectTimeoutSeconds>] [-R=<readTimeoutSeconds>]
             -u=<username> (-p=<passwordFile> | -P) [COMMAND]
Audit Exporter CLI
  -C, --connect-timeout-seconds=<connectTimeoutSeconds>
                             Connect timeout seconds (default if not specified:
                               `300`)
  -h, --help                 Show this help message and exit.
  -L, --enable-console-log   Enable console log
  -p, --password-file=<passwordFile>
                             Single-line file containing the password in clear
                               text
  -P, --password             Interactive password, prompted on console if not
                               specified
  -R, --read-timeout-seconds=<readTimeoutSeconds>
                             Read timeout seconds (default if not specified:
                               `300`)
  -u, --username=<username>  Username
  -V, --version              Print version information and exit.
Commands:
  help    Displays help information about the specified command
  export  Export Audit
  verify  Export Verify