
Export audit logs - NEW! 🚀

Audit logs can be exported only from the online database, using the audit.sh shell script located in <ceman folder>/bin.

The command connects to the Ceman node on which it is located.

After launching the audit.sh script, you must specify:

  • The username and password of the user that executes the export.
  • The filename that you want to be assigned to the output .csv file.
  • The starting and ending date of the export in the format yyyy-mm-dd.

For example, this command:

./audit.sh -u ghibli-superuser -P export -o ./list.csv --from-date 2025-02-25 --to-date 2025-02-26

will create a list.csv file with the audit logs from Feb. 25 to Feb. 26, 2025.

🚀 To ensure the authenticity and integrity of records, and to confirm that they have not been tampered with, an HMAC (Hash-based Message Authentication Code) is used. For each record, the HMAC is calculated over the record's information concatenated with the HMAC of a previous record. Each HMAC is recalculated every five minutes.

The concatenated HMAC of all the lines of the file is shown at the end of the exported file:

"","","","","","","","","","","","","","", "1bf72381954476ccde426945e9ca98c432ab06dacc9c2965ea79040b6596f572"

🚀 The -o parameter for the output file is available only when executing the export command.

🚀 The verify command can be used to check whether the audit logs have been tampered with. Use -i to specify the input file that must be verified. In the following example, the list.csv file is verified:

./audit.sh -u ghibli-superuser -P verify -i ./list.csv

The verify command prints a message that falls into one of three categories:

  1. The file is ok, there are no lines in error
######################################  
CHECK FILE: THE FILE IS OK  
HMAC: 885d5e3c1c421073794fe8a781b87a3182cf4aa4dedc0d87720663157491d8c5  
######################################

  2. The file is ok, but there are lines in error
    This occurs when the file is intact, but the corresponding content in the database is not.
######################################
CHECK FILE: THE FILE IS OK
HMAC: be348c541a9a621b8c5b292801433ff2324192e5e88afd50f561e21fd8a3d563
######################################
LINES WITH ERROR:
"2025-02-26 12:21:44.593","Ceman Audit","AUD0007A","a9aca5af-3a63-47bc-98a8-704c77df7cd8","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdc3920015","HMAC ERROR-AUD-E01"
"2025-02-26 12:21:47.005","Ceman Audit","AUD0007A","2df8dac7-4c42-4784-a63f-f7a5b2b32826","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdccff0018","HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02"

######################################

Look for these entries, which indicate that the corresponding content in the database is not intact:

  • HMAC ERROR-AUD-E01: this indicates that the HMAC has been tampered with in the database.
  • HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02: this indicates that the line was deleted from the database.

  3. The file has been tampered with

The HMAC of the file is given for reference.

######################################
CHECK FILE: THE FILE IS TAMPERED
HMAC: da9fc54bf809cada462b0ad432815d6e5fcfaf03076dfabb126d15884dff1b22
######################################
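
An added illustration, not Ceman's code or record format, of how a chained HMAC like the one described earlier lets a verifier tell an altered record from a deleted one, and how a file-level HMAC catches a truncated export. The key, the field layout, the start-of-chain value, the stored previous-HMAC column and the choice of HMAC-SHA256 are all assumptions made for this example.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # assumed start-of-chain value, not taken from the product

def mac_of(key: bytes, parts: list[str]) -> str:
    # Length-prefix every part so field boundaries cannot be shifted undetected.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(key: bytes, records: list[list[str]]):
    """Chain the records; return (rows, file_mac). A row is (fields, prev_mac, mac)."""
    rows, prev = [], GENESIS
    for fields in records:
        mac = mac_of(key, fields + [prev])
        rows.append((fields, prev, mac))
        prev = mac
    return rows, mac_of(key, [r[2] for r in rows])

def verify(key: bytes, rows, file_mac: str):
    """Return (file_ok, errors); errors are (row index, reason) pairs."""
    errors, prev = [], GENESIS
    for i, (fields, stored_prev, mac) in enumerate(rows):
        if not hmac.compare_digest(mac_of(key, fields + [stored_prev]), mac):
            errors.append((i, "record altered"))
        elif not hmac.compare_digest(stored_prev, prev):
            errors.append((i, "previous record missing"))
        prev = mac  # resume from the stored MAC so one bad row is reported once
    file_ok = hmac.compare_digest(mac_of(key, [r[2] for r in rows]), file_mac)
    return file_ok, errors

# Constructed sample data (not real Ceman records) and a demo key.
KEY = b"demo-key-not-for-production"
RECORDS = [
    ["2025-01-01 10:00:00.000", "LOGIN", "alice"],
    ["2025-01-01 10:05:00.000", "EXPORT", "alice"],
    ["2025-01-01 10:09:00.000", "LOGOUT", "alice"],
]

if __name__ == "__main__":
    rows, file_mac = seal(KEY, RECORDS)
    print(verify(KEY, rows, file_mac))                 # intact chain
    edited = (["2025-01-01 10:05:00.000", "EXPORT", "bob"],) + rows[1][1:]
    print(verify(KEY, [rows[0], edited, rows[2]], file_mac))  # row 1 altered
    print(verify(KEY, [rows[0], rows[2]], file_mac))   # row 1 deleted
    print(verify(KEY, rows[:2], file_mac))             # last row truncated
```

Removing the last row leaves every remaining link valid, so only the file-level HMAC reveals the truncation.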

The Audit Exporter CLI

default@ceman:/ceman/bin$ ./audit.sh 
Usage: audit [-hLV] [-C=<connectTimeoutSeconds>] [-R=<readTimeoutSeconds>]
             -u=<username> (-p=<passwordFile> | -P) [COMMAND]
Audit Exporter CLI
  -C, --connect-timeout-seconds=<connectTimeoutSeconds>
                             Connect timeout seconds (default if not specified:
                               `300`)
  -h, --help                 Show this help message and exit.
  -L, --enable-console-log   Enable console log
  -p, --password-file=<passwordFile>
                             Single-line file containing the password in clear
                               text
  -P, --password             Interactive password, prompted on console if not
                               specified
  -R, --read-timeout-seconds=<readTimeoutSeconds>
                             Read timeout seconds (default if not specified:
                               `300`)
  -u, --username=<username>  Username
  -V, --version              Print version information and exit.
Commands:
  help    Displays help information about the specified command
  export  Export Audit
  verify  Export Verify