How to audit events in UAA logs for a user created or deleted using cf CLI
Article ID: 298047

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Scenario 

Suppose a user loses access to the Cloud Foundry Command Line Interface (cf CLI), and you later find out that the user's account was deleted, accidentally or intentionally. To audit and investigate this, you need to know where Cloud Foundry (CF) logs user creation and deletion events.


Example

Create a user (test-user) using the cf CLI:

    cf create-user test-user pass1!

Delete the test-user using the cf CLI:

    cf delete-user test-user

The Resolution section below shows where these events are logged.

Environment

Product Version: 2.8

Resolution

UAA SCIM administration events are logged in /var/vcap/sys/log/uaa/uaa_events.log on the UAA VM that is deployed as part of installing Tanzu Application Service for VMs.

Look for the following events in /var/vcap/sys/log/uaa/uaa_events.log to audit user creation and deletion:

  • UserCreatedEvent - triggered when a user is created.
  • UserDeletedEvent - triggered when a user is deleted.

Example 

Following the steps above to create and delete the test-user, we can see the events which are logged pertaining to those commands in /var/vcap/sys/log/uaa/uaa_events.log:

  • UserCreatedEvent
[2020-06-08 21:57:24.532] uaa - 15 [https-jsse-nio-8443-exec-4] ....  INFO --- Audit: UserCreatedEvent ('["user_id=ec6c4622-####-#####-bea0-2a6f1645bc4f","username=test-user"]'): principal=ec6c4622-####-####-bea0-2a6f1645bc4f, origin=[client=cf, user=admin, details=(remoteAddress=10.255.200.109, tokenType=bearertokenValue=<TOKEN>, sub=2e910b05-9c55-####-####-ddea188b5454, iss=https://uaa.###.######.io/oauth/token)], identityZoneId=[uaa]
  • UserDeletedEvent
[2020-06-08 22:04:26.893] uaa - 15 [https-jsse-nio-8443-exec-8] ....  INFO --- Audit: UserDeletedEvent ('["user_id=ec6c4622-####-####-####-2a6f1645bc4f","username=test-user"]'): principal=ec6c4622-fedc-437a-bea0-2a6f1645bc4f, origin=[client=cf, user=admin, details=(remoteAddress=10.255.200.109, tokenType=bearertokenValue=<TOKEN>, sub=2e910b05-####-####-####-ddea188b5454, iss=https://uaa.###.######.io/oauth/token)], identityZoneId=[uaa]
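
An added example, not part of the original article or of any VMware tooling: a small Python parser that picks the two audit events out of uaa_events.log lines and reports the affected account, who issued the request, through which client and from which address. The sample lines are constructed, the names parse_user_events and UserEvent are hypothetical, and the line layout is assumed to match the two examples above.

```python
import json
import re
from typing import Iterable, Iterator, NamedTuple, Optional

# Constructed sample in the article's log format; IDs, host and address are made up.
SAMPLE_LOG = """\
[2020-06-08 21:57:24.532] uaa - 15 [https-jsse-nio-8443-exec-4] ....  INFO --- Audit: UserCreatedEvent ('["user_id=11111111-aaaa-bbbb-cccc-222222222222","username=test-user"]'): principal=11111111-aaaa-bbbb-cccc-222222222222, origin=[client=cf, user=admin, details=(remoteAddress=10.0.0.5, tokenType=bearertokenValue=<TOKEN>, sub=33333333-dddd-eeee-ffff-444444444444, iss=https://uaa.example.test/oauth/token)], identityZoneId=[uaa]
[2020-06-08 21:58:00.000] uaa - 15 [https-jsse-nio-8443-exec-2] ....  INFO --- Audit: OtherEvent ('["placeholder"]'): principal=none, origin=[client=cf], identityZoneId=[uaa]
[2020-06-08 22:04:26.893] uaa - 15 [https-jsse-nio-8443-exec-8] ....  INFO --- Audit: UserDeletedEvent ('["user_id=11111111-aaaa-bbbb-cccc-222222222222","username=test-user"]'): principal=11111111-aaaa-bbbb-cccc-222222222222, origin=[client=cf, user=admin, details=(remoteAddress=10.0.0.5, tokenType=bearertokenValue=<TOKEN>, sub=33333333-dddd-eeee-ffff-444444444444, iss=https://uaa.example.test/oauth/token)], identityZoneId=[uaa]
"""

# Matches only the two audit events this article covers.
AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*? Audit: (?P<event>User(?:Created|Deleted)Event) "
    r"\('(?P<data>\[.*?\])'\): principal=[^,]+, "
    r"origin=\[(?P<origin>.*)\], identityZoneId="
)

class UserEvent(NamedTuple):
    timestamp: str
    event: str
    user_id: str         # account that was created or deleted
    username: str
    actor: str           # "user=" in origin: who issued the request
    client: str          # OAuth client, e.g. "cf" for the cf CLI
    remote_address: str

def _origin_field(name: str, origin: str) -> str:
    m = re.search(r"\b" + re.escape(name) + r"=([^,)\]]+)", origin)
    return m.group(1) if m else ""  # "" when the field is absent

def parse_user_events(lines: Iterable[str], username: Optional[str] = None) -> Iterator[UserEvent]:
    """Yield user create/delete events, optionally only those for one username."""
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        try:  # event data is a JSON array of "key=value" strings
            data = dict(item.split("=", 1) for item in json.loads(m["data"]))
        except (ValueError, AttributeError):
            continue  # malformed event data: skip rather than guess
        if username is not None and data.get("username") != username:
            continue
        origin = m["origin"]
        yield UserEvent(m["ts"], m["event"], data.get("user_id", ""), data.get("username", ""),
                        *(_origin_field(k, origin) for k in ("user", "client", "remoteAddress")))

if __name__ == "__main__":
    for ev in parse_user_events(SAMPLE_LOG.splitlines(), username="test-user"):
        print(*ev, sep="  ")
```

To run it against a real log, pass an open file handle for /var/vcap/sys/log/uaa/uaa_events.log as the lines argument.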