I am trying to audit all the users issuing Session Relevance calls against the WebReport API or the Root Server REST API api/query endpoint. I’m running v9.5.13.
For WebReports it looks like they are recorded in the \BES Server<date>.log file.
But I know of a script hitting 52311/api/query?output=json&relevance=… but there is no record of that user in the server_audit.log on the Root server, yet that log lists many other “Success log in. (API Connection)” events.
Does the audit_log not record connections for that endpoint?
So now I do see the event in the server_audit.log as a login but it still doesn’t record any other action by that user (as to which endpoint they hit). It seems like the audit log just records API Logins and computer deletes, but that is it.
1|Wed, 10 Jun 2020 10:43:01 -0500|INFO||||||user “xxxx” (807): Successful log in. (API Connection)
Hi,
the server_audit.log file registers the login performed through the BigFix Console, the BigFix WebUI, the BigFix WebReports and the REST API “login”.
This is the Audit Log documentation link: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/r_logfiles.html
Hi, true, but it also does show the DELETE COMPUTER actions via the API, so it’s not really only authentication records. For that reason, I thought it might include other actions but I guess not. Thanks.
Hi,
true, only a subset of actions are registered into the server_audit.log.
The audit log service has no log levels to filter the actions to be recorded; therefore, if you do not find the entry in server_audit.log, it is not recorded.
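Added example, not part of the thread and not HCL's code: since server_audit.log records API logins but not the endpoint that was hit, the most it can yield for this audit is a per-user tally of API logins. The sketch assumes the nine-field, pipe-delimited layout of the single line quoted above; every sample line other than that one is constructed, and the function names are hypothetical.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample: line 1 is the entry quoted in the thread; the others are
# made up in the same shape (user "yyyy", id 12 and the non-login text are invented).
SAMPLE_LOG = """\
1|Wed, 10 Jun 2020 10:43:01 -0500|INFO||||||user “xxxx” (807): Successful log in. (API Connection)
1|Wed, 10 Jun 2020 10:44:17 -0500|INFO||||||user "yyyy" (12): Successful log in. (API Connection)
1|Wed, 10 Jun 2020 10:45:30 -0500|INFO||||||constructed placeholder for a non-login event
1|Wed, 10 Jun 2020 10:50:02 -0500|INFO||||||user "xxxx" (807): Successful log in. (API Connection)
this line is truncated or not pipe-delimited
"""

# Accept straight and typographic quotes around the user name.
LOGIN_RE = re.compile(
    r'user ["“](?P<user>[^"”]+)["”] \((?P<uid>\d+)\): '
    r'Successful log in\. \((?P<kind>[^)]+)\)'
)

def parse_line(line):
    """Return (timestamp, priority, message), or None if the line is malformed."""
    parts = line.rstrip("\r\n").split("|", 8)  # the message may itself contain '|'
    if len(parts) != 9:
        return None
    try:
        when = parsedate_to_datetime(parts[1])  # RFC 2822 style date
    except (TypeError, ValueError):
        return None
    return when, parts[2], parts[8]

def api_logins(lines, kind="API Connection"):
    """Tally logins of one connection kind per user; also count unparseable lines."""
    logins, unparsed = {}, 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # surface these instead of silently dropping them
            continue
        m = LOGIN_RE.search(rec[2])
        if m and m["kind"] == kind:
            entry = logins.setdefault(m["user"], {"count": 0, "last": rec[0]})
            entry["count"] += 1
            entry["last"] = max(entry["last"], rec[0])
    return logins, unparsed

if __name__ == "__main__":
    tally, bad = api_logins(SAMPLE_LOG.splitlines())
    for user, info in tally.items():
        print(user, info["count"], info["last"].isoformat())
    print("unparsed lines:", bad)
```

A non-zero unparsed count means the layout assumption did not hold for some lines, so the tally should not be treated as complete.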