Audit-Event Commands

Audit-event commands are used for reviewing the Key Manager audit log.

count-audit-events

Syntax:

ssh-mgr-client count-audit-events [options] [-F <filter>] [-vvv] [-U <url>]

Returns the number of audit events that match the criteria.

For filtering (-F), you can use the same attributes that are available for the list-audit-events command (see Section list-audit-events).

The default command returns the number of audit events in the Key Manager system:

$ ssh-mgr-client count-audit-events
15730

Example for returning the number of audit events for a certain admin user:

$ ssh-mgr-client count-audit-events -F "admin_user=keyadmin01"
350

list-audit-events

Syntax:

ssh-mgr-client list-audit-events [options] \
[-F <filter>] [-vvv] [-U <url>] [-o <format>] [-C <columns>] [-H] [-B]

The default command lists all the audit events in the Key Manager audit log:

$ ssh-mgr-client list-audit-events

In large environments, the unfiltered audit log is likely to return an overwhelming number of items. For performance reasons it is recommended that you filter the search to return a smaller subset of items.

The following columns can be used for filtering (-F) and output formatting (-C):

admin_user

Username of the admin user who triggered the audit event

audit_event_type

Type of the audit event

changes

Object field changes for the audit event in JSON. Only usable for output formatting (-C).

date

Timestamp of the audit event

description

Description of the event type. Only usable for output formatting (-C).

details

Audit event details. Only usable for output formatting (-C).

id

Internal PrivX Key Manager id for audit event

job_id

Internal PrivX Key Manager id of the related job

object_id

Internal PrivX Key Manager id of the object for which the event was created

object_type

Type of the object for which the event was created

target_host_id

The host id that was the target of the job that emitted the audit event

target_hostname

The hostname that was the target of the job that emitted the audit event

task_id

Internal PrivX Key Manager id of the related task

For example, to find all the jobs performed by the Key Manager administrator superuser:

$ ssh-mgr-client list-audit-events -F "admin_user=superuser"

As another example, to find all the jobs performed by superuser, list their date and audit_event_type, and sort the results by audit_event_type:

$ ssh-mgr-client list-audit-events -F "admin_user=superuser" \
-C date,audit_event_type,job_id -O audit_event_type

When searching for audit events by their date, you must provide a timestamp that matches the format used in the database (described in Filtering by Timestamp Fields). For example, to display all the audit events that occurred on 28th of January 2015, between 10:10 and 10:19:

$ ssh-mgr-client list-audit-events -F "date='2015-01-28 10:1'*"

show-audit-event

Syntax:

ssh-mgr-client show-audit-event -i <id> [options] \
[-vvv] [-U <url>] [-o <format>] [-C <columns>]

Displays the audit event with the given ID.

For output formatting (-C), you can use the same attributes that are available for the list-audit-events command (see list-audit-events).

Example:

$ ssh-mgr-client show-audit-event -i 3