Event Log (a.k.a. Audit Trail)



Event Logging is a rather multi-pronged subject. This chapter covers the most important operative aspects of it and tries to help in understanding how Event Logging works in practice.

Event Log is also often called Audit Trail. Technically they are the same and the difference is only in the semantics. The term Audit Trail emphasises the permanent role of the Event Log. Storing everything in the Event Log permanently is seldom practical, but sometimes there are regulatory reasons to do so. To fulfil all requirements, it is possible to define the period of time for which log items are stored. Furthermore, some log items are marked for long-term retention, so those are stored for a longer period of time. There are also some Event Log items which are stored permanently. All this is covered in more detail below.

Event Log rotation settings

Event Log rotation settings are system-wide. These settings can be found at System Preferences > Diagnostics > Event Logs tab. The Portal Admin role is required to change these settings.

onePortal™-wide Event Log rotation settings

Tech Tip: Technically, Event Log entries are stored in a separate database due to their large volume compared to the actual application data stored in the main database. Very often Event Logs make up over 99.9 % of the stored data. There are numerous other technical reasons for this split, which are covered in the onePortal™ technical documentation.

When is an event logged?

To decide if an event is logged or not, the main criterion is the Severity Level of an event. In total there are 6 severity levels: Debug, Informational, Warning, Error, Critical, Fatal. Debug is the least severe, and Fatal is the most severe.

For each namespace there is a setting for the minimum Severity Level an event must have in order to be logged. Any events which are less severe, or less important, are not logged. By default Warning and more severe events are logged. This is also recommended for normal daily operation. For stricter auditing requirements, use level Information. Debug is, as the name suggests, only meant for debugging and trouble-shooting purposes for a short time.

The severity levels are discussed in more detail in a Technical Documentation article.

For how long are the logged events stored?

To answer this, we need to cover the Event Log item life-time.

Event Log is split into two parts by this life-time:

  1. General Event Log; stores the vast majority of all logged items.

  2. Long life-time and Security Event Log; stores security-related and some other log items for a longer time.

Both Event Log parts have ten different retention time values from 1 day to Indefinitely for General events, and from 1 year to Indefinitely for Long life-time and Security events.

There is a scheduling service in the platform, which purges (permanently deletes) log items when they expire.

General Event Log items

This is the default classification for all Event Log items. Unless otherwise stated, all Event Log items are of type General.

Because there are common legal or compliance reasons to store some Event Log items much longer, there is another classification available.

General Event Log item deletion (purge) scheduling is triggered when the item is logged, i.e. the life-time of an object such as a user account is independent of the life-time of these log items.

Long life-time Event Log items

Note that long life-time Event Log item deletion (purge) scheduling is triggered when the object is deleted permanently (hard-delete).

The long life-time Event Log items are currently the following:

  • Create, modify, and delete a namespace (over REST and on Management UI)

  • Create, modify, and delete a user account (over REST and on Management UI)

  • Create, modify, and delete a group (over REST and on Management UI)

  • Create, modify, and delete a group policy (over REST and on Management UI)

  • Create, modify, and delete a custom role (over REST and on Management UI)

  • Create, modify, and delete an authorisation (over REST and on Management UI)

  • Create, modify, and delete a contract (over REST and on Management UI)

  • Create, modify, and delete a Management API client (on Management UI)

  • Create, modify, and delete an OpenID client (on Management UI)

  • Create, modify, and delete a user directory (on Management UI)

  • Following modify actions for user account over any means (REST or Management UI):

    • change password (success and failure)

    • recover password (success and failure)

    • enable MFA, disable MFA

    • lock account (any reason), unlock account

  • Sign-in to and sign-out from Management UI for user account

Strike-through items above are currently being logged as General Event Log items.

The long life-time counting starts at the deletion of an object.

Permanent Event Log items

This category of Event Log items is for special purpose use. It contains rather few items, currently only the following:

  • System initial setup and initial database deployment, normally a one-time event, and the very first event log item ever

  • Cluster node (server appliance) startup (always), and shutdown (when possible)
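The retention rules above, as an added model written for this chapter (it is not onePortal™ code): a per-namespace severity filter, and the purge-time calculation for the three classifications, where General items count from the time they were logged, long life-time items count only from the hard-delete of their object, and Permanent items are never purged. The retention periods in RETENTION are constructed sample values, not the product's defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    """The six severity levels, least to most severe."""
    DEBUG = 0
    INFORMATIONAL = 1
    WARNING = 2
    ERROR = 3
    CRITICAL = 4
    FATAL = 5


# Retention classifications of a log item.
GENERAL, LONG_LIFETIME, PERMANENT = "general", "long_lifetime", "permanent"

# Constructed retention settings, not the product's real defaults:
# General 30 days, Long life-time and Security 7 years, Permanent never purged.
RETENTION = {
    GENERAL: timedelta(days=30),
    LONG_LIFETIME: timedelta(days=7 * 365),
    PERMANENT: None,  # "Indefinitely"
}


@dataclass
class LogItem:
    severity: Severity
    classification: str
    logged_at: str                           # ISO 8601 timestamp
    object_deleted_at: Optional[str] = None  # hard-delete time of the related object


def should_log(namespace_min_level: Severity, event_level: Severity) -> bool:
    """Per-namespace filter: an event is logged only at or above the minimum level."""
    return event_level >= namespace_min_level


def purge_at(item: LogItem) -> Optional[datetime]:
    """Earliest time the purge service may delete the item; None means never.
    General items count from when they were logged. Long life-time items count
    from the hard-delete of their object, so they survive as long as the object
    does. Permanent items (and any class set to Indefinitely) are never purged."""
    period = RETENTION[item.classification]
    if period is None:
        return None
    if item.classification == LONG_LIFETIME:
        if item.object_deleted_at is None:
            return None  # object still exists: retention clock has not started
        return datetime.fromisoformat(item.object_deleted_at) + period
    return datetime.fromisoformat(item.logged_at) + period


def is_expired(item: LogItem, now: str) -> bool:
    """True if the item is due for purging at ISO timestamp `now`."""
    due = purge_at(item)
    return due is not None and datetime.fromisoformat(now) >= due
```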

Management UI settings for item life-time

These settings are system-wide.

There are a few settings which define the behaviour of removing Event Log items:

  • Value to be used for the currently active signed-in namespace: Namespace > Miscellaneous > Logging

    • User account with role Namespace Admin is able to change this setting.

  • Default setting value to be used for new namespaces created in the future: System Preferences > Diagnostics > Event Logs

    • User account with role Portal Admin is able to change this setting.

  • Value to be used for a selected namespace: Namespaces > select namespace > Edit namespace > Miscellaneous > Logging – value to be used for this particular namespace.

    • User account with role Portal Admin is able to change this setting.

Setting the minimum log entry severity level for namespace

Severity level for event logging for namespaces is defined in two places:

  • Value to be used for the currently active namespace: Namespace > Miscellaneous > Logging

    • User account with role Namespace Admin is able to change this setting.

  • Value to be used for a selected namespace: All namespaces > select namespace > Edit namespace > Miscellaneous > Logging – value to be used now for this particular organisation

    • Only user account with role Portal Admin is able to change this setting.

  • Value to be used for new namespaces created in the future: System Preferences > New namespace > Defaults > Miscellaneous > Logging

    • Only user account with role Portal Admin is able to change this default setting.

The setting is effective immediately after saving it.

Where can the Event Log entries be found and exported?

All Event Log entries are viewed in the same place. Select the Main Menu entry Event Log. It is possible to filter events.

The screenshot shows the view where the filtering criteria for viewing log events are selected, at Event Logs > Log Level > Level filter. Debug is mostly used for diagnostics and troubleshooting, while Fatal is intended to be the last log entry written when the system goes offline for some reason.

Not all user accounts are allowed to view all entries. User accounts with either role Namespace Admin or Namespace Auditor are able to see all event items related to their own namespace. User accounts with Portal Admin or Portal Auditor role may view all Event Log items.

On the Actions menu, there is an option to export the Event Log items currently on screen.

Adding an information note to Event Log

Due to regulatory reasons or corporate policy, there are occasional reasons to manually add notes to the Event Log. An example is to clarify another event in the log. As no log items may be removed other than by expiry of their retention period, adding another item to the log is the proper way to make clarifications and corrections.

Add a note by opening the Actions menu on the Event Log and selecting “Add informative Event Log note”.

A dialogue will open where the note can be entered or pasted from clipboard.

The added entry will have the Event ID “Admin.EventLog.Note” to make these log items easier to find.

Any note added will be of severity level Information, and it will be logged regardless of the minimum severity level setting of the organisation.

A user account with any of the following roles may add this note: Portal Admin, Portal Auditor, Namespace Admin, and Namespace Auditor.