Security Event Logging for Cloud Controller and UAA

Page last updated:

This topic describes how to enable and interpret security event logging for the Cloud Controller and the User Account and Authentication (UAA) server. Operators can use these logs to retrieve information about a subset of requests to the Cloud Controller and the UAA server for security or compliance purposes.

Cloud Controller Logging

The Cloud Controller logs security events to syslog. You must configure a syslog drain to forward your system logs to a log management service.

See the Configuring System Logging in Elastic Runtime topic for more information.

Format for Log Entries

Cloud Controller logs security events in the Common Event Format (CEF). CEF specifies the following format for log entries:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Entries in the Cloud Controller log use the following format:

CEF:CEF_VERSION|cloud_foundry|cloud_controller_ng|CC_API_VERSION|
SIGNATURE_ID|NAME|SEVERITY|rt=TIMESTAMP suser=USERNAME suid=USER_GUID
cs1Label=userAuthenticationMechanism cs1=AUTH_MECHANISM 
cs2Label=vcapRequestId cs2=VCAP_REQUEST_ID request=REQUEST
requestMethod=REQUEST_METHOD cs3Label=result cs3=RESULT 
cs4Label=httpStatusCode cs4=HTTP_STATUS_CODE src=SOURCE_ADDRESS 
dst=DESTINATION_ADDRESS cs5Label=xForwardedFor cs5=X_FORWARDED_FOR_HEADER

Refer to the following list for a description of the properties shown in the Cloud Controller log format:

  • CEF_VERSION: The version of CEF used in the logs.
  • CC_API_VERSION: The current Cloud Controller API version.
  • SIGNATURE_ID: The method and path of the request. For example, GET /v2/app:GUID.
  • NAME: The same as SIGNATURE_ID.
  • SEVERITY: An integer that reflects the importance of the event.
  • TIMESTAMP: The number of milliseconds since the Unix epoch.
  • USERNAME: The name of the user who originated the request.
  • USER_GUID: The GUID of the user who originated the request.
  • AUTH_MECHANISM: The user authentication mechanism. This can be oauth-access-token, basic-auth, or no-auth.
  • VCAP_REQUEST_ID: The VCAP request ID of the request.
  • REQUEST: The request path and parameters. For example, /v2/info?MY-PARAM=VALUE.
  • REQUEST_METHOD. The method of the request. For example, GET.
  • RESULT: The meaning of the HTTP status code of the response. For example, success.
  • HTTP_STATUS_CODE. The HTTP status code of the response. For example, 200.
  • SOURCE_ADDRESS: The IP address of the client who originated the request.
  • DESTINATION_ADDRESS: The IP address of the Cloud Controller VM.
  • X_FORWARDED_FOR_HEADER: The contents of the X-Forwarded-For header of the request. This is empty if the header is not present

Example Log Entries

The following list provides several example requests with the corresponding Cloud Controller log entries.

  • An anonymous GET request:

    CEF:0|cloud_foundry|cloud_controller_ng|2.54.0|GET /v2/info|GET 
    /v2/info|0|rt=1460690037402 suser= suid= request=/v2/info 
    requestMethod=GET src=127.0.0.1 dst=192.0.2.1 
    cs1Label=userAuthenticationMechanism cs1=no-auth cs2Label=vcapRequestId 
    cs2=c4bac383-7cc9-4d9f-b1c0-1iq8c0baa000 cs3Label=result cs3=success 
    cs4Label=httpStatusCode cs4=200 cs5Label=xForwardedFor 
    cs5=198.51.100.1
    
  • A GET request with basic authentication:

    CEF:0|cloud_foundry|cloud_controller_ng|2.54.0|GET /v2/syslog_drain_urls|GET
    /v2/syslog_drain_urls|0|rt=1460690165743 suser=bulk_api suid= 
    request=/v2/syslog_drain_urls?batch_size\=1000 requestMethod=GET 
    src=127.0.0.1 dst=192.0.2.1 cs1Label=userAuthenticationMechanism 
    cs1=basic-auth cs2Label=vcapRequestId cs2=79187189-e810-33dd-6911-b5d015bbc999
    ::eat1234d-4004-4622-ad11-9iaai88e3ae9 cs3Label=result cs3=success 
    cs4Label=httpStatusCode cs4=200 cs5Label=xForwardedFor cs5=198.51.100.1
    
  • A GET request with OAuth access token authentication:

    CEF:0|cloud_foundry|cloud_controller_ng|2.54.0|GET /v2/routes|GET 
    /v2/routes|0|rt=1460689904925 suser=admin suid=c7ca208f-8a9e-4aab-
    92f5-28795f86d62a request=/v2/routes?inline-relations-depth\=1&q\=
    host%3Adora%3Bdomain_guid%3B777-1o9f-5f5n-i888-o2025cb2dfc3 
    requestMethod=GET src=127.0.0.1 dst=192.0.2.1 
    cs1Label=userAuthenticationMechanism cs1=oauth-access-token 
    cs2Label=vcapRequestId cs2=79187189-990i-8930-52b2-9090b2c5poz0
    ::5a265621-b223-4520-afae-ab7d0ee7c75b cs3Label=result cs3=success 
    cs4Label=httpStatusCode cs4=200 cs5Label=xForwardedFor cs5=198.51.100.1
    
  • A GET request that results in a 404 error:

    CEF:0|cloud_foundry|cloud_controller_ng|2.54.0|GET /v2/apps/7f310103-
    39aa-4a8c-b92a-9ff8a6a2fa6b|GET /v2/apps/7f310103-39aa-4a8c-b92a-
    9ff8a6a2fa6b|0|rt=1460691002394 suser=bob suid=a00i2026-55io-3983-
    555o-40e611410aec request=/v2/apps/7f310103-39aa-4a8c-b92a-9ff8a6a2fa6b 
    requestMethod=GET src=127.0.0.1 dst=192.0.2.1 
    cs1Label=userAuthenticationMechanism cs1=oauth-access-token cs2Label=vcapRequestId 
    cs2=49f21579-9eb5-4bdf-6e49-e77d2de647a2::9f8841e6-e04a-498b-b3ff-d59cfe7cb7ea 
    cs3Label=result cs3=clientError cs4Label=httpStatusCode cs4=404 
    cs5Label=xForwardedFor cs5=198.51.100.1
    
  • A POST request that results in a 403 error:

    CEF:0|cloud_foundry|cloud_controller_ng|2.54.0|POST /v2/apps|POST 
    /v2/apps|0|rt=1460691405564 suser=bob suid=4f9a33f9-fb13-4774-a708-
    f60c939625cd request=/v2/apps?async\=true requestMethod=POST 
    src=127.0.0.1 dst=192.0.2.1 cs1Label=userAuthenticationMechanism 
    cs1=oauth-access-token cs2Label=vcapRequestId cs2=booc03111-9999-4003-88ab-
    20i9r33333ou::5a4993fc-722f-48bc-aff4-99b2005i9bb5 cs3Label=result 
    cs3=clientError cs4Label=httpStatusCode cs4=403 cs5Label=xForwardedFor 
    cs5=198.51.100.1
    

UAA Logging

UAA logs security events to a file located at /var/vcap/sys/log/uaa/uaa.log on the UAA virtual machine (VM). Because these logs are automatically rotated, you must configure a syslog drain to forward your system logs to a log management service.

See the Configuring System Logging in Elastic Runtime topic for more information.

Log Events

UAA logs identify the following categories of events:

  • Authorization and Password Events
  • SCIM Administration Events
  • Token Events
  • Client Administration Events
  • UAA Administration Events

To learn more about the names of the events included in these categories and the information they record in the UAA logs, see User Account and Authentication Service Audit Requirements.

Example Log Entries

The following sections provide several example requests with the corresponding UAA log entries.

Successful User Authentication

Audit: TokenIssuedEvent ('["openid","scim.read","uaa.user",
"cloud_controller.read","password.write","cloud_controller.write",
"scim.write"]'): principal=a42026d6-5533-1884-eef2-838abcd0i3e3, 
origin=[client=cf, user=bob], identityZoneId=[uaa]
  • This entry records a TokenIssuedEvent.
  • UAA issued a token associated with the scopes "openid","scim.read","uaa.user", "cloud_controller.read","password.write","cloud_controller.write","scim.write" to the user bob.

Failed User Authentication

Audit: UserAuthenticationFailure ('bob@example.com'): 
principal=61965469-c821-46b7-825f-630e12a51d6c, 
origin=[remoteAddress=198.51.100.1, clientId=cf], 
identityZoneId=[uaa]
  • This entry records a UserAuthenticationFailure.
  • The user bob@example.com originating at 198.51.100.1 failed to authenticate.

Successful User Creation

Audit: UserCreatedEvent ('["user_id=61965469-c821-
46b7-825f-630e12a51d6c","username=bob@example.com"]'): 
principal=91220262-d901-44c0-825f-633i33b55d6c, 
origin=[client=cf, user=admin, details=(198.51.100.1, 
tokenType=bearertokenValue=<TOKEN>, 
sub=20i03423-dd8e-33e1-938d-e9999e30f500, 
iss=https://uaa.example.com/oauth/token)], identityZoneId=[uaa]
  • This entry records a UserCreatedEvent.
  • The admin user originating at 198.51.100.1 created a user named bob@example.com.

Successful User Deletion

Audit: UserDeletedEvent ('["user_id=61965469-c821-
46b7-825f-630e12a51d6c","username=bob@example.com"]'): 
principal=61965469-c821-46b7-825f-630e12a51d6c, 
origin=[client=admin, details=(remoteAddress=198.51.100.1, 
tokenType=bearertokenValue=<TOKEN>, 
sub=admin, iss=https://uaa.example.com/oauth/token)], identityZoneId=[uaa]
  • This entry records a UserDeletedEvent.
  • The admin user originating at 198.51.100.1 deleted a user named bob@example.com.
Create a pull request or raise an issue on the source for this page in GitHub