Remediate audit log

The Remediate audit log records key events in the system in a central location.

The audit log records the following events:

  • Failed login attempts
  • Successful login attempts
  • Creation of a new user
  • Removal of a user
  • Addition of a data source
  • Addition of credentials
  • Removal of a data source or credential
  • Discovery Events - this includes discovery events from VR sources.
  • Running of a Task
  • Upload of a custom task
  • Removal of a custom task
  • Accept Risk events

Accessing the audit log

The audit log can be accessed by running the mayday command (see Configuring Remediate for more details). Alternatively, you can copy the log files to the Docker host by using the following command:

docker cp `docker ps -f name=remediate_audit --format "{{.ID}}"`:/app/log_vol/. ./

Log file format and samples

Each entry in the log file is a single-line JSON object with the following format:

{"msg":"<Message>","source":"<Service Name>","timestamp":"<Timestamp>","type":"<Event Type>","user":"<username>"}

For example:

{"msg":"SSH credential (e405e192-d73d-4a74-8e98-635208155cc6) added","source":"controller","timestamp":"2020-05-01 10:36:49.7111308 +0000 UTC m=+759.485022701","type":"CREDENTIALS_ADDED","user":"admin"}


{"msg":"Accepting Risk for vuln '38738' on 1 hosts","source":"controller","timestamp":"2020-09-10 15:10:52.4962584 +0000 UTC m=+8173.421309601","type":"RISK_ACCEPTED","user":"admin"}
{"msg":"Risk Acceptance '1' created for vuln '38738'","source":"controller","timestamp":"2020-09-10 15:10:52.5188046 +0000 UTC m=+8173.443854301","type":"RISK_ACCEPTED","user":"admin"}
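The following is an added example, not part of the Remediate documentation or product: a small parser for the one-JSON-object-per-line format above that normalises the Go-style "timestamp" field, counts events per type and user, and pulls out the vulnerability IDs whose risk was accepted, so the entries an auditor most wants to review can be listed. The sample input reuses the three lines shown above plus one constructed malformed line; the field names are those from the format description.

```python
import json
import re
from collections import Counter
from datetime import datetime

REQUIRED = ("msg", "source", "timestamp", "type", "user")
# Go time.Time string, e.g. "2020-05-01 10:36:49.7111308 +0000 UTC m=+759.485022701";
# the trailing "m=+..." monotonic-clock reading is not part of the wall-clock time.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d+))? ([+-]\d{4})")
_VULN = re.compile(r"vuln '([^']+)'")

def parse_timestamp(value):
    """Aware datetime; Go's 7-digit fraction is truncated to microseconds."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, offset = m.groups()
    ts = datetime.strptime(base + offset, "%Y-%m-%d %H:%M:%S%z")
    return ts.replace(microsecond=int((frac or "0")[:6].ljust(6, "0")))

def parse_line(line):
    """One JSON event per line; ValueError on bad JSON or missing fields."""
    event = json.loads(line)
    if any(k not in event for k in REQUIRED):
        raise ValueError(f"missing fields in {line!r}")
    event["timestamp"] = parse_timestamp(event["timestamp"])
    return event

def summarise(lines):
    """Count events per (type, user); collect vuln IDs whose risk was accepted."""
    counts, accepted, malformed = Counter(), set(), 0
    for line in filter(str.strip, lines):
        try:
            event = parse_line(line)
        except ValueError:
            malformed += 1  # damaged lines are counted, not silently dropped
            continue
        counts[(event["type"], event["user"])] += 1
        if event["type"] == "RISK_ACCEPTED":
            accepted.update(_VULN.findall(event["msg"]))
    return counts, accepted, malformed

# The three sample lines from the page above plus one constructed malformed line.
SAMPLE = """\
{"msg":"SSH credential (e405e192-d73d-4a74-8e98-635208155cc6) added","source":"controller","timestamp":"2020-05-01 10:36:49.7111308 +0000 UTC m=+759.485022701","type":"CREDENTIALS_ADDED","user":"admin"}
{"msg":"Accepting Risk for vuln '38738' on 1 hosts","source":"controller","timestamp":"2020-09-10 15:10:52.4962584 +0000 UTC m=+8173.421309601","type":"RISK_ACCEPTED","user":"admin"}
{"msg":"Risk Acceptance '1' created for vuln '38738'","source":"controller","timestamp":"2020-09-10 15:10:52.5188046 +0000 UTC m=+8173.443854301","type":"RISK_ACCEPTED","user":"admin"}
{"msg":"constructed malformed line with no closing brace"
"""
COUNTS, ACCEPTED, MALFORMED = summarise(SAMPLE.splitlines())
```

Point `summarise` at the lines of a file copied out with the docker cp command above to get the same per-user breakdown for a real log.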