All audit data recorded by CyberArk Conjur is kept within the Conjur Master and is immutable. You can view it through the Conjur UI, the Conjur CLI, or by forwarding syslog to a SIEM.
# View the last 10 audit events for the variable 'dev/mongo/password'
$ conjur audit resource -s -l 10 variable:dev/mongo/password
[2015-12-04 22:09:19 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-12-01 12:20:34 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-11-30 19:21:14 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-11-30 15:15:22 UTC] conjur:host:dev/redis001 checked that they can
execute conjur:variable:dev/mongo/password (false)
[2015-11-29 22:22:21 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-11-27 21:52:02 UTC] conjur:user:alice checked that they can
update conjur:variable:dev/mongo/password (true)
[2015-11-25 15:41:29 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-11-22 04:28:51 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-11-21 19:36:28 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-11-21 16:38:57 UTC] conjur:host:dev/mongo001 checked that they can
execute conjur:variable:dev/mongo/password (true)
[2015-11-20 16:52:02 UTC] conjur:user:dennis checked that they can
read conjur:variable:dev/mongo/password (false)
On a Conjur appliance, a tailer is set up by default that prints all audit messages to /var/log/conjur/audit.messages. Logrotate is configured so that the file is rotated daily (with the service restarted as appropriate). This is already set up when running the Conjur AMI.
If running Conjur as a Docker container, volume mount the directory /var/log/conjur to the host like so:
$ docker run -d --restart always \
--name conjur-solo \
-p "443:443" -p "636:636" -p "5432:5432" -p "5433:5433" \
-v /var/log/conjur:/var/log/conjur \
conjur-appliance:4.9-stable
Pointing log aggregation tooling at that file sends Conjur audit events to the service as easily searchable JSON. Note that the log directory can be mounted at any path on the host running the Conjur container.
The Conjur appliance contains a service named audit-tail, a small utility which connects to the local Conjur database and follows the audit tail, printing messages in JSON format to stdout or to a file as they appear. It is designed to be robust: it remembers its place in the database and does not lose messages even if it is terminated. The output is a sequence of JSON objects, one per audit message, separated by newlines. Note that the output file as a whole is therefore not a well-formed JSON document; consumers must parse it line by line.
Because the automatically recorded audit trail contains only generic data, it can be limited in scope. To capture additional information about application workflow, custom events can be inserted into the audit log as well, using the Conjur API. A custom event might be used, for instance, to track the beginning and end of a rotation operation or to record the results of an LDAP synchronization.
Custom audit events are sent as JSON documents with these fields:
- action — the only mandatory field; the remaining fields are recommended
- facility — class of audit events
- role — role which performed the reported action
- resource_id — resource on which the action was performed
- allowed — whether the action succeeded (typically true/false)
- audit_message — brief description of the event, if needed
- error — error message in case of error
- timestamp — if provided, it should be in standard ISO format: "yyyy-MM-ddTHH:mm.ssZ"
Example
{
"action": "launch",
"facility": "infra",
"role": "demo:chatbot:hubot",
"resource_id": "demo:host:dev/frontend/web003",
"audit_message": "hubot launched host dev/frontend/web003",
"allowed": true
}
A JSON document can contain a single object or an array of objects. All important information about the submitting request itself (such as the Conjur identity, IP address, and timestamp) is preserved in the event, in addition to anything provided by the client.
Custom events appear in the audit output for a Conjur resource if any of the following are true:
- the field resource_id is set to <resource-id>
- the array resources includes <resource-id>
Custom events appear in the audit output for a Conjur role if any of the following are true:
- the field role is explicitly set to <role-id>
- the array roles includes <role-id>
- the ID of the actor submitting the event is <role-id>
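The following is an added example, not code from the Conjur documentation or product: it validates a custom-event request body against the field list above, parses an audit.messages dump line by line (the file as a whole is not a JSON document), and applies the resource and role matching rules just described. The name of the field in which Conjur records the submitting identity is not given on this page, so ACTOR_FIELD is an assumption, and the sample audit lines are constructed.

```python
import json
# Fields named in the docs: 'action' is mandatory, the rest recommended; the
# 'resources' / 'roles' arrays feed the resource and role matching rules.
KNOWN_FIELDS = {"action", "facility", "role", "resource_id", "allowed",
                "audit_message", "error", "timestamp", "resources", "roles"}
# Assumed name for the field holding the submitter's identity (preserved per the docs, unnamed).
ACTOR_FIELD = "user"

def validate_custom_events(doc):
    """Body may be one event or an array; reject unknown keys so a misspelt
    recommended field cannot silently vanish from the trail."""
    events = doc if isinstance(doc, list) else [doc]
    for i, ev in enumerate(events):
        if not isinstance(ev, dict) or not ev.get("action"):
            raise ValueError(f"event {i}: 'action' is mandatory")
        unknown = set(ev) - KNOWN_FIELDS
        if unknown:
            raise ValueError(f"event {i}: unknown fields {sorted(unknown)}")
    return events

def iter_audit_events(ndjson_text):
    """audit-tail writes one JSON object per line and the file as a whole is
    not JSON: parse per line, skipping blanks and a half-written last line."""
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # the tailer may still be writing this line

def concerns_resource(ev, resource_id):
    # Resource view rule: resource_id set to it, or the resources array includes it.
    return ev.get("resource_id") == resource_id or resource_id in ev.get("resources", [])

def concerns_role(ev, role_id):
    # Role view rule: role set to it, the roles array includes it, or the actor is it.
    return ev.get("role") == role_id or role_id in ev.get("roles", []) or ev.get(ACTOR_FIELD) == role_id

# Constructed sample of audit.messages: the docs' example event, a failed
# rotation reported via the array fields, a blank line and a truncated line.
SAMPLE_AUDIT_MESSAGES = "\n".join([
    json.dumps({"action": "launch", "facility": "infra", "role": "demo:chatbot:hubot",
                "resource_id": "demo:host:dev/frontend/web003", "allowed": True,
                ACTOR_FIELD: "demo:chatbot:hubot"}),
    json.dumps({"action": "rotate", "facility": "rotation", "allowed": False,
                "roles": ["demo:user:alice"], "resources": ["demo:variable:dev/mongo/password"],
                "error": "connection refused", ACTOR_FIELD: "demo:host:rotator"}),
    "", '{"action": "rotate", "facility": "rot'])
```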