Administrative Events
Audit started
Description of audit event: This event corresponds to system auditing being enabled. A log entry is generated by starting auditing from the CLI or the Web Interface.
Audit event message syntax:
<date> <time> <log_source> <user_name>[<host_address>]: "audit start" <result>
Example of log entry:
Aug 22 10:01:51 10.64.100.6 admin[moneyball.haivision.com]: "audit start" result=succeeded
Log entry generated by: Logged in user
System shutdown
Description of audit event: This event corresponds to shutdown and halt of the system. A log entry is generated by calling the shutdown command from the CLI.
Audit event message syntax:
<date> <time> <log_source> <process_name>[<process_id>]: shutting down for system halt
Example of log entry:
Aug 22 11:05:21 10.64.100.6 shutdown[965]: shutting down for system halt
Log entry generated by: shutdown process
System reboot
Description of audit event: This event corresponds to a reboot of the system. The log entry is generated by calling the reboot command from the CLI, or by clicking the Reboot button on the Administration or Network pages of the Web Interface.
Audit event message syntax:
<date> <time> <log_source> shutdown[<process_id>]: shutting down for system reboot
Example of log entry:
Aug 22 10:46:07 10.64.100.6 shutdown[5880]: shutting down for system reboot
Log entry generated by: shutdown process
Installing a firmware upgrade
Description of audit event: This event corresponds to the installation of a firmware upgrade package. A log entry is generated by successfully completing the installation of a new package either from the CLI or Web UI.
Audit event message syntax:
<date> <time> <log_source> package: "Software package <hai_package_fname> was successfully installed."
Example of log entry:
Aug 17 14:59:00 10.64.100.6 package: "Software package haios_enc_v2.1.0-14.hai was successfully installed."
Log entry generated by: package process
Additional fields:
<hai_package_fname>
Name of the firmware upgrade package being installed.
Changing network settings
Description of audit event: This event corresponds to changing settings such as Hostname, IP address, DNS settings, NTP server settings, Timezone, etc.
IP address
Audit event message syntax:
<date> <time> <log_source> ipconfig: Device IP address changed to <new_ipaddress>, netmask <new_netmask>, default gateway <new_gateway>, by user <user_name>.
Example of log entry:
Aug 22 16:01:26 10.64.100.6 ipconfig: Device IP address changed to 10.64.100.6, netmask 255.255.0.0, default gateway 10.64.0.1, by user admin.
Additional fields:
<new_ipaddress>
The new IP address that was set for the encoder or decoder.
<new_netmask>
The new netmask that was set for the encoder or decoder.
<new_gateway>
The new gateway address that was set for the encoder or decoder.
Hostname
Audit event message syntax:
<date> <time> <log_source> ipconfig:Hostname of device changed to "<new_hostname>" by user <user_name>.
Example of log entry:
Aug 22 15:51:34 10.64.100.6 ipconfig:Hostname of device changed to "newHostname" by user admin.
Additional fields:
<new_hostname>
The new hostname that was set for the encoder or decoder.
DHCP settings
Audit event message syntax:
<date> <time> <log_source> ipconfig: Device configured to use DHCP for automatic network configuration by user <user_name>.
Example of log entry:
Aug 22 15:57:41 10.64.100.6 ipconfig: Device configured to use DHCP for automatic network configuration by user admin.
DNS settings
Audit event message syntax:
<date> <time> <log_source> ipconfig: DNS settings of device changed; domain name is <domain_name>, DNS server address is <DNS_address>, by user <user_name>.
Example of log entry:
Aug 22 15:51:34 10.64.100.6 ipconfig: DNS settings of device changed; domain name is "haivision.com", DNS server address is 10.64.0.1, by user admin
Additional fields:
<domain_name>
The new domain name that was set for the encoder or decoder.
<DNS_address>
The new DNS address that was set for the encoder or decoder.
NTP server settings
Audit event message syntax:
<date> <time> <log_source> ipconfig: NTP server setting for device changed to "<NTP_server>" by user <user_name>.
Example of log entry:
Aug 22 15:51:34 10.64.100.6 ipconfig: NTP server setting for device changed to "10.64.0.1" by user admin.
Additional fields:
<NTP_server>
The new NTP server that was set for the encoder or decoder.
Timezone settings
Audit event message syntax:
<date> <time> <log_source> ipconfig: Timezone of device changed to "<new_timezone>" by user <user_name>.
Example of log entry:
Aug 22 15:51:34 10.64.100.6 ipconfig: Timezone of device changed to "America/Montreal" by user admin.
Additional fields:
<new_timezone>
The new time zone that was set for the encoder or decoder.
Log entry generated by: ipconfig process
Logging in via CLI
The following events correspond to actions associated with logging in via the CLI.
Successful SSH login
Description of audit event: This event corresponds to a successful login to the system via SSH.
Audit event message syntax:
<date> <time> <log_source> sshd[<process_id>]: pam_unix(sshd:session): session opened for user <user_name> by (uid=0)
Example of log entry:
Aug 22 12:33:09 10.64.100.6 sshd[1206]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Log entry generated by: sshd process
Failed SSH login
Description of audit event: This event corresponds to a failed attempt to log in to the system via SSH.
Audit event message syntax:
<date> <time> <log_source> sshd[<process_id>]: error: PAM:Authentication failure for <user_name> from <host_address>
Example of log entry:
Aug 22 12:35:44 10.64.100.6 sshd[1246]: error: PAM:Authentication failure for admin from moneyball.haivision.com
Log entry generated by: sshd process
Successful serial port login
Description of audit event: This event corresponds to a successful login to the system via the serial port.
Audit event message syntax:
<date> <time> <log_source> login[<process_id>]: pam_unix(login:session): session opened for user <user_name> by LOGIN(uid=0)
Example of log entry:
Aug 22 12:40:39 10.64.100.6 login[1250]: pam_unix(login:session): session opened for user admin by LOGIN(uid=0)
Log entry generated by: login process
Failed serial port login
Description of audit event: This event corresponds to a failed attempt to log in to the system via the serial port.
Audit event message syntax:
<date> <time> <log_source> login[<process_id>]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tts/0 ruser= rhost= user=<user_name>
Example of log entry:
Aug 22 12:43:50 10.64.100.6 login[1286]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tts/0 ruser= rhost= user=admin
Log entry generated by: login process
Logging in via the Web Interface
The following events correspond to actions associated with logging in via the Web UI.
Successful Web UI login
Description of audit event: This event corresponds to a successful login to the system via the web interface.
Audit event message syntax:
<date> <time> <log_source> web.cgi: pam_unix(wci:session): session opened for user <user_name> by (uid=0)
Example of log entry:
Aug 22 12:50:55 10.64.100.6 web.cgi: pam_unix(wci:session): session opened for user admin by (uid=0)
Log entry generated by: web.cgi process
Failed Web UI login
Description of audit event: This event corresponds to a failed attempt to log in to the system via the web interface.
Audit event message syntax:
<date> <time> <log_source> web.cgi: pam_unix(wci:auth): authentication failure; logname= uid=0 euid=0 tty=wci/X ruser= rhost=<host_address> user=<user_name>
Example of log entry:
Aug 22 12:53:59 10.64.100.6 web.cgi: pam_unix(wci:auth): authentication failure; logname= uid=0 euid=0 tty=wci/X ruser= rhost=10.64.104.80 user=admin
Log entry generated by: web.cgi process
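The three failed-login formats above (SSH, serial port, Web UI) can be normalized into one record for alerting. The following is an added example, not Haivision code: the function names, the threshold of 3 and the last two sample lines are assumptions made for illustration, and the other sample lines are adapted from the examples on this page.

```python
import re
from collections import Counter

# <date> <time> <log_source> <process>[<pid>]: <message>; pid and the space after ":" are optional
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) "
    r"(?P<proc>[\w.]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
SSH_FAIL = re.compile(r"error: PAM:\s*Authentication failure for (?P<user>\S+) from (?P<host>\S+)")
PAM_FAIL = re.compile(r"pam_unix\((?P<svc>login|wci):auth\):\s*authentication failure;(?P<kv>.*)")
CHANNEL = {"login": "serial", "wci": "web"}

def parse_failure(line):
    """Return device/channel/user/origin for a failed-login entry, or None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    if m["proc"] == "sshd" and (f := SSH_FAIL.search(m["msg"])):
        return {"device": m["device"], "channel": "ssh", "user": f["user"], "origin": f["host"]}
    if f := PAM_FAIL.search(m["msg"]):
        # Trailing key=value pairs; empty ones such as "rhost=" parse to "".
        kv = dict(p.split("=", 1) for p in f["kv"].split() if "=" in p)
        # Serial logins carry no remote host, so fall back to the tty.
        origin = kv.get("rhost") or kv.get("tty", "")
        return {"device": m["device"], "channel": CHANNEL[f["svc"]],
                "user": kv.get("user", ""), "origin": origin}
    return None

def repeated_failures(lines, threshold=3):
    """Count failures per (device, channel, user, origin); return those at or over threshold."""
    counts = Counter()
    for line in lines:
        if ev := parse_failure(line):
            counts[(ev["device"], ev["channel"], ev["user"], ev["origin"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# First four lines are adapted from this page's examples; the last two are constructed repeats.
SAMPLE = [
    "Aug 22 12:35:44 10.64.100.6 sshd[1246]: error: PAM:Authentication failure for admin from moneyball.haivision.com",
    "Aug 22 12:43:50 10.64.100.6 login[1286]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tts/0 ruser= rhost= user=admin",
    "Aug 22 12:53:59 10.64.100.6 web.cgi: pam_unix(wci:auth): authentication failure; logname= uid=0 euid=0 tty=wci/X ruser= rhost=10.64.104.80 user=admin",
    "Aug 22 12:50:55 10.64.100.6 web.cgi: pam_unix(wci:session): session opened for user admin by (uid=0)",
    "Aug 22 12:54:03 10.64.100.6 web.cgi: pam_unix(wci:auth): authentication failure; logname= uid=0 euid=0 tty=wci/X ruser= rhost=10.64.104.80 user=admin",
    "Aug 22 12:54:09 10.64.100.6 web.cgi: pam_unix(wci:auth): authentication failure; logname= uid=0 euid=0 tty=wci/X ruser= rhost=10.64.104.80 user=admin",
]

if __name__ == "__main__":
    for key, n in repeated_failures(SAMPLE).items():
        print(n, "failed logins:", key)
```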
Enabling services
Description of audit event: This event corresponds to the enabling, via CLI or Web UI, of one of the following services: SSH, HTTP, RTSP, SNMP, Telnet, Talkback, VF.
Audit event message syntax:
<date> <time> <log_source> service: <service_name> service started and enabled at system startup by <user_name> at <host_address>.
Example of log entry:
Aug 22 13:03:44 10.64.100.6 service: snmp service started and enabled at system startup by admin at 10.64.104.80.
Log entry generated by: service process
Disabling services
Description of audit event: This event corresponds to the disabling, via CLI or Web UI, of one of the following services: SSH, HTTP, RTSP, SNMP, Telnet, Talkback, VF.
Audit event message syntax:
<date> <time> <log_source> service: <service_name> service stopped by <user_name> at <host_address>.
Example of log entry:
Aug 22 13:03:41 10.64.100.6 service: snmp service stopped by admin at 10.64.104.80.
Log entry generated by: service process
Creating administrative user accounts
Description of audit event: This event corresponds to the creation of users with an administrative role. A log entry is generated by an attempt to create such an account using the CLI account command or the Web Interface accounts page.
Audit event message syntax:
<date> <time> <log_source> <user_name>[<host_address>]: "account <target_user> create role=admin" <event_result>
Example of log entry:
Aug 22 14:23:18 10.64.100.6 admin[moneyball.haivision.com]: "account testadmin create role=admin" result=succeeded
Log entry generated by: Logged in admin user (<user_name>)
Deleting administrative user accounts
Description of audit event: This event corresponds to the deletion of users with an administrative role. A log entry is generated by an attempt to delete such an account using the CLI account command or the Web Interface accounts page.
Audit event message syntax:
<date> <time> <log_source> <user_name>[<host_address>]: "account <target_user> delete" <event_result>
Example of log entry:
Aug 22 14:33:52 10.64.100.6 admin[moneyball.haivision.com]: "account testadmin delete" result=succeeded
Log entry generated by: Logged in admin user (<user_name>)
Changing user passwords
Description of audit event: This event corresponds to the changing of a user password. A log entry is generated by an attempt to change a user password using the CLI account command or the Web Interface accounts page.
Audit event message syntax:
<date> <time> <log_source> <user_name>[<host_address>]: "account <target_user> passwd" <event_result>
Example of log entry:
Aug 22 14:44:07 10.64.100.6 admin[moneyball.haivision.com]: "account testadmin passwd" result=succeeded
Log entry generated by: Logged in admin user (<user_name>)
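The quoted-command entries (audit start and the account create, delete and passwd events) share one shape in which the bracket holds the operator's host rather than a process id. The following added example, which is not Haivision code, parses that shape and extracts account changes; the function and field names are assumptions, the sample lines are the example entries from this page, and treating any result other than "succeeded" as unsuccessful is also an assumption.

```python
import re

# <date> <time> <log_source> <user_name>[<host_address>]: "<command>" result=<value>
ADMIN_CMD = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) '
    r'(?P<actor>[^\[\s]+)\[(?P<origin>[^\]]+)\]:\s*"(?P<cmd>[^"]*)"\s*result=(?P<result>\S+)$'
)
ACCOUNT = re.compile(
    r"^account (?P<target>\S+) (?P<action>create|delete|passwd)(?: role=(?P<role>\S+))?\s*$"
)

def parse_admin_command(line):
    """Parse a quoted-command audit entry; return None for process[pid] style lines."""
    m = ADMIN_CMD.match(line.strip())
    # In these entries the bracket holds the operator's host, never a numeric process id.
    if not m or m["origin"].isdigit():
        return None
    ev = m.groupdict()
    acct = ACCOUNT.match(ev["cmd"])
    ev["account"] = acct.groupdict() if acct else None
    return ev

def account_changes(lines):
    """Return account create/delete/passwd events in log order as flat records."""
    changes = []
    for line in lines:
        ev = parse_admin_command(line)
        if not ev or not ev["account"]:
            continue
        acct = ev["account"]
        changes.append({
            "when": ev["ts"], "device": ev["device"],
            "actor": ev["actor"], "origin": ev["origin"],
            "action": acct["action"], "target": acct["target"],
            "grants_admin": acct["action"] == "create" and acct["role"] == "admin",
            "succeeded": ev["result"] == "succeeded",  # assumption: other values mean failure
        })
    return changes

# Sample input: example entries from this page.
SAMPLE = [
    'Aug 22 10:01:51 10.64.100.6 admin[moneyball.haivision.com]: "audit start" result=succeeded',
    'Aug 22 14:23:18 10.64.100.6 admin[moneyball.haivision.com]: "account testadmin create role=admin" result=succeeded',
    'Aug 22 14:33:52 10.64.100.6 admin[moneyball.haivision.com]: "account testadmin delete" result=succeeded',
    'Aug 22 14:44:07 10.64.100.6 admin[moneyball.haivision.com]: "account testadmin passwd" result=succeeded',
    "Aug 22 12:33:09 10.64.100.6 sshd[1206]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
]

if __name__ == "__main__":
    for change in account_changes(SAMPLE):
        print(change)
```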
Logging out (manually and after a timeout)
The following events correspond to logging out of a session, whether manually or after it has timed out.
Logging out from the Web UI
Description of audit event: This event corresponds to manually logging out of a session opened from the web interface.
Audit event message syntax:
<date> <time> <log_source> web.cgi: pam_unix(wci:session): session closed for user <user_name>
Example of log entry:
Aug 22 14:54:05 10.64.100.6 web.cgi: pam_unix(wci:session): session closed for user admin
Log entry generated by: web.cgi process
Logging out from the serial port
Description of audit event: This event corresponds to manually logging out of a session opened from the serial port.
Audit event message syntax:
<date> <time> <log_source> login[<process_id>]: pam_unix(login:session): session closed for user <user_name>
Example of log entry:
Aug 22 14:55:11 10.64.100.6 login[1287]: pam_unix(login:session): session closed for user admin
Log entry generated by: login process
Logging out from SSH
Description of audit event: This event corresponds to manually logging out of a session opened via SSH.
Audit event message syntax:
<date> <time> <log_source> sshd[<process_id>]: pam_unix(sshd:session): session closed for user <user_name>
Example of log entry:
Aug 22 14:56:57 10.64.100.6 sshd[1470]: pam_unix(sshd:session): session closed for user admin
Log entry generated by: sshd process