Security Audit Trail & System Log Integration

Cockpit records a secure history of every administrative action, login attempt, and configuration change. This is essential for tracing security incidents and tracking system changes.


What is an Audit Trail? 📝

💡 Analogy: The Flight Recorder (Black Box)

Think of the security audit trail like an airplane's black-box flight recorder. It silently records every single button the pilots (administrators) press and every response from the airplane (servers). If a virtual machine goes missing or a setting is changed incorrectly, you don't have to guess what happened—you open the flight recorder and see the exact chronological list of actions.

The system automatically records the following events:

  • Logging In & Out: Successful logins, logouts, password resets, failed login attempts, and locked accounts.
  • Virtual Machine Actions: Who created, deleted, started, stopped, or migrated a virtual machine.
  • Network & Disk Changes: Creating network bridges, formatting storage pools, or registering new storage connections.
  • Permission Changes: Creating user accounts, changing user groups, or assigning permissions scoped to specific folders.

Log Format: What is recorded?

Every log entry contains these key details so you have the full picture:

  • Timestamp: The exact date and time (in high-precision UTC time) when the action occurred.
  • Subject (Who did it?): The username and network IP address of the administrator who triggered the action.
  • Action (What happened?): The specific command or API call (e.g., VM_POWER_OFF or USER_CREATED).
  • Object (To what?): The unique identification code and name of the resource that was changed (e.g., VM sales-reporting-app).
  • Status: Whether the action succeeded, failed (with error messages), or was blocked because the user lacked permissions.

Forwarding Logs to a Security Warehouse (SIEM)

In large organizations, security teams collect logs in a central platform called a SIEM (Security Information and Event Management system, such as Splunk or Elasticsearch) to watch for security events across the entire company.

💡 Analogy: Streaming Telemetry to Land

Instead of keeping the flight logs only inside the airplane's black box (which could be lost if the server goes down), Cockpit can stream a live copy of every log entry to your company's central security control center.

How to set up log streaming (Syslog):

  1. Log into Cockpit as an administrator.
  2. Navigate to Settings > System > Syslog Forwarding.
  3. Click Add Forwarding Target.
  4. Specify target settings:
    • Host: The IP address of your company's log server.
    • Protocol: UDP, TCP, or TLS (we recommend TLS, since it encrypts the log data in transit).
    • Port: Usually 514 (the standard logging port) or a custom port provided by your security team.
    • Format: RFC 5424 (a standard structured layout) or JSON format.
  5. Click Save and restart the service to begin streaming logs.
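The following is an added example, not code from Cockpit or this page: it shows what the five audit fields listed under "Log Format" look like once they are carried in RFC 5424 structured data (the format chosen in step 4 above), parses such records on the receiving side, and runs two simple checks a SIEM would do with them (repeated failed logins per subject and source IP, and actions blocked for lack of permission). The SD-ID `audit@32473`, the parameter names (`subject`, `src_ip`, `action`, `object`, `status`, `error`) and the sample lines are constructed for illustration and are not the product's documented field names.

```python
"""Parse RFC 5424 syslog records carrying audit fields and run simple checks.

Added example. The SD-ID and parameter names are assumptions; 32473 is the
enterprise number RFC 5424 reserves for documentation.
"""
import re
from collections import Counter

AUDIT_SDID = "audit@32473"  # assumed SD-ID for the audit parameters

# Header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD + MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may escape ", ] and \.
SD_ELEMENT_RE = re.compile(
    r'\[(?P<sdid>[^\s\]=]+)(?P<params>(?:\s+[^=\s\]"]+="(?:[^"\\]|\\.)*")*)\]'
)
PARAM_RE = re.compile(r'(?P<name>[^=\s\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Constructed sample records (facility 10 = authpriv; severity 6 = info, 4 = warning).
SAMPLE_LINES = [
    '<86>1 2024-05-01T12:00:00.123456Z hv-node01 cockpit-audit 4242 AUDIT '
    '[audit@32473 subject="alice" src_ip="10.0.0.5" action="USER_LOGIN" object="-" status="SUCCESS"] login ok',
    '<84>1 2024-05-01T12:01:10.000001Z hv-node01 cockpit-audit 4242 AUDIT '
    '[audit@32473 subject="bob" src_ip="10.0.0.9" action="USER_LOGIN" object="-" status="FAILED"] bad password',
    '<84>1 2024-05-01T12:01:14.000002Z hv-node01 cockpit-audit 4242 AUDIT '
    '[audit@32473 subject="bob" src_ip="10.0.0.9" action="USER_LOGIN" object="-" status="FAILED"] bad password',
    '<84>1 2024-05-01T12:01:19.000003Z hv-node01 cockpit-audit 4242 AUDIT '
    '[audit@32473 subject="bob" src_ip="10.0.0.9" action="USER_LOGIN" object="-" status="FAILED"] bad password',
    '<86>1 2024-05-01T12:05:00.500000Z hv-node01 cockpit-audit 4242 AUDIT '
    '[audit@32473 subject="alice" src_ip="10.0.0.5" action="VM_POWER_OFF" '
    'object="vm-0042 sales-reporting-app" status="SUCCESS"] vm powered off',
    '<84>1 2024-05-01T12:06:30.250000Z hv-node01 cockpit-audit 4242 AUDIT '
    '[audit@32473 subject="carol" src_ip="10.0.0.7" action="VM_DELETE" '
    'object="vm-0042 sales-reporting-app" status="DENIED"] permission denied',
    '<84>1 2024-05-01T12:07:45.750000Z hv-node01 cockpit-audit 4242 AUDIT '
    '[audit@32473 subject="alice" src_ip="10.0.0.5" action="STORAGE_POOL_FORMAT" '
    'object="pool-a" status="FAILED" error="pool \\"pool-a\\" busy"] storage pool format failed',
]


def unescape(value):
    """Undo the three escapes RFC 5424 allows inside a PARAM-VALUE."""
    return re.sub(r'\\(["\]\\])', r"\1", value)


def parse_record(line):
    """Split one RFC 5424 record into header fields, structured data and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 record: %r" % line[:40])
    pri = int(m.group("pri"))
    rest = m.group("rest")
    sd = {}
    if rest.startswith("-"):          # NILVALUE: no structured data
        msg = rest[1:].lstrip()
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            el = SD_ELEMENT_RE.match(rest, pos)
            if not el:
                raise ValueError("malformed structured data in %r" % line[:40])
            sd[el.group("sdid")] = {
                p.group("name"): unescape(p.group("value"))
                for p in PARAM_RE.finditer(el.group("params"))
            }
            pos = el.end()
        msg = rest[pos:].lstrip()
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m.group("timestamp"), "hostname": m.group("hostname"),
        "appname": m.group("appname"), "sd": sd, "msg": msg,
    }


def audit_fields(record):
    """Return the audit parameters of a parsed record, or None if absent."""
    return record["sd"].get(AUDIT_SDID)


def failed_login_counts(records):
    """Count failed USER_LOGIN attempts per (subject, src_ip)."""
    counts = Counter()
    for a in map(audit_fields, records):
        if a and a.get("action") == "USER_LOGIN" and a.get("status") == "FAILED":
            counts[(a.get("subject"), a.get("src_ip"))] += 1
    return counts


def denied_actions(records):
    """List (subject, action, object) for actions blocked for lack of permission."""
    return [(a["subject"], a["action"], a["object"])
            for a in map(audit_fields, records) if a and a.get("status") == "DENIED"]


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_LINES]
    for key, n in failed_login_counts(recs).items():
        print("failed logins:", key, n)
    for d in denied_actions(recs):
        print("denied:", d)
```

The parser keeps the message text separate from the structured parameters, so a receiver can match on `status="FAILED"` without regular expressions over free text; this is the practical reason to prefer RFC 5424 structured data or JSON over plain-text lines when configuring the forwarding target. Two checks worth doing after step 5: confirm that records still arrive after the service restart, and confirm the port matches what your receiver listens on, since 514 is the classic syslog port while syslog over TLS (RFC 5425) is registered on 6514.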