Offline docs (switch to live docs) UI-only CLI-only

Reviewing audit logs

Unlocking the mysteries of MAAS audit events

Errors or typos? Topics missing? Hard to read? Let us know!

If you're intrigued by the digital breadcrumbs that MAAS systems leave behind, you've come to the right place. Get ready to take a deep dive into MAAS audit events — those digital fingerprints that tell us what's happening under the hood. This guide will give you the tools to query, understand, and utilise these events like a pro.

What are MAAS audit events?

Think of MAAS audit events as the digital footprints on the MAAS landscape. You can unearth them via the command line with a nifty command that looks like this:

maas $PROFILE events query level=AUDIT

Unleash that command, and you'll be greeted with a wall of JSON output, packed with insights:

Machine-readable output follows:
{
    "count": 14,
    "events": [
        {
            "username": "admin",
            "node": "e86c7h",
            "hostname": "valued-moth",
            "id": 12729,
            "level": "AUDIT",
            "created": "Mon, 25 Apr. 2022 21:51:23",
            "type": "Node",
            "description": "Started deploying 'valued-moth'."
        },
        {
            "username": "admin",
            "node": "e86c7h",
            "hostname": "valued-moth",
            "id": 12725,
            "level": "AUDIT",
            "created": "Mon, 25 Apr. 2022 21:51:18",
            "type": "Node",
            "description": "Acquired 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "valued-moth",
            "id": 12502,
            "level": "AUDIT",
            "created": "Mon, 25 Apr. 2022 21:44:51",
            "type": "Node",
            "description": "Aborted 'commissioning' on 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "valued-moth",
            "id": 12497,
            "level": "AUDIT",
            "created": "Mon, 25 Apr. 2022 21:41:52",
            "type": "Node",
            "description": "Started commissioning on 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "valued-moth",
            "id": 12493,
            "level": "AUDIT",
            "created": "Mon, 25 Apr. 2022 21:41:18",
            "type": "Node",
            "description": "Started releasing 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "valued-moth",
            "id": 12486,
            "level": "AUDIT",
            "created": "Mon, 25 Apr. 2022 21:40:42",
            "type": "Node",
            "description": "Acquired 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "valued-moth",
            "id": 12479,
            "level": "AUDIT",
            "created": "Mon, 25 Apr. 2022 21:40:34",
            "type": "Node",
            "description": "Started releasing 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "valued-moth",
            "id": 134,
            "level": "AUDIT",
            "created": "Thu, 21 Apr. 2022 19:36:48",
            "type": "Node",
            "description": "Started deploying 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "valued-moth",
            "id": 130,
            "level": "AUDIT",
            "created": "Thu, 21 Apr. 2022 19:36:21",
            "type": "Node",
            "description": "Acquired 'valued-moth'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "unknown",
            "id": 18,
            "level": "AUDIT",
            "created": "Thu, 21 Apr. 2022 19:21:46",
            "type": "Settings",
            "description": "Updated configuration setting 'completed_intro' to 'True'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "unknown",
            "id": 14,
            "level": "AUDIT",
            "created": "Thu, 21 Apr. 2022 19:20:49",
            "type": "Settings",
            "description": "Updated configuration setting 'upstream_dns' to '8.8.8.8'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "unknown",
            "id": 13,
            "level": "AUDIT",
            "created": "Thu, 21 Apr. 2022 19:20:49",
            "type": "Settings",
            "description": "Updated configuration setting 'maas_name' to 'neuromancer'."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "unknown",
            "id": 12,
            "level": "AUDIT",
            "created": "Thu, 21 Apr. 2022 19:20:47",
            "type": "Settings",
            "description": "Updated configuration setting 'http_proxy' to ''."
        },
        {
            "username": "admin",
            "node": null,
            "hostname": "unknown",
            "id": 11,
            "level": "AUDIT",
            "created": "Thu, 21 Apr. 2022 19:20:24",
            "type": "Authorisation",
            "description": "Logged in admin."
        }
    ],
    "next_uri": "/MAAS/api/2.0/events/?op=query&level=AUDIT&owner=admin&after=12729",
    "prev_uri": "/MAAS/api/2.0/events/?op=query&level=AUDIT&owner=admin&before=11"
}

Deciphering the code: key elements of an audit event

Each line of output is a cryptic story waiting to be told, containing the following elements:

username: The masked crusader behind the action. Sometimes, the mask slips off and this field is empty, usually because MAAS itself has initiated the event.
node: The $SYSTEM_ID often encountered in CLI. It's linked to a specific node involved in the ruckus, whether or not it started it.
hostname: Usually the region controller or a machine involved. If it's empty, that's MAAS playing puppeteer in the background.
id: Think of this as the social security number for events — unique and identifying.
level: It's like the DEFCON status of the event: AUDIT, DEBUG, you name it.
created: The moment in time the event was forged.
description: The narrative. It's where the action is described, and it's seldom left blank.
type: The category of event, as illustrated below.

name	description
AUTHORISATION	Authorisation
IMAGES	Images
NETWORKING	Networking
NODE	Node
NODE_HARDWARE_SYNC_BLOCK_DEVICE	Node Block Device hardware sync state change
NODE_HARDWARE_SYNC_BMC	Node BMC hardware sync state change
NODE_HARDWARE_SYNC_CPU	Node CPU hardware sync state change
NODE_HARDWARE_SYNC_INTERFACE	Node Interface hardware sync state change
NODE_HARDWARE_SYNC_MEMORY	Node Memory hardware sync state change
NODE_HARDWARE_SYNC_PCI_DEVICE	Node PCI Device hardware sync state change
NODE_HARDWARE_SYNC_USB_DEVICE	Node USB Device hardware sync state change
POD	Pod
SETTINGS	Settings
TAG	Tag
ZONES	Zones

For a closer look at how to leverage these digital footprints, check out our guide on how to work with audit event logs.

Audit events are a subset of the MAAS event logs. This article will provide reference material for those who want to review and report on events designated as MAAS audit events.

About MAAS audit events

MAAS audit events can be viewed using the CLI with a command similar to the following:

maas $PROFILE events query level=AUDIT

Such a command would produce JSON output like this:

These MAAS audit events consist of the following information:

username: the name of the user whose actions triggered the event. This field is frequently blank, since many recordable events are triggered by MAAS and not by a specific user.
node: this is the $SYSTEM_ID frequently used in the CLI to reference node. This field is filled if a particular node participated in the event, even if the node did not trigger that event.
hostname: this is the node which triggered the event. Generally, this will be the name of the region controller, the name of a machine, or blank. Blank entries are events triggered by MAAS itself, such as Starting rack boot image import, which are not triggered by node.
id: a unique ID number assigned to table records as a primary key.
level: the level of event, such as AUDIT, DEBUG, etc.
created: the timestamp when this event entry was created.
description: a long text description of what took place. This field is almost always populated; this is the primary information used for auditing MAAS events.
type: this is the type of event that occurred, as shown in the following table.

For information on how to use these audit events to answer specific questions, see How to work with audit event logs.