Mastering MAAS audit logs for robust management and oversight
Errors or typos? Topics missing? Hard to read? Let us know!
MAAS audit logs provide detailed records of changes in machines, users, and settings. The AUDIT level logs are particularly useful for tracing historical changes in a MAAS instance. They are crucial for system integrity, troubleshooting, compliance, and governance.
Fetching audit events from the CLI
Use the maas CLI's events query command to retrieve audit logs. Fetch all audit logs with:
maas $PROFILE events query level=AUDIT
For the latest 20 audit events:
maas $PROFILE events query level=AUDIT limit=20 after=0
Parsing the output for meaningful data
Audit logs are in JSON format, suitable for parsing with tools like jq. For example:
maas $PROFILE events query level=AUDIT | jq -r '.events[] | {user, node, action}'
Alternatively, use text processing utilities like grep, cut, sort, and sed for analysis.
Decoding the structure of audit logs
Audit logs typically follow a verb/noun structure. Examples include:
Started testing on 'example-node'Marked 'old-node' brokenDeleted the machine 'retired-system'Audit logs detail node activities including commissioning phases, test results, deployment statuses, and actions like acquiring, rescuing, and deleting.
User and setting related audit types
Audit logs also track user activities, account modifications, system configuration changes, and updates to scripts or DHCP snippets.
Fine-tuning your audit queries with filters
Refine audits using filters in the events query command. For events related to a specific node:
maas $PROFILE events query hostname=my-node
For delete actions by a specific user:
maas $PROFILE events query username=jane level=AUDIT | grep "Deleted "
Combining filters yields more targeted audit records, aiding in tailored governance.
MAAS audit logs are essential for understanding system history. Effectively querying, filtering, and interpreting these logs are key skills for system troubleshooting, compliance, and oversight.