
Illumio Core 21.5 Administration Guide

Event Types, Syntax, and Record Format

When working with events, it is important to recognize their type, REST API schema, syntax, and record information.

Types of Events

The Illumio Core includes the following general categories of auditable events:

  • Organizational events, which are further grouped by their source:

    • API-related events: Events occurring from a use of the REST API, including the PCE web console

    • System-related events: Events caused by some system-related occurrence

  • Traffic events

Anonymized Database Dumps

To troubleshoot customer-reported issues, Illumio Customer Support sometimes requests that you supply an anonymized dump of the PCE database.

To safeguard your organization's privacy, the event information is not included in the anonymized database dump.

REST API Events Schema

The Events schema in JSON is downloadable from this documentation portal in the zip file of the REST API schemas. From the documentation portal Home page, go to the Develop category > REST API Public Schemas (Archive File).

Event Syntax

The names of recorded auditable events have the following general syntax:

resource.verb[.success_or_failure]

Where:

  • resource is a PCE or VEN object, such as a PCE user or a VEN agent component.

  • verb describes the action of the event on that resource.

  • In CEF and LEEF formats, the success or failure of the verb is included in the recorded event type. This indicator is not needed in the JSON format.
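The following parser is an added example and is not part of this guide or of Illumio's software. It splits an event name into the resource, verb, and optional success-or-failure suffix described above, and rebuilds the CEF/LEEF form from a record's status. The sample names are constructed for illustration, except authz_csrf_validation_failure, which this guide lists and which does not follow the dotted syntax; the assumption that a resource segment may itself contain dots is this example's, not the guide's.

```python
"""Parse Illumio auditable event names of the form resource.verb[.success_or_failure].

Added example; not Illumio's code. Sample names are constructed except
authz_csrf_validation_failure, which the guide lists.
"""
from dataclasses import dataclass
from typing import Optional

# Outcome suffixes carried only by CEF and LEEF event names.
STATUS_SUFFIXES = ("success", "failure")


@dataclass(frozen=True)
class EventName:
    resource: str
    verb: Optional[str]      # None for names that carry no verb segment
    outcome: Optional[str]   # "success"/"failure" from CEF/LEEF names; None for JSON names


def parse_event_name(name: str) -> EventName:
    """Split an event type name into its parts.

    JSON event names carry no outcome suffix (the record's status field holds it);
    CEF and LEEF names may end in .success or .failure. A name without a dot, such as
    authz_csrf_validation_failure, is returned with the whole string as the resource.
    Assumption of this example: a resource may itself be dotted, so the verb is
    always the last remaining segment after any outcome suffix is removed.
    """
    parts = name.strip().split(".")
    if any(p == "" for p in parts):
        raise ValueError(f"malformed event name: {name!r}")
    outcome = None
    # Only strip an outcome when at least resource.verb precedes it.
    if len(parts) >= 3 and parts[-1] in STATUS_SUFFIXES:
        outcome = parts.pop()
    if len(parts) == 1:
        return EventName(resource=parts[0], verb=None, outcome=outcome)
    return EventName(resource=".".join(parts[:-1]), verb=parts[-1], outcome=outcome)


def cef_leef_name(ev: EventName, status: Optional[str]) -> str:
    """Build the CEF/LEEF form of a name, which carries the outcome.

    A null status (an informational record) adds no suffix; any other status
    must be one of the two recognised suffixes.
    """
    base = ev.resource if ev.verb is None else f"{ev.resource}.{ev.verb}"
    if status is None:
        return base
    if status not in STATUS_SUFFIXES:
        raise ValueError(f"unknown status: {status!r}")
    return f"{base}.{status}"


if __name__ == "__main__":
    for sample in ("user.login.success", "user.login", "authz_csrf_validation_failure"):
        print(sample, "->", parse_event_name(sample))
```

The parser keeps the JSON and CEF/LEEF conventions apart: a JSON record never carries the suffix, so the outcome is read from its status field and only added back when rendering the CEF/LEEF name.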

Events Record Information

The following information is included in an event record, which answers the who, what, where, how, and when:

Who

  • VEN identified by hostname and agent href

  • User identified by username and href

  • PCE system identified by “system”

What

The action that triggered the event, including the following data:

  • Resource type + operation + success or failure

  • Application Request ID

  • Status of successful events and failed events:

    • In case of failure, exception type and exception message.

    • All failures related to security, such as authentication and authorization.

    • Severity as INFO, WARNING, ERROR.

  • The pre-change and post-change values of the affected resources.

Where

The target resource of the action, composed of the following data:

  • Identifier of the target resource (primary field).

  • Friendly name for the target resource. For example:

    • workload/VEN: hostname

    • user.username

    • ruleset, label, service, and so on: name, or label key/value

How

API endpoint, method, HTTP status code, and source IP address of the request.

When

Timestamp of the event's occurrence. This timestamp is not the time the event was recorded.

Event Record Structure

Regardless of export format (JSON, CEF, or LEEF), the records and fields for all events share a common structure. This common structure of composite events makes post-processing of event data easier.

Bulk change operations on many resources simultaneously are recorded as individual operations on the resource within a single composite event. Failed attempts to change a configuration, such as incorrect authentication, are also collected.

Common Fields

  • href: Unique event identifier; contains a UUID.

  • timestamp: Exact time that the event occurred, in RFC 3339 format with fractional seconds.

  • pce_fqdn: The fully qualified domain name of the PCE; especially useful for Supercluster deployments or when multiple PCEs send data to the SIEM server.

  • created_by: Identifies the creator of the event, which can be a user, the system, or a workload.

  • event_type: Name of the event; for more information, see the List of Event Types table.

  • status: “success” or “failure”; if the status is null, the event is for information only and does not indicate success or failure.

  • severity: “informational,” “warning,” or “error,” indicating the severity of the event.

  • version: Schema version for events.

Events Displayed in PCE Web Console

The PCE web console provides an ongoing log of all Organization events that occur in the PCE. For example, Organization events capture actions such as users logging in and logging out, and failed login attempts; when a system object is created, modified, deleted, or provisioned; when a workload is paired or unpaired; and so on.

From the platform and API perspective, Organization events are referred to internally as auditable_events and are generated by the auditable_events_service.

You can use the filter at the top of the page to search for events by type of event, event severity level, and when the event occurred.

Cross-Site Request Forgery Protection

A cross-site request forgery (CSRF) is an attack in which a victim is made to send an HTTP request to a target destination without their knowledge or intent, so that an action is performed as the victim. The underlying cause is application functionality that uses predictable URLs or form actions in a repeatable way. CSRF exploits the trust that a website has in a user.

For more details on this attack, see the CSRF article on the Web Application Security Consortium website.

Illumio Core can notify you of this type of attack in the following ways:

  • The PCE web console logs the attack as an Organization Event called “CSRF token validation failure.”

  • The event is logged in the Illumio Core REST API as authz_csrf_validation_failure in the audit_log_events_get.schema.

  • The event authz_csrf_validation_failure appears in the PCE syslog output if you have deployed the PCE as software.

Important

When you see this event occur, you should immediately investigate the issue because the request might not have originated from a valid user.
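The triage script below is an added example and is not part of this guide or of Illumio's software. It reads newline-delimited JSON records that carry the common fields listed under Common Fields, parses the RFC 3339 timestamp, renders the "who" from created_by, and returns, oldest first, the records that warrant a look: any authz_csrf_validation_failure event, any record whose status is failure, and any record whose severity is error. The four records are constructed; only the field names and the event type authz_csrf_validation_failure come from this guide, the other event type names are illustrative, and the nested shape assumed for created_by (a user, agent, or system object) is this example's assumption.

```python
"""Triage Illumio event records that share the common fields described above.

Added example; not Illumio's code. The sample records are constructed; only
the field names and the event type authz_csrf_validation_failure come from
the guide. The nested shape of created_by is an assumption of this example.
"""
import json
from datetime import datetime, timezone
from typing import List

# Event types that warrant immediate investigation whenever they appear.
INVESTIGATE_TYPES = {"authz_csrf_validation_failure"}

# Constructed sample records, deliberately out of time order, one JSON object per line.
SAMPLE_EVENTS = """\
{"href": "/orgs/1/events/22222222-2222-4222-8222-222222222222", "timestamp": "2023-03-01T12:05:07.000123Z", "pce_fqdn": "pce.example.com", "created_by": {"user": {"username": "bob", "href": "/users/2"}}, "event_type": "authz_csrf_validation_failure", "status": "failure", "severity": "warning", "version": 2}
{"href": "/orgs/1/events/11111111-1111-4111-8111-111111111111", "timestamp": "2023-03-01T12:00:00.123456Z", "pce_fqdn": "pce.example.com", "created_by": {"user": {"username": "alice", "href": "/users/1"}}, "event_type": "user.login", "status": "success", "severity": "informational", "version": 2}
{"href": "/orgs/1/events/33333333-3333-4333-8333-333333333333", "timestamp": "2023-03-01T12:01:30.500000Z", "pce_fqdn": "pce.example.com", "created_by": {"user": {"username": "alice", "href": "/users/1"}}, "event_type": "user.login", "status": "failure", "severity": "warning", "version": 2}
{"href": "/orgs/1/events/44444444-4444-4444-8444-444444444444", "timestamp": "2023-03-01T12:02:00.000000Z", "pce_fqdn": "pce.example.com", "created_by": {"system": {}}, "event_type": "system.event", "status": null, "severity": "informational", "version": 2}
"""


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with fractional seconds into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # fromisoformat before Python 3.11 rejects a trailing Z
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value!r}")
    return ts.astimezone(timezone.utc)


def describe_actor(created_by: dict) -> str:
    """Render the 'who' of a record: user by username and href, VEN by hostname and href, else system."""
    if "user" in created_by:
        return f"user {created_by['user']['username']} ({created_by['user']['href']})"
    if "agent" in created_by:
        return f"VEN {created_by['agent']['hostname']} ({created_by['agent']['href']})"
    return "system"


def needs_attention(record: dict) -> bool:
    """True for a listed event type, a failed action, or an error-severity record."""
    return (
        record.get("event_type") in INVESTIGATE_TYPES
        or record.get("status") == "failure"
        or record.get("severity") == "error"
    )


def triage(ndjson: str) -> List[dict]:
    """Return the records that need attention, oldest first, as compact findings."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if not needs_attention(record):
            continue
        findings.append({
            "when": parse_timestamp(record["timestamp"]).isoformat(),
            "pce": record["pce_fqdn"],
            "who": describe_actor(record.get("created_by", {})),
            "what": record["event_type"],
            "status": record.get("status"),     # None means the record is informational only
            "severity": record.get("severity"),
            "href": record["href"],
        })
    findings.sort(key=lambda f: f["when"])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Sorting on the parsed timestamp rather than on arrival order matters because, as noted under the When row, the timestamp is the time the action occurred, not the time the record was written; records from several PCEs reaching a SIEM can arrive in any order, and pce_fqdn is carried through so a finding can be traced back to the PCE that produced it.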