Control Center audit logging

The serviced service writes messages to an audit log file on the master host when configuration changes occur on Control Center hosts. The messages record the time, user identity, and information about the change in plain text.

The default location of the serviced audit log file is /var/log/serviced. The location is determined by the SERVICED_LOG_PATH variable in /etc/default/serviced. The log file name is serviced-audit.log.

The serviced audit log directory contains additional files:
  • serviced.access.log records HTTP/S requests and is always present.
  • application-audit.log records application audit messages, and is present only if an application is configured to write audit messages through Control Center. (Zenoss Resource Manager is configured for audit logging through Control Center, Zenoss Core is not.)
The files in the serviced audit log directory are managed by logrotate. The serviced RPM installation process installs logrotate, if necessary, and creates /etc/cron.hourly/serviced. Then, the anacron service invokes logrotate every hour. The operations that logrotate performs on audit log files are specified in /opt/serviced/etc/logrotate.conf. The default configuration rotates, compresses, and removes files as necessary to ensure that the logs occupy no more than 10GB of storage. To store larger volumes of log files, choose one or more of the following options:
  • Mount the serviced audit log directory on a larger local or remote file system.
  • Modify the logrotate configuration file.
  • Forward the log files to a log management application.
  • Use a cron job to copy the files to a larger local or remote file system.