Jan 26, 2023 at 12:46 PM

Audit Logging in CF

79 Views Last edit Jan 30, 2023 at 09:08 AM 7 rev

Hi SAP team,

Incident number: 74994 / 2023
I managed to extract the audit logs using the API for several subaccounts in the Cloud Foundry environment.

The log format is as follows:

{
    "message_uuid": "e3a533c1-57b3-42b5-b514-8934ec5b6a6a",
    "time": "2018-10-04T08:12:00.239Z",
    "tenant": "c6da83a8-dc72-4374-b8f7-42b37a990000",
    "org_id": "82f1da92-e5b3-4cc5-1234-56789123456",   
    "space_id": "82f1da92-e5b3-4cc5-1234-56789123456",
    "app_or_service_id": "82f1da92-e5b3-4cc5-1234-56789123456",
    "als_service_id": "c18f9b6d-a8af-431c-a187-749ebc590000",
    "user": "test",
    "category": "audit.security-events",
    "format_version": "",
    "message": {
        "uuid": " e3a533c1-57b3-42b5-b514-8934ec5b6a6a ",
        "user": "test",
        "time": "2018-10-04T08:12:00.239Z",
        "ip": "10.58.183.15",
        "data": "{\"level\":\"INFO\",\"origin\":null,\"msgNo\":1,\"msgId\":\"a2cf08ee-eedd-455b-bbd6-    400d6b611116\",\"message\":\"ClientAuthenticationSuccess ('Client authentication success'): principal=sb-40ae21f3-5034-40dd-ac0d-0c9d3e0ebb06!b3034|auditlog-management!b3034, origin=[remoteAddress=52.58.183.15, clientId=sb-40ae21f3-5034-40dd-ac0d-0c9d3e0ebb06!b3034|auditlog-management!b3034], identityZoneId=[c6da83a8-dc72-4374-b8f7-42b37a99db2b]\",\"user\":null,\"version\":\"1.0\"}",
        "id": "cb046a0f-cc23-406b-a1d2-22ee6cf89a4d",
        "category": "audit.security-events",
        "tenant": "c6da83a8-dc72-4374-b8f7-42b37a990000"
      }
}

When analyzing the retrieved data, I noticed that the "org_id", "space_id" and "app_or_service_id" are identical IDs for each log and for each subaccount. Example:

    "org_id": "82f1da92-e5b3-4cc5-1234-56789123456",
    "space_id": "82f1da92-e5b3-4cc5-1234-56789123456",  
    "app_or_service_id": "82f1da92-e5b3-4cc5-1234-56789123456",

For each unique subaccount's logs, the "org_id", "space_id" and "app_or_service_id" are the same in the log output. To put it differently, the "org_id", "space_id" and "app_or_service_id" do not change even if the logs are retrieved for another subaccount.

While checking whether the "org_id" or "space_id" match any of the subaccount organizational or space UUIDs, I could not find a match.

Could you please explain to me why this is so?
Thanks a lot in advance.
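
An added example, not part of the original post and not SAP's code: a Python script that decodes the nested "message.data" string of records in the format shown above and reports which of "org_id", "space_id" and "app_or_service_id" carry the same value under more than one tenant. The sample records, their values and all function names are constructed for illustration.

```python
import json
from collections import defaultdict

ID_FIELDS = ("org_id", "space_id", "app_or_service_id")

def _record(tenant, ids, event):
    # Constructed sample record in the format shown in the post (all values made up).
    data = json.dumps({"level": "INFO", "msgNo": 1,
                       "message": f"{event} ('sample'): principal=demo"})
    return {"tenant": tenant, "user": "test", "category": "audit.security-events",
            **dict(zip(ID_FIELDS, ids)),
            "message": {"user": "test", "tenant": tenant, "data": data}}

SAME = ("aaaaaaaa-0000-0000-0000-000000000001",) * 3  # constructed placeholder ID
SAMPLE = [
    _record("tenant-A", SAME, "ClientAuthenticationSuccess"),
    _record("tenant-A", SAME, "ClientAuthenticationSuccess"),
    _record("tenant-B", SAME, "ClientAuthenticationSuccess"),
]

def decode_data(record):
    """Parse the JSON string in message.data; return {} if absent or malformed."""
    raw = record.get("message", {}).get("data")
    try:
        parsed = json.loads(raw) if isinstance(raw, str) else {}
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}

def event_name(record):
    """First token of the inner message text, e.g. 'ClientAuthenticationSuccess'."""
    text = decode_data(record).get("message") or ""
    return text.split(" ", 1)[0]

def id_spread(records):
    """For each ID field, map each value to the set of tenants it appeared under."""
    spread = {f: defaultdict(set) for f in ID_FIELDS}
    for rec in records:
        for f in ID_FIELDS:
            spread[f][rec.get(f)].add(rec.get("tenant"))
    return spread

def shared_across_tenants(records):
    """ID fields where a single value shows up under more than one tenant."""
    return sorted(f for f, vals in id_spread(records).items()
                  if any(len(tenants) > 1 for tenants in vals.values()))

if __name__ == "__main__":
    print(shared_across_tenants(SAMPLE))
    print([event_name(r) for r in SAMPLE])
```

Fields returned by shared_across_tenants cannot be used to attribute a record to a subaccount; in the constructed sample only "tenant" differs between subaccounts.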