How to get Event list and Audit Information of the VM Instances in OpenStack

Problem

• What is the process to list all the events of the VM (shutdown, migrate, start) in Platform9 Managed OpenStack?
• How to identify which user performed an event on the VM instance.

Environment

• Platform9 Managed OpenStack - v5.0 and Higher

Answer

There are 2 ways to get details of the events for a VM Instance.

Method1:

• Run the below command which list all the VMs. VM-UUID can be found the VM details through web console.

$ openstack server list -all | grep <vm-uuid>

• Run the below command to get complete details of the affected VM.

$ openstack server show <vm-uuid>

• Identify the hypervisor where the VM is running (OS-EXT-SRV-ATTR:host) and SSH to the hypervisor. This information is also visible in the web console.
• Check the ostackhost logs in the hypervisor and grep for the req-ID to get the details.

$ cat /var/log/pf9/ostackhost.log | grep <req-id> | tail

• Observe and identify the example log traces like below which explain the details of the VM.

INFO nova.virt.libvirt.driver [<req-UUID> example name tenant] [instance: <VM-UUID>] Instance shutdown successfully after 40 seconds.

• In the above log, instead of <example name> and <tenant> , there is information of the user who initiated the action and tenant.

Method2

• Follow till step2 of Method1 to get complete details of the VM Instance.
• Run the below command to get list of the events of the VM Instance.

$ openstack server event list <vm-uuid>

• Identify the Request ID of event which needs to be investigated.
• Get the details of the Request using the below command:

$ openstack server event show <vm-uuid> <req-id>

• In the output of this command, identify which user had initiated the request in the <user_id> field.
• Run the below command to identify the username of the user who initiated the request

$ openstack user list | grep <user-id>