A number of the libvirt virtualization drivers (QEMU/KVM and LXC) include
support for logging details of important operations to the host's audit
subsystem. This provides administrators / auditors with a canonical historical
record of changes to virtual machines' / containers' lifecycle states and
their configuration. On hosts which are running the Linux audit daemon,
the logs will usually end up in /var/log/audit/audit.log.
The libvirt audit integration is enabled by default on any host which has
the Linux audit subsystem active, and disabled otherwise. It is possible
to alter this behaviour in the /etc/libvirt/libvirtd.conf configuration
file, via the audit_level parameter:

  audit_level=0 - libvirt auditing is disabled regardless of host audit
  subsystem enablement.

  audit_level=1 - libvirt auditing is enabled if the host audit subsystem
  is enabled, otherwise it is disabled. This is the default behaviour.

  audit_level=2 - libvirt auditing is enabled regardless of host audit
  subsystem enablement. If the host audit subsystem is disabled, then
  libvirtd will refuse to complete startup and exit with an error.
In addition to having formal messages sent to the audit subsystem, it is
possible to tell libvirt to inject the same messages into its own logging
layer. This will result in messages ending up in the systemd journal, or
in /var/log/libvirt/libvirtd.log on non-systemd hosts. This is disabled
by default, but can be requested by setting the audit_logging=1
configuration parameter in the same file mentioned above.
Libvirt defines three core audit message types, each of which will be
described below. There are a number of common fields that will be
reported for all message types:

  pid
  uid
  subj
  msg

Some fields in the msg string are common to audit records:

  virt - qemu or lxc
  vm
  uuid
  exe
  hostname
  addr
  terminal
  res - success or failed
Reports change in the lifecycle state of a virtual machine. The msg
field will include the following sub-fields:

  op - start, stop or init
  reason
  vm-pid
  init-pid - relates to the init process in a container; only if op=init
  and virt=lxc
  pid-ns - relates to the init process in a container; only if op=init
  and virt=lxc
Reports the association of a security context with a guest. The msg
field will include the following sub-fields:

  model - selinux or apparmor
  vm-ctx
  img-ctx
Reports the usage of a host resource by a guest. The fields included will vary according to the type of device being reported. When the guest is initially booted, records will be generated for all assigned resources. If any changes are made to the running guest configuration, for example hotplugging devices or adjusting resource allocation, further records will be generated.
For resrc=vcpu the msg field will include the following sub-fields:

  reason
  resrc - vcpu
  old-vcpu
  new-vcpu

For resrc=mem the msg field will include the following sub-fields:

  reason
  resrc - mem
  old-mem
  new-mem

For resrc=disk the msg field will include the following sub-fields:

  reason
  resrc - disk
  old-disk
  new-disk

For resrc=net the msg field will include the following sub-fields:

  reason
  resrc - net
  old-net
  new-net

If there is a host network interface associated with the guest NIC then
further records may be generated:

  reason
  resrc - net
  net
  rdev

For resrc=fs the msg field will include the following sub-fields:

  reason
  resrc - fs
  old-fs
  new-fs

For host devices the msg field will include the following sub-fields:

  reason
  resrc - hostdev or dev
  dev - if resrc=dev
  disk - if resrc=hostdev
  chardev - if resrc=hostdev

For resrc=tpm the msg field will include the following sub-fields:

  reason
  resrc - tpm
  device

For resrc=rng the msg field will include the following sub-fields:

  reason
  resrc - rng
  old-rng
  new-rng

For resrc=chardev the msg field will include the following sub-fields:

  reason
  resrc - chardev
  old-chardev
  new-chardev

For resrc=smartcard the msg field will include the following sub-fields:

  reason
  resrc - smartcard
  old-smartcard
  new-smartcard

For resrc=redir the msg field will include the following sub-fields:

  reason
  resrc - redir
  bus - allowed value usb
  device - allowed value USB redir

For resrc=cgroup the msg field will include the following sub-fields:

  reason
  resrc - cgroup
  cgroup
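The record layouts described above (the common header fields, the msg key=value string, the lifecycle, security-context and resource sub-fields) are easiest to understand by parsing a few records. The following is an added example, not libvirt's own code: it parses audit lines into the outer fields and the msg sub-fields, prints a per-guest timeline, and flags the records a defender would want to review (failed operations, host device passthrough, and a backing resource replaced on a running guest). The Linux audit record type names VIRT_CONTROL, VIRT_RESOURCE and VIRT_MACHINE_ID are the types libvirt emits; the sample log lines, the guest name, UUID, paths and reason values are constructed for this example, and the "?" used for an unset old-* value follows the samples, not a guarantee the page makes.

```python
"""Parse libvirt audit records from a Linux audit log and flag events a
defender cares about. Added example, not libvirt code. The sample log is
constructed: names, UUID, paths and reason values are made up, and an
unset old-* value is written as "?" in these samples."""
import re

# Constructed sample records, laid out the way auditd writes them.
SAMPLE_LOG = """\
type=VIRT_CONTROL msg=audit(1700000000.101:2001): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="web01" uuid=7b1c0e1a-1111-2222-3333-444455556666 vm-pid=5678 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_MACHINE_ID msg=audit(1700000000.102:2002): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu model=selinux vm="web01" uuid=7b1c0e1a-1111-2222-3333-444455556666 vm-ctx=system_u:system_r:svirt_t:s0:c12,c34 img-ctx=system_u:object_r:svirt_image_t:s0:c12,c34 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1700000000.103:2003): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=disk reason=start vm="web01" uuid=7b1c0e1a-1111-2222-3333-444455556666 old-disk="?" new-disk="/var/lib/libvirt/images/web01.qcow2" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1700000000.104:2004): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=net reason=start vm="web01" uuid=7b1c0e1a-1111-2222-3333-444455556666 old-net="?" new-net="52:54:00:aa:bb:cc" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1700000003.500:2010): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=disk reason=update vm="web01" uuid=7b1c0e1a-1111-2222-3333-444455556666 old-disk="/var/lib/libvirt/images/web01.qcow2" new-disk="/tmp/web01-swap.qcow2" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1700000004.000:2011): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=hostdev reason=attach vm="web01" uuid=7b1c0e1a-1111-2222-3333-444455556666 disk="/dev/sdc" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
type=VIRT_CONTROL msg=audit(1700000010.000:2020): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=stop reason=shutdown vm="web01" uuid=7b1c0e1a-1111-2222-3333-444455556666 vm-pid=5678 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
"""

# Header: record type, then the audit(<time>:<serial>) stamp, then the rest.
_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value tokens; values may be double- or single-quoted and contain spaces.
_KV = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S+)""")


def _kv(text):
    """Split 'k=v k2="v 2"' into a dict, dropping the surrounding quotes."""
    out = {}
    for key, val in _KV.findall(text):
        if len(val) >= 2 and val[0] in "\"'" and val[-1] == val[0]:
            val = val[1:-1]
        out[key] = val
    return out


def parse_record(line):
    """Parse one audit line into the header fields plus the msg sub-fields."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    outer = _kv(rest)
    inner = _kv(outer.pop("msg", ""))  # the key=value list libvirt builds
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "pid": int(outer.get("pid", 0)), "uid": int(outer.get("uid", 0)),
            "subj": outer.get("subj"), "fields": inner}


def parse_log(text):
    """Parse every libvirt record in an audit log, skipping other types."""
    recs = (parse_record(line) for line in text.splitlines())
    return [r for r in recs if r and r["type"].startswith("VIRT_")]


def _changed(fields, name):
    """True when an old-<name>/new-<name> pair records a replacement."""
    old, new = fields.get("old-" + name), fields.get("new-" + name)
    return old not in (None, "", "?") and old != new


def findings(records):
    """Return (serial, vm, message) tuples for records worth reviewing."""
    out = []
    for r in records:
        f = r["fields"]
        vm = f.get("vm", "?")
        if f.get("res") == "failed":
            what = f.get("op") or f.get("resrc") or "?"
            out.append((r["serial"], vm, f"failed {r['type']} {what}"))
        if r["type"] != "VIRT_RESOURCE":
            continue
        resrc = f.get("resrc")
        if resrc in ("hostdev", "dev"):
            path = f.get("disk") or f.get("chardev") or f.get("dev") or "?"
            out.append((r["serial"], vm, f"host device passed through: {path}"))
        elif resrc and _changed(f, resrc):
            out.append((r["serial"], vm,
                        f"{resrc} backing changed on running guest: "
                        f"{f['old-' + resrc]} -> {f['new-' + resrc]}"))
    return sorted(out)


def timeline(records):
    """One human-readable line per record, ordered by audit serial."""
    lines = []
    for r in sorted(records, key=lambda r: r["serial"]):
        f = r["fields"]
        if r["type"] == "VIRT_CONTROL":
            what = f"{f.get('op')} reason={f.get('reason')} vm-pid={f.get('vm-pid')}"
        elif r["type"] == "VIRT_MACHINE_ID":
            what = f"model={f.get('model')} vm-ctx={f.get('vm-ctx')}"
        else:
            what = f"resrc={f.get('resrc')} reason={f.get('reason')}"
        lines.append(f"{r['serial']} {f.get('vm')} {r['type']}: {what} [{f.get('res')}]")
    return lines


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for line in timeline(recs):
        print(line)
    print("findings:")
    for serial, vm, msg in findings(recs):
        print(f"  {serial} {vm}: {msg}")
```

On a live host the same parser can be fed the output of `ausearch --raw -m VIRT_CONTROL,VIRT_RESOURCE,VIRT_MACHINE_ID` instead of the constructed sample; since the old-*/new-* field names follow the resrc value for every resource type listed above, the replacement check applies to vcpu, mem, disk, net, fs, rng, chardev and smartcard records without per-type code.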