A number of the libvirt virtualization drivers (QEMU/KVM and LXC) include
support for logging details of important operations to the host's audit
subsystem. This provides administrators / auditors with a canonical historical
record of changes to virtual machines' / containers' lifecycle states and
their configuration. On hosts which are running the Linux audit daemon,
the logs will usually end up in /var/log/audit/audit.log.
The libvirt audit integration is enabled by default on any host which has
the Linux audit subsystem active, and disabled otherwise. It is possible
to alter this behaviour in the /etc/libvirt/libvirtd.conf configuration
file, via the audit_level parameter:

audit_level=0 - libvirt auditing is disabled regardless of host audit
subsystem enablement.

audit_level=1 - libvirt auditing is enabled if the host audit subsystem
is enabled, otherwise it is disabled. This is the default behaviour.

audit_level=2 - libvirt auditing is enabled regardless of host audit
subsystem enablement. If the host audit subsystem is disabled, then
libvirtd will refuse to complete startup and exit with an error.
In addition to having formal messages sent to the audit subsystem, it is
possible to tell libvirt to inject messages into its own logging layer.
This will result in messages ending up in the systemd journal, or in
/var/log/libvirt/libvirtd.log on non-systemd hosts. This is disabled by
default, but can be requested by setting the audit_logging=1
configuration parameter in the same file mentioned above.
Libvirt defines three core audit message types, each of which is described below. There are a number of common fields that will be reported for all message types.

Some fields in the msg string are common to all audit records: the virt sub-field naming the virtualization driver in use, qemu or lxc, and the result of the action, success or failed.

The first type reports a change in the lifecycle state of a virtual machine. The msg field will include the following sub-fields: the operation performed, op, which is one of start, stop or init; and, only if op=init and virt=lxc, two further sub-fields describing the init process in a container.

The second type reports the association of a security context with a guest. The msg field will include the following sub-fields: the security model in use, selinux or apparmor, together with the contexts assigned.
The third type reports the usage of a host resource by a guest. The fields included will vary according to the type of device being reported. When the guest is initially booted, records will be generated for all assigned resources. If any changes are made to the running guest configuration, for example hotplugging devices or adjusting resource allocation, further records will be generated.

In every case the msg field identifies the resource through its resrc sub-field, alongside sub-fields specific to that resource:

- vcpu - virtual CPUs
- mem - memory
- disk - disks
- net - network interfaces. If there is a host network interface associated with the guest NIC then further records, also with resrc=net, may be generated describing the host interface.
- fs - filesystems
- hostdev or dev - host devices. Some of the remaining sub-fields are reported only for resrc=dev, others only for resrc=hostdev.
- tpm - TPM devices
- rng - random number generator devices
- redir - redirected devices. The bus may only be usb, and the device type may only be USB redir.
- cgroup - control groups
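As an added example that is not part of the libvirt documentation, a small Python parser that reads audit.log lines of the kinds described above and pulls out lifecycle events, host-device hotplug and failed operations. The log lines are constructed samples in the shape libvirt's audit records take; the vm, reason, res and dev sub-field names, and the assumption that boot-time resource records carry reason=start, come from that format rather than from the text above.

```python
import re

# Constructed sample lines in the shape auditd writes to /var/log/audit/audit.log
# for libvirt records; guest names, UUIDs, PIDs and the PCI address are made up.
SAMPLE_LOG = """\
type=VIRT_CONTROL msg=audit(1700000000.101:201): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu op=start reason=booted vm="web01" uuid=11111111-2222-3333-4444-555555555555 vm-pid=4321 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1700000000.102:202): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu resrc=vcpu reason=start vm="web01" uuid=11111111-2222-3333-4444-555555555555 old-vcpu=0 new-vcpu=2 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1700000000.103:203): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu resrc=hostdev reason=attach vm="web01" uuid=11111111-2222-3333-4444-555555555555 dev=0000:01:00.0 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1700000000.104:204): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=lxc op=init reason=booted vm="ct01" uuid=66666666-7777-8888-9999-000000000000 vm-pid=5000 init-pid=5001 pid-ns=4026532201 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1700000000.105:205): pid=1234 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu op=stop reason=destroyed vm="web01" uuid=11111111-2222-3333-4444-555555555555 vm-pid=4321 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
"""

# key=value pairs inside the msg string; values may be double-quoted (vm="web01")
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (audit record type, msg sub-fields) for one libvirt audit line, else None."""
    m = re.match(r"type=(VIRT_\w+) .*?msg='(.*)'\s*$", line)
    if not m:
        return None
    return m.group(1), {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}


def parse_log(text):
    """Parse every libvirt record in an audit.log excerpt, skipping other record types."""
    return [rec for rec in map(parse_record, text.splitlines()) if rec]


def lifecycle_events(records):
    """(vm, op, res) for each lifecycle record; op is start, stop or init."""
    return [(f["vm"], f["op"], f["res"]) for t, f in records if t == "VIRT_CONTROL"]


def host_device_hotplug(records):
    """Host devices given to a running guest: resrc is hostdev or dev and the
    reason is not the boot-time enumeration (assumed here to be reason=start)."""
    return [(f["vm"], f["resrc"], f.get("dev")) for t, f in records
            if t == "VIRT_RESOURCE" and f.get("resrc") in ("hostdev", "dev")
            and f.get("reason") != "start"]


def failed_operations(records):
    """Records whose result is failed, keyed by the op or resrc that failed."""
    return [(t, f["vm"], f.get("op") or f.get("resrc"))
            for t, f in records if f.get("res") == "failed"]
```

Run against a real audit.log the same functions apply unchanged, since auditd writes one record per line in exactly this key=value layout.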