Skip to content

Event Logging

PPA emits a rich set of events via Syslog. In combination with a SEIM, these can be used to create a comprehensive audit trail of activity on the appliance.

Supported events

PPA emits messages for the following events:

Event name Description
TaskStart Task has started
TaskCancel Task has been cancelled
TaskWaitHook Task wait hook has received user input
TaskLog Task has sent a custom syslog message
SecretAuthorized Secret access has been authorized (by a running task)
VaultAuthorized Vault access has been authorized (by a running task)
ImageBuild Task image has built (Task Builder)
ImageDeploy Task image has been deployed (Task Builder)
ImageUpdateMetadata Task image metadata has been edited
ImageUpdateOwner Task image owner has been edited
ImageUpdateDelegates Task image delegated groups have been edited
ImageArchive Task image has been deleted
PlaybookInsert Playbook has been created
PlaybookUpdate Playbook has been edited
PlaybookUpdateMaintainers Playbook maintainer groups have been edited
PlaybookDelete Playbook has been deleted
AgentInsert Agent has been created
AgentUpdate Agent has been edited
AgentDelete Agent has been deleted
RoleInsert Role has been created
RoleUpdate Role has been edited
RoleDelete Role has been deleted
VaultInsert Vault has been created
VaultUpdate Vault has been edited
VaultDelete Vault has been deleted
ScheduleInsert Schedule has been created
ScheduleUpdate Schedule has been edited
ScheduleDelete Schedule has been deleted
ConfigUpdate Configuration has been edited
UserAuth User has signed in
UserSetActive User has been activated/deactivated
APIKeyRegenerate Key has been regenerated
Techout Techout has been generated

Message fields

PPA provides the following additional fields:

Field name Description
user User responsible for triggering the event
image Task image name (if relevant)
task Task uuid (if relevant)
details Additional contextual information

The details field contains different information depending on the type of event. Here are some examples:

UserAuth

{
  "context": {
    "addr": "123.456.789.10",
    "auth_type": "password"
  }
}

TaskCancel

{
  "context": {
    "trigger": "ui"
  },
  "type": "task",
  "owner": "ppa.demo.user"
}

VaultInsert

{
  "inserted": {
    "driver": "hashicorp-vault",
    "host": "ppa.demo.vault:8200",
    "name": "PPA demo vault"
  },
  "type": "vault"
}

ImageUpdateMetadata

{
  "updated": {
    "name": {
      "current": "Current Name",
      "previous": "Previous Name"
    },
    "tags": {
      "added": ["demo", "qa", "v2.5.0"],
      "removed": ["v2.4.0"]
    }
  },
  "type": "image",
  "owner": "ppa.demo.user"
}