Security audit log
Basic overview
The following page explains the different events that are logged when using the ‘Security audit log’.
A ‘Security audit log’ can be used to track relevant activities performed in Valsight.
The relevant files to activate the security audit log are located in the Valsight settings (navigation bar) → Metric and Logs → Download ‘Valsight Security Audit Log Files (ZIP)’.
What is logged?
Each event has the following aspects that are logged via the security audit log:
| Header | Description |
|---|---|
| Time | When the event occurred |
| User | The logged in user who caused the event |
| Object type | On what object type the event occurred (Group, User, Project, Model, …) |
| Object key | The exact object on which the event occurred |
| Project | The exact project in which the event occurred |
| Action type | Which event occurred |
| Action parameter1 | Additional info if all other headers aren’t enough |
| Action parameter2 | Additional info if all other headers aren’t enough |
| Action parameter3 | Additional info if all other headers aren’t enough |
Precise details about newly logged objects and what we log on them:
| Domain Object | Action Type | Detail |
|---|---|---|
| AssumptionGroup | Property change | Name |
| DataParameter | Deleted | Except when deleted by deleting a workspace, model or project |
| DataParameter | Property change | Everything except description |
| DataParameterVariant | Line-item data change | |
| DataParameterVariant | Delete | Except when deleted by deleting a workspace, project or data parameter |
| Dimension | Created | |
| Dimension | Deleted | Except when deleted by deleting a project |
| Dimension | Property change | Everything except description |
| ExternalDataSource | Deleted | Except when deleted by deleting a project |
| Level | Created | |
| Level | Deleted | |
| Level | Property change | Everything |
| Model | Property change | Only modelConfig changes are logged |
| Model | Deleted | Except when deleted by deleting a project |
| Node | Property change | Everything except description and displayConfig |
| PlanningWorkflow | Deleted | Except when deleted by deleting a project |
| ProjectVariable | Created | |
| ProjectVariable | Property change | Both name and value |
| ProjectVariable | Deleted | Except when deleted by deleting a project |
| ScenarioExportTemplate | Deleted | Except when deleted by deleting a project |
| SimulationRun | Property change | The values name, baseline and parentSimulationRun |
| SimulationRun | Deleted | Except when deleted by deleting a project or workspace |
| SimulationRunVariable | Created | |
| SimulationRunVariable | Property change | Includes the value of the original. This is also logged when we create a variable override, to log the changes between the project’s and scenario’s values. |
| SimulationRunVariable | Deleted | Except when deleted by deleting a project, model, workspace or scenario |
| SimulationWorkspace | Property change | Everything in the simulationConfig |
| SimulationWorkspace | Deleted | Except when deleted by deleting a project |
| WorkflowStep | Deleted | Except when deleted by deleting a workflow or project |
Logged events
Add+Create/Remove+Delete/Change
| Event | Action type | Action Parameter 1 | Action Parameter 2 | Action Parameter 3 | Added in Version |
|---|---|---|---|---|---|
| Adding permissions | Added permission | For which user/group is the permission added | / | / | SINCE BEGINNING |
| Adding a role to the user or group | Added role | name of the role | / | / | SINCE BEGINNING |
| Adding a user to a group | Added user to group | user | / | / | SINCE BEGINNING |
| Creating a user or group | Created | ‘preAuth’, ‘SAML’, ‘openIdConnect’ or no parameter | / | / | SINCE BEGINNING |
| Create project variables | Created | ‘value’ | variable value | / | 5.8.0 |
| Update project variables | Property change | parameter type either ‘name’ or ‘value’ | parameter old value | parameter new value | 5.8.0 |
| Scenario variable | Created | / | / | / | 5.8.0 |
| Update scenario variable | Property change | ‘value’ | Value of project variable the scenario variable is overriding | scenario variable value | 5.8.0 |
| Delete scenario variable | Deleted | / | / | / | 5.8.0 |
| Dimension row added | Property change | dimRowAdded | name of each level and the value added to the level (including extended levels) | / | 5.8.0 |
| Removing permissions | Removed permission | For which user/group is the permission removed | / | / | SINCE BEGINNING |
| Removing a role from the user or group | Removed role | name of the role | / | / | SINCE BEGINNING |
| Removing user from the group | Removed user from the group | user | / | / | SINCE BEGINNING |
| Deleting a user or group | Deleted | / | / | / | SINCE BEGINNING |
| Node deletion | Deleted | names of the node, its model and project | / | / | 4.0.0 |
| Model deleted | Deleted | name of the model, name of the project space | / | / | 5.8.0 |
| Workspace deleted | Deleted | the name of the project space it belongs to | / | / | 5.8.0 |
| Data source deleted | Deleted | the name of the project space it belongs to | / | / | 5.8.0 |
| Workflow deleted | Deleted | the name of the project space it belongs to | / | / | 5.8.0 |
| Submission deleted | Deleted | the name of the project space it belongs to | / | / | 5.8.0 |
| Dimension deleted | Deleted | the name of the project space it belongs to | / | / | 5.8.0 |
| Templates deleted | Deleted | the name of the project space it belongs to | / | / | 5.8.0 |
| Project variable deleted | Deleted | / | / | / | 5.8.0 |
| Scenario variable deleted | Deleted | / | / | / | 5.8.0 |
| A line item variant is deleted | Deleted | data parameter variant’s key | / | / | 5.8.0 |
| Changing the project or application setting | Changed setting | A detailed description on which setting was changed, what was the previous value and what is the new value | / | / | SINCE BEGINNING |
| Changing password of the user | Password changed | / | / | / | SINCE BEGINNING |
| Changed data access permissions on a dimension or level (value) | Data permissions | / | / | / | 3.1.0 |
| Moving a node | Node changed models | old model | new model | / | 4.0.0 |
| A line item variant is updated | Line-item data change | / | / | / | 5.0.0 |
| A line item was selected or unselected from a scenario | Line item selection | ‘selected’ or ‘unselected’ | parameter’s key | / | 3.1.0 |
| A line item variant is ‘selected’ or ‘unselected’ from being associated with a scenario | Line-item selection | ‘selected’ or ‘unselected’ | data parameter variant’s key | / | 5.0.0 |
| User enabled or disabled | Property change | ‘enabled’ | old value | new value | 3.7.0 |
Actions by users
| Event | Action type | Action Parameter 1 | Action Parameter 2 | Action Parameter 3 | Added in Version |
|---|---|---|---|---|---|
| User creates, deletes or reverts a version | Versioning action | ‘versioned’, ‘shared’, ‘unshared’, ‘deleted version’ or ‘reverted’ | optional: the created version or version you are reverting from | optional: workflow’s key if it was a submission | 3.1.0 |
| User links or unlinks levels | Object linking | ‘extended’ or ‘extension removed’ | the key of the level that we are extending by or removing the extension to | / | 3.1.0 |
| User removes a value from a level | Property change | ‘levelValueRemove’ | the value | | 3.1.0 |
| User changes a value of a level | Property change | ‘levelValueChange’ | the value | | 3.1.0 |
| User changes the parent value of a value | Property change | ‘levelValueParentChange’ | the value | <old_parent> → <new_parent> | 3.1.0 |
| User renames an object | Property change | ‘name’ | old name | new name | 3.1.0 |
| User changes a property on an object | Property change | name of the property | new value | | 3.1.0 |
| User moves a line item from one group to another | Property change | ‘movedFromGroup’ or ‘movedToGroup’ | the group | | 3.1.0 |
| User does an action on a debug page | Special admin action | action name | HTTP method used | | 3.1.0 |
| User logged in | User logged in | ‘preAuth’, ‘SAML’, ‘openIdConnect’ or no parameter | / | / | SINCE BEGINNING |
| User failed to log in | Failed login | User that failed to log in | empty or ‘credentials OK - user blocked’ or ‘credentials OK - IP blocked’ | / | SINCE BEGINNING |
| User uploads a file that may change a DS or dimension table | File upload | / | / | / | 3.1.0 |
| User downloaded log files | Log download | ‘server.log’ or ‘securityAudit.csv’ | / | / | 3.1.0 |
| User was denied access to modify data | Data permissions write denied | Level value | Data permission class name | / | 3.8.8 |
| User performed an action that caused time dimension data to be regenerated | Time dimension change | [<start_date>…<end_date>]…Q<year_start_quarter> | / | / | 3.1.0 |
| User saved or discarded the workspace | Workspace save action | ‘save’, ‘discard’, ‘saveAs’ | / | / | 3.1.0 |
| User changed data of a line item | Line item data change | / | / | / | 3.1.0 |
| User changed data of a line item variant | Line item data change | / | / | / | 5.0.0 |
| User changes line item name | Property change | ‘name’ | old name | new name | 5.0.0 |
| User changes line item slider minimum | Property change | ‘sliderMin’ | old value | new value | 5.8.0 |
| User changes line item slider maximum | Property change | ‘sliderMax’ | old value | new value | 5.8.0 |
| User changes line item slider step | Property change | ‘sliderStep’ | old value | new value | 5.8.0 |
| User created new API key | API key created | / | / | / | 3.6.0 |
| A user’s session ends, either through an explicit logout or an inactivity timeout. NOTE: If the session ends due to an inactivity timeout, it can take 30 - 40 minutes for it to be registered as expired in the log. The time of the log entry therefore cannot be taken as the time the session actually expired. | User logged out | Username of the user associated with the session | / | / | 5.8.0 |
| User changed the dimension table from a data source table | Property change | ‘dimensionTable’ | ‘autoDim’ | Audit key of the data source table | 5.8.0 |
Block events
| Event | Action type | Action Parameter 1 | Action Parameter 2 | Action Parameter 3 | Added in Version |
|---|---|---|---|---|---|
| User blocked, due to too many unsuccessful consecutive logins | User blocked | ‘unsuccessful logins’ | / | / | SINCE BEGINNING |
| Blocked user manually unblocked | User unblocked | ‘on boot’ or no parameter | / | / | SINCE BEGINNING |
| Blocking IPs due to too many unsuccessful consecutive logins from the same IP | IP blocked | The blocked IP | / | / | SINCE BEGINNING |
File export/import
| Event | Action type | Action Parameter 1 | Action Parameter 2 | Action Parameter 3 | Added in Version |
|---|---|---|---|---|---|
| Chart exported | File export | ‘Formatted export’ or ‘Raw export’ | / | / | 5.8.0 |
| Workspace Export | File export | ‘Formatted export’ or ‘Raw export’ | / | / | 5.8.0 |
| Line item Download Excel | File Export | ‘Data parameter download’ | DataParameter audit key | / | 5.8.0 |
| Assumption group Download Excel. Note: A separate log line will be made for each line item in the assumption group | File Export | ‘Assumption group download’ | AssumptionGroup audit key | / | 5.8.0 |
| Download Excel for all assumption groups. Note: A separate log line will be made for each line item in each of the assumption groups | File Export | ‘Bulk workspace download’ | Workspace audit key | / | 5.8.0 |
| Node data preview download | File Export | Audit key of either the Baseline or SimulationRun associated with the data preview | / | / | 5.8.0 |
| Project export | File Export | / | / | / | 5.8.0 |
| Tampered project import | Tampered project import | Detailed reason, one of the following: | / | / | 6.0.0 |
Others
| Event | Action type | Action Parameter 1 | Action Parameter 2 | Action Parameter 3 | Added in Version |
|---|---|---|---|---|---|
| Host header poisoning - The supplied host header is not included in the allowlist | Bad Host Header | Actual host header | / | / | 3.3.0 |
| JDBC / OData table import | External Datasource import | names of the imported tables | / | / | 4.0.0 |
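
A triage pass over an exported securityAudit.csv, using the action types from the tables above. This is an added example, not Valsight code; it assumes a comma-separated file whose header row uses the names from the ‘What is logged?’ table, and the sample rows (timestamps, object types, host value) are constructed.

```python
import csv
import io
from collections import Counter

# Action types from the tables on this page that merit review on sight.
HIGH_SIGNAL = {
    "User blocked", "IP blocked", "Bad Host Header",
    "Tampered project import", "Special admin action",
    "API key created", "Log download",
}

# Constructed sample. Assumption: comma-separated, header names as in the
# "What is logged?" table; real exports may differ in delimiter or naming.
SAMPLE_CSV = """\
Time,User,Object type,Object key,Project,Action type,Action parameter1,Action parameter2,Action parameter3
2024-05-01T08:00:01Z,,User,alice,,Failed login,alice,,
2024-05-01T08:00:05Z,,User,alice,,Failed login,alice,,
2024-05-01T08:00:09Z,,User,alice,,Failed login,alice,,
2024-05-01T08:00:10Z,,User,alice,,User blocked,unsuccessful logins,,
2024-05-01T08:02:00Z,,User,alice,,Failed login,alice,credentials OK - user blocked,
2024-05-01T09:15:00Z,bob,User,bob,,User logged in,SAML,,
2024-05-01T09:20:00Z,bob,Log,,,Log download,securityAudit.csv,,
2024-05-01T09:30:00Z,,Request,,,Bad Host Header,constructed.invalid,,
"""

def triage(csv_text, failed_login_threshold=3):
    """Return (findings, failed_login_counts) for one audit log export."""
    findings = []
    failed = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Action type"].strip()
        p1 = row["Action parameter1"].strip()
        p2 = row["Action parameter2"].strip()
        if action == "Failed login":
            failed[p1] += 1  # parameter 1 is the user that failed to log in
            # Parameter 2 "credentials OK - ..." means the correct password
            # was presented while the user or IP was blocked: review it.
            if p2.startswith("credentials OK"):
                findings.append((row["Time"], "valid-credentials-while-blocked", p1))
        elif action in HIGH_SIGNAL:
            findings.append((row["Time"], action, p1))
    # Summarise repeated failures per account after the row-level findings.
    for user, count in failed.items():
        if count >= failed_login_threshold:
            findings.append(("", "failed-login-burst", f"{user} x{count}"))
    return findings, failed

if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV)[0]:
        print(finding)
```

‘User logged out’ is left out of the rules on purpose: as noted above, its timestamp can trail an inactivity timeout by 30 - 40 minutes, so it is not a reliable input for time-window correlation.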