Audit event export#
Package Security Manager (On-prem) can be configured to automatically generate and export a list of events from the system to external storage, such as an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, or to a valid network storage location.
Anaconda records the following events for export, organized by type:
Event types
artifact
artifact_copied
artifact_downloaded
artifact_generated
artifact_metadata_updated
artifact_registered
artifact_removed
artifact_skipped
artifact_view_refreshed
authentication
auto_role_added
auto_role_deleted
auto_role_updated
build
build_channel_cve_notification
channel
channel_created
channel_cve_count_update
channel_deleted
channel_group_added
channel_group_deleted
channel_refresh_complete
channel_reindex
channel_unfrozen
channel_updated
cve
cve_deleted
cve_update_finished
cve_updated
group
group_user_added
group_user_deleted
mirror
mirror_deleted
mirror_registered
mirror_updated
mirroring
mirroring_completed
mirroring_failed
mirroring_started
mirroring_stopped
report
report_generated
sbom
sbom_deleted
sbom_updated
user
user_token_created
user_token_metadata_updated
user_token_revoked
user_token_updated
To establish a background job to generate and export a chronological recording of events that have occurred within the system:
Open a terminal and connect to your instance of Package Security Manager.
Open your installer directory, where the
docker-compose.yml
file is located, by running the command:# Replace <INSTALLER> with the name of your installer directory cd <INSTALLER>.
Open your
docker-compose.yml
file using your preferred file editor.Find the
repo_worker:
section of the file.Add the following variables to the
repo_worker:
environment:
section:Variable
Description
REPO_ENABLE_GENERATE_AUDIT_REPORTS=true
Required. Enables the background job to operate.
REPO_SCHEDULE_AUDIT_REPORT_CRON=<CRON>
Required. Sets the frequency of the job. Replace
<CRON>
with a valid CRON expression.REPO_AUDIT_REPORT_FS=<PARENT_DIRECTORY>
Required. Replace
<PARENT_DIRECTORY>
with an S3 bucket location or a valid file directory path, likefile://{BASE_PATH}/statedir/audit-logs
REPO_AUDIT_REPORT_DOWNLOAD_AS=<FORMAT>
Optional. Can set the output for the report as either
csv
orjson
. If this value is not provided, the report will default tocsv
format.REPO_CONFIGURE_AUDIT_EVENT_TYPES=<TYPE>,<TYPE>
Optional. Specifies that the job only generates and exports these value types in the report. Replace
<TYPE>
with event types as described above. Separate types with a comma. You can include as many event types as you require. If this variable is not provided, you will generate a report for all events.REPO_AUDIT_REPORT_FS_KMS_ID=<KMS_ID>
As necessary. Replace
<KMS_ID>
with your S3 bucket KMS ID, if it has one.Restart the
repo_worker
container by running the following command:docker compose up -d
Note
If you are using the REPO_CONFIGURE_AUDIT_EVENT_TYPES=
variable, the report will include the artifact_downloaded
events even if you do not include it.