
VM audit & logs

What does the Audit & Logs screen show?

  • The screen displays the Alert Summary and the logs generated by the VAE core.

  • After a model has been trained for a VM process, the VM is monitored and the VAE calculates a reconstruction error against that model for each new observation.

  • Reconstruction error: in the testing phase, anomaly detection feeds the VM's current behaviour (its feature vector for that timestamp) through the trained model and computes the mean squared error between the input and the model's reconstruction of it. This value is the reconstruction error; the further the current behaviour is from what the model learned during training, the larger it gets.

  • Since the VM's behaviour can never exactly match what was seen during training, a baseline threshold of 10 is applied to the reconstruction error to filter out false positives. If the reconstruction error rises above 10, the behaviour is considered anomalous and an alert log is sent out. The alert log carries the value of the reconstruction error together with a summary of the VM at that timestamp. The summary includes:

    • General information
      • instance name,
      • instance group,
      • instance ID,
      • instance status,
      • command issued at the given timestamp.

    • VM resource information
      • CPU,
      • memory,
      • block reads/writes,
      • process count.

    • Process activities
      • forked,
      • executed,
      • killed process counts.

    • File activities
      • opened,
      • deleted,
      • created file counts, etc.

    • Network activities
      • inbound/outbound connections,
      • port counts, etc.

  • On the left side of the VM audit log screen, the Alert Summary lists each instance (VM) with its instance name, each of its processes, the alert count, and the severity.

  • Select any process in the Alert Summary to open the detailed forensic view for that VM.

  • The Audit & Logs screen also plots the reconstruction error over time, so the user can see at a glance whether the VM has remained in an anomalous state for an extended period rather than spiking once.
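The scoring and alerting stage described above (reconstruction error, the threshold of 10, the alert log with its VM summary, and the "sustained anomalous state" the graph is meant to reveal), as an added example that is not the product's own code. The trained VAE itself is out of scope: each sample is paired with the reconstruction the model is assumed to have returned for it, and the example shows what happens from that point on. The feature names, instance details, commands and metric values are constructed for the example.

```python
"""Scoring and alerting stage of the VM anomaly detector described above.

Added example, not the product's own code. The model's reconstruction of each
sample is supplied as input (assumed model output); feature names, instance
details and values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# The page's baseline: a reconstruction error above 10 is treated as anomalous.
RECONSTRUCTION_ERROR_THRESHOLD = 10.0

# Assumed feature vector layout: one entry per metric the alert summary reports.
FEATURES = [
    "cpu", "memory", "block_rw", "process_count",       # VM resources
    "forked", "executed", "killed",                      # process activity
    "files_opened", "files_deleted", "files_created",    # file activity
    "conn_inbound", "conn_outbound", "port_count",       # network activity
]


@dataclass
class Sample:
    """What the monitor collected for one VM at one timestamp."""
    timestamp: str
    instance_name: str
    instance_group: str
    instance_id: str
    status: str
    command: str
    features: Dict[str, float]


def reconstruction_error(observed: Sequence[float], reconstructed: Sequence[float]) -> float:
    """Mean squared error between the observed vector and the model's reconstruction of it."""
    if not observed or len(observed) != len(reconstructed):
        raise ValueError("vectors must be non-empty and of equal length")
    return sum((o - r) ** 2 for o, r in zip(observed, reconstructed)) / len(observed)


def build_alert_log(sample: Sample, error: float) -> dict:
    """Alert log: the reconstruction error plus the VM summary, grouped as on the page."""
    f = sample.features
    return {
        "timestamp": sample.timestamp,
        "reconstruction_error": error,
        "threshold": RECONSTRUCTION_ERROR_THRESHOLD,
        "summary": {
            "general": {
                "instance_name": sample.instance_name,
                "instance_group": sample.instance_group,
                "instance_id": sample.instance_id,
                "status": sample.status,
                "command": sample.command,
            },
            "resources": {k: f[k] for k in ("cpu", "memory", "block_rw", "process_count")},
            "process_activity": {k: f[k] for k in ("forked", "executed", "killed")},
            "file_activity": {k: f[k] for k in ("files_opened", "files_deleted", "files_created")},
            "network_activity": {k: f[k] for k in ("conn_inbound", "conn_outbound", "port_count")},
        },
    }


def evaluate(sample: Sample, reconstructed: Dict[str, float],
             threshold: float = RECONSTRUCTION_ERROR_THRESHOLD) -> Optional[dict]:
    """Score one sample: return an alert log if the error exceeds the threshold, else None."""
    error = reconstruction_error([sample.features[k] for k in FEATURES],
                                 [reconstructed[k] for k in FEATURES])
    return build_alert_log(sample, error) if error > threshold else None


def longest_anomalous_run(errors: Sequence[float],
                          threshold: float = RECONSTRUCTION_ERROR_THRESHOLD) -> int:
    """Longest streak of consecutive samples above the threshold (a sustained anomalous state)."""
    best = current = 0
    for e in errors:
        current = current + 1 if e > threshold else 0
        best = max(best, current)
    return best


# Constructed data: a quiet web node, then the same node after a burst of forks,
# execs and new outbound connections.
_BASELINE = dict(cpu=42, memory=61, block_rw=120, process_count=85, forked=3, executed=2,
                 killed=1, files_opened=40, files_deleted=1, files_created=4,
                 conn_inbound=5, conn_outbound=7, port_count=6)
NORMAL_SAMPLE = Sample("2024-01-01T10:00:00Z", "web-01", "web", "i-0001", "running",
                       "nginx -g 'daemon off;'", dict(_BASELINE))
# Assumed model output: off by 2 on cpu and 3 on memory, so MSE = (4 + 9) / 13 = 1.0
NORMAL_RECONSTRUCTION = dict(_BASELINE, cpu=40, memory=58)
ANOMALOUS_SAMPLE = Sample("2024-01-01T10:05:00Z", "web-01", "web", "i-0001", "running",
                          "sh /tmp/setup.sh",
                          dict(_BASELINE, forked=15, executed=10, conn_outbound=11, port_count=12))
# Assumed model output stays at the learned baseline: diffs 12, 8, 4, 6 give MSE = 260 / 13 = 20.0
ANOMALOUS_RECONSTRUCTION = dict(_BASELINE)

if __name__ == "__main__":
    import json
    for sample, recon in ((NORMAL_SAMPLE, NORMAL_RECONSTRUCTION),
                          (ANOMALOUS_SAMPLE, ANOMALOUS_RECONSTRUCTION)):
        alert = evaluate(sample, recon)
        print(sample.timestamp, "ALERT" if alert else "normal")
        if alert:
            print(json.dumps(alert, indent=2))
    print("longest anomalous run:", longest_anomalous_run([1.0, 2.5, 20.0, 14.2, 11.7, 3.0, 25.0]))
```

One caveat worth keeping in mind when reading the page's fixed baseline of 10: a mean squared error is only meaningful relative to the scale of the feature vector the model was trained on, so the same threshold will behave differently if the metrics are re-scaled or the model is retrained. Treat 10 as the product's default, and check the error graph for a stretch of consecutive samples above it (as `longest_anomalous_run` does) rather than reacting to a single spike.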
