VxSuite TDP - v4
  • System Overview
    • Election Package
      • VxSuite Election Definition
      • Ballot Definition CDF
    • Hand Marked Ballots
    • Machine Marked Ballots
    • Cast Vote Records
    • VxScan Polls Reports
    • VxAdmin Results Exports
      • Tally Reports
      • Ballot Count Reports
      • CSV Exports
      • Write-In Adjudication Report
      • CDF ERR Export
    • Software Overview
    • User Roles
    • VxAdmin Function
    • VxCentralScan Function
    • VxAdmin & VxCentralScan Hardware
    • VxScan Function
    • VxScan Hardware
    • VxMark Function
    • VxMark Hardware
    • Ballot Interpretation
    • Diagnostics
    • Signed Hash Validation
  • System Performance & Specifications
    • Supported Voting Variations & Languages
    • System Limits
      • Maximum Tabulation Rate
    • Paper Ballot Specifications
    • Reliably Detectable Marks
    • Processing Capabilities
  • System Security, Auditing & Logging
    • System Security Architecture
      • Access Control
      • Artifact Authentication
        • Hashing of Continuously Exported Cast Vote Records
        • Preserving Voter Privacy
      • System Integrity
      • Networking
      • Password and Credential Policies
      • Defense-in-Depth and Least Privilege
      • Cryptography
    • Physical Security
    • Procedural and Operational Security
    • Audit Procedure
    • Logging
    • Vulnerability Management
    • Risk Assessment
    • Hardware Criticality and Supplier Analysis
  • Software Installation
    • Trusted Build
      • Build Machine Configuration
        • Installing Debian 12 on VxBuild
      • Online Phase
      • Offline Phase
      • Final Configuration
        • Secure Boot Signing
      • Hash/Checksum Verification of Dependencies
      • Virt Manager - Network Access & Troubleshooting
    • Imaging Machines
      • Preparing USB Drives for Imaging
      • Imaging
      • Basic Configuration Wizard
      • Verifying the Image Installed on a Machine
  • System Operations & Training Manual
  • System Inspection & Logic and Accuracy Testing
  • System Maintenance Manual
  • Usability & Accessibility
  • Audio Visual & Display Screen Settings
  • Quality Assurance Manual
  • Warranty Model
  • Public Documents
Powered by GitBook
On this page
  • Application Log Events
  • Log Management
  • Default VotingWorks Log Format
  • CDF Log Format
  • Error Logs
  • 15.1-D Logging Event Types Table
Export as PDF
  1. System Security, Auditing & Logging

Logging

All VxSuite applications use the same framework to log user actions, application processes, and errors. The logs are persisted to disk and can be exported by election managers or system administrators.

Application Log Events

VxSuite applications use a shared logging library to capture required or otherwise important application log events. The core metadata for each application log event maps roughly to VVSG 2.0 standards, with some additional fields:

  • Log Event ID - Internal identifier for each event. The full list of log event IDs with descriptions is included in the automatically generated log documentation.

  • Log Event Type - Describes whether the event is a status update or an action, and whether it originated with the user, application, or larger system. The full list of log event types with descriptions is included in the automatically generated log documentation.

  • User - If there was an authenticated user role at the time of a user action, describes the role as system_administrator, election_manager, poll_worker or vendor. If no user was authenticated, then unknown. If event does not originate from the user but rather automatically from the application or operating system, it will be system.

  • Disposition - For actions that can fail or succeed, success or failure. Otherwise na for not applicable.

  • Source - Indicates where in the system's architecture the log came from, whether it be the frontend renderer, the frontend server, the backend server, a hardware daemon, or the operating system.

  • Message - The log message itself, which may not be present if the log event ID sufficiently describes the event.

  • Other Metadata - Other metadata can be freely included. For example, if a user adds manual tallies on VxAdmin, the metadata of those manual tallies will be included in the logging.

  • Time Written - Timestamp of when the log was created.

Log Management

The shared logging library formats the log events as JSON and pushes them to application processes' stdout. All stdout output from the application processes - both the application log events and any process output - is sent to the system's logger utility and assigned the tag votingworksapp.

VxSuite uses rsyslog, an advanced implementation of the Syslog protocol, to centralize and manage logs from votingworksapp and other sources. rsyslog has advantages over the built-in Linux syslog implementation of the Syslog protocol, including JSON structured messages, advanced filtering, and increased performance. Using rsyslog, different types of logs are directed to different log files in /var/log/votingworks/:

Log File
Contents

vx-logs.log

Key logs required by VVSG 2.0 or otherwise critical for understanding the behavior of the application or device, including:

  • all application log events

  • USB device connection events

  • machine boot and shutdown events

  • all sudo actions

  • password events

  • dm-verity events

auth.log

All operating system authentication-related events. Note that this will not include voting system authentication events such as logging in with a smart card - these events are in vx-logs.log

syslog

All other events emitted from the application or the operating system that do not fall into the other log files.

vx-logs.log is the most important and informative file in most cases. The other files rarely need to be referenced. All logs required by VVSG certification will exist in vx-logs.log.

Because each log file can grow very large, the application will rotate logs if necessary with the logrotate utility on each startup. Previous log files will be compressed and suffixed with a timestamp.

Including the various log files and log rotation, below is an example of the list of log files that might appear on a device:

/var/log/votingworks/vx-logs.log
/var/log/votingworks/vx-logs.log-20241104.gz
/var/log/votingworks/vx-logs.log-20241105.gz
/var/log/votingworks/auth.log
/var/log/votingworks/syslog
/var/log/votingworks/syslog-20241105.gz

Default VotingWorks Log Format

{
    "timeLogWritten":"2024-11-05T15:51:51.246232-08:00",
    "host":"VotingWorks",
    "source":"vx-scan-backend",
    "eventId":"auth-login",
    "eventType":"user-action",
    "user":"poll_worker",
    "message":"User logged in.",
    "disposition":"success",
}

The default VotingWorks log format is how logs are formatted when emitted from the application and how they appear in vx-logs.log. It is a direct mapping of theApplication Log Events fields.

CDF Log Format

Logs can be exported in CDF format, in which case the vx-logs.log file is replaced by a vx-logs.cdf.json file with the logging attributes mapped as follows:

CDF Attribute

ElectionEventLog.GeneratedTime

ISO formatted timestamp of when logs were exported

ElectionEventLog.Device

List containing only the current device

Device.Type

The CDF DeviceType matching the type of machine:

  • VxAdmin -> "ems"

  • VxScan -> "scan-single"

  • VxCentralScan -> "scan-batch"

  • VxMark -> "bmd"

Device.Id

The serial number of the device

Device.Version

The software version e.g. "v3.1.2"

Device.Event

List of all events

Event.Id

A VotingWorks defined identifier for the type of event, such as "save-election-package-complete"

Event.Disposition

"success", "failure", "na", or "other"

Event.OtherDisposition

If the disposition is "other", the details appear here

Event.Sequence

The index of the log in the list of logs, zero-indexed

Event.TimeStamp

ISO formatted timestamp of when the event was logged

Event.Type

Log event type

Event.Description

Log message

Event.Details

JSON including the log source and any additional logging metadata

Event.UserId

The user at the time of the log

Error Logs

The log export flow exposed in all VxSuite applications also allows for exporting an errors-only version of the logs. This will only export a log file for logs where the disposition is "failure" and covers all software and hardware errors that have occurred on the machine.

15.1-D Logging Event Types Table

A full list of all logs made in the system with a description of each one can be found here. For convenience a table is provided below mapping Table 15-1 from VVSG 2.0 Requirement 15.1-D to the appropriate logs in the VotingWorks system. The details and descriptions provided in Table 15-1 have been simplified for brevity in this table. Some items have been expanded into multiple rows to more precisely specify linked logs.

General System Functions

System Event
Detail
Logging Details

Device generated error and exception messages

Errors can be logged with any LogEventId but are indicated by a Disposition of failure. All logs contain a Source. Every error is logged when it occurs and each log can be assumed to correspond to one instance of that error occurring unless otherwise stated in the log. VxScan violations of physical security include scanner cover open logs: scanner-state-machine-event

scanner-state-machine-transition VxScan violations of physical security include scanner cover open logs: mark-scan-state-machine-event

paper-handler-state-machine-transition

Critical system status messages

diagnostic and status messages upon startup

machine-boot-init machine-boot-complete

Critical system status messages

"zero totals" check

polls-opened toggled-test-mode

Critical system status messages

the initiation or termination of scanner and communications equipment operation

scanner-state-machine-event

scanner-state-machine-transition

mark-scan-state-machine-event

paper-handler-state-machine-transition

Critical system status messages

Printer errors

printer-status-changed

printer-print-complete

paper-handler-state-machine-transition With disposition of failure

Critical system status messages

Detection or remediation of malware or other malicious software

The system will not boot if malicious software is detected. dmverity-boot

Critical system status messages

Cryptographic boot validation success/failure

dmverity-boot

Non-critical status messages

device-attached usb-device-change-detected scanner-state-machine-event

scanner-state-machine-transition

mark-scan-state-machine-event

paper-handler-state-machine-transition Various other logs

Events that require election official intervention

device-unattached scanner-state-machine-event

scanner-state-machine-transition

mark-scan-state-machine-event

paper-handler-state-machine-transition auth-login Various other logs

Device shutdown and restarts

machine-shutdown-init machine-shutdown-complete

Changes to system configuration settings

It is not possible to change these configuration settings any attempt to do so will result in a sudo-action log.

Integrity checks for executables, configuration files, data, and logs

election-configured and import-cast-vote-record-complete logs will have failures if there were errors authenticating the files.

The addition and deletion of files

file-saved database-create-complete database-destroy-complete scanner-state-machine-event

System readiness results

diagnostic-init diagnostic-complete diagnostic-error election-configured polls-opened toggled-test-mode

Removable media events

usb-device-change-detected

Backup and restore

import-cast-vote-records-complete export-cast-vote-records-complete file-saved

Authentication and Access Control

System Event
Detail
Logging Details

Authentication related events

Login/logoff events

sudo-action auth-login auth-logout auth-pin-entry

Account lockout events

auth-pin-entry-lockout auth-logout

Password changes

password-change smart-card-program-complete

Access control related events

sudo-action password-change

User account and role (or groups) management activity

Programming smart cards to create new user accounts: smart-card-program-complete. All other security changes can only be made through configuring a new election-package with those settings: election-configured. Attempts to bypass or make changes to roles or permissions outside of this will not be allowed and result in a sudo-action and/or password-change log.

Networking

System Event
Logging Details

Enabling or disabling networking functionality

It is not possible to enable wired or wireless networking. Any attempt to bypass protections in place blocking this will result in an error and a sudo-action log.

Software

System Event
Logging Details

Installing, upgrading, patching, or modifying software or firmware

dmverity-boot

Changes to configuration settings

sudo-action password-change

Abnormal process exits

unknown-error

Successful and failed database connection attempts (if a database is uses)

database-connect-init database-connect-complete

Changes to cryptographic keys

sudo-action

Voting Functions

System Event
Detail
Logging Details

Ballot definition and modification

election-configured election-unconfigured

Voting events

Opening and closing polls

polls-opened polls-closed voting-paused voting-resumed reset-polls-to-paused

Voting events

Casting a vote

VxMark: vote-cast VxScan: scanner-state-machine-event with the event scanStart to indicate the voter has started feeding a ballot. If the voter has to cast from adjudication there will be an accept event.

Voting events

Canceling a vote during verification

VxMark: ballot-invalidated VxScan: scanner-state-machine-event with event reject

Voting events

Success or failure of log and election results exportation

export-cast-vote-record-complete file-saved

PreviousAudit ProcedureNextVulnerability Management

Last updated 13 days ago