PlanetLab Logs

PlanetLab logs are in two parts: I) PLC API access control logs, II) Per-node SSH logs.

I)PLC API access control logs


Each record in the 'events' file is a specific operation call made at PLC. Record fields are:

1) event_id: Unique identifier for the event. Event is a synonym for a remote operation call.

2) person_id: Unique ID belonging to the PlanetLab user who performed the call.

3) node_id: Unique ID belonging to the PlanetLab node which performed the call. A valid call has either the person_id or node_id field set.

4) fault_code: Indicates the result of a call, success or failure. Possible values for failure:

0 "Success"
100 Invalid method X"/td>
102 "Invalid argument"
103 "Failed to authenticate call"
106 "Database error"
108 "Permission denied"


5) call_name: The operation name. Refer to documentation for PLC API operations: http://www.planet-lab.org/doc/plc_api

6) call: The specific operation call parameters which are anonymized.

7) message: Optional message given by PLC after execution.

8) runtime: Time in seconds to perform the call.

9) time: Timestamp of the call.

10) auth_type: The method of authentication that the caller uses. (check out: http://www.planet-lab.org/doc/plc_api#Authentication)

Example:

Record in the 'events' file:

“1727553 8 \N 0 AddSliceToNodes (ANON, 13938, [10834]) \N 0.15730190277100001 2008-12-19 15:22:43.635522 password”

Explanation:

1) event_id: 1727553

2) person_id: 8

3) node_id: N/A

4) fault_code: 0

5) call_name: AddSliceToNodes

6) (ANON, 13938, [10834])

7) message:

8) runtime: 0.157301902771

9) time: 2008-12-19 15:22:43.635522

10) auth_type: password

Using PLC API method prototype:

In order to understand what the operation does, we check the description at http://www.planet-lab.org/doc/plc_api :

AddSliceToNodes (auth, slice_id_or_name, node_id_or_hostname_list)


The point to note here is that, the “AddSliceToNodes” operation gets three arguments. Whenever we see 'ANON' in an event record, that means the original log record has been altered for anonymity. Here, the actual 'auth' Python structure provided by the caller is deleted.

In some other operation parameters, the user emails are replaced by their Ids in order to perform anonimization, but still to be able to identify the user record being changed, looked up, etc. So if we see a dictinary parameter such as “{'email': 15398}”, this is because we replaced actual email address with user ID, which are both unique identifiers for a user.

The ID's for slices, persons, nodes are related to ID's of sites such that, each of those objects belongs to a site. This mapping is provided in this page as well.

It is important to read the PLC API page, and also to have a knowledge of Python lists and dictionaries to understand the way parameters are passed into the operation calls.

II) Per-node SSH logs


SSH logs are kept at every PlanetLab node. The content of those logs are made up of both SSH related logs, and also PlanetLab specific logging.

Here is some information about the format and meaning of different log entries that can be found inside the provided SSH log files.

Some different types of messages, indicated with their first two words, are as follows:

Accepted publickey
Bad protocol
Connection closed
delete user
Did not
fatal: Read
input_userauth_request: invalid
Invalid user
new user:
Postponed publickey
Received disconnect
reverse mapping



Full version examples of these are:

Accepted publickey for isi_tilestyle from 68.181.236.70 port 61843 ssh2
Bad protocol version identification 'POST http://tabletme.com/pills/cialis.php HTTP/1.1' from 94.76.199.10
Connection closed by 128.84.96.58
delete user `arizona_stork_install'
Did not receive identification string from 68.181.236.70
fatal: Read from socket failed: Connection reset by peer
input_userauth_request: invalid user uw_iplane
Invalid user uw_iplane from 128.208.3.157
new user: name=arizona_stork_install, UID=1421, GID=504, home=/home/arizona_stork_install, shell=/bin/vsh
Postponed publickey for pl_netflow from 128.112.139.45 port 45239 ssh2
Received disconnect from 202.121.135.4: 11: Bye Bye
Received disconnect from 80.223.117.241: 11: Closed due to user request.
reverse mapping checking getaddrinfo for arizona [134.193.129.81] failed - POSSIBLE BREAK-IN ATTEMPT!



The researchers interested in SSH log files should take a look at sshd logging both on the web and Linux man pages to understand the entries. For example, “Accepted publickey” means a successful login to the machine.


Log files / Info
Author
Description
PLC API logs
Soner
PlanetLab Central logs for API calls
SSH logs
Soner
Logs by March 8
SSH logs
Soner
Logs by June 8
SSH
logs

Soner
Logs by June 19
SSH
logs

Soner
Logs by July 5
SSH
logs

Soner
Logs by August 1
Slice
info

Soner
PlanetLab slice to site
mappings
Node
info

Soner
PlanetLab node to site
mappings
Person
info

Soner
PlanetLab user to site
mappings