Audit log

System reports information about user actions that could change Management Service state or behaviour such as:

  • changes of configuration

  • changes of users, roles, access etc.

  • changes of business entities such as device, scan workflow, price lists etc.

  • access to Management Service

  • authorization failures, attempts to get unauthorised access to resources (403)

  • undefined resourcess access (404)

  • other failures (technical errors)

Most of actions are logged as double row with action input and action output (or technical error).

Format

Audit messages are in format according to Syslog specification (RFC5424), so these attributes are logged:

  • Facilty - ("16" - that means local use 0)

  • Severity - ("6" - normal information) - there aren't now another cases. (See RFC for more info)

  • Version - "1"

  • Time - local time in ISO8601 format (it must respect RFC5424 specification, e.g. 2016-10-02T17:14:41.662+02:00)

  • Host - "localhost" or machine domain name or machine IP

  • App name - "MANAGEMENT_SERVICE"

  • Process ID - "-"

  • Message type ID - unique ID of the type of message (e.g. "USER_SAVE", "DEVICE_CREATE" ), the full list of available IDs can be obtained via API. For details how to access the API and usage see https://<management_url>/swagger-ui.html#/Audit

  • Structured message parameters as pair of name=value according to specification, e.g. "[web@18060 iut="3" eventSource="Application" eventID="1011"]"

    • Structured message parameters ID - "web@18060" for message strucutred parameters comming from web interface

    • These parameters are logged (its value of the parameter may be null or blank if isn't possible to detect):

      • auditPoint - point from message comes from, could have values:

        • METHOD_INPUT - for message with action input parameters

        • METHOD_OUTPUT - for message with action output parameters

        • METHOD_EXCEPTION - for message with action exceptional (technical error) parameters

      • crudType - type of the CRUD operation

        • CREATE - create resource

        • READ - read resource

        • UPDATE - update resource

        • DELETE - delete resource

        • CREATE_OR_UPDATE - create or update resource (when it couldn't be resolved if action creates or updates one)

        • UNKNOWN - action where couldn't be CRUD operation set

      • requestId - id of the request to track all action depending on the same request

      • requestIp - IP of the client machine

      • requestPath - path of the resource

      • sessionId - id of the user session

      • tenantDomain - domain of the tenant

      • tenantIdentification - unique identification of the tenant

      • userId - unique user identification

      • userName - name of the user

  • Message with it's parameters

    • Human readable message description

    • After message description there are message parameters in format similar to structured parameters, i.e. name=value such as "[param1="3" eventSource="Application" eventID="1011"]".

Technical parts of message (facility, severity, version, app name, process id) can be customized in the following section.

Configuration

Audit log message system can be configured as standard log4j2 logger according to documentation (for configuring syslog see this Syslog appender documentation). For information of the configuration file location see YSoft SafeQ Management Service Logs.

In configuration it's possible to change audit log format, setting up syslog server or disable audit log completely.

In Management Service log4j2.xml there's commented example of configuration:

...
<Appenders>
...
<!-- example of file audit log in RFC5424 format -->
<RollingFile name="management_audit_app" fileName="${cml_home}/logs/management-service-audit.log" filePattern="${cml_home}/logs/management-service-audit.log.%d{yyyy-MM-dd-HH}.%i">
<RFC5424Layout newLine="true" appName="MANAGEMENT_SERVICE" includeMDC="false" facility="LOCAL0"></RFC5424Layout>
<Policies>
<TimeBasedTriggeringPolicy/>
<SizeBasedTriggeringPolicy size="20 MB"/>
</Policies>
<DefaultRolloverStrategy max="500"/>
</RollingFile>
...
<!-- example of file audit log for syslog server -->
<Syslog name="management_audit_server_app"
format="RFC5424" host="127.0.0.1"
port="8515"
protocol="TCP"
appName="MANAGEMENT_SERVICE"
includeMDC="false"
facility="LOCAL0"
enterpriseNumber="18060"
newLine="true"
messageId="defaultMessageId"
id="defaultStructDataId"
mdcId="defaultMdcStructDataId"/>
...
</Appenders>
...
<!-- usage of appenders for syslog -->
<Logger name="EventLogger" level="info" additivity="false">
<AppenderRef ref="console_app"/>
<AppenderRef ref="management_log_app"/>
<AppenderRef ref="management_audit_app"/>
<AppenderRef ref="management_audit_server_app"/>
</Logger>
...