Audit log
The system reports information about user actions that could change Management Service state or behaviour, such as:
changes of configuration
changes of users, roles, access etc.
changes of business entities such as devices, scan workflows, price lists etc.
access to Management Service
authorization failures, attempts to get unauthorised access to resources (403)
access to undefined resources (404)
other failures (technical errors)
Most actions are logged as two rows: one with the action input and one with the action output (or technical error).
Format
Audit messages follow the Syslog specification (RFC5424), so these attributes are logged:
Facility - "16" (local use 0)
Severity - "6" (normal information); no other values are currently used. (See the RFC for more info)
Version - "1"
Time - local time in ISO8601 format (it must respect RFC5424 specification, e.g. 2016-10-02T17:14:41.662+02:00)
Host - "localhost" or machine domain name or machine IP
App name - "MANAGEMENT_SERVICE"
Process ID - "-"
Message type ID - unique ID of the message type (e.g. "USER_SAVE", "DEVICE_CREATE"); the full list of available IDs can be obtained via the API. For details on how to access and use the API, see https://<management_url>/swagger-ui.html#/Audit
Structured message parameters as name=value pairs according to the specification, e.g. "[web@18060 iut="3" eventSource="Application" eventID="1011"]"
Structured message parameters ID - "web@18060" for structured message parameters coming from the web interface
These parameters are logged (a parameter's value may be null or blank if it cannot be detected):
auditPoint - the point the message comes from; possible values:
METHOD_INPUT - for message with action input parameters
METHOD_OUTPUT - for message with action output parameters
METHOD_EXCEPTION - for message with action exception (technical error) parameters
crudType - type of the CRUD operation
CREATE - create resource
READ - read resource
UPDATE - update resource
DELETE - delete resource
CREATE_OR_UPDATE - create or update resource (when it cannot be determined whether the action creates or updates one)
UNKNOWN - action for which the CRUD operation could not be determined
requestId - ID of the request, used to track all actions belonging to the same request
requestIp - IP of the client machine
requestPath - path of the resource
sessionId - id of the user session
tenantDomain - domain of the tenant
tenantIdentification - unique identification of the tenant
userId - unique user identification
userName - name of the user
Message with its parameters
Human readable message description
The message description is followed by the message parameters in a format similar to the structured parameters, i.e. name=value, such as "[param1="3" eventSource="Application" eventID="1011"]".
The technical parts of the message (facility, severity, version, app name, process id) can be customized as described in the following section.
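An added example, not part of the original documentation or the product's code: a Python sketch that parses audit lines in the format described above and uses requestId and auditPoint to report requests whose METHOD_INPUT row has no matching METHOD_OUTPUT row. The sample lines, request IDs and function names are constructed for illustration, and one record per line following the RFC 5424 header layout is assumed.

```python
import re
from collections import defaultdict

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP-NAME PROCID MSGID, then the rest
HEADER = re.compile(r'^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$')
# Structured-data element with the ID the page gives for web interface parameters
SD_WEB = re.compile(r'\[web@18060((?: [^ =\]"]+="(?:\\.|[^"\\\]])*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:\\.|[^"\\\]])*)"')

def parse_audit_line(line):
    """Return header fields plus web@18060 parameters, or None if not RFC 5424."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri, version, ts, host, app, procid, msgid, rest = m.groups()
    rec = {"facility": int(pri) // 8, "severity": int(pri) % 8, "time": ts,
           "host": host, "app": app, "msgid": msgid, "params": {}}
    sd = SD_WEB.search(rest)
    if sd:
        # undo the RFC 5424 escapes \" \\ \] inside parameter values
        rec["params"] = {k: re.sub(r'\\(["\\\]])', r'\1', v)
                         for k, v in SD_PARAM.findall(sd.group(1))}
    return rec

def unmatched_inputs(lines):
    """Map requestId -> outcome for requests with METHOD_INPUT but no METHOD_OUTPUT."""
    points = defaultdict(set)
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["params"].get("requestId"):
            points[rec["params"]["requestId"]].add(rec["params"].get("auditPoint"))
    return {rid: ("exception" if "METHOD_EXCEPTION" in seen else "missing")
            for rid, seen in points.items()
            if "METHOD_INPUT" in seen and "METHOD_OUTPUT" not in seen}

# Constructed sample lines (not taken from a real installation); PRI 134 = 16*8 + 6
SAMPLE = [
    '<134>1 2016-10-02T17:14:41.662+02:00 localhost MANAGEMENT_SERVICE - USER_SAVE [web@18060 auditPoint="METHOD_INPUT" crudType="UPDATE" requestId="r-1" requestIp="192.0.2.10" userName="admin"] User save',
    '<134>1 2016-10-02T17:14:41.700+02:00 localhost MANAGEMENT_SERVICE - USER_SAVE [web@18060 auditPoint="METHOD_OUTPUT" crudType="UPDATE" requestId="r-1" requestIp="192.0.2.10" userName="admin"] User save',
    '<134>1 2016-10-02T17:15:02.118+02:00 localhost MANAGEMENT_SERVICE - DEVICE_CREATE [web@18060 auditPoint="METHOD_INPUT" crudType="CREATE" requestId="r-2" requestIp="192.0.2.10" userName="admin"] Device create',
    '<134>1 2016-10-02T17:15:02.130+02:00 localhost MANAGEMENT_SERVICE - DEVICE_CREATE [web@18060 auditPoint="METHOD_EXCEPTION" crudType="CREATE" requestId="r-2" requestIp="192.0.2.10" userName="admin"] Device create',
    '<134>1 2016-10-02T17:16:10.004+02:00 localhost MANAGEMENT_SERVICE - DEVICE_CREATE [web@18060 auditPoint="METHOD_INPUT" crudType="CREATE" requestId="r-3" requestIp="192.0.2.44" userName=""] Device create',
]

if __name__ == "__main__":
    print(unmatched_inputs(SAMPLE))
```

A request reported as "missing" has an input row with neither an output nor an exception row, which can indicate truncated or lost audit records and is worth checking against the rollover and syslog forwarding settings.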
Configuration
The audit log message system can be configured as a standard log4j2 logger according to the log4j2 documentation (for configuring syslog, see the Syslog appender documentation). For the location of the configuration file, see YSoft SafeQ Management Service Logs.
In the configuration it is possible to change the audit log format, set up a syslog server, or disable the audit log completely.
The Management Service log4j2.xml contains a commented-out example of the configuration:
...
<Appenders>
    ...
    <!-- example of file audit log in RFC5424 format -->
    <RollingFile name="management_audit_app" fileName="${cml_home}/logs/management-service-audit.log" filePattern="${cml_home}/logs/management-service-audit.log.%d{yyyy-MM-dd-HH}.%i">
        <RFC5424Layout newLine="true" appName="MANAGEMENT_SERVICE" includeMDC="false" facility="LOCAL0"></RFC5424Layout>
        <Policies>
            <TimeBasedTriggeringPolicy/>
            <SizeBasedTriggeringPolicy size="20 MB"/>
        </Policies>
        <DefaultRolloverStrategy max="500"/>
    </RollingFile>
    ...
    <!-- example of file audit log for syslog server -->
    <Syslog name="management_audit_server_app" format="RFC5424" host="127.0.0.1" port="8515" protocol="TCP" appName="MANAGEMENT_SERVICE" includeMDC="false" facility="LOCAL0" enterpriseNumber="18060" newLine="true" messageId="defaultMessageId" id="defaultStructDataId" mdcId="defaultMdcStructDataId"/>
    ...
</Appenders>
...
<!-- usage of appenders for syslog -->
<Logger name="EventLogger" level="info" additivity="false">
    <AppenderRef ref="console_app"/>
    <AppenderRef ref="management_log_app"/>
    <AppenderRef ref="management_audit_app"/>
    <AppenderRef ref="management_audit_server_app"/>
</Logger>
...