Viewing administration activity in the admin log

App Connect Enterprise stores a log of administration activity for each integration node and integration server.

About this task

Admin logs are generated for administration activities that occur at the level of integration nodes, managed integration servers, and independent integration servers. At the integration node level, the admin log contains information about events such as starting and stopping integration servers. At the integration server level, the admin log contains information about the admin events that occur on that server. The logs contain information such as the date and time of an action, the description and result of the action (success or failure), and the username and authorized role of the user who initiated the action.

The admin log is enabled by default, and you can view the data either by selecting the Admin Log tab in the App Connect Enterprise web user interface, or by using the administration REST API. The web user interface shows the most recent data for the integration node or server since it started, including the BIP message number, message text, timestamp, username, and authorized role. It also shows a set of tags for each entry, which can be used to identify such things as the message flow, the application, and the action that was performed. Admin events that are held in the integration node or server in-memory buffer are loaded and displayed when the tab is first selected. To display events that have occurred since the tab was opened, click Refresh. The timestamp shows when the tab was last refreshed.

You can filter the entries that are displayed in the web user interface, as described in Filtering admin log entries in the web user interface.

In addition to displaying admin log entries in the web user interface, you can write admin log entries for an integration node or server to a file, as described in Writing admin log entries to a file. For independent integration servers, you can configure administration logging to write to the console. For information about configuring administration logging, see Configuring administration logging.

Admin log entries are created for administration actions that are made through all MQSI commands, regardless of whether the integration node or server is running. When a command is run against a running integration node or server, the admin log entries are made by the integration node or server. These admin log events are held in an in-memory list, which can be accessed through the administration REST API and viewed through the Admin Log tab of the web user interface. If the admin logging fileLog option has been enabled for the integration node or server, the entries are also written to the AdminLog file. When a command is run against an integration node or server that is not running, the command writes the event to the AdminLog file, but it is not accessible to the administration REST API and cannot be viewed through the web user interface.

The username and role that are logged in an admin log entry depend on whether the request is made against a local or remote integration node or integration server (independent or managed), and on whether REST administration basic authentication or authorization is enabled:
  • For command, toolkit, web user interface, and REST API requests issued to a local integration node or integration server (where local means on the same machine):
    • The username is always the logged-in user on the machine.
    • If authorization is enabled, the authorized role is also set to the username.
  • For command, toolkit, web user interface, and REST API requests issued to a remote integration node or integration server (where remote means on a separate machine or using a connection that is specified using a hostname and port):
    • If basic authentication is enabled, the username is set to the authenticated user as verified through a locally-created user using the mqsiwebuseradmin command or LDAP.
    • If basic authentication is not enabled, the username is no-auth-user.
    • If authorization is enabled, the authorized role is the role that the user is assigned through the mqsiwebuseradmin command or LDAP groups. If the user has multiple roles, the authorized role is the one that granted them access for the request URL and method.
    • If authorization is not enabled, the authorized role is always no-auth-role.

You can disable the admin log by setting the enabled property in the AdminLog section of the node.conf.yaml or server.conf.yaml file for the integration node or server to false. The changes take effect when the integration node or server is restarted. For more information about how to configure administration logging for an integration node or server, see Configuring administration logging.