Configuring the level of audit information

Depending on your need, you can change the default setting that IBM Security Guardium Key Lifecycle Manager uses to collect audit information.

About this task

You can use the Audit page to change the audit information levels (Low or High) that are written to the audit log. Alternatively, you can use the following REST services to list and change the Audit.event.types property in the SKLMConfig.properties file:

Get Single Config Property REST Service and Update Config Property REST Service

Note: You can specify the value of the Audit.event.types property to be different than the value of the set audit level (Low or High). The audit level is then marked as Custom. You can create this audit level only by using the REST interface. A Custom level audits all failure events, and success events for the event types that you specify in the Audit.event.types property.
Your role must have the permission to the configure action.

Procedure

  1. Go to the appropriate page or directory.
    • Graphical user interface

      Log on to the graphical user interface. Click IBM Security Guardium Key Lifecycle Manager > Configuration > Audit and Debug.

    • REST interface

      Open the Swagger UI or a REST client.

  2. Change the value of the audit information level.
    • In the graphical user interface, select one of the following values for the Audit setting, then click OK.
      Low
      Logs minimal audit records.
      Selecting Low audits failure events only and sets the following property values in the SKLMConfig.properties file.
      Audit.event.types = all
      Audit.event.outcome = failure
      High (default)
      Stores the maximum number of audit records.
      Selecting High audits all failure and success events, and sets the following property values in the SKLMConfig.properties file.
      Audit.event.types = all
      Audit.event.outcome = success,failure
      Custom
      Stores audit records based on the specification that is provided in the configuration properties file.

      You cannot select this option. It is automatically selected and available only when the value of the Audit.event.outcome property is different than the value of the set audit level (Low or High).

    • REST interface
      1. Obtain the user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
      2. To run Get Single Config Property REST Service, send the HTTP GET request. Pass the user authentication identifier that you obtained in Step a along with the request message as shown in the following example.
        GET https://localhost:<port>/SKLM/rest/v1/configProperties/
        Audit.event.types
        Content-Type: application/json
        Accept : application/json
        Authorization: SKLMAuth userAuthId=139aeh34567m
        Accept-Language : en

        Success response might be as shown in the following example.

        Status Code : 200 OK
        Content-Language: en
        {"property":"Audit.event.types","value":"all"}
      3. Specify the necessary change. For example, you can use Update Config Property REST Service to limit the selection to two event types to store in the audit log by sending the following HTTP request:
        PUT https://localhost:<port>/SKLM/rest/v1/configProperties
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth authId=139aeh34567m
        Accept-Language: en
        { "Audit.event.types": "runtime,audit_management"}

What to do next

Rerun an operation that previously returned an error. Then, examine the audit log for details. For more information, see Audit records.