Audit logging configuration

The Auditing service creates an audit trail of security-related events. These events include all security-related settings changes and user login and logout operations. You can configure which audit events to log and how much information to include based on your auditing requirements.

The auditing configuration is controlled by the iisAdmin command. Security auditing trails assist in the detection of access to controlled information and application usage. Monitoring and analysis of the logged audit information can lead to improvements in the control of data access and the prevention of malicious or careless unauthorized access to sensitive data or configuration settings. The monitoring of application and individual user access, including system administration actions, provides an historic record of activity. This information allows you to adjust user or group security roles to enable or prevent access to application features. This information can also assist in showing compliance with corporate security policies.

The following events log audit records:

  • Creation and removal of users and groups
  • Assignment or removal of a user from a group
  • User password changes (does not log the password)
  • Changes to security roles assigned to users or groups
  • Changes to user or group permissions on a project and the associated project-level security roles that are assigned
  • Changes to mapped engine credentials
  • User login
  • User logout
  • Session termination
  • Session timeout
  • Changes to audit logging configuration settings

See Types of audit events for more information about these events.

Configuring auditing events

Use the iisAdmin command to configure auditing events. Use the following command to configure audit logs for different events:
  • Linux cue graphicUNIX cue graphic
    cd IS_install_path/ASBServer/bin
    ./ -set -key value -value value
  • Windows cue graphic
    cd IS_install_path\ASBServer\bin
    iisAdmin.bat -set -key value -value value
For example, to create an audit event for logout, use the following command:
./ -set -key -value ALL

Audit log files

The default naming convention for the audit files is ISauditLog_N.log.

The default path where audit files are located:
IBM® WebSphere® Application Server Network Deployment
  • Linux cue graphicUNIX cue graphic WAS_install_path/profiles/InfoSphere/logs
  • Windows cue graphic WAS_install_path\profiles\InfoSphere\logs
IBM WebSphere Application Server Liberty Profile
  • Linux cue graphicUNIX cue graphic IS_install_path/wlp/usr/servers/iis/logs
  • Windows cue graphic IS_install_path\wlp\usr\servers\iis\logs