NCIM audit logging

You can configure the GUI to log user interactions with the NCIM database.

About this task

You can configure the GUI to keep a log of the HTTP requests that a GUI user makes and that interact with the NCIM topology database.

Note: This feature can log usernames, which might be considered personally identifiable information with respect to local privacy laws.

NCIM audit logging is disabled by default.

The logged information is contained in the .log file for the component that performed the logged action.

The default format of log messages is: [timestamp] [thread name or ID] [Java class name].[reason] AUDIT: [read or write] [URL] [username] [session ID] [request parameters].

[Java class name]
Which part of the application the message came from.
[reason]
The reason is enter for the start of a request, or fail for a request that failed to complete successfully. A fail reason might be followed by letters that give a more specific reason for the failure. There is no message to indicate that the request succeeded, because most requests succeed.
[read or write]
If read, the request was read-only. If write, the request potentially modified some customer data. You must look at the request parameters to determine whether data was modified. The fields that are written after read or write are defined by the audit.log.message.template and audit.log.exclude.parameters properties.
[URL]
The URL requested by the user in a browser excluding the host and port.
[username], [session ID]
These parameters are reported by WebSphere Application Server, and can be used to follow the activity of a user's session.
[request parameters]
The parameters of the HTTP request, either in the URL or the request body. Parameters listed in the audit.log.exclude.parameters property are not logged.

An example log message follows: [2022-09-02T17:35:53.953] [WebContainer : 5] RetrieveMibInfo.enter AUDIT: read /ibm/console/ncp_mibbrowser/RetrieveMibInfo defaultWIMFileBasedRealm/itnmadmin zmrre8l_Tn4_B_Q5RcOCOGo variable -> "1.3.6.1.2.1.2.2.1.10"
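
A parser for the default message layout described above, added here as an example; it is not part of the product or its documentation. It assumes the default audit.log.message.template order, that the URL, username and session ID contain no spaces, and that parameters are rendered as name -> "value"; the function names and the SaveExample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumes the default template order (%1$s %5$s %2$s %3$s %4$s) and that the
# URL, username and session ID contain no spaces.
AUDIT_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<thread>[^\]]+)\] '
    r'(?P<java_class>\S+)\.(?P<reason>enter|fail[A-Za-z]*) AUDIT: '
    r'(?P<mode>read|write) (?P<url>\S+) (?P<username>\S+) (?P<session>\S+)'
    r'(?: (?P<params>.*))?$')
# Assumption: parameters are rendered as name -> "value", as in the page's example.
PARAM_RE = re.compile(r'(\S+) -> "([^"]*)"')

def parse_audit_line(line):
    """Return the fields of one AUDIT message, or None for any other log line."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["params"] = dict(PARAM_RE.findall(rec["params"] or ""))
    return rec

def session_activity(lines):
    """Group requests by (username, session ID): enter counts and failures."""
    summary = defaultdict(lambda: {"read": 0, "write": 0, "failed": []})
    for rec in filter(None, map(parse_audit_line, lines)):
        entry = summary[(rec["username"], rec["session"])]
        if rec["reason"].startswith("fail"):
            entry["failed"].append((rec["timestamp"], rec["mode"], rec["url"]))
        else:
            entry[rec["mode"]] += 1
    return dict(summary)

USER, SID = "defaultWIMFileBasedRealm/itnmadmin", "zmrre8l_Tn4_B_Q5RcOCOGo"
SAMPLE = [
    # Example line from the page.
    '[2022-09-02T17:35:53.953] [WebContainer : 5] RetrieveMibInfo.enter AUDIT: read '
    f'/ibm/console/ncp_mibbrowser/RetrieveMibInfo {USER} {SID} variable -> "1.3.6.1.2.1.2.2.1.10"',
    # Constructed lines: hypothetical class, URL, parameter and failure suffix.
    '[2022-09-02T17:36:10.101] [WebContainer : 7] SaveExample.enter AUDIT: write '
    f'/ibm/console/example/SaveExample {USER} {SID} name -> "core-router"',
    '[2022-09-02T17:36:10.250] [WebContainer : 7] SaveExample.failX AUDIT: write '
    f'/ibm/console/example/SaveExample {USER} {SID} name -> "core-router"',
    '[2022-09-02T17:36:11.000] [WebContainer : 7] Startup complete',  # not an AUDIT line
]

if __name__ == "__main__":
    for key, stats in session_activity(SAMPLE).items():
        print(key, stats)
```

If audit.log.message.template is changed from the default, the field order in the regular expression must be changed to match.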

To configure NCIM audit logging, complete the following steps:

Procedure

  1. To enable NCIM audit logging, edit the following file and set the audit.log.enabled property to true: $NMGUI_HOME/profile/logs/tnm/audit.properties.
  2. To configure NCIM audit logging, edit the following properties in the audit.properties file:
    audit.log.reads
    If true, log read-only actions. If false, do not log read-only actions. Read-write actions are always logged.
    audit.log.enters
    If true, log when a method is entered successfully. Failures are always logged.
    audit.log.message.template
    The template for log messages.
        %1$s
        This string is replaced with read or write, for read-only or read-write actions.
        %5$s
        This string is replaced with the URL.
        %2$s
        This string is replaced with the username.
        %3$s
        This string is replaced with the session ID.
        %4$s
        This string is replaced with the parameters of the action and their values. Parameters specified in the audit.log.exclude.parameters property are excluded.

    By default, all of the above strings are included in the order: %1$s %5$s %2$s %3$s %4$s.

    audit.log.exclude.parameters
    A comma-separated list of the parameters to be excluded from log messages. Names are case-sensitive. The default value is csrfToken,projectID,modelID,dojo.preventCache.