Process flow for [logging] and logcfg logging

Edit online

You can configure WebSEAL auditing you use both the [logging] stanza and the [aznapi-configuration] stanza.

When you use both configuration settings, WebSEAL processes the [aznapi-configuration] stanza before the [logging] stanza.

For example, assuming the following entries in the WebSEAL configuration file:

[logging]
requests = yes
requests-file =request.log

[aznapi-configuration]
logcfg = stats.pdweb.authn:file path=stats.log,log_id=stats
logcfg = http.agent:file path=abc.log,log_id=httplogs
logcfg = http.ref:file log_id=httplogs

WebSEAL processes these entries in the following manner:

  1. The [aznapi-configuration] stanza is read.
  2. The stats.log file with log_id=stats is opened. All stats.pdweb.authn events are logged to this file.
  3. The abc.log file with log_id=httplogs is opened. All http.agent events are logged to this file.
  4. Because the next log agent uses log_id=httplogs, all http.ref events are logged to the previously opened abc.log file.
  5. The [logging] stanza is read.
  6. HTTP request logging is enabled. All http.clf events are logged to the request.log file that uses the default log_id=clf. See the following example for an explanation of this default identifier.

HTTP logging using the [logging] stanza operates by generating its own default log agent entries. Each HTTP log file has a default value for the log_id parameter.

Log file log_id
request.log log_id=clf
referer.log log_id=ref
agent.log log_id=agent

If a logcfg entry in the [aznapi-configuration] stanza contains the same log_id as one used in the [logging] stanza, the HTTP log file is not created. Audit events with the same log_id are directed to 1 log file only. That 1 log file is always the first one opened.

In the following example, the abc.log file with log_id=clf is opened first. Because the HTTP requests logging defined in the [logging] stanza uses a default log_id=clf, the requests.log file is never created and all http.clf (requests) events are directed to abc.log file.

[logging]
requests = yes
requests-file = request.log

[aznapi-configuration]
logcfg = http.agent:file path=abc.log,log_id=clf
logcfg = http.ref:file log_id=clf

HTTP logging can be configured in the [logging] and [aznapi-configuration] stanzas. Therefore, it is possible to have duplicate entries for HTTP events in a log file when both mechanisms are enabled.

In the following example, http.clf audit events are recorded twice in the abc.log file:
  • From the event logging configuration.
  • From the enabled request logging, which uses log_id=clf by default. The requests.log is not created because the abc.log file with log_id=clf is opened first.
[logging]
requests = yes
requests-file =request.log

[aznapi-configuration]
logcfg = http.agent:file path=abc.log,log_id=clf
logcfg = http.ref:file log_id=clf
logcfg = http.clf:file log_id=clf