Auditing is defined as the logging of audit records. It includes the collection of data about system activities that affect the secure operation of the Security Access Manager server processes. Each Security Access Manager server can capture audit events whenever any security-related auditable activity occurs.
Auditing uses the concepts of a record, an audit event, and an audit trail. Each audited activity is called an audit event. The output of a specific server event is called a record. An audit trail is a collection of multiple records that document the server activity.
When configuring auditing, consider the source of the events that you want to capture. Audit trail files can capture authorization, authentication, and management events that are generated by the Security Access Manager servers. Audit events come from multiple sources, and you can collect any combination of the event types, or all of them, at the same time. Table 1 shows some of the event types that can be used for native auditing.
Event category | Description |
---|---|
audit.authz | Authorization events for WebSEAL servers |
audit.azn | Authorization events for base servers |
audit.authn | Authentication, credential acquisition authentication, password change, and logout events |
audit.authn.successful | Successful authentication, credential acquisition authentication, password change, and logout events |
audit.authn.unsuccessful | Failed authentication, credential acquisition authentication, password change, and logout events |
audit.http | HTTP access events |
audit.http.successful | Successful HTTP access events |
audit.http.unsuccessful | Failed HTTP access events |
audit.mgmt | Management events |
http | HTTP logging information |
http.clf | HTTP request information defined by the request-log-format configuration entry in the [logging] stanza. clf stands for common log format. |
http.ref | HTTP Referer header information |
http.agent | HTTP User-Agent header information |