Auditing Service
The Auditing Service allows you to log a set of events into a separate audit log file. All events are organized in groups. For example, the logging events User created and User deleted are grouped together and can therefore only be switched on or off together.
In the WebSphere® Integrated Solutions Console, the portal Auditing Service is listed as WP AuditService.
The section about available events later in this topic lists and describes the events that are available for auditing.
The audit logging output is written to the audit log file. No other log messages are written to this file. For an explanation of the contents of the audit log file refer to the section about the audit log file later in this topic.
Auditing service configuration
By default the audit logging service is disabled. This means that the service is loaded, but does not register any event listeners for audit logging. The auditing service configuration is controlled by the Auditing Service.
- audit.service.enable = (false)
- This is the global switch. Use it to switch the service on (true) or off (false). The default setting is false.
The actual log file access of the service can be configured by using the following property:
- audit.logFileName = log/audit_$create_time.log
- This property defines the location and the name of the audit log
file. The placeholder $create_time is replaced
by a timestamp during filename generation. A second placeholder $APPSERVER_NAME is
used for a vertical cluster configurations to make the log file name
unique. Example:
audit.logFileName = log/audit_$APPSERVER_NAME_$CREATE_TIME.log
The auditing service allows you to have the transaction ID written to the audit log file. The project ID can also be written to the audit log file. As these IDs can be very long and might not be required in every environment, you can disable the inclusion of the IDs.
- audit.showTransactionID.enable = (true)
- Use this property to disable transaction IDs in the audit log. To do this, change the value to false. The default value is true.
- audit.projects.enable = (true)
- Use this property to disable project IDs in the audit log. To do this, change the value to false. The default value is true.
You determine the events that you want to be logged by enabling the appropriate properties as required. Set the events that you want to enable to the value true. The following groups of events are defined:
audit.groupEvents.enable
audit.userEvents.enable
audit.portletEvents.enable
audit.roleEvents.enable
audit.roleBlockEvents.enable
audit.ownerEvents.enable
audit.resourceEvents.enable
audit.externalizationEvents.enable
audit.userInGroupEvents.enable
audit.webModuleEvents.enable
audit.applicationRoleEvents.enable
audit.principalToApplicationRoleMappingEvents.enable
audit.roleToApplicationRoleMappingEvents.enable
audit.domainAdminDataEvents.enable
audit.designerDeployServiceEvents.enable
audit.impersonationEvents.enable
audit.taggingEvents.enable
audit.ratingEvents.enable
audit.projectPublishEvents.enable The default value for all of these properties is false. That means that no events will be logged by default, even if you have switched the service on by setting the property audit.service.enable to true. For more details about which events are included in each group refer to the section about Available events.
To enable one or more groups of events, change the default value of the appropriate audit.eventGroup.enable property to true.
Available events
This section lists the events that you can log by using the auditing service. They are listed by the groups in which they are available. If you enable one group, all events in that group are logged.
| Audit logging group | Audit logging event | Meaning of the event |
|---|---|---|
| audit.groupEvents | Group created event | A new user group has been created via portal UIs. |
| audit.groupEvents | Group modified event | A user group has been modified via portal UIs. |
| audit.groupEvents | Group deleted event | A user group has been deleted via portal UIs. |
| audit.groupEvents | User created event | A new user has been created via portal UIs. |
| audit.groupEvents | User modified event | A user has been modified via portal UIs. |
| audit.groupEvents | User deleted event | A user has been deleted via portal UIs. |
| audit.portletEvents | Portlet Application created event | A new web module or portlet application has been created via portal UIs. |
| audit.portletEvents | Portlet Application modified event | A web module or portlet application has been modified via portal UIs. |
| audit.portletEvents | Portlet Application deleted event | A web module or portlet application has been deleted via portal UIs. |
| audit.roleEvents | Role assigned event | A portal role has been assigned to a user. The user has been given the specified type of access permission on all resources that are affected by this role. For example, this can be EDITOR on Page1. |
| audit.roleEvents | Role unassigned event | A portal role has been unassigned from a user. The user no longer has the specified access rights on the resources that are affected by this role. For example, the user is no longer EDITOR on Page1. |
| audit.roleBlockEvents | Role block modified event | The portal role block information of a resource has been changed. The event message contains a list of blocked and non-blocked roles on the given resource. As roles can either be inherited or propagated, there are two separate lists for inheriting roles and propagating roles. If only propagating role blocks have been changed, the list for inheriting roles is empty and vice versa. |
| audit.ownerEvents | Resource owner modified event | The owner of a resource has been changed. |
| audit.resourceEvent | Resource created event | A new resource has been registered. This event is triggered if the resource is registered in Portal Access Control. |
| audit.resourceEvents | Resource modified event | A registered resource has been modified. This event is triggered if the resource is modified in Portal Access Control. |
| audit.resourceEvents | Resource deleted event | A registered resource is no longer registered in Portal Access Control. This usually happens when a resource is deleted. |
| audit.externalizationEvents | Resource externalized event | A resource has been externalized. This means that access permissions to this resource are no longer controlled by Portal Access Control, but by an external Access Manager. For example, this can be Tivoli® Access Manager. |
| audit.externalizationEvents | Resource internalized event | A resource has been internalized. It is now controlled by Portal Access Control and no longer by an external Access Manager. |
| audit.userInGroupEvents | User added to group event | A user has been added to a group. The user is now a member of this group and therefore inherits access rights from the group. |
| audit.userInGroupEvents | User removed from group event | A user has been removed from a group. The user is no longer a member of that group and does no longer have the inherited access rights. |
| audit.webModuleEvents | Web Module installed event | A new web module has been installed or deployed. |
| audit.webModuleEvents | Web Module uninstalled event | An installed web module has been uninstalled. |
| audit.applicationRoleEvents | Application role created event | An application role has been created. |
| audit.applicationRoleEvents | Application role deleted event | An application role has been deleted. |
| audit.principalToApplicationRoleMappingEvent | Application role assigned event | An application role has been assigned to a user. The user has been given the access permissions contained in all the roles that are aggregated in this application role. |
| audit.principalToApplicationRoleMappingEvents | Application role unassigned event | An application role has been unassigned from a user. The user no longer has the access permissions contained in all the roles that are aggregated in this application role. |
| audit.roleToApplicationRoleMappingEvents | Role added to application role event | A portal role has been added to an application role. All permissions contained in the portal role are added to the application role. Effective immediately, these added permissions are given to all users or groups to whom the application role is currently assigned. |
| audit.roleToApplicationRoleMappingEvents | Role removed from application role event | A portal role has been removed from an application role. The users who had this application role no longer have the access permissions that are contained by this role. |
| audit.domainAdminDataEvents.enable | Domain administration data initialized event | The administrative data for a domain, such as administrative user, administrative group, and virtual root resource, has been initialized during the startup of the portal. For the lifetime of the current portal process, this user and group have administrative permissions on the domain resource hierarchy, starting from the virtual root resource. For details about this refer to the Access Control Data Management Service. This event is always thrown for each defined domain during server startup. As this is done by the system, no performing user will be logged. |
| audit.designerDeployServiceEvents.enable | Component installed event | A portlet application has been created by using IBM® Lotus® Component Designer. |
| audit.designerDeployServiceEvents.enable | Component modified event | A portlet application created by using IBM Lotus Component Designer has been modified. |
| audit.designerDeployServiceEvents.enable | Component uninstalled event | A portlet application created by using IBM Lotus Component Designer has been deleted. |
| audit.impersonationEvents | Impersonation started event | A user started impersonation with another user. Previewing as another user is not logged by this event. |
| audit.impersonationEvents | Impersonation ended event | A user ended impersonation with another user. Previewing as another user is not logged by this event. |
| audit.impersonationEvents | Impersonation attempted with no permission event | A user tried to impersonate another user but has no permission. The attempt to preview as another user without permission is not logged by this event. |
Audit log file
The audit log file contains one audit log message per line. All log messages start with a timestamp, followed by the optional transaction ID, the message code and the event message. Each event message contains the following:
- The user ID of the user who has performed the action which triggered the audit event
- Additional information about the event itself.
Events for actions that run in a transaction are written to the log file when the transaction is committed. If the transaction is rolled back, no event messages are written to the log file.
Events for actions that do not run in a transaction are written to the log immediately. In such cases it is not guaranteed that the related action was completed successfully.