Question & Answer
How can I collect usage information for Concurrent User and Authorized User charge metrics to ensure compliance with IBM Business Process Manager (BPM) Hybrid Entitlement?
To dynamically move users and workload across domains on demand, IBM Business Process Manager (BPM) Hybrid Entitlement offers IBM BPM on Cloud bundled with IBM BPM term licenses in a single part number. You can now commit to a cost-effective IBM BPM hybrid platform without worrying about how to deploy and use the software. However, while IBM BPM on Cloud provides usage information directly from the Reports page, IBM BPM does not provide usage information for concurrent and authorized users.
This technote includes a Java tool for tracking IBM BPM usage. The tool analyzes audit log files from the IBM WebSphere Application Server (WAS) Auditing Facility, and then aggregates the user count for a specified time frame. You can use the output from the tool to ensure compliance with the license entitlement:
- Concurrent users: Use 30-minute time slices (-t 30) to calculate concurrent users, then identify the 30-minute time slice with the highest number of users (e.g. over a day, or over a month) to determine your usage.
- Authorized users: Use the monthly reports to count the total number of unique users per month.
- The IBM WebSphere Application Server (WAS) Auditing Facility must be enabled. For more information, see the Auditing the security infrastructure topic in the IBM WebSphere Application Server Knowledge Center.
- Java Runtime Environment (JRE) V7 must be installed. IBM SDK for Java is part of your IBM BPM installation or you can download it for free from IBM developer kits.
2. Configuring the Auditing Facility
If you are enabling the Auditing Facility only for the user counter tool, ensure that you configure the following settings:
- Event type filters. Use the filters to specify the types of auditable security events. For this tool, it is sufficient to enable the following filter:
- Audit service provider and audit event factory. You can use the default values for both settings.
- The number and size of the audit logs. You need to keep audit log files from all application servers in the IBM BPM deployment environment for the full time period for which you want to calculate metrics. You must ensure that the log files required to calculate the metrics are available. Based on the amount of data logged in your system, you can customize the maximum number of audit log files and the maximum size of a log file. Depending on your settings, WebSphere Application Server might either overwrite the log files or stop the server if the maximum number of files is reached. If you use the default values, the audit log files are stored in the $(LOG_ROOT) directory of each JVM. The file names have the following format: BinaryAudit_<cell_name>_<node_name>_<server_name>_<timestamp>.log
|Event name||Outcome of event|
3. Running the tool
- To ensure that dates are interpreted correctly, use the same locale to run the tool that is used by the application servers.
- Because the tool analyzes all the audit logs in the audit log directory and its subdirectories, copy the audit log files from all your application servers into dedicated subdirectories, for example:
Run the tool from the command line:
java -Duser.language=en -Duser.country=US -jar usercounter-1.0.2.jar [-t <time slice in minutes>] [-verbose] [-norealm] <starting directory>
<starting directory>
Required. The parent directory for the audit log files. Even on Windows systems, use the forward slash as the file path separator, e.g. c:/temp/auditlogs. The starting directory can be relative.
-t <time slice in minutes>
Optional. By default, the tool aggregates users that access the system in any given 60-minute time slice, and also for the month. Change the time slice by specifying a different value. For example, -t 1440 creates daily reports.
-verbose
Optional. Includes the user names that were found in the given time slice. A set of ignored user names is part of every report. The tool uses heuristics to exclude system accounts.
-norealm
Optional. In some Single Sign-On environments, the RegistryUser field in an audit log entry might not contain the realm name as a prefix. For such environments, a regular run of the tool might return 0 users. A verbose run of the tool would show many ignored entries. The -norealm parameter tolerates audit log entries without realm name.
3.4 Sample output
C:\temp\usercount7>java -Duser.language=en -Duser.country=US -jar usercounter-1.0.2.jar -t 1440 ../usercount
Time slice report:
Time slice starting at: Fri Jul 22 02:00:00 CEST 2016: 3
Time slice starting at: Sat Jul 23 02:00:00 CEST 2016: 2
Time slice starting at: Sun Jul 24 02:00:00 CEST 2016: 2
Time slice starting at: Mon Jul 25 02:00:00 CEST 2016: 8
Time slice starting at: Thu Aug 25 02:00:00 CEST 2016: 3
ignored entries: [...]
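The following added example (not part of the IBM tool or the original technote) shows one way to find the peak time slice per month from a saved report, which is the figure the Concurrent User metric needs when the tool is run with -t 30. It assumes the report lines follow the "Time slice starting at: ..." format shown in the sample output; the function names and the sample report are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the tool's time slice report (run with -t 30).
SAMPLE_REPORT = """\
Time slice report:
Time slice starting at: Mon Jul 25 09:00:00 CEST 2016: 8
Time slice starting at: Mon Jul 25 09:30:00 CEST 2016: 11
Time slice starting at: Mon Jul 25 10:00:00 CEST 2016: 11
Time slice starting at: Thu Aug 25 14:30:00 CEST 2016: 3
ignored entries: [...]
"""

# Weekday, month, day, time, zone abbreviation, year, then the user count.
SLICE_RE = re.compile(
    r"^Time slice starting at: (\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\d{4}): (\d+)\s*$")

def parse_slices(report):
    """Return (start, zone, users) per time slice line; other lines are skipped."""
    slices = []
    for line in report.splitlines():
        m = SLICE_RE.match(line.strip())
        if not m:
            continue
        stamp, zone, year, users = m.groups()
        # The zone abbreviation is kept as text; strptime cannot parse "CEST" portably.
        start = datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")
        slices.append((start, zone, int(users)))
    return slices

def peak_per_month(slices):
    """Map 'YYYY-MM' to (peak users, slice starts that reach that peak)."""
    by_month = defaultdict(list)
    for start, _zone, users in slices:
        by_month[start.strftime("%Y-%m")].append((start, users))
    peaks = {}
    for month, entries in by_month.items():
        top = max(users for _start, users in entries)
        peaks[month] = (top, [s for s, u in entries if u == top])
    return peaks

if __name__ == "__main__":
    for month, (top, starts) in sorted(peak_per_month(parse_slices(SAMPLE_REPORT)).items()):
        print(month, "peak concurrent users:", top, "at", [s.isoformat() for s in starts])
```

Ties are reported as a list so that every slice reaching the monthly peak can be checked against the verbose output.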
15 June 2018