Audit 1.0

The Audit feature is used to report and track auditable events to ensure the integrity of your system.

The Audit feature introduces an infrastructure that serves two purposes:

  • Confirming the effectiveness and integrity of the existing configuration

  • Identifying areas where improvement to the configuration might be needed

The Audit feature can capture a range of auditable events that include events related to authentication, authorization, and logout. The feature provides a default audit file handler implementation that emits human-readable audit records to a file-based log. Each audit record is emitted in JSON format.

Enabling this feature

To enable the Audit 1.0 feature, add the following element declaration into your server.xml file, inside the featureManager element:

<feature>audit-1.0</feature>

Examples

Managing audit log files

The following example shows how to increase the individual file size to 100 MB, reduce the maximum number of archived audit log files to 50, and specify the compact attribute:

<auditFileHandler maxFiles="50" maxFileSize="100" compact="true">
</auditFileHandler>

Configuring the audit events to log

To specify only the audit events and outcomes that might be relevant in an environment, the events element can be defined with the audit event name and outcome. The following example specifies audit events and outcomes in the auditFileHandler element:

<auditFileHandler maxFiles="5" maxFileSize="20" compact="true">
    <events name="AuditEvent_1" eventName="SECURITY_AUTHN" outcome="SUCCESS"/>
    <events name="AuditEvent_2" eventName="SECURITY_AUTHN" outcome="REDIRECT"/>
    <events name="AuditEvent_3" eventName="SECURITY_AUTHN" outcome="FAILURE"/>
    <events name="AuditEvent_4" eventName="SECURITY_AUTHZ"/>
</auditFileHandler>

Encrypting and signing audit data

The following example shows the audit file handler with encryption and signing enabled. The encrypt and sign attributes must be specified in the auditFileHandler element along with the alias names of the certificates and the keystores that contain the certificates. The keystore element contains the private or public key that is used to encrypt and sign the data:

<keyStore id="auditEncKeyStore" password="Liberty" location="server1/resources/security/AuditEncryptionKeyStore.jks" type="JKS" />

<keyStore id="auditSignKeyStore" password="{aes}EzY9Oi0rJg==" location="server1/resources/security/AuditSigningKeyStore2.jks" type="JKS" />

<auditFileHandler encrypt="true" encryptAlias="#auditencryption#" encryptKeyStoreRef="auditEncKeyStore" sign="true" signingAlias="auditsigning2" signingKeyStoreRef="auditSignKeyStore">
</auditFileHandler>
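
The following check is an added example, not part of the product or its documentation. It verifies that a server.xml meets the requirement described above: when encrypt or sign is enabled, the alias and a keystore reference that resolves to a keyStore id must be present. The function name, the constructed sample (with one deliberately broken reference), and the rule that a password without an {aes} or {xor} prefix counts as plain text are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's fragments assembled into one server.xml,
# with signingKeyStoreRef deliberately pointing at an id that does not exist.
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>audit-1.0</feature></featureManager>
  <keyStore id="auditEncKeyStore" password="Liberty" type="JKS"
            location="server1/resources/security/AuditEncryptionKeyStore.jks"/>
  <keyStore id="auditSignKeyStore" password="{aes}EzY9Oi0rJg==" type="JKS"
            location="server1/resources/security/AuditSigningKeyStore2.jks"/>
  <auditFileHandler encrypt="true" encryptAlias="#auditencryption#"
                    encryptKeyStoreRef="auditEncKeyStore" sign="true"
                    signingAlias="auditsigning2" signingKeyStoreRef="auditSignStore"/>
</server>"""

# (switch attribute, alias attribute, keystore reference attribute)
PROTECTIONS = [("encrypt", "encryptAlias", "encryptKeyStoreRef"),
               ("sign", "signingAlias", "signingKeyStoreRef")]


def lint_audit_config(server_xml):
    """Return findings for the audit settings in a server.xml string."""
    root = ET.fromstring(server_xml)
    findings = []
    features = {(f.text or "").strip().lower() for f in root.iter("feature")}
    if "audit-1.0" not in features:
        findings.append("audit-1.0 is not listed in featureManager")
    keystores = {ks.get("id"): ks for ks in root.iter("keyStore")}
    referenced = set()
    for handler in root.iter("auditFileHandler"):
        for switch, alias, ref in PROTECTIONS:
            if handler.get(switch, "false").lower() != "true":
                continue  # protection not enabled, nothing to cross-check
            if not handler.get(alias):
                findings.append(f"{switch}=true but {alias} is missing")
            store_id = handler.get(ref)
            if not store_id:
                findings.append(f"{switch}=true but {ref} is missing")
            elif store_id not in keystores:
                findings.append(f"{ref}={store_id} matches no keyStore id")
            else:
                referenced.add(store_id)
    for store_id in sorted(referenced):
        password = keystores[store_id].get("password", "")
        # Assumption: no {aes} or {xor} prefix means a plain-text password.
        if not password.startswith(("{aes}", "{xor}")):
            findings.append(f"keyStore {store_id} has a plain-text password")
    return findings
```

Calling lint_audit_config(SAMPLE_SERVER_XML) returns two findings: the unresolved signingKeyStoreRef and the plain-text password on auditEncKeyStore.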

Configuring the audit log format

The JSON logging format makes it easier to manage log data by providing more structure to generated data. The following example shows how to configure the Audit feature to generate audit logs in the JSON logging format:

<logging messageFormat="json" messageSource="audit,message"/>

Features that this feature enables

Supported Java versions

  • JavaSE-1.8

  • JavaSE-11.0

  • JavaSE-15.0

Developing a feature that depends on this feature

If you are developing a feature that depends on this feature, include the following item in the Subsystem-Content header in your feature manifest file.

com.ibm.websphere.appserver.audit-1.0; type="osgi.subsystem.feature"