Audit logs

Audit logs record events that help you analyze the server runtime environment and applications. You can use audit logs to confirm the effectiveness of the existing environment configuration and identify areas where improvement to the configuration might be needed.

A runtime environment provides a state that contains the resources that are needed to support the processes that help to run an application. The data that applications generate in the server runtime environment is transmitted by the audit file handler and stored in audit logs. Audit logs provide a record of what action was conducted on the environment, when the action was conducted, why the action was conducted, and who is responsible for the action. All relevant data that is associated with the action is included in the audit event. You can report and track the audit events to ensure the integrity of your configured environment. The audit outcome helps to determine the status of the audit event after the associated actions are completed.

Audit events

An audit event is any action that occurs within the environment that can be represented by components. The following table shows the components that represent the audit event, the fields within the audit event that are associated with the components, and descriptions of the actions that occur within the audit event:

Audit event components
ComponentFieldDescription

What

eventName

outcome

What action occurred?
What was the result of the action?

When

eventTime

When did the action happen?

Who

initiator.host.address
initiator.host.agent

Who (person or service) initiated the action?

OnWhat

target.id
target.typeURI

What resource was targeted by the action?

Where

observer.id
observer.name

Where was the action observed?

FromWhere

observer.typeURI

From where did the action initiate?

ToWhere

target.host.address

To where was the action targeted?

Audit outcomes

An audit outcome is the final result of an audit event. The final result of audit events is specified as one of the following outcome types: SUCCESS, FAILURE, ERROR, REDIRECT, DENIED, INFO, and WARNING.

Audit file handler

An audit file handler emits audit data to an on-premises audit.log file. By default, the audit file handler writes audit records to an audit log file until the file reaches 20 MB. The audit log file is then archived and a new audit log file is started. The maximum number of archived audit log files, by default, is 100 after which the oldest archived log file is overwritten. To configure the audit file handler, you can configure the auditFileHandler element in the server.xml file. For more information, see the Audit feature. The audit file handler can be customized by specifying any of the config attributes, along with the auditFileHandler element. For more information, see auditFileHandler.

Audit logs can provide important details regarding the success or failure of user authentication. The following examples show the results of the success or failure of user authentication:

Successful form login flow to access a servlet application example

The following example demonstrates audit events that are logged for a successful form login with security authentication that is followed by role-based authorization to a web servlet application.

Security authentication redirects the user to a login form for entering an ID and password. The session field in the audit event records the HTTP session for this user interaction:

{
   "eventName": "SECURITY_AUTHN",
   "eventSequenceNumber": 2,
   "eventTime": "2020-07-31 11:52:38.091 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "redirect",
   "reason": {
      "reasonCode": "302",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "FormLoginServlet",
      "credential": {
         "type": "FORM"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/SimpleServlet",
      "realm": "BasicRealm",
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

The login form is successfully displayed and prompts the user to enter the user ID and password:

{
   "eventName": "SECURITY_AUTHN",
   "eventSequenceNumber": 3,
   "eventTime": "2020-07-31 11:52:38.572 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "reason": {
      "reasonCode": "200",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "/login.jsp",
      "credential": {
         "token": "BasicRealm",
         "type": "BASIC"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/login.jsp",
      "realm": "BasicRealm",
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

{
   "eventName": "SECURITY_AUTHZ",
   "eventSequenceNumber": 4,
   "eventTime": "2020-07-31 11:52:38.622 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "reason": {
      "reasonCode": "200",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "/login.jsp",
      "credential": {
         "type": "BASIC"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/login.jsp",
      "realm": "BasicRealm",
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

The user1 user ID is successfully authorized to access the FormLoginServlet application because the user is in the required Employee or Manager role:

\{
   "eventName": "SECURITY_AUTHZ",
   "eventSequenceNumber": 6,
   "eventTime": "2020-07-31 11:52:39.410 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "reason": {
      "reasonCode": "200",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "FormLoginServlet",
      "credential": {
         "token": "user1",
         "type": "LtpaToken2"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/SimpleServlet",
      "realm": "BasicRealm",
      "role": {
         "names": "[Employee, Manager]"
      },
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

Failed form login authentication example

The following example demonstrates the audit events that are logged for a failed form login by a user who cannot be authenticated against the user registry.

Security authentication redirects the user to a login form for entering a user ID and password. The session field in the audit event records the HTTP session for this user interaction.

After the login form prompts the user to enter the user ID and password, the baduser user ID fails authentication against the user registry and the user login is denied:

{
   "eventName": "SECURITY_AUTHN",
   "eventSequenceNumber": 5,
   "eventTime": "2020-07-31 13:46:55.205 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "denied",
   "reason": {
      "reasonCode": "403",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "null",
      "credential": {
         "token": "baduser",
         "type": "FORM"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "POST",
      "name": "/formlogin/j_security_check",
      "realm": "BasicRealm",
      "session": "0EREOocFtP9s4VvptJ4DHhi",
      "typeURI": "service/application/web"
   }
}