Audit log events reference list (CADF format)

The Open Liberty Audit feature captures auditable events that contain security details from the server runtime environment and applications. You can use the data that is generated from the audit events to analyze the configured environment.

Open Liberty can generate audit events in either CADF or JSON format. The audit events can be captured in the following CADF format types to help identify different areas where the configured environment can be improved:

SECURITY_AUDIT_MGMT

You can use the SECURITY_AUDIT_MGMT event to capture the the audit information from the management of the audit service. The following table provides the fields for the SECURITY_AUDIT_MGMT event and a description of each field:

SECURITY_AUDIT_MGMT event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: AuditService in the case of the audit service; AuditHandler: name of handler implementation in the case of a handler start.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

target.id

Identifier of the target of the action.

target.typeURI

Unique URI for the target of the event: server/audit/start in the case of an AuditService or handler start; server/audit/stop in the case of an AuditService or handler stop.

The following example shows the SECURITY_AUDIT_MGMT event that captures the start of the audit service and audit file handler:

{
    "eventName":"SECURITY_AUDIT_MGMT",
    "eventSequenceNumber":"0",
    "eventTime":"2018-07-10 12:15:34.339",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"AuditService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "target": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "typeURI":"service/audit/start"
    }
}
{
    "eventName":"SECURITY_AUDIT_MGMT",
    "eventSequenceNumber":"1",
    "eventTime":"2018-07-10 12:15:34.471",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"AuditHandler:AuditFileHandler",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "target": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "typeURI":"service/audit/start"
    }
}

SECURITY_MEMBER_MGMT

You can use the SECURITY_MEMBER_MGMT event to capture the audit information from SCIM operations or member management. The following table provides the fields for the SECURITY_MEMBER_MGMT event and a description of each field.

SECURITY_MEMBER_MGMT event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, associated with the request.

target.action

What action was being performed on the target.

target.appname

Name of the application to be accessed or run on the target.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action.

target.entityType

Generic name of the member being acted upon: PersonAccount, Group.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method being invoked on the target, such as, GET or POST.

target.name

Name of the target. The name includes urbridge, scim, or vmmservice, depending on the flow of the request. For example, if the call comes through a SCIM operation, the target name is scim.

target.realm

Realm name that is associated with the target.

target.repositoryId

Repository identifier that is associated with the target.

target.session

Session identifier that is associated with the target.

target.typeURI

Unique URI for the target of the event: server/vmmservice/action.

target.uniqueName

Unique name of the member being acted upon.

The following example shows a SECURITY_MEMBER_MGMT user record creation action:

{
    "eventName":"SECURITY_MEMBER_MGMT",
    "eventSequenceNumber":"13",
    "eventTime":"2018-07-24 10:58:45.284 EDT",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Java/1.8.0"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"HTTPS"
    },
    "target": {
        "action":"create",
        "appname":"RESTProxyServlet",
        "credential": {
            "token":"adminUser",
            "type":"BASIC"
        },
        "entityType":"PersonAccount",
        "host": {
            "address":"127.0.0.1:63571"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"POST",
        "name":"/ibm/api/scim/Users",
        "realm":"sampleCustomRepositoryRealm",
        "repositoryId":"sampleCustomRepository",
        "session":"myQz9fZu2ZUW0nEUWvEaiQC",
        "typeURI":"service/vmmservice/create",
        "uniqueName":"cn=usertemp,o=ibm,c=us"

    }

}

The following example shows a SECURITY_MEMBER_MGMT user lookup action:

{
    "eventName":"SECURITY_MEMBER_MGMT",
    "eventSequenceNumber":"14",
    "eventTime":"2018-07-24 10:58:45.343 EDT",
   "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Java/1.8.0"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"HTTPS"
    },
    "target": {
        "action":"get",
        "appname":"RESTProxyServlet",
        "credential": {
            "token":"adminUser",
            "type":"BASIC"
        },
        "entityType":"PersonAccount",
        "host": {
            "address":"127.0.0.1:63571"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"POST",
        "name":"/ibm/api/scim/Users",
        "realm":"sampleCustomRepositoryRealm",
        "repositoryId":"sampleCustomRepository",
        "session":"myQz9fZu2ZUW0nEUWvEaiQC",
        "typeURI":"service/vmmservice/get",
        "uniqueName":"cn=usertemp,o=ibm,c=us"
    }
}

SECURITY_API_AUTHN

You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field.

SECURITY_API_AUTHN event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

target.appname

Name of the application to be accessed or run on the target.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method that is being invoked on the target, such as, GET or POST.

target.name

Context root.

target.params

Names and values of any parameters that are sent to the target with the action.

target.realm

Realm name that is associated with the target.

target.session

HTTP session ID.

target.typeURI

Unique URI for the target of the event: service/application/web.

The following example shows a SECURITY_API_AUTHN event that results in a redirect:

{
    "eventName":"SECURITY_API_AUTHN",
    "eventSequenceNumber":"2",
    "eventTime":"2018-07-24 13:03:24.142 EDT",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"failure",
    "reason": {
        "reasonCode":"401",
        "reasonType":"HTTP"
    },
    "target": {
        "appname":"ProgrammaticAPIServlet",
        "credential": {
            "token":"user2",
            "type":"BASIC"
        },
        "host": {
            "address":"127.0.0.1:8010"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"GET",
        "name":"/basicauth/ProgrammaticAPIServlet",
        "params":"testMethod=login,logout,login&user=user2&password=*******",
        "realm":"BasicRealm",
        "session":"MDqMWXO--7cmdu4Oqkt8J3i",
        "typeURI":"service/application/web"

    }
}

SECURITY_API_AUTHN_TERMINATE

You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field.

SECURITY_API_AUTHN_TERMINATE event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

target.appname

Name of the application to be accessed or run on the target.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method that is being invoked on the target, such as GET or POST.

target.name

Context root.

target.params

Names and values of any parameters that are sent to the target with the action.

target.realm

Realm name that is associated with the target.

target.session

HTTP Session ID.

target.typeURI

Unique URI for the target of the event: service/application/web.

The following example shows a successful SECURITY_API_AUTHN_TERMINATE event:

{
    "eventName":"SECURITY_API_AUTHN_TERMINATE ",
    "eventSequenceNumber":"3",
    "eventTime":"2018-07-24 13:03:24.193 EDT",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"HTTP"
    },
    "target": {
        "appname":"ProgrammaticAPIServlet",
        "credential": {
            "token":"user1",
            "type":"BASIC"
        },
        "host": {
            "address":"127.0.0.1:8010"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"GET",
        "name":"/basicauth/ProgrammaticAPIServlet",
        "params":"testMethod=login,logout,login&user=user2&password=*******",
        "realm":"BasicRealm",
        "session":"MDqMWXO--7cmdu4Oqkt8J3i",
        "typeURI":"service/application/web"
    }
}

SECURITY_AUTHN

You can use the SECURITY_AUTHN event to capture the audit information from basic authentication, form login authentication, client certificate authentication, and JASPI authentication. The following table provides the fields for the SECURITY_AUTHN event and a description of each field.

SECURITY_AUTHN event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

target.appname

Name of the application to be accessed or run on the target.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method that is being invoked on the target, such as GET or POST.

target.name

Context root.

target.params

Names and values of any parameters that are sent to the target with the action.

target.realm

Realm name that is associated with the target.

target.session

HTTP session ID.

target.typeURI

Unique URI for the target of the event: service/application/web.

The following example shows a successful SECURITY_AUTHN event:

{
    "eventName":"SECURITY_AUTHN",
    "eventSequenceNumber":"6",
    "eventTime":"2018-07-24 13:03:28.652 EDT",
   "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"HTTP"
    },
    "target": {
        "appname":"ProgrammaticAPIServlet",
        "credential": {
            "token":"user1",
            "type":"BASIC"
        },
        "host": {
            "address":"127.0.0.1:8010"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"GET",
        "name":"/basicauth/ProgrammaticAPIServlet",
        "params":"testMethod=login,logout,login&user=invalidUser&password=*********",
        "realm":"BasicRealm",
        "session":"vvmysQmVNHt4OfCRNIflZBt",
        "typeURI":"service/application/web"
    }
}

SECURITY_AUTHN_DELEGATION

You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field.

SECURITY_AUTHN_DELEGATION event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

target.appname

Name of the application to be accessed or run on the target.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT.

target.delegation.users

List of users in the delegation flow, starting with the initial user that is invoking the action.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method that is being invoked on the target, such as GET or POST.

target.name

Context root.

target.params

Names and values of any parameters that are sent to the target with the action.

target.realm

Realm name that is associated with the target.

target.runas.role

RunAs role name that is used in the delegation.

target.session

HTTP session ID.

target.typeURI

Unique URI for the target of the event: service/application/web.

The following example shows a successful SECURITY_AUTHN_DELEGATION event:

{
    "eventName":"SECURITY_AUTHN_DELEGATION ",
    "eventSequenceNumber":"12",
    "eventTime":"2018-07-16 10:38:02.281",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"EJB"
    },
    "target": {
        "appname":"SecurityEJBA01Bean",
        "credential": {
            "token":"user2",
            "type":"BASIC"
        },
        "delegation": {
            "users":"user:BasicRealm/user2; user:BasicRealm/user99"
        },
        "host": {
            "address":"127.0.0.1:8010"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"GET",
        "name":"/securityejb/SimpleServlet",
        "params":"testInstance=ejb01&testMethod=runAsSpecified",
        "realm":"BasicRealm",
      "runas": {
            "role":"Employee"
        },
        "session":"b3g01JoFvsy7uKDNBqH7An-",
        "typeURI":"service/application/web"
    }
}

SECURITY_AUTHN_FAILOVER

You can use the SECURITY_AUTHN_FAILOVER event to capture the audit information from failover to basic authentication. The following table provides the fields for the SECURITY_AUTHN_FAILOVER event and a description of each field.

SECURITY_AUTHN_FAILOVER event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

target.appname

Name of the application to be accessed or run on the target.

target.authtype.failover

Name of the failover authentication mechanism.

target.authtype.original

Name of the original authentication mechanism.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM, or CLIENTCERT.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method that is being invoked on the target, such as GET or POST.

target.name

Context root.

target.params

Names and values of any parameters that are sent to the target with the action.

target.realm

Realm name that is associated with the target.

target.session

HTTP session ID.

target.typeURI

Unique URI for the target of the event: service/application/web.

The following example shows a SECURITY_AUTHN_FAILOVER event:

{
    "eventName":"SECURITY_AUTHN_FAILOVER",
    "eventSequenceNumber":"4",
    "eventTime":"2018-07-24 13:05:03.777 EDT",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"HTTPS"
    },
    "target": {
        "appname":"ClientCertServlet",
        "authtype": {
            "failover":"BASIC",
            "original":"CLIENT_CERT"
        },
        "credential": {
            "token":"LDAPUser1",
            "type":"BASIC"
        },
        "host": {
            "address":"127.0.0.1:8020"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"GET",
        "name":"/clientcert/SimpleServlet",
        "realm":"SampleLdapIDSRealm",
        "session":"-7moVRZaL1mU2SVf0RHP28x",
        "typeURI":"service/application/web"
    }
}

SECURITY_AUTHN_TERMINATE

You can use the SECURITY_AUTHN_TERMINATE event to capture the audit information from a form logout. The following table provides the fields for the SECURITY_AUTHN_TERMINATE event and a description of each field.

SECURITY_AUTHN_TERMINATE event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

target.appname

Name of the application to be accessed or run on the target.

target.authtype.failover

Name of the failover authentication mechanism.

target.authtype.original

Name of the original authentication mechanism.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method that is being invoked on the target, such as GET or POST.

target.name

Context root.

target.params

Names and values of any parameters that are sent to the target with the action.

target.realm

Realm name that is associated with the target.

target.session

HTTP session ID.

target.typeURI

Unique URI for the target of the event: service/application/web.

The following example shows a SECURITY_AUTHN_TERMINATE event:

{
    "eventName":"SECURITY_AUTHN_TERMINATE",
    "eventSequenceNumber":"13"
    "eventTime":"2018-07-24 13:02:50.813 EDT",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"HTTP"
    },
    "target": {
        "credential": {
            "token":"user1",
            "type":"FORM"
        },
        "host": {
            "address":"127.0.0.1:8010"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"POST",
        "name":"/formlogin/ibm_security_logout",
        "realm":"BasicRealm",
        "session":"oNbsJSCYJrg2SPqzlL-5YxG",
        "typeURI":"service/application/web"

    }

}

SECURITY_AUTHZ

You can use the SECURITY_AUTHZ event to capture the audit information from Java Authorization Contract for Containers (JACC) web authorization, unprotected servlet authorization, JACC EJB authorization, and EJB authorization. The following table provides the fields for the SECURITY_AUTHZ event and a description of each field.

SECURITY_AUTHZ event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of monitoring agent associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: SecurityService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP and HTTPS, that is associated with the request.

target.appname

Name of the application to be accessed or run on the target.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT.

target.ejb.beanname

EJB bean name for EJB authorization.

target.ejb.method.interface

EJB method interface for EJB authorization.

target.ejb.method.signature

EJB method signature for EJB authorization.

target.ejb.module.name

EJB module name for EJB authorization.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.method

Method that is being invoked on the target, such as GET or POST.

target.name

Context root.

target.params

Names and values of any parameters that are sent to the target with the action.

target.realm

Realm name that is associated with the target.

target.role.names

Roles that are identified as being needed. If none are specified, permit all roles for EJBs.

target.session

HTTP session ID.

target.typeURI

Unique URI for the target of the event: service/application/web.

The following example shows a successful WEB authorization event:

{
    "eventName":"SECURITY_AUTHZ",
    "eventSequenceNumber":"4",
    "eventTime":"2018-07-16 10:37:56.259",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"HTTP"
    },
    "target": {
        "appname":"SecurityEJBServlet",
        "credential": {
            "token":"user2",
            "type":"BASIC"
        },
        "host": {
            "address":"127.0.0.1:8010"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"GET",
        "name":"/securityejb/SimpleServlet",
        "params":"testInstance=ejb01&testMethod=runAsSpecified",
        "realm":"BasicRealm",
        "role": {
            "names":"[AllAuthenticated]"
        },
        "session":"NNLU_QCIGIOPHhKLWY1BxVJ",
        "typeURI":"service/application/web"
    }
}

The following example shows a successful EJB authorization:

{
    "eventName":"SECURITY_AUTHZ",
    "eventSequenceNumber":"5",
    "eventTime":"2018-07-16 10:37:56.719",
    "initiator": {
        "host": {
            "address":"127.0.0.1",
            "agent":"Apache-HttpClient/4.1.2 (java 1.5)"
        }
    },
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"SecurityService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"EJB Permit All"
    },
    "target": {
        "appname":"securityejb",
        "credential": {
            "token":"user2",
            "type":"BASIC"
        },
        "ejb": {
            "beanname":"SecurityEJBA01Bean",
            "method": {
                "interface":"Local",
                "signature":"runAsSpecified:"
            },
            "module": {
                "name":"SecurityEJB.jar"
            }
        },
        "host": {
            "address":"127.0.0.1:8010"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "method":"runAsSpecified",
        "name":"/securityejb/SimpleServlet",
        "params":"testInstance=ejb01&testMethod=runAsSpecified",
        "realm":"BasicRealm",
        "session":"NNLU_QCIGIOPHhKLWY1BxVJ",
        "typeURI":"service/application/web"
    }
}

SECURITY_JMS_AUTHN

You can use the SECURITY_JMS_AUTHN event to capture the audit information from JMS authentication. The following table provides the fields for the SECURITY_JMS_AUTHN event and a description of each field.

SECURITY_JMS_AUTHN event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMSMessagingImplementation.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.messaging.busname

Name of messaging bus.

target.messaging.callType

Identifies if call is remote or local.

target.messaging.engine

Name of the messaging engine.

target.messaing.loginType

Name of the login algorithm that is used, such as Userid+Password.

target.messaging.remote.chainName

If the operation is remote, the name of the remote chain name.

target.realm

Realm name that is associated with the target.

target.typeURI

Unique URI for the target of the event: service/jms/messaging.

The following example shows a successful SECURITY_JMS_AUTHN event:

{
    "eventName":"SECURITY_JMS_AUTHN",
    "eventSequenceNumber":"10",
    "eventTime":"2018-07-19 14:33:51.135 EDT",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"JMSMessagingImplementation",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"JMS"
    },
    "target": {
        "credential": {
            "token":"validUser",
            "type":"BASIC"
        },
        "host": {
            "address":"127.0.0.1:53166"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "messaging": {
            "busname":"defaultBus",
            "callType":"remote",
            "engine":"defaultME",
            "loginType":"Userid+Password",
         "remote": {
                "chainName":"InboundBasicMessaging"
            }
        },
        "realm":"customRealm",
        "typeURI":"service/jms/messagingEngine"
    }
}

SECURITY_JMS_AUTHZ

You can use the SECURITY_JMS_AUTHZ event to capture the audit information from JMS authorization. The following table provides the fields for the SECURITY_JMS_AUTHZ event and a description of each field.

SECURITY_JMS_AUTHZ event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMSMessagingImplementation.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request.

target.credential.token

Token name of the user that is performing the action.

target.credential.type

Token type of the user that is performing the action.

target.host.address

Host and port of the target.

target.id

Identifier of the target of the action.

target.messaging.busname

Name of the messaging bus.

target.messaging.callType

Identifies if the call is remote or local.

target.messaging.destination

Name of the messaging destination.

target.messaging.engine

Name of the messaging engine.

target.messaging.jmsActions

List of the actions that the credential is allowed.

target.messaging.jmsResource

Name of the JMS resource, such as QUEUE, TOPIC, or TEMPORARY DESTINATION.

target.messaging.operationType

Name of the operation that is being requested.

target.messaging.remote.chainName

If the operation is remote, the name of the remote chain name.

target.realm

Realm name that is associated with the target.

target.typeURI

Unique URI for the target of the event: service/jms/messaging.

The following example shows a successful SECURITY_JMS_AUTHZ event:

{
    "eventName":"SECURITY_JMS_AUTHZ",
    "eventSequenceNumber":"11",
    "eventTime":"2018-07-19 14:33:51.247 EDT",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"JMSMessagingImplementation",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"JMS"
    },
    "target": {
        "credential": {
            "token":"validUser",
            "type":"BASIC"
        },
        "host": {
            "address":"127.0.0.1:53166"
        },
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "messaging": {
            "busname":"defaultBus",
            "callType":"remote",
            "destination":"BANK",
            "engine":"defaultME",
            "jmsActions":"[BROWSE, SEND, RECEIVE]",
            "jmsResource":"queue",
            "operationType":"SEND",
            "remote": {
                "chainName":"InboundBasicMessaging"
            }
        },
        "realm":"customRealm",
        "typeURI":"service/jms/messagingResource"
    }
}

SECURITY_SAF_AUTHZ

You can use the SECURITY_SAF_AUTHZ event to capture the audit information from a request to the SAF Authorization Service API. The following table provides the fields for the SECURITY_SAF_AUTHZ event and a description of each field:

SECURITY_SAF_AUTHZ event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMXService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

target.access.level

Level of access that is requested.

target.applid

Identifier of the APPL class.

target.authorization.decision

A true value if the user is authorized to access the SAF resource in the SAF class, otherwise false.

target.credential.token

Token name of the user that is performing the action.

target.id

Identifier of the target of the action.

target.racf.reason.code

RACF reason code.

target.racf.return.code

RACF return code.

target.saf.class

Name of the SAF class that contains the SAF resource.

target.saf.profile

Name of the SAF resource that the user requests access to.

target.saf.return.code

SAF return code.

target.typeURI

Unique URI for the target of the event: service/application/web.

target.user.security.name

Username whose access to a SAF resource is being checked.

The following example shows a successful SECURITY_SAF_AUTHZ event:

{
   "eventName": "SECURITY_SAF_AUTHZ",
   "eventSequenceNumber": "4",
   "eventTime": "2019-04-29T19:45:16.161+0000",
   "observer": {
      "id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "target": {
      "access": {
         "level": "READ"
      },
      "applid": "BBGZDFLT",
      "authorization": {
         "decision": "true"
      },
      "credential": {
         "token": "WSGUEST"
      },
      "id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
      "racf": {
         "reason": {
            "code": "0"
         },
         "return": {
            "code": "0"
         }
      },
      "saf": {
         "class": "EJBROLE",
         "profile": "BBGZDFLT.AUTHSERV",
         "return": {
            "code": "0"
         }
      },
      "typeURI": "service/application/web",
      "user": {
         "security": {
            "name": "WSGUEST"
         }
      }
   }
}

SECURITY_SAF_AUTHZ_DETAILS

You can use the SECURITY_SAF_AUTHZ_DETAILS event to capture the audit information from a SAF Authorization event that is configured to throw a SAF authorization exception on failure. The following table provides the fields for the SECURITY_SAF_AUTHZ_DETAILS event and a description of each field:

SECURITY_SAF_AUTHZ_DETAILS event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMXService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

target.access.level

Level of the access that is requested.

target.applid

Identifier of the APPL class.

target.authorization.decision

A true value if the user is authorized to access the SAF resource in the SAF class, otherwise false.

target.credential.token

Token name of the user that is performing the action.

target.id

Identifier of the target of the action.

target.racf.reason.code

RACF reason code.

target.racf.return.code

RACF return code.

target.saf.class

Name of the SAF class that contains the SAF resource.

target.saf.profile

Name of the SAF resource that the user requests access to.

target.saf.return.code

SAF return code.

target.typeURI

Unique URI for the target of the event: service/application/web.

target.user.security.name

Username whose access to a SAF resource is being checked.

The following example shows a successful SECURITY_SAF_AUTHZ_DETAILS event:

{
   "eventName": "SECURITY_SAF_AUTHZ_DETAILS",
   "eventSequenceNumber": "5",
   "eventTime": "2019-04-30T13:59:11.688+0000",
   "observer": {
      "id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "target": {
      "applid": "BBGZDFLT",
      "authorization": {
         "decision": "true"
      },
      "credential": {
         "token": "WSGUEST"
      },
      "id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
      "racf": {
         "reason": {
            "code": "0"
         },
         "return": {
            "code": "0"
         }
      },
      "saf": {
         "class": "EJBROLE",
         "profile": "BBGZDFLT.AUTHSERV",
         "return": {
            "code": "0"
         }
      },
      "user": {
         "security": {
            "name": "RSTUSR1"
         }
      }
   }
}

JMX_MBEAN_REGISTER

You can use the JMX_MBEAN_REGISTER event to capture the audit information from JMX MBean registration. The following table provides the fields for the JMX_MBEAN_REGISTER event and a description of each field.

JMX_MBEAN_REGISTER event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMXService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome.

target.id

Identifier of the target of the action.

target.jmx.mbean.action

MBean action being performed: register, unregister.

target.jmx.mbean.name

Name of the MBean being acted upon.

target.realm

Realm name that is associated with the target.

target.typeURI

Unique URI for the target of the event: server/mbean.

The following example shows a successful JMX_MBEAN_REGISTRATION event:

{
    "eventName":"JMX_MBEAN_REGISTER",
    "eventSequenceNumber":"12",
    "eventTime":"2018-07-25 14:42:40.772 EDT",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"JMXService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"Successful MBean registration"
    },
    "target": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "jmx": {
            "mbean": {
                "action":"registerMBean",
                "name":"web:name=ClassLoaderMBean"
            }
        },
        "realm":"QuickStartSecurityRealm",
        "typeURI":"server/mbean"
    }
}

JMX_MBEAN

You can use the JMX_MBEAN event to capture the audit information from JMX_MBEAN operations. The following table provides the fields for the JMX_MBEAN event and a description of each field.

JMX_MBEAN event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMXService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome.

target.id

Identifier of the target of the action.

target.jmx.mbean.action

MBean action being performed: query, create, invoke.

target.jmx.mbean.name

Name of the MBean being acted upon.

target.realm

Realm name that is associated with the target.

target.typeURI

Unique URI for the target of the event: server/mbean.

The following example shows a successful query of an MBean JMS_MBEAN event:

{
    "eventName":"JMX_MBEAN",
    "eventSequenceNumber":"24",
    "eventTime":"2018-07-25 14:42:44.119 EDT",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"JMXService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"Successful query of MBeans"
    },
    "target": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "jmx": {
            "mbean": {
                "action":"queryMBeans",
                "name":"java.lang:type=Threading"
            }
        },
        "realm":"QuickStartSecurityRealm",
        "typeURI":"server/mbean"
    }
}

JMX_MBEAN_ATTRIBUTES

You can use the JMX_MBEAN_ATTRIBUTES event to capture the audit information from JMX MBEAN attribute operations. The following table provides the fields for the JMX_MBEAN_ATTRIBUTES event and a description of each field.

JMX_MBEAN_ATTRIBUTES event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

initiator.host.address

Host address of the initiator of the event.

initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMXService.

observer.typeURI

Unique URI of the observer of the event: service/server.

outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB that is associated with the request, or the state behind the outcome.

target.id

Identifier of the target of the action.

target.jmx.mbean.action

MBean action that is being performed on the MBean attribute. getAttribute and setAttribute methods are supported.

target.jmx.mbean.attribute.names

Name of one or more attributes being acted upon.

target.jmx.mbean.name

Name of the MBean that is being acted upon.

target.realm

Realm name that is associated with the target.

target.typeURI

Unique URI for the target of the event: server/mbean.

The following example shows a successful JMX_MBEAN_ATTRIBUTES event:

{
    "eventName":"JMX_BEAN_ATTRIBUTES",
    "eventSequenceNumber":"43",
    "eventTime":"2018-07-25 14:42:51.070 EDT",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"JMXService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"Successful retrieval of MBean attributes"
    },
    "target": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "jmx": {
            "mbean": {
                "action":"getAttributes",
                "attribute": {
                    "names":"[TotalStartedThreadCount = 132][CurrentThreadCpuTimeSupported = true]"
                },
                "name":"java.lang:type=Threading"
            }
        },
        "realm":"QuickStartSecurityRealm",
        "typeURI":"server/mbean"
    }
}

JMX_NOTIFICATION

You can use the JMX_NOTIFICATION event to capture the audit information from JMX notifications. The following table provides the fields for the JMX_NOTIFICATION event and a description for each field.

JMX_NOTIFICATION event fields
FIELDSDESCRIPTION

eventName

Name of the audit event.

eventSequenceNumber

Sequence number of the audit event.

eventTime

Time that the event occurred.

observer.id

Identifier of the observer of the event.

observer.name

Name of the observer of the event: JMXService.

observer.typeURI

Unique URI of the observer of the event: service/server.

Outcome

Outcome of the event.

reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome.

target.id

Identifier of the target of the action.

target.jmx.mbean.action

MBean action that is being performed on one or more MBean attributes.

target.jmx.notification.filter

Name of the notification filter.

target.jmx.notification.listener

Name of the notification listener.

target.jmx.notification.name

Name of the notification.

target.realm

Realm name that is associated with the target.

target.typeURI

Unique URI for the target of the event: server/mbean/notification.

The following example shows a successful JMX_NOTIFICATION:

{
    "eventName":"JMX_NOTIFICATION",
    "eventSequenceNumber":"37",
    "eventTime":"2018-07-25 14:27:24.303 CDT",
    "observer": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "name":"JMXService",
        "typeURI":"service/server"
    },
    "outcome":"success",
    "reason": {
        "reasonCode":"200",
        "reasonType":"Successful add of notification listener"
    },
    "target": {
        "id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
        "jmx": {
            "mbean": {
                "action":"addNotificationListener"
            },
            "notification": {
                "filter":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationFilter",
                "listener":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationListener",
                "name":"web:name=Notifier1"
            }
        },
        "realm":"QuickStartSecurityrealm",
        "typeURI":"server/mbean/notification"

    }
}