JSON log events reference list
Open Liberty generates JSON logging events from the server runtime and applications. You can use these events to gather and analyze data that can help to better understand the behavior of applications.
The following types of events are generated by Open Liberty:
Message events
The following table provides the fields for message events and a description for each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
message | The message from the log record, starting with the message ID. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_datetime | Time at which the event occurred. |
ibm_messageId | Message ID in the log line, which can be used to find out specific types of errors, for example, SRVE0250I. |
module | Logger name from the log record. |
loglevel | Severity indicator (F = Fatal, E = Error, W = Warning, A = Audit, I = Info, O = SystemOut, R = SystemErr). |
ibm_methodName | Method name from the log record. |
ibm_className | Class name from the log record. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ext_thread | Name of the thread that is the source of the event. |
ext_appName | Name of the application that logged the message. |
The following example shows a message event:
{
"type":"liberty_message",
"host":"9e1eceec70c1",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"defaultServer",
"message":"BADAP0004W: BadApp Angry for test",
"ibm_threadId":"0000009f",
"ibm_datetime":"2020-05-04T12:33:26.064+0000",
"ibm_messageId":"BADAP0004W",
"module":"com.ibm.ws.lumberjack.badness.Angry",
"loglevel":"WARNING",
"ibm_methodName":"doGet",
"ibm_className":"Angry",
"ibm_sequence":"1588595606064_0000000000024",
"ext_thread":"Default Executor-thread-108",
"ext_appName":"BadApp"
}
Trace events
The following table provides the fields for trace events and a description for each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
message | The message from the log record. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_datetime | Time at which the event occurred. |
ibm_messageId | Message ID in the log line, which can be used to find out specific types of errors, for example, SRVE0250I. |
module | Logger name from the log record. |
loglevel | Severity indicator (1 = Fine, 2 = Finer, 3 = Finest, > = Entry, < = Exit). |
ibm_methodName | Method name from the log record. |
ibm_className | Class name from the log record. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ext_thread | Name of the thread that is the source of the event. |
ext_appName | Name of the application that logged the message. |
The following example shows a trace event:
{
"type":"liberty_trace",
"host":"9e1eceec70c1",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"defaultServer",
"message":"BadApp Angry test",
"ibm_threadId":"0000009f",
"ibm_datetime":"2020-05-04T12:33:26.066+0000",
"ibm_messageId":"BADAP0001W",
"module":"com.ibm.ws.lumberjack.badness.Angry",
"loglevel":"FINE",
"ibm_methodName":"doGet",
"ibm_className":"Angry",
"ibm_sequence":"1588595606066_0000000000001",
"ext_thread":"Default Executor-thread-108",
"ext_appName":"BadApp"
}
FFDC events
The following table provides the fields for the first failure data capture (FFDC) events and a description for each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
message | The message from the exception that triggered the event. |
ibm_className | The class that emitted the FFDC event. |
ibm_exceptionName | The exception that is reported in the FFDC event. |
ibm_probeID | The unique identifier of the FFDC point within the class. |
ibm_threadId | The thread ID of the FFDC event. |
ibm_stackTrace | The stack trace of the FFDC event. |
ibm_objectDetails | The incident details for the FFDC event. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
The following example shows a FFDC event:
{
"type":"liberty_ffdc",
"host":"252ecfa1f755",
"ibm_userDir":"\/opt\/ibm\/wlp\/usr\/",
"ibm_serverName":"defaultServer",
"ibm_datetime":"2020-03-24T19:08:14.579+0000",
"message":"A metric named com.acmeair.web.AuthServiceRest.com.acmeair.web.AuthServiceRest.login with tags app=\"acmeair-authservice-java\" already exists",
"ibm_className":"com.ibm.ws.microprofile.metrics.impl.MetricRegistryImpl",
"ibm_exceptionName":"java.lang.IllegalArgumentException",
"ibm_probeID":"656",
"ibm_threadId":"00000275",
"ibm_stackTrace":"java.lang.IllegalArgumentException: A metric named com.acmeair.web.AuthServiceRest.com.acmeair.web.AuthServiceRest.login with tags app=\"acmeair-authservice-java\" already exists\n\tat ...",
"ibm_objectDetails":"Object type = com.ibm.ws.microprofile.metrics.impl.MetricRegistryImpl\n metrics = class java.util.concurrent.ConcurrentHashMap@f445b6cd\n...",
"ibm_sequence":"1585076894579_0000000000001"
}
HTTP access events
The following table provides the fields for HTTP access events and a description for each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_remoteHost | Remote host IP address, for example, 127.0.0.1. |
ibm_requestProtocol | Protocol type, for example, HTTP/1.1. |
ibm_userAgent | The userAgent value in the request. |
ibm_requestHeader_{headername} | Header value from the request. |
ibm_requestMethod | HTTP verb, for example, GET. |
ibm_responseHeader_{headername} | Header value from the response. |
ibm_requestPort | Port number of the request. |
ibm_requestFirstLine | First line of the request. |
ibm_responseCode | HTTP response code, for example, 200. |
ibm_requestStartTime | The start time of the request. |
ibm_remoteUserID | Remote user according to the WebSphere Application Server specific $WSRU header. |
ibm_uriPath | Path information for the requested URL. This path information does not contain the query parameters, for example, |
ibm_elapsedTime | Time that is taken to serve the request, in microseconds. |
ibm_accessLogDatetime | The time when the message to the access log is queued to be logged. |
ibm_remoteIP | Remote IP address, for example, 127.0.0.1. |
ibm_requestHost | Request host IP address, for example, 127.0.0.1. |
ibm_bytesSent | Response size in bytes excluding headers. |
ibm_bytesReceived | Bytes received in the URL, for example, 94. |
ibm_cookie_{cookiename} | Cookie value from the request. |
ibm_requestElapsedTime | The elapsed time of the request - millisecond accuracy, microsecond precision. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
The following example shows an HTTP access event:
{
"type":"liberty_accesslog",
"host":"79e8ad2347b3",
"ibm_userDir":"\/opt\/ibm\/wlp\/usr\/",
"ibm_serverName":"defaultServer",
"ibm_remoteHost":"172.27.0.10",
"ibm_requestProtocol":"HTTP\/1.1",
"ibm_userAgent":"Apache-CXF/3.3.3-SNAPSHOT",
"ibm_requestHeader_headername":"header_value",
"ibm_requestMethod":"GET",
"ibm_responseHeader_connection":"Close",
"ibm_requestPort":"9080",
"ibm_requestFirstLine":"GET \/favicon.ico HTTP\/1.1",
"ibm_responseCode":200,
"ibm_requestStartTime":"2020-07-14T13:28:19.887-0400",
"ibm_remoteUserID":"user",
"ibm_uriPath":"\/favicon.ico",
"ibm_elapsedTime":834,
"ibm_accessLogDatetime":"2020-07-14T13:28:19.887-0400",
"ibm_remoteIP":"172.27.0.9",
"ibm_requestHost":"172.27.0.9",
"ibm_bytesSent":15086,
"ibm_bytesReceived":15086,
"ibm_cookie_cookiename":"cookie_value",
"ibm_requestElapsedTime":3034,
"ibm_datetime":"2020-07-14T13:28:19.887-0400",
"ibm_sequence":"1594747699884_0000000000001"
}
Supported audit events and their audit data
The Open Liberty Audit feature captures auditable events that contain security details from the server runtime environment and applications. You can use the data that is generated from the audit events to analyze the configured environment.
Open Liberty can generate audit events in either JSON or CADF format. The audit events are captured in the following JSON format types to help identify different areas where the configured environment can be improved:
SECURITY_AUDIT_MGMT
You can use the SECURITY_AUDIT_MGMT event to capture the the audit information from the management of the audit service. The following table provides the fields for the SECURITY_AUDIT_MGMT event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time the event occurred. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows the SECURITY_AUDIT_MGMT event capturing the start of the Audit Service and AuditFileHandler events:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"TestServer.audit",
"ibm_datetime":"2018-07-10T16:15:35.110-0400",
"ibm_sequence":"1536171863908_0000000000001",
"ibm_threadId":"00000013",
"ibm_audit_eventName":"SECURITY_AUDIT_MGMT",
"ibm_audit_eventSequenceNumber":"0",
"ibm_audit_eventTime":"2018-07-10T16:15:34.339-0400",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_observer.name":"AuditService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_target.typeURI":"service/audit/start"
}
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"TestServer.audit",
"ibm_datetime":"2018-07-10T16:15:35.740-0400",
"ibm_sequence":"1536171863908_0000000000002",
"ibm_threadId":"00000013",
"ibm_audit_eventName":"SECURITY_AUDIT_MGMT",
"ibm_audit_eventSequenceNumber":"1",
"ibm_audit_eventTime":"2018-07-10T16:15:34.471-0400",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_observer.name":"AuditHandler:AuditFileHandler",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_target.typeURI":"service/audit/start"
}
SECURITY_MEMBER_MGMT
You can use the SECURITY_MEMBER_MGMT event to capture the audit information from SCIM operations or member management. The following table provides the fields for the SECURITY_Member_MGMT event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.action | What action is being performed on the target. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action. |
ibm_audit_target.entityType | Generic name of the member that is acted upon: |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Name of the target. The name includes |
ibm_audit_target.realm | Realm name associated with the target. |
ibm_audit_target.repositoryId | Repository identifier that is associated with the target. |
ibm_audit_target.session | Session identifier that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
ibm_audit_target.uniqueName | Unique name of the member that is acted upon. |
The following example shows a SECURITY_MEMBER_MGMT user record creation action:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"scim.custom.repository.audit",
"ibm_datetime":"2018-07-24T14:59:82.321-0400",
"ibm_sequence":"1536329056532_0000000000047",
"ibm_threadId":"000000a5",
"ibm_audit_eventName":"SECURITY_MEMBER_MGMT",
"ibm_audit_eventSequenceNumber":"13",
"ibm_audit_eventTime":"2018-07-24T14:58:45.284-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Java/1.8.0",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"HTTPS",
"ibm_audit_target.action":"create",
"ibm_audit_target.appname":"RESTProxyServlet",
"ibm_audit_target.credential.token":"adminUser",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.entityType":"PersonAccount",
"ibm_audit_target.host.address":"127.0.0.1:63571",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"ibm_audit_target.method":"POST",
"ibm_audit_target.name":"/ibm/api/scim/Users",
"ibm_audit_target.realm":"sampleCustomRepositoryRealm",
"ibm_audit_target.repositoryId":"sampleCustomRepository",
"ibm_audit_target.session":"myQz9fZu2ZUW0nEUWvEaiQC",
"ibm_audit_target.typeURI":"service/vmmservice/create",
"ibm_audit_target.uniqueName":"cn=usertemp,o=ibm,c=us"
}
The following example shows a SECURITY_MEMBER_MGMT user lookup action:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"scim.custom.repository.audit",
"ibm_datetime":"2018-07-24T14:59:82.433-0400",
"ibm_sequence":"1536329056532_0000000000048",
"ibm_threadId":"000000a5",
"ibm_audit_eventName":"SECURITY_MEMBER_MGMT",
"ibm_audit_eventSequenceNumber":"14",
"ibm_audit_eventTime":"2018-07-24T14:58:45.343-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Java/1.8.0",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"HTTPS",
"ibm_audit_target.action":"get",
"ibm_audit_target.appname":"RESTProxyServlet",
"ibm_audit_target.credential.token":"adminUser",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.entityType":"PersonAccount",
"ibm_audit_target.host.address":"127.0.0.1:63571",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"ibm_audit_target.method":"POST",
"ibm_audit_target.name":"/ibm/api/scim/Users",
"ibm_audit_target.realm":"sampleCustomRepositoryRealm",
"ibm_audit_target.repositoryId":"sampleCustomRepository",
"ibm_audit_target.session":"myQz9fZu2ZUW0nEUWvEaiQC",
"ibm_audit_target.typeURI":"service/vmmservice/get",
"ibm_audit_target.uniqueName":"cn=usertemp,o=ibm,c=us"
}
SECURITY_API_AUTHN
You can use the SECURITY_API_AUTHN event for servlet 3.0 and later APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action, such as |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a SECURITY_API_AUTHN event that results in a redirect:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_datetime":"2018-07-24T17:03:25.628-0400",
"ibm_sequence":"1536329078239_0000000000020",
"ibm_threadId":"000000b7",
"ibm_audit_eventName":"SECURITY_API_AUTHN",
"ibm_audit_eventSequenceNumber":"2",
"ibm_audit_eventTime":"2018-07-24T17:03:24.142-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"failure",
"ibm_audit_reason.reasonCode":"401",
"ibm_audit_reason.reasonType":"HTTP",
"ibm_audit_target.appname":"ProgrammaticAPIServlet",
"ibm_audit_target.credential.token":"user2",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.host.address":"127.0.0.1:8010",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_audit_target.method":"GET",
"ibm_audit_target.name":"/basicauth/ProgrammaticAPIServlet",
"ibm_audit_target.params":"testMethod=login,logout,login&user=user2&password=*******",
"ibm_audit_target.realm":"BasicRealm",
"ibm_audit_target.session":"MDqMWXO--7cmdu4Oqkt8J3i",
"ibm_audit_target.typeURI":"service/application/web"
}
SECURITY_API_AUTHN_TERMINATE
You can use the SECURITY_API_AUTHN_TERMINATE event for servlet 3.0 and later APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action, such as |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP Session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful SECURITY_API_AUTHN_TERMINATE event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_datetime":"2018-07-24T17:03:25.845-0400",
"ibm_sequence":"1536329078239_0000000000021",
"ibm_threadId":"000000b7",
"ibm_audit_eventName":"SECURITY_API_AUTHN_TERMINATE",
"ibm_audit_eventSequenceNumber":"3",
"ibm_audit_eventTime":"2018-07-24T17:03:24.193-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"HTTP",
"ibm_audit_target.appname":"ProgrammaticAPIServlet",
"ibm_audit_target.credential.token":"user1",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.host.address":"127.0.0.1:8010",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_audit_target.method":"GET",
"ibm_audit_target.name":"/basicauth/ProgrammaticAPIServlet",
"ibm_audit_target.params":"testMethod=login,logout,login&user=user2&password=*******",
"ibm_audit_target.realm":"BasicRealm",
"ibm_audit_target.session":"MDqMWXO--7cmdu4Oqkt8J3i",
"ibm_audit_target.typeURI":"service/application/web"
}
SECURITY_AUTHN
You can use the SECURITY_AUTHN event to capture the audit information from basic authentication, form login authentication, client certificate authentication, and JASPI authentication. The following table provides the fields for the SECURITY_AUTHN event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user performing the action. |
ibm_audit_target.credential.type | Token type of the user performing the action, such as, |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful SECURITY_AUTHN event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_datetime":"2018-07-24T17:04:53.213-0400",
"ibm_sequence":"1536171867413_0000000000003",
"ibm_threadId":"00000050",
"ibm_audit_eventName":"SECURITY_AUTHN",
"ibm_audit_eventSequenceNumber":"6",
"ibm_audit_eventTime":"2018-07-24T17:03:28.652-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"HTTP",
"ibm_audit_target.appname":"ProgrammaticAPIServlet",
"ibm_audit_target.credential.token":"user1",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.host.address":"127.0.0.1:8010",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
"ibm_audit_target.method":"GET",
"ibm_audit_target.name":"/basicauth/ProgrammaticAPIServlet",
"ibm_audit_target.params":"testMethod=login,logout,login&user=invalidUser&password=*********",
"ibm_audit_target.realm":"BasicRealm",
"ibm_audit_target.session":"vvmysQmVNHt4OfCRNIflZBt",
"ibm_audit_target.typeURI":"service/application/web"
}
SECURITY_AUTHN_DELEGATION
You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user performing the action. |
ibm_audit_target.credential.type | Token type of the user performing the action, such as, |
ibm_audit_target.delegation.users | List of users in the delegation flow, starting with the initial user invoking the action. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.runas.role | RunAs role name that is used in the delegation. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful SECURITY_AUTHN_DELEGATION event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_datetime":"2018-07-16T14:39:22.521-0400",
"ibm_sequence":"1536329023162_0000000000001",
"ibm_threadId":"00000080",
"ibm_audit_eventName":"SECURITY_AUTHN_DELEGATION",
"ibm_audit_eventSequenceNumber":"12",
"ibm_audit_eventTime":"2018-07-16T14:38:02.281-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5 ",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"EJB",
"ibm_audit_target.appname":"SecurityEJBA01Bean",
"ibm_audit_target.credential.token":"user2",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.delegation.users":"user:BasicRealm/user2;user:BasicRealm/user99",
"ibm_audit_target.host.address":"127.0.0.1:8010",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_audit_target.method":"GET",
"ibm_audit_target.name":"/securityejb/SimpleServlet",
"ibm_audit_target.params":"testInstance=ejb01&testMethod=runAsSpecified",
"ibm_audit_target.realm":"BasicRealm",
"ibm_audit_target.runas.role":"Employee",
"ibm_audit_target.session":"b3g01JoFvsy7uKDNBqH7An-",
"ibm_audit_target.typeURI":"service/application/web"
}
SECURITY_AUTHN_FAILOVER
You can use the SECURITY_AUTHN_FAILOVER event to capture the audit information from failover to basic authentication. The following table provides the fields for the SECURITY_AUTHN_FAILOVER event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.authtype.failover | Name of the failover authentication mechanism. |
ibm_audit_target.credential.token | Token name of the user performing the action. |
ibm_audit_target.credential.type | Token type of the user performing the action, such as, |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a SECURITY_AUTHN_FAILOVER event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.webcontainer.security.fat.clientcertfailover.audit",
"ibm_datetime":"2018-07-24T17:06:42.201-0400",
"ibm_sequence":"1541329052120_0000000000001",
"ibm_threadId":"00000010",
"ibm_audit_eventName" "SECURITY_AUTHN_FAILOVER",
"ibm_audit_eventSequenceNumber":"4",
"ibm_audit_eventTime":"2018-07-24T17:05:03.777-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"HTTPS",
"ibm_audit_target.appname":"ClientCertServlet",
"ibm_audit_target.authtype.failover":"BASIC",
"ibm_audit_target.authtype.original":"CLIENT_CERT",
"ibm_audit_target.credential.token":"LDAPUser1",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.host.address":"127.0.0.1:8020",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/",
"ibm_audit_target.method":"GET",
"ibm_audit_target.name":"/clientcert/SimpleServlet",
"ibm_audit_target.realm":"SampleLdapIDSRealm",
"ibm_audit_target.session":"-7moVRZaL1mU2SVf0RHP28x",
"ibm_audit_target.typeURI":"service/application/web"
}
SECURITY_AUTHN_TERMINATE
You can use the SECURTIY_AUTHN_TERMINATE event to capture the audit information from a form logout. The following table provides the fields for the SECURITY_AUTHN_TERMINATE event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.authtype.failover | Name of the failover authentication mechanism. |
ibm_audit_target.authtype.original | Name of the original authentication mechanism. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action, such as, |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a SECURITY_AUTHN_TERMINATE event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.webcontainer.security.fat.formlogout.audit",
"ibm_datetime":"2018-07-24T17:03:24.122-0400",
"ibm_sequence":"1521382001206_0000000000003",
"ibm_threadId":"0000000a",
"ibm_audit_eventName":"SECURITY_AUTHN_TERMINATE",
"ibm_audit_eventSequenceNumber":"13",
"ibm_audit_eventTime":"2018-07-24T17:02:50.813-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogout.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"HTTP",
"ibm_audit_target.credential.token":"user1",
"ibm_audit_target.credential.type":"FORM",
"ibm_audit_target.host.address":"127.0.0.1:8010",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogout.audit",
"ibm_audit_target.method":"POST",
"ibm_audit_target.name":"/formlogin/ibm_security_logout",
"ibm_audit_target.realm":"BasicRealm",
"ibm_audit_target.session":"oNbsJSCYJrg2SPqzlL-5YxG",
"ibm_audit_target.typeURI":"service/application/web"
}
SECURITY_AUTHZ
You can use the SECURITY_AUTHZ event to capture the audit information from Java Authorization Contract for Containers (JACC) web authorization, unprotected servlet authorization, JACC EJB authorization, and EJB authorization. The following table provides the fields for the SECURITY_AUTHZ event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP and HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user performing the action. |
ibm_audit_target.credential.type | Token type of the user performing the action, such as, |
ibm_audit_target.ejb.beanname | EJB bean name for EJB authorization. |
ibm_audit_target.ejb.method.interface | EJB method interface for EJB authorization. |
ibm_audit_target.ejb.method.signature | EJB method signature for EJB authorization. |
ibm_audit_target.ejb.module.name | EJB module name for EJB authorization. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.role.names | Roles that are identified as being needed. If none are listed, all EJBs are permitted. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful WEB authorization event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_datetime":"2018-07-16T14:38:32.111-0400",
"ibm_sequence":"1502020152076_0000000000001",
"ibm_threadId":"000000a2",
"ibm_audit_eventName":"SECURITY_AUTHZ",
"ibm_audit_eventSequenceNumber":"4",
"ibm_audit_eventTime":"2018-07-16T14:37:56.259-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"HTTP",
"ibm_audit_target.appname":"SecurityEJBServlet",
"ibm_audit_target.credential.token":"user2",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.host.address":"127.0.0.1:8010",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_audit_target.method":"GET",
"ibm_audit_target.name":"/securityejb/SimpleServlet",
"ibm_audit_target.params":"testInstance=ejb01&testMethod=runAsSpecified",
"ibm_audit_target.realm":"BasicRealm",
"ibm_audit_target.role.names":"[AllAuthenticated]",
"ibm_audit_target.session":"NNLU_QCIGIOPHhKLWY1BxVJ",
"ibm_audit_target.typeURI":"service/application/web"
}
The following example shows a successful EJB authorization:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_datetime":"2018-07-16T14:38:45.326-0400",
"ibm_sequence":"1502020152076_0000000000002",
"ibm_threadId":"000000a2",
"ibm_audit_eventName":"SECURITY_AUTHZ",
"ibm_audit_eventSequenceNumber":"5",
"ibm_audit_eventTime":"2018-07-16T14:37:56.719-0400",
"ibm_audit_initiator.host.address":"127.0.0.1",
"ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"EJB Permit All",
"ibm_audit_target.appname":"securityejb",
"ibm_audit_target.credential.token":"user2",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.ejb.beanname":"SecurityEJBA01Bean",
"ibm_audit_target.ejb.method.interface":"Local",
"ibm_audit_target.ejb.method.signature":"runAsSpecified:",
"ibm_audit_target.ejb.module.name":"SecurityEJB.jar",
"ibm_audit_target.host.address":"127.0.0.1:8010",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
"ibm_audit_target.method":"runAsSpecified",
"ibm_audit_target.name":"/securityejb/SimpleServlet",
"ibm_audit_target.params":"testInstance=ejb01&testMethod=runAsSpecified",
"ibm_audit_target.realm":"BasicRealm",
"ibm_audit_target.session":"NNLU_QCIGIOPHhKLWY1BxVJ",
"ibm_audit_target.typeURI":"service/application/web"
}
SECURITY_JMS_AUTHN
You can use the SECURITY_JMS_AUTHENTICATION event to capture the audit information from JMS authentication. The following table provides the fields for the SECURITY_JMS_AUTHENTICATION event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request. |
ibm_audit_target.credential.token | Token name of the user performing the action. |
ibm_audit_target.credential.type | Token type of the user performing the action. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.messaging.busname | Name of the messaging bus. |
ibm_audit_target.messaging.callType | Identifies if the call is remote or local. |
ibm_audit_target.messaging.engine | Name of the messaging engine. |
ibm_audit_target.messaing.loginType | Name of the login algorithm that is used, such as |
ibm_audit_target.messaging.remote.chainName | If the operation is remote, the name of the remote chain name. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful SECURITY_JMS_AUTHN event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"TestServer.audit",
"ibm_datetime":"2018-07-19T18:34:72.599-0400",
"ibm_sequence":"1587056204736_0000000000001",
"ibm_threadId":"00000003",
"ibm_audit_eventName":"SECURITY_JMS_AUTHN",
"ibm_audit_eventSequenceNumber":"10",
"ibm_audit_eventTime":"2018-07-19T18:33:51.135-0400",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_observer.name":"JMSMessagingImplementation",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"JMS",
"ibm_audit_target.credential.token":"validUser",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.host.address":"127.0.0.1:53166",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_target.messaging.busname":"defaultBus",
"ibm_audit_target.messaging.callType":"remote",
"ibm_audit_target.messaging.engine":"defaultME",
"ibm_audit_target.messaging.loginType":"Userid+Password",
"ibm_audit_target.messaging.remote.chainName":"InboundBasicMessaging",
"ibm_audit_target.realm":"customRealm",
"ibm_audit_target.typeURI":"service/jms/messagingEngine"
}
SECURITY_JMS_AUTHZ
You can use the SECURITY_JMS_AUTHZ event to capture the audit information from JMS authorization. The following table provides the fields for the SECURITY_JMS_AUTHZ event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request. |
ibm_audit_target.credential.token | Token name of the user performing the action. |
ibm_audit_target.credential.type | Token type of the user performing the action. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.messaging.busname | Name of the messaging bus. |
ibm_audit_target.messaging.callType | Identifies if the call is remote or local. |
ibm_audit_target.messaging.destination | Name of the messaging destination. |
ibm_audit_target.messaging.engine | Name of the messaging engine. |
ibm_audit_target.messaging.jmsActions | List of the actions that the credential is allowed. |
ibm_audit_target.messaging.jmsResource | Name of the JMS resource, such as |
ibm_audit_target.messaging.operationType | Name of the operation that is being requested. |
ibm_audit_target.messaging.remote.chainName | If the operation is remote, the name of the remote chain name. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful SECURITY_JMS_AUTHZ event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"TestServer.audit",
"ibm_datetime":"2018-07-19T18:34:96.324-0400",
"ibm_sequence":"1587056204736_0000000000002",
"ibm_threadId":"00000003",
"ibm_audit_eventName":"SECURITY_JMS_AUTHZ",
"ibm_audit_eventSequenceNumber":"11",
"ibm_audit_eventTime":"2018-07-19T18:33:51.247-0400",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_observer.name":"JMSMessagingImplementation",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"JMS",
"ibm_audit_target.credential.token":"validUser",
"ibm_audit_target.credential.type":"BASIC",
"ibm_audit_target.host.address":"127.0.0.1:53166",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_target.messaging.busname":"defaultBus",
"ibm_audit_target.messaging.callType":"remote",
"ibm_audit_target.messaging.destination":"BANK",
"ibm_audit_target.messaging.engine":"defaultME",
"ibm_audit_target.messaging.jmsActions":"[BROWSE, SEND, RECEIVE]",
"ibm_audit_target.messaging.jmsResource":"queue",
"ibm_audit_target.messaging.operationType":"SEND",
"ibm_audit_target.messaging.remote.chainName":"InboundBasicMessaging",
"ibm_audit_target.realm":"customRealm",
"ibm_audit_target.typeURI":"service/jms/messagingResource"
}
SECURITY_SAF_AUTHZ
You can use the SECURITY_SAF_AUTHZ event to capture the audit information from a request to the SAF Authorization Service API. The following table provides the fields for the SECURITY_SAF_AUTHZ event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_target.access.level | Level of access that is requested. |
ibm_audit_target.applid | Identifier of the APPL class. |
ibm_audit_target.authorization.decision | A |
ibm_audit_target.credential.token | Token name of the user that performs the action. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.racf.reason.code | RACF reason code. |
ibm_audit_target.racf.return.code | RACF return code. |
ibm_audit_target.saf.class | Name of the SAF Class that contains the SAF resource. |
ibm_audit_target.saf.profile | Name of the SAF resource that the user requests access to. |
ibm_audit_target.saf.return.code | SAF return code. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
ibm_audit_target.user.security.name | Username whose access to a SAF resource is being checked. |
The following example shows a successful SECURITY_SAF_AUTHZ event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"TestServer.audit",
"ibm_datetime":"2018-07-19T18:34:96.324-0400",
"ibm_sequence":"1587056204736_0000000000002",
"ibm_threadId":"00000003",
"ibm_audit_eventName":"SECURITY_SAF_AUTHZ",
"ibm_audit_eventSequenceNumber":"4",
"ibm_audit_eventTime":"2019-04-29T19:45:16.161+0000",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_target.access.level":"READ",
"ibm_audit_target.applid":"BBGZDFLT",
"ibm_audit_target.authorization.decision":"true",
"ibm_audit_target.credential.token":"WSGUEST",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_target.racf.reason.code":"0",
"ibm_audit_target.racf.return.code":"0",
"ibm_audit_target.saf.class":"EJBROLE",
"ibm_audit_target.saf.profile":"BBGZDFLT.AUTHSERV",
"ibm_audit_target.saf.return.code":"0",
"ibm_audit_target.typeURI":"service/application/web",
"ibm_audit_target.user.security.name":"WSGUEST"
}
SECURITY_SAF_AUTHZ_DETAILS
You can use the SECURITY_SAF_AUTHZ_DETAILS event to capture the audit information from a SAF Authorization event that is configured to throw a SAF Authorization Exception on failure. The following table provides the fields for the SECURITY_SAF_AUTHZ_DETAILS event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_target.access.level | Level of access that is requested. |
ibm_audit_target.applid | Identifier of APPL class. |
ibm_audit_target.authorization.decision | A |
ibm_audit_target.credential.token | Token name of the user that performs the action. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.racf.reason.code | RACF reason code. |
ibm_audit_target.racf.return.code | RACF return code. |
ibm_audit_target.saf.class | Name of the SAF Class that contains the SAF resource. |
ibm_audit_target.saf.profile | Name of SAF resource that the user requests access to. |
ibm_audit_target.saf.return.code | SAF return code. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
ibm_audit_target.user.security.name | Username whose access to a SAF resource is being checked. |
The following example shows a successful SECURITY_SAF_AUTHZ_DETAILS event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"TestServer.audit",
"ibm_datetime":"2018-07-19T18:34:96.324-0400",
"ibm_sequence":"1587056204736_0000000000002",
"ibm_threadId":"00000003",
"ibm_audit_eventName":"SECURITY_SAF_AUTHZ_DETAILS",
"ibm_audit_eventSequenceNumber":"5",
"ibm_audit_eventTime":"2019-04-30T13:59:11.688+0000",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_observer.name":"SecurityService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_target.access.level":"READ",
"ibm_audit_target.applid":"BBGZDFLT",
"ibm_audit_target.authorization.decision":"true",
"ibm_audit_target.credential.token":"WSGUEST",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"ibm_audit_target.racf.reason.code":"0",
"ibm_audit_target.racf.return.code":"0",
"ibm_audit_target.saf.class":"EJBROLE",
"ibm_audit_target.saf.profile":"BBGZDFLT.AUTHSERV",
"ibm_audit_target.saf.return.code":"0",
"ibm_audit_target.typeURI":"service/application/web",
"ibm_audit_target.user.security.name":"RSTUSR1"
}
JMX_MBEAN_REGISTER
You can use the JMX_MBEAN_REGISTER event to capture the audit information from JMX MBean registration. The following table provides the fields for the JMX_MBEAN_REGISTER event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action that is being performed: |
ibm_audit_target.jmx.mbean.name | Name of the MBean that is being acted upon. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful JMX_MBEAN_REGISTRATION event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"jmxConnectorAuditServer",
"ibm_datetime":"2018-07-25T18:43:28.130-0400",
"ibm_sequence":"1592033306612_0000000000003",
"ibm_threadId":"0000003f",
"ibm_audit_eventName":"JMX_MBEAN_REGISTER",
"ibm_audit_eventSequenceNumber":"12",
"ibm_audit_eventTime":"2018-07-25T18:42:40.772-0400",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_observer.name":"JMXService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"Successful MBean registration",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_target.jmx.mbean.action":"registerMBean",
"ibm_audit_target.jmx.mbean.name":"web:name=ClassLoaderMBean",
"ibm_audit_target.realm":"QuickStartSecurityRealm",
"ibm_audit_target.typeURI":"server/mbean"
}
JMX_MBEAN
You can use the JMX_MBEAN event to capture the audit information from JMX_MBEAN operations. The following table provides the fields for the JMX_MBEAN event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action that is being performed: |
ibm_audit_target.jmx.mbean.name | Name of the MBean that is being acted upon. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful query of an MBean JMS_MBEAN event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"jmxConnectorAuditServer",
"ibm_datetime":"2018-07-25T18:43:02.822-0400",
"ibm_sequence":"1592033306612_0000000000002",
"ibm_threadId":"0000003f",
"ibm_audit_eventName":"JMX_MBEAN",
"ibm_audit_eventSequenceNumber":"24",
"ibm_audit_eventTime":"2018-07-25T18:42:44.119-0400",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_observer.name":"JMXService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"Successful query of MBeans",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_target.jmx.mbean.action":"queryMBeans",
"ibm_audit_target.jmx.mbean.name":"java.lang:type=Threading",
"ibm_audit_target.realm":"QuickStartSecurityRealm",
"ibm_audit_target.typeURI":"server/mbean"
}
JMX_MBEAN_ATTRIBUTES
You can use the JMX_MBEAN_ATTRIBUTES event to capture the audit information from JMX MBEAN attribute operations. The following table provides the fields for the JMX_MBEAN_Attributes event and a description of each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action that is being performed on the MBean attribute. getAttribute, and setAttribute methods are supported. |
ibm_audit_target.jmx.mbean.attribute.names | Name of the attributes that are being acted upon. |
ibm_audit_target.jmx.mbean.name | Name of the MBean that is being acted upon. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful JMX_MBEAN_ATTRIBUTES event:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"jmxConnectorAuditServer",
"ibm_datetime":"2018-07-25T18:43:92.347-0400",
"ibm_sequence":"1592033306612_0000000000008",
"ibm_threadId":"0000002c",
"ibm_audit_eventName":"JMX_BEAN_ATTRIBUTES",
"ibm_audit_eventSequenceNumber":"43",
"ibm_audit_eventTime":"2018-07-25T18:42:51.070-0400",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_observer.name":"JMXService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"Successful retrieval of MBean attributes",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_target.jmx.mbean.action":"getAttributes",
"ibm_audit_target.jmx.mbean.attribute.names":"[TotalStartedThreadCount = 132][CurrentThreadCpuTimeSupported = true]",
"ibm_audit_target.jmx.mbean.name":"java.lang:type=Threading",
"ibm_audit_target.realm":"QuickStartSecurityRealm",
"ibm_audit_target.typeURI":"server/mbean"
}
JMX_NOTIFICATION
You can use the JMX_NOTIFICATION event to capture the audit information from JMX notifications. The following table provides the fields for the JMX_NOTIFICATION event and a description for each field:
FIELD | DESCRIPTION |
---|---|
type | A string that identifies the type of event. |
host | Host name of the server that is the source of the event. |
ibm_userDir | User directory of the server that is the source of the event. |
ibm_serverName | Name of the server that is the source of the event. |
ibm_datetime | Time at which the event occurred. |
ibm_sequence | Sequence number of the event, which is useful for sorting records with the same timestamp. |
ibm_threadId | Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_Outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action that is being performed on the MBean attributes. |
ibm_audit_target.jmx.notification.filter | Name of the notification filter. |
ibm_audit_target.jmx.notification.listener | Name of the notification listener. |
ibm_audit_target.jmx.notification.name | Name of the notification. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
The following example shows a successful JMX_NOTIFICATION:
{
"type":"liberty_audit",
"host":"sage.xyz.com",
"ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
"ibm_serverName":"jmxConnectorAuditServer",
"ibm_datetime":"2018-07-25T19:28:34.664-0500",
"ibm_sequence":"1503082313712_0000000000003",
"ibm_threadId":"000000a8",
"ibm_audit_eventName":"JMX_NOTIFICATION",
"ibm_audit_eventSequenceNumber":"37",
"ibm_audit_eventTime":"2018-07-25T19:27:24.303-0500",
"ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_observer.name":"JMXService",
"ibm_audit_observer.typeURI":"service/server",
"ibm_audit_outcome":"success",
"ibm_audit_reason.reasonCode":"200",
"ibm_audit_reason.reasonType":"Successful add of notification listener",
"ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
"ibm_audit_target.jmx.mbean.action":"addNotificationListener",
"ibm_audit_target.jmx.notification.filter":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationFilter",
"ibm_audit_target.jmx.notification.listener":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationListener",
"ibm_audit_target.jmx.notification.name":"web:name=Notifier1",
"ibm_audit_target.realm":"QuickStartSecurityRealm",
"ibm_audit_target.typeURI":"server/mbean/notification"
}