Logstash collector events reference list
You can use the Logstash collector feature to send log events to a remote Logstash server so that you can manage and visualize them with products such as Elasticsearch and Kibana. Each type of log event has its own set of fields that you can use to customize your Kibana dashboard.
The Logstash collector feature captures log events at run time, breaks them into fields, and securely forwards them to the configured Logstash log collection server. For more information, see Forwarding logs and events to Logstash with Logstash collector.
Event types
The Logstash collector feature generates the following event types:
In addition to the default log and trace framework, the Logstash collector feature forwards message events and trace events when binary logging is enabled. For more information about log event types, see Log management.
Message events
The following table provides the fields for message log events and a description for each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
message | The message from the log record, starting with the message ID. |
threadId | The thread ID in the log line, for example, |
messageId | The message ID in the log line, which can be used to find specific types of errors, for example, |
loggerName | The logger name from the log record. |
severity | Indicates the severity of the event by using one of the following codes: F = Fatal, E = Error, W = Warning, A = Audit, I = Info, O = SystemOut, R = SystemErr. |
methodName | The method name from the log record. |
className | The class name from the log record. |
ext_thread | The thread name of the thread that is the source of the event. |
Trace events
The following table provides the fields for trace log events and a description for each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
message | The message from the log record, starting with the message ID. |
threadId | The thread ID in the log line, for example, |
messageId | The message ID in the log line, which can be used to find specific types of errors, for example, |
loggerName | The logger name from the log record. |
severity | Indicates the severity of the event by using one of the following codes: 1 = Fine, 2 = Finer, 3 = Finest, > = Entry, < = Exit. |
methodName | The method name from the log record. |
className | The class name from the log record. |
FFDC events
The following table provides the fields for FFDC log events and a description for each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
message | The message from the exception that triggered the event. |
threadId | The thread ID of the FFDC event. |
className | The class that emitted the FFDC event. |
exceptionName | The exception that was reported in the FFDC event. |
probeID | The unique identifier of the FFDC point within the class. |
stackTrace | The stack trace of the FFDC event. |
objectDetails | The incident details for the FFDC event. |
HTTP access events
The following table provides the fields for HTTP access log events and a description for each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
remoteHost | The remote host IP address, for example, |
requestProtocol | The protocol type, for example, |
userAgent | The |
requestHeader_{headername} | The header value from the request. |
requestMethod | The HTTP verb, for example, |
responseHeader_{headername} | The header value from the response. |
requestPort | The port number of the request. |
requestFirstLine | The first line of the request. |
responseCode | The HTTP response code, for example, |
requestStartTime | The start time of the request. |
remoteUserID | The remote user according to the WebSphere Application Server specific |
uriPath | The path information for the requested URL. This path information does not contain the query parameters, for example, |
elapsedTime | The time that is taken to serve the request, in microseconds. |
accessLogDatetime | The time when the message to the access log is queued to be logged. |
remoteIP | The remote IP address, for example, |
requestHost | The request host IP address, for example, |
bytesSent | The response size in bytes, excluding headers. |
bytesReceived | The bytes received in the URL, for example, |
cookie_{cookiename} | The cookie value from the request. |
requestElapsedTime | The elapsed time of the request, with millisecond accuracy and microsecond precision. |
queryString | The string that represents the query string from the HTTP request, for example, |
Garbage collection events
The garbage collection event type is available only for IBM JDKs. The following table provides the fields for garbage collection log events and a description for each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
heap | The total heap that is currently available. |
usedHeap | The amount of heap that is being used. |
maxHeap | The maximum heap that the JVM allows. |
duration | The duration for which garbage collection was run, in microseconds. |
gcType | The type of garbage collection event, for example, Nursery, Global. |
reason | The reason for the garbage collection. |
Supported audit events and their audit data
The Open Liberty Audit feature captures auditable events from the server runtime environment and applications. You can use the data that is generated from the audit events to analyze the configured environment. For audit event examples, see JSON log events reference list: Audit events.
Open Liberty can generate audit events in either JSON or CADF format. The audit events are captured in the following JSON format types to help identify different areas where the configured environment can be improved:
SECURITY_AUDIT_MGMT
The SECURITY_AUDIT_MGMT event captures the start and stop of the Audit Service and implemented handlers, such as the default AuditFileHandler.
The following table provides the fields for the SECURITY_AUDIT_MGMT event to capture the audit information from the management of the audit service:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_MEMBER_MGMT
You can use the SECURITY_MEMBER_MGMT event to capture the audit information from SCIM operations or member management. The following table provides the fields for the SECURITY_MEMBER_MGMT event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.action | The action that is being performed on the target. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action. |
ibm_audit_target.entityType | Generic name of the member being acted upon: |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as GET or POST. |
ibm_audit_target.name | Name of the target. Note that the name includes |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.repositoryId | Repository identifier associated with the target. |
ibm_audit_target.session | Session identifier associated with the target. |
ibm_audit_target.uniqueName | Unique name of the member that is being acted upon. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_API_AUTHN
You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action: |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_API_AUTHN_TERMINATE
You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action: |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_AUTHN
You can use the SECURITY_AUTHN event to capture the audit information from basic authentication, form login authentication, client certificate authentication, and JASPI authentication. The following table provides the fields for the SECURITY_AUTHN event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action: |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
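As an added example (not part of the Open Liberty documentation or code), the following Python code shows how the SECURITY_AUTHN fields above can drive detection of bursts of failed authentication from one initiator address. It assumes that events are already decoded into flat dictionaries keyed by the field names in the table, that `datetime` is an ISO 8601 string with a numeric UTC offset, and that any `ibm_audit_reason.reasonCode` other than 200 is a failure; the function names, threshold, window, and sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field names taken from the SECURITY_AUTHN table.
EVENT_NAME = "ibm_audit_eventName"
REASON_CODE = "ibm_audit_reason.reasonCode"
SOURCE = "ibm_audit_initiator.host.address"

# Assumption: timestamps look like 2024-05-01T10:00:05.000+0000.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def is_failed_authn(event):
    """True for a SECURITY_AUTHN event whose reason code is not 200."""
    if event.get(EVENT_NAME) != "SECURITY_AUTHN":
        return False
    code = event.get(REASON_CODE)
    if code is None:
        return False  # cannot classify without a reason code
    # The code may arrive as a string or a number depending on the pipeline.
    return str(code).strip() != "200"


def detect_failed_authn_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {initiator address: peak failure count} for every address that
    reached `threshold` failed SECURITY_AUTHN events inside `window`."""
    failures = []
    for event in events:
        if not is_failed_authn(event):
            continue
        source = event.get(SOURCE)
        stamp = event.get("datetime")
        if not source or not stamp:
            continue  # incomplete record: skip rather than guess
        try:
            when = datetime.strptime(stamp, TIME_FORMAT)
        except ValueError:
            continue  # unparseable timestamp
        # `sequence` breaks ties between records with the same time stamp.
        failures.append((when, str(event.get("sequence", "")), source))

    failures.sort()
    recent = defaultdict(deque)  # per-source sliding window of timestamps
    peaks = {}
    for when, _sequence, source in failures:
        queue = recent[source]
        queue.append(when)
        while when - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            peaks[source] = max(peaks.get(source, 0), len(queue))
    return peaks


def make_event(sequence, second, source, code, name="SECURITY_AUTHN"):
    """Build one constructed sample event (not real log data)."""
    return {
        "datetime": "2024-05-01T10:00:%02d.000+0000" % second,
        "sequence": "%020d" % sequence,
        EVENT_NAME: name,
        REASON_CODE: code,
        SOURCE: source,
    }


# Constructed sample: six failures from 192.0.2.10 in 25 seconds, one success,
# two spaced-out failures from another address, and one SECURITY_AUTHZ event
# that the detector must ignore.
SAMPLE_EVENTS = [
    make_event(1, 0, "192.0.2.10", "401"),
    make_event(2, 1, "198.51.100.7", "401"),
    make_event(3, 5, "192.0.2.10", "401"),
    make_event(4, 10, "192.0.2.10", 401),
    make_event(5, 12, "192.0.2.10", "403", name="SECURITY_AUTHZ"),
    make_event(6, 15, "192.0.2.10", "401"),
    make_event(7, 20, "192.0.2.10", "401"),
    make_event(8, 25, "192.0.2.10", "401"),
    make_event(9, 30, "192.0.2.10", "200"),
    make_event(10, 40, "198.51.100.7", "401"),
]

if __name__ == "__main__":
    for address, count in detect_failed_authn_bursts(SAMPLE_EVENTS).items():
        print("failed-authentication burst from %s: %d events" % (address, count))
```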
SECURITY_AUTHN_DELEGATION
You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action: |
ibm_audit_target.delegation.users | List of users in the delegation flow, starting with the initial user invoking the action. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.runas.role | RunAs role name used in the delegation. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_AUTHN_FAILOVER
You can use the SECURITY_AUTHN_FAILOVER event to capture the audit information from failover to basic authentication. The following table provides the fields for the SECURITY_AUTHN_FAILOVER event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.authtype.failover | Name of failover authentication mechanism. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_AUTHN_TERMINATE
You can use the SECURITY_AUTHN_TERMINATE event to capture the audit information from a form logout. The following table provides the fields for the SECURITY_AUTHN_TERMINATE event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.authtype.failover | Name of failover authentication mechanism. |
ibm_audit_target.authtype.original | Name of original authentication mechanism. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action: |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_AUTHZ
You can use the SECURITY_AUTHZ event to capture the audit information from JACC web authorization, unprotected servlet authorization, JACC EJB authorization, and EJB authorization. The following table provides the fields for the SECURITY_AUTHZ event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism, HTTP and HTTPS, that is associated with the request. |
ibm_audit_target.appname | Name of the application to be accessed or run on the target. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action: |
ibm_audit_target.ejb.beanname | EJB bean name for EJB authorization. |
ibm_audit_target.ejb.method.interface | EJB method interface for EJB authorization. |
ibm_audit_target.ejb.method.signature | EJB method signature for EJB authorization. |
ibm_audit_target.ejb.module.name | EJB module name for EJB authorization. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.method | Method that is being invoked on the target, such as |
ibm_audit_target.name | Context root. |
ibm_audit_target.params | Names and values of any parameters that are sent to the target with the action. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.role.names | Roles that are identified as being needed, if not permit all, for EJBs. |
ibm_audit_target.session | HTTP session ID. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_JMS_AUTHN
You can use the SECURITY_JMS_AUTHENTICATION event to capture the audit information from JMS authentication. The following table provides the fields for the SECURITY_JMS_AUTHENTICATION event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.messaging.busname | Name of messaging bus. |
ibm_audit_target.messaging.callType | Identifies whether the call is remote or local. |
ibm_audit_target.messaging.engine | Name of messaging engine. |
ibm_audit_target.messaging.loginType | Name of the login algorithm that is used, for example, |
ibm_audit_target.messaging.remote.chainName | If the operation is remote, the name of the remote chain. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_JMS_AUTHZ
You can use the SECURITY_JMS_AUTHZ event to capture the audit information from JMS authorization. The following table provides the fields for the SECURITY_JMS_AUTHZ event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB. |
ibm_audit_target.credential.token | Token name of the user that is performing the action. |
ibm_audit_target.credential.type | Token type of the user that is performing the action. |
ibm_audit_target.host.address | Host and port of the target. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.messaging.busname | Name of messaging bus. |
ibm_audit_target.messaging.callType | Identifies whether the call is remote or local. |
ibm_audit_target.messaging.destination | Name of messaging destination. |
ibm_audit_target.messaging.engine | Name of messaging engine. |
ibm_audit_target.messaging.jmsActions | List of actions that the credential is allowed to perform. |
ibm_audit_target.messaging.jmsResource | Name of the JMS resource, such as |
ibm_audit_target.messaging.operationType | Name of the operation that is being requested. |
ibm_audit_target.messaging.remote.chainName | If the operation is remote, the name of the remote chain. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
SECURITY_SAF_AUTHZ_DETAILS
You can use the SECURITY_SAF_AUTHZ_DETAILS event to capture the audit information from a SAF Authorization event that is configured to throw a SAF Authorization Exception on failure. The following table provides the fields for the SECURITY_SAF_AUTHZ_DETAILS event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_target.access.level | Level of access requested. |
ibm_audit_target.applid | Identifier of APPL class. |
| True if user is authorized to access SAF resource in SAF Class, otherwise false. |
ibm_audit_target.credential.token | Token name of the user that performs the action. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.racf.reason.code | RACF reason code. |
ibm_audit_target.racf.return.code | RACF return code. |
ibm_audit_target.saf.class | Name of SAF Class that contains SAF resource. |
ibm_audit_target.saf.profile | Name of SAF resource user requests access to. |
ibm_audit_target.saf.return.code | SAF return code. |
ibm_audit_target.typeURI | Unique URI of the target of the event: service/application/web. |
ibm_audit_target.user.security.name | Username whose access to a SAF resource is being checked. |
JMX_MBEAN_REGISTER
You can use the JMX_MBEAN_REGISTER event to capture the audit information from JMX MBean registration. The following table provides the fields for the JMX_MBEAN_REGISTER event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action being performed: register, unregister. |
ibm_audit_target.jmx.mbean.name | Name of the MBean that is being acted upon. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
JMX_MBEAN
You can use the JMX_MBEAN event to capture the audit information from JMX_MBEAN operations. The following table provides the fields for the JMX_MBEAN event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action being performed: query, create, invoke. |
ibm_audit_target.jmx.mbean.name | Name of the MBean that is being acted upon. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
JMX_MBEAN_ATTRIBUTES
You can use the JMX_MBEAN_ATTRIBUTES event to capture the audit information from JMX MBean attribute operations. The following table provides the fields for the JMX_MBEAN_ATTRIBUTES event and a description of each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_initiator.host.address | Host address of the initiator of the event. |
ibm_audit_initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action being performed on the MBean attributes. The getAttributes and setAttributes actions are supported. |
ibm_audit_target.jmx.mbean.attribute.names | Name of the attribute(s) being acted upon. |
ibm_audit_target.jmx.mbean.name | Name of the MBean that is being acted upon. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
JMX_NOTIFICATION
You can use the JMX_NOTIFICATION event to capture the audit information from JMX notifications. The following table provides the fields for the JMX_NOTIFICATION event and a description for each field:
Field | Description |
---|---|
type | A string that identifies the type of event. |
datetime | Time at which the event occurred. |
hostName | The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
wlpUserDir | The user directory of the server that was the source of the event, for example, |
serverName | The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments. |
sequence | The sequence number of the event, which is useful for sorting records with the same time stamp. |
tags | The tags that are associated with the server from which the event originated. |
threadId | The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number. |
ibm_audit_eventName | Name of the audit event. |
ibm_audit_eventSequenceNumber | Sequence number of the audit event. |
ibm_audit_eventTime | Time that the event occurred. |
ibm_audit_observer.id | Identifier of the observer of the event. |
ibm_audit_observer.name | Name of the observer of the event: |
ibm_audit_observer.typeURI | Unique URI of the observer of the event: |
ibm_audit_outcome | Outcome of the event. |
ibm_audit_reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success. |
ibm_audit_reason.reasonType | A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome. |
ibm_audit_target.id | Identifier of the target of the action. |
ibm_audit_target.jmx.mbean.action | MBean action being performed on the MBean attribute(s). |
ibm_audit_target.jmx.notification.filter | Name of the notification filter. |
ibm_audit_target.jmx.notification.listener | Name of the notification listener. |
ibm_audit_target.jmx.notification.name | Name of the notification. |
ibm_audit_target.realm | Realm name that is associated with the target. |
ibm_audit_target.typeURI | Unique URI of the target of the event: |
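A triage pass over the audit fields in the SECURITY_AUTHZ, JMX_MBEAN_REGISTER and JMX_MBEAN_ATTRIBUTES tables, as an added example that is not part of the original reference or of Open Liberty's code. It orders events by datetime and sequence, flags SECURITY_AUTHZ events whose reasonCode is not 200, and flags setAttributes and unregister actions. The flat dotted keys, the assumption that ibm_audit_eventName carries the event names used as headings here, and every sample value are constructed for illustration.

```python
from collections import Counter

# Field names taken from the tables above.
NAME = "ibm_audit_eventName"
CODE = "ibm_audit_reason.reasonCode"
INIT = "ibm_audit_initiator.host.address"
ACTION = "ibm_audit_target.jmx.mbean.action"
MBEAN = "ibm_audit_target.jmx.mbean.name"


def sample(seq, name, extra):
    """Build one constructed event; every value here is made up."""
    event = {"datetime": "2024-05-01T10:00:00.000+0000", "sequence": seq,
             "hostName": "host-a", "serverName": "srv1", NAME: name}
    event.update(extra)
    return event


# Constructed input, deliberately out of order and sharing one time stamp,
# so that only the sequence field can restore the original order.
SAMPLE_EVENTS = [
    sample("0003", "SECURITY_AUTHZ", {INIT: "192.0.2.10", CODE: "403"}),
    sample("0001", "SECURITY_AUTHZ", {INIT: "192.0.2.10", CODE: "403"}),
    sample("0002", "SECURITY_AUTHZ", {INIT: "192.0.2.20", CODE: "200"}),
    sample("0004", "JMX_MBEAN_ATTRIBUTES",
           {INIT: "192.0.2.10", CODE: "200", ACTION: "setAttributes",
            MBEAN: "example:type=Constructed"}),
    sample("0005", "JMX_MBEAN_ATTRIBUTES",
           {INIT: "192.0.2.20", CODE: "200", ACTION: "getAttributes",
            MBEAN: "example:type=Constructed"}),
    sample("0006", "JMX_MBEAN_REGISTER",
           {INIT: "192.0.2.10", CODE: "200", ACTION: "unregister",
            MBEAN: "example:type=Constructed"}),
]


def triage(events, deny_threshold=2):
    """Return (findings, repeat_initiators).

    findings: (sequence, rule, detail) tuples in event order.
    repeat_initiators: initiator addresses with at least deny_threshold
    SECURITY_AUTHZ events whose reasonCode is not 200.
    """
    findings = []
    denials = Counter()
    # sequence breaks ties between records that share a time stamp.
    in_order = sorted(events, key=lambda e: (e.get("datetime", ""),
                                             e.get("sequence", "")))
    for ev in in_order:
        name, seq = ev.get(NAME), ev.get("sequence")
        # A missing reasonCode counts as not-200 so that gaps surface too.
        not_ok = str(ev.get(CODE, "")) != "200"
        if name == "SECURITY_AUTHZ" and not_ok:
            source = ev.get(INIT, "unknown")
            denials[source] += 1
            findings.append((seq, "authz-not-200", source))
        elif name == "JMX_MBEAN_ATTRIBUTES" and ev.get(ACTION) == "setAttributes":
            findings.append((seq, "jmx-attribute-write", ev.get(MBEAN, "unknown")))
        elif name == "JMX_MBEAN_REGISTER" and ev.get(ACTION) == "unregister":
            findings.append((seq, "jmx-mbean-unregister", ev.get(MBEAN, "unknown")))
    repeat = sorted(h for h, n in denials.items() if n >= deny_threshold)
    return findings, repeat


if __name__ == "__main__":
    found, repeat_sources = triage(SAMPLE_EVENTS)
    for row in found:
        print(row)
    print("repeat initiators:", repeat_sources)
```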
Server and host names in virtualized environments
When Open Liberty servers run in containers or other virtualized environments, the hostName and serverName event fields are automatically set according to certain variables in the configuration.
The hostName field is automatically set to the first of the following values that is available in the configuration:
- The value of the CONTAINER_HOST environment variable
- The value of the ${defaultHostName} Open Liberty configuration variable
- The canonical hostname as reported by the JDK
The serverName field is automatically set to the first of the following values that is available in the configuration:
- The value of the CONTAINER_NAME environment variable
- The value of the ${wlp.server.name} Open Liberty configuration variable
When you use the Logstash collector feature in a container, you can set the CONTAINER_HOST and CONTAINER_NAME environment variables when you start the container. Setting these environment variables ensures that the Logstash collector feature tags the records that it sends with the appropriate host and container name, which aids in problem determination. If you do not set these environment variables, you might not be able to determine which container an event originated from when you use a dashboard that shows events from multiple containers.
When you start a container, you can use a command similar to the following example to set these environment variables:
docker run -d -e LICENSE=accept -e CONTAINER_NAME=yourContainerName -e CONTAINER_HOST=yourContainerHost --name=yourContainerName yourImageName
If you use Podman to manage your containers, run the following command:
podman run -d -e LICENSE=accept -e CONTAINER_NAME=yourContainerName -e CONTAINER_HOST=yourContainerHost --name=yourContainerName yourImageName
When Open Liberty servers run in the IBM Cloud® Kubernetes Service, the CONTAINER_HOST and CONTAINER_NAME environment variables are already set for you.
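The precedence rules above, applied to a set of containers to find the ones whose events would carry identical hostName and serverName values. This is an added example, not Open Liberty code. It assumes that "available" means set and non-empty, and the container records, their keys (id, env, vars, jdk_hostname) and all values are constructed.

```python
from collections import defaultdict


def first_available(*candidates):
    """Return the first candidate that is set and non-empty, else None.

    Treating empty strings as unavailable is an assumption of this example.
    """
    for value in candidates:
        if value:
            return value
    return None


def resolve_identity(env, liberty_vars, jdk_hostname):
    """Apply the documented order and return (hostName, serverName)."""
    host = first_available(env.get("CONTAINER_HOST"),
                           liberty_vars.get("defaultHostName"),
                           jdk_hostname)
    server = first_available(env.get("CONTAINER_NAME"),
                             liberty_vars.get("wlp.server.name"))
    return host, server


def find_collisions(fleet):
    """Map each (hostName, serverName) shared by several containers to their ids."""
    groups = defaultdict(list)
    for container in fleet:
        identity = resolve_identity(container["env"], container["vars"],
                                    container["jdk_hostname"])
        groups[identity].append(container["id"])
    return {ident: ids for ident, ids in groups.items() if len(ids) > 1}


# Constructed fleet: c2 and c3 were started without the two environment
# variables and share one server configuration, so both fall through to the
# same Open Liberty variables.
SHARED_VARS = {"defaultHostName": "apphost", "wlp.server.name": "defaultServer"}
FLEET = [
    {"id": "c1", "vars": SHARED_VARS, "jdk_hostname": "3f2a9c1d0b7e",
     "env": {"CONTAINER_HOST": "node-1", "CONTAINER_NAME": "orders"}},
    {"id": "c2", "vars": SHARED_VARS, "jdk_hostname": "9b8c7d6e5f4a",
     "env": {}},
    {"id": "c3", "vars": SHARED_VARS, "jdk_hostname": "0a1b2c3d4e5f",
     "env": {}},
    {"id": "c4", "vars": {"wlp.server.name": "defaultServer"},
     "jdk_hostname": "aa11bb22cc33",
     "env": {"CONTAINER_NAME": "billing"}},
]

if __name__ == "__main__":
    for identity, ids in find_collisions(FLEET).items():
        print(identity, "is shared by", ids)
```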