Logstash collector events reference list

You can use the Logstash collector feature to send log events to a remote Logstash server so that you can manage and visualize them with products such as Elasticsearch and Kibana. Each type of log event has its own set of fields that you can use to customize your Kibana dashboard.

The Logstash collector feature captures log events at run time, breaks them into fields, and securely forwards them to the configured Logstash log collection server. For more information, see Forwarding logs and events to Logstash with Logstash collector.

Event types

The Logstash collector feature generates the following event types:

Message events
Trace events
HTTP access events
First failure data capture (FFDC) events
Garbage collection events for IBM JDKs
Audit events

In addition to the default log and trace framework, the Logstash collector feature forwards message events and trace events when binary logging is enabled. For more information about log event types, see Log management.

Message events

The following table provides the fields for message log events and a description for each field:

Message event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
message	The message from the log record, starting with the message ID.
threadId	The thread ID in the log line, for example, `00000015`. The thread ID is a string and not a number.
messageId	The message ID in the log line, which can be used to find specific types of errors, for example, `SRVE0250I`.
loggerName	The logger name from the log record.
severity	Indicates the severity of the event by using one of the following codes: F = Fatal, E = Error, W = Warning, A = Audit, I = Info, O = SystemOut, R = SystemErr.
methodName	The method name from the log record.
className	The class name from the log record.
ext_thread	The thread name of the thread that is the source of the event.

Trace events

The following table provides the fields for trace log events and a description for each field:

Trace event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
message	The message from the log record, starting with the message ID.
threadId	The thread ID in the log line, for example, `00000015`. The thread ID is a string and not a number.
messageId	The message ID in the log line, which can be used to find out specific types of errors, for example, `SRVE0250I`.
loggerName	The logger name from the log record.
severity	Indicates the severity of the event by using one of the following codes: 1 = Fine, 2 = Finer, 3 = Finest, > = Entry, < = Exit
methodName	The method name from the log record.
className	The class name from the log record.

FFDC events

The following table provides the fields for FFDC log events and a description for each field:

FFDC event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
message	The message from the exception that triggered the event.
threadId	The thread ID of the FFDC event.
className	The class that emitted the FFDC event.
exceptionName	The exception that was reported in the FFDC event.
probeID	The unique identifier of the FFDC point within the class.
stackTrace	The stack trace of the FFDC event.
objectDetails	The incident details for the FFDC event.

HTTP access events

The following table provides the fields for HTTP access log events and a description for each field:

HTTP access event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
remoteHost	The remote host IP address, for example, `127.0.0.1`.
requestProtocol	The protocol type, for example, `HTTP/1.1`.
userAgent	The `userAgent` value in the request.
requestHeader_{headername}	The header value from the request.
requestMethod	The HTTP verb, for example, `GET`.
responseHeader_{headername}	The header value from the response.
requestPort	The port number of the request.
requestFirstLine	The first line of the request.
responseCode	The HTTP response code, for example, `200`.
requestStartTime	The start time of the request.
remoteUserID	The remote user according to the WebSphere Application Server specific `$WSRU` header.
uriPath	The path information for the requested URL. This path information does not contain the query parameters, for example, `/pushworksserver/push/apps/tags`.
elapsedTime	The time that is taken to serve the request, in microseconds.
accessLogDatetime	The time when the message to the access log is queued to be logged.
remoteIP	The remote IP address, for example, `127.0.0.1`.
requestHost	The request host IP address, for example, `127.0.0.1`.
bytesSent	The response size in bytes, excluding headers.
bytesReceived	The bytes received in the URL, for example, `94`.
cookie_{cookiename}	The cookie value from the request.
requestElapsedTime	The elapsed time of the request - millisecond accuracy, microsecond precision.
queryString	The string that represents the query string from the HTTP request, for example, `color=blue&size=large`.

Garbage collection events

The garbage collection event type is available only for IBM JDKs. The following table provides the fields for garbage collection log events and a description for each field:

Garbage collection event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
heap	The total heap that is currently available.
usedHeap	The amount of heap that is being used.
maxHeap	The maximum heap that the JVM allows.
duration	The duration for which garbage collection was run, in microseconds.
gcType	The type of garbage collection event, for example, Nursery, Global.
reason	The reason for the garbage collection.

Supported audit events and their audit data

The Open Liberty Audit feature captures auditable events from the server runtime environment and applications. You can use the data that is generated from the audit events to analyze the configured environment. For audit event examples, see JSON log events reference list: Audit events.

Open Liberty can generate audit events in either JSON or CADF format. The audit events are captured in the following JSON format types to help identify different areas where the configured environment can be improved:

Management of the audit service (SECURITY_AUDIT_MGMT)
SCIM operations/member management (SECURITY_MEMBER_MGMT)
Servlet 3.0 APIs: login/authenticate (SECURITY_API_AUTHN)
Servlet 3.0 APIs: logout (SECURITY_API_AUTHN_TERMINATE)
Form Logout (SECURITY_AUTHN_TERMINATE)
Basic Authentication (SECURITY_AUTHN)
Client certificate authentication (SECURITY_AUTHN)
Form Login Authenication (SECURITY_AUTHN)
Servlet runAs delegation (SECURITY_AUTHN_DELEGATION)
EJB delegation (SECURITY_AUTHN_DELEGATION)
Failover to basic authentication (SECURITY_AUTHN_FAILOVER)
Unprotected servlet authorization (SECURITY_AUTHZ)
JACC web authorization (SECURITY_AUTHZ)
JACC EJB authorization (SECURITY_AUTHZ)
EJB authorization (SECURITY_AUTHZ)
JMS Authentication (SECURITY_JMS_AUTHN)
JMS Authorization (SECURITY_JMS_AUTHZ)
SAF Authorization Service API request (SECURITY_SAF_AUTHZ)
SAF Authorization Exception (SECURITY_SAF_AUTHZ_DETAILS)
JMX MBean registration (JMX_MBEAN_REGISTER)
JMX MBean Operations (JMX_MBEAN)
JMX MBean attribute operations (JMX_MBEAN_ATTRIBUTES)
JMX Notifications (JMX_NOTIFICATION)

SECURITY_AUDIT_MGMT

The SECURITY_AUDIT_MGMT event captures the start and stop of the Audit Service and implemented handlers, such as the default AuditFileHandler.

The following table provides the fields for the SECURITY_AUDIT_MGMT event to capture the audit information from the management of the audit service:

SECURITY_AUDIT_MGMT event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `AuditService` in the case of the audit service; `AuditHandler: <name of handler implementation>` in the case of a handler start.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.typeURI	Unique URI of the target of the event: `server/audit/start` in the case of an AuditService or handler start; `server/audit/stop` in the case of an AuditService or handler stop.

SECURITY_MEMBER_MGMT

You can use the SECURITY_MEMBER_MGMT event to capture the audit information from SCIM operations or member management. The following table provides the fields for the SECURITY_Member_MGMT event and a description of each field:

SECURITY_MEMBER_MGMT event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.
ibm_audit_target.action	The action that is being performed on the target.
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action.
ibm_audit_target.entityType	Generic name of the member being acted upon: `PersonAccount`, `Group`.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as GET or POST.
ibm_audit_target.name	Name of the target. Note that the name includes `urbridge`, `scim` or `vmmservice`, depending on the flow of the request, for example, whether is it a call coming through scim.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.repositoryId	Repository identifier associated with the target.
ibm_audit_target.session	Session identifier associated with the target.
ibm_audit_target.uniqueName	Unique name of the member that is being acted upon.
ibm_audit_target.typeURI	Unique URI of the target of the event: `server/vmmservice/<action>`.

SECURITY_API_AUTHN

You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field:

SECURITY_API_AUTHN event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action: `BASIC`, `FORM`, or `CLIENTCERT`.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as `GET` or `POST`.
ibm_audit_target.name	Context root.
ibm_audit_target.params	Names and values of any parameters that are sent to the target with the action.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.session	HTTP session ID.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/application/web`.

SECURITY_API_AUTHN_TERMINATE

You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field:

SECURITY_API_AUTHN_TERMINATE event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action: `BASIC`, `FORM`, or `CLIENTCERT`.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as `GET` or `POST`.
ibm_audit_target.name	Context root.
ibm_audit_target.params	Names and values of any parameters that are sent to the target with the action.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.session	HTTP Session ID
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/application/web`.

SECURITY_AUTHN

You can use the SECURITY_AUTHN event to capture the audit information from basic authentication, form login authentication, client certificate authentication, and JASPI authentication. The following table provides the fields for the SECURITY_AUTHN event and a description of each field:

SECURITY_AUTHN event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action: `BASIC`, `FORM`, or `CLIENTCERT`.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as `GET` or `POST`.
ibm_audit_target.name	Context root.
ibm_audit_target.params	Names and values of any parameters that are sent to the target with the action.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.session	HTTP session ID.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/application/web`.

SECURITY_AUTHN_DELEGATION

You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field:

SECURITY_AUTHN_DELEGATION event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action: `BASIC`, `FORM`, or `CLIENTCERT`.
ibm_audit_target.delegation.users	List of users in the delegation flow, starting with the initial user invoking the action.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as `GET` or `POST`.
ibm_audit_target.name	Context root.
ibm_audit_target.params	Names and values of any parameters that are sent to the target with the action.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.runas.role	RunAs role name used in the delegation.
ibm_audit_target.session	HTTP session ID.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/application/web`.

SECURITY_AUTHN_FAILOVER

You can use the SECURITY_AUTHN_FAILOVER event to capture the audit information from failover to basic authentication. The following table provides the fields for the SECURITY_AUTHN_FAILOVER event and a description of each field:

SECURITY_AUTHN_FAILOVER event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.authtype.failover	Name of failover authentication mechanism.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action.. `BASIC`, `FORM`, or `CLIENTCERT`
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as `GET` or `POST`.
ibm_audit_target.name	Context root.
ibm_audit_target.params	Names and values of any parameters that are sent to the target with the action.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.session	HTTP session ID.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/application/web`.

SECURITY_AUTHN_TERMINATE

You can use the SECURTIY_AUTHN_TERMINATE event to capture the audit information from a form logout. The following table provides the fields for the SECURITY_AUTHN_TERMINATE event and a description of each field:

SECURITY_AUTHN_TERMINATE event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.authtype.failover	Name of failover authentication mechanism.
ibm_audit_target.authtype.original	Name of original authentication mechanism.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action: `BASIC`, `FORM`, or `CLIENTCERT`.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as `GET` or `POST`.
ibm_audit_target.name	Context root.
ibm_audit_target.params	Names and values of any parameters that are sent to the target with the action.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.session	HTTP session ID.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/application/web`.

SECURITY_AUTHZ

You can use the SECURITY_AUTHZ event to capture the audit information from JACC web authorization, unprotected servlet authorization, JACC EJB authorization, and EJB authorization. The following table provides the fields for the SECURITY_AUTHZ event and a description of each field:

SECURITY_AUTHZ event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `SecurityService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, HTTP and HTTPS, that is associated with the request
ibm_audit_target.appname	Name of the application to be accessed or run on the target.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action: `BASIC`, `FORM`, or `CLIENTCERT`.
ibm_audit_target.ejb.beanname	EJB bean name for EJB authorization
ibm_audit_target.ejb.method.interface	EJB method interface for EJB authorization
ibm_audit_target.ejb.method.signature	EJB method signature for EJB authorization
ibm_audit_target.ejb.module.name	EJB module name for EJB authorization
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.method	Method that is being invoked on the target, such as `GET` or `POST`.
ibm_audit_target.name	Context root.
ibm_audit_target.params	Names and values of any parameters that are sent to the target with the action.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.role.names	Roles that are identified as being needed, if not permit all, for EJBs.
ibm_audit_target.session	HTTP session ID.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/application/web`.

SECURITY_JMS_AUTHN

You can use the SECURITY_JMS_AUTHENTICATION event to capture the audit information from JMS authentication. The following table provides the fields for the SECURITY_JMS_AUTHENTICATION event and a description of each field:

SECURITY_JMS_AUTHN event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `JMSMessagingImplementation`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.messaging.busname	Name of messaging bus.
ibm_audit_target.messaging.callType	Identifies whether the call is remote or local.
ibm_audit_target.messaging.engine	Name of messaging engine.
ibm_audit_target.messaing.loginType	Name of the login algorithm that is used, for example, `Userid+Password`.
ibm_audit_target.messaging.remote.chainName	If the operation is remote, the name of the remote chain name.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/jms/messaging`.

SECURITY_JMS_AUTHZ

You can use the SECURITY_JMS_AUTHZ event to capture the audit information from JMS authorization. The following table provides the fields for the SECURITY_JMS_AUTHZ event and a description of each field:

SECURITY_JMS_AUTHZ event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `JMSMessagingImplementation`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB.
ibm_audit_target.credential.token	Token name of the user that is performing the action.
ibm_audit_target.credential.type	Token type of the user that is performing the action.
ibm_audit_target.host.address	Host and port of the target.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.messaging.busname	Name of messaging bus.
ibm_audit_target.messaging.callType	Identifies whether the call is remote or local.
ibm_audit_target.messaging.destination	Name of messaging destination.
ibm_audit_target.messaging.engine	Name of messaging engine.
ibm_audit_target.messaging.jmsActions	List of actions that the credential is allowed to perform.
ibm_audit_target.messaging.jmsResource	Name of the JMS resource, such as `QUEUE`, `TOPIC`, and `TEMPORARY DESTINATION`.
ibm_audit_target.messaging.operationType	Name of the operation that is being requested.
ibm_audit_target.messaging.remote.chainName	If the operation is remote, the name of the remote chain name.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.typeURI	Unique URI of the target of the event: `service/jms/messaging`.

SECURITY_SAF_AUTHZ_DETAILS

You can use the SECURITY_SAF_AUTHZ_DETAILS event to capture the audit information from a SAF Authorization event that is configured to throw a SAF Authorization Exception on failure. The following table provides the fields for the SECURITY_SAF_AUTHZ_DETAILS event and a description of each field:

SECURITY_SAF_AUTHZ_DETAILS event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `JMXService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_target.access.level	Level of access requested.
ibm_audit_target.applid	Identifier of APPL class.
`ibm_audit_target.authorization.decision`	True if user is authorized to access SAF resource in SAF Class, otherwise false.
ibm_audit_target.credential.token	Token name of the user that performs the action.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.racf.reason.code	RACF reason code.
ibm_audit_target.racf.return.code	RACF return code.
ibm_audit_target.saf.class	Name of SAF Class that contains SAF resource.
ibm_audit_target.saf.profile	Name of SAF resource user requests access to.
ibm_audit_target.saf.return.code	SAF return code.
ibm_audit_target.typeURI	Unique URI of the target of the event: service/application/web.
ibm_audit_target.user.security.name	Username whose access to a SAF resource is being checked.

JMX_MBEAN_REGISTER

You can use the JMX_MBEAN_REGISTER event to capture the audit information from JMX MBean registration. The following table provides the fields for the JMX_MBEAN_REGISTER event and a description of each field:

JMX_MBEAN_REGISTER event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `JMXService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.jmx.mbean.action	MBean action being performed: register, unregister.
ibm_audit_target.jmx.mbean.name	Name of the MBean that is being acted upon.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.typeURI	Unique URI of the target of the event: `server/mbean`.

JMX_MBEAN

You can use the JMX_MBEAN event to capture the audit information from JMX_MBEAN operations. The following table provides the fields for the JMX_MBEAN event and a description of each field:

JMX_MBEAN event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `JMXService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB., or the state behind the outcome
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.jmx.mbean.action	MBean action being performed: query, create, invoke
ibm_audit_target.jmx.mbean.name	Name of the MBean that is being acted upon.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.typeURI	Unique URI of the target of the event: `server/mbean`.

JMX_MBEAN_ATTRIBUTES

You can use the JMX_MBEAN_ATTRIBUTES event to capture the audit information from JMX MBEAN attribute operations. The following table provides the fields for the JMX_MBEAN_Attributes event and a description of each field:

JMX_MBEAN_ATTRIBUTES event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_initiator.host.address	Host address of the initiator of the event.
ibm_audit_initiator.host.agent	Name of the monitoring agent that is associated with the initiator.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `JMXService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.jmx.mbean.action	MBean action being performed on the MBean attributes, getAttributes and setAttributes are supported.
ibm_audit_target.jmx.mbean.attribute.names	Name of the attributes(s) being acted upon.
ibm_audit_target.jmx.mbean.name	Name of the MBean that is being acted upon.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.typeURI	Unique URI of the target of the event: `server/mbean`.

JMX_NOTIFICATION

You can use the JMX_NOTIFICATION event to capture the audit information from JMX notifications. The following table provides the fields for the JMX_NOTIFICATION event and a description for each field:

JMX_NOTIFICATION event fields
Field	Description
type	A string that identifies the type of event.
datetime	Time at which the event occurred.
hostName	The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
wlpUserDir	The user directory of the server that was the source of the event, for example, `D:\wlp\usr`.
serverName	The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.
sequence	The sequence number of the event, which is useful for sorting records with the same time stamp.
tags	The tags that are associated with the server from which the event originated.
threadId	The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.
ibm_audit_eventName	Name of the audit event.
ibm_audit_eventSequenceNumber	Sequence number of the audit event.
ibm_audit_eventTime	Time that the event occurred.
ibm_audit_observer.id	Identifier of the observer of the event.
ibm_audit_observer.name	Name of the observer of the event: `JMXService`.
ibm_audit_observer.typeURI	Unique URI of the observer of the event: `service/server`.
ibm_audit_outcome	Outcome of the event.
ibm_audit_reason.reasonCode	A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.
ibm_audit_reason.reasonType	A value that indicates the underlying mechanism, such as HTTP(S), JMS, EJB, that is associated with the request, or the state behind the outcome.
ibm_audit_target.id	Identifier of the target of the action.
ibm_audit_target.jmx.mbean.action	MBean action being performed on the MBean attribute(s).
ibm_audit_target.jmx.notification.filter	Name of the notification filter.
ibm_audit_target.jmx.notification.listener	Name of the notification listener.
ibm_audit_target.jmx.notification.name	Name of the notification.
ibm_audit_target.realm	Realm name that is associated with the target.
ibm_audit_target.typeURI	Unique URI of the target of the event: `server/mbean/notification`.

Server and host names in virtualized environments

When Open Liberty servers run in containers or other virtualized environments, the hostName and serverName event fields are automatically set according to certain variables in the configuration.

The hostName field is automatically set to the first of the following values that is available in the configuration:

The value of the CONTAINER_HOST environment variable
The value of the ${defaultHostName} Open Liberty configuration variable
The canonical hostname as reported by the JDK

The serverName field is automatically set to the first of the following values that is available in the configuration:

The value of the CONTAINER_NAME environment variable
The value of the ${wlp.server.name} Open Liberty configuration variable

When you use the Logstash collector feature in a container, you can set the CONTAINER_HOST and CONTAINER_NAME environment variables when you start the container. Setting these environment variables ensures that the Logstash collector feature tags the records that it sends with the appropriate host and container name, which aids in problem determination. If you do not set these environment variables, you might not be able to determine which container an event originated from when you use a dashboard that shows events from multiple containers.

When you start a container, you can use a command similar to the following example to set these environment variables:

docker run -d -e LICENSE=accept -e CONTAINER_NAME=yourContainerName -e CONTAINER_HOST=yourContainerHost --name=yourContainerName yourImageName

If you use Podman to manage your containers, run the following command:

podman run -d -e LICENSE=accept -e CONTAINER_NAME=yourContainerName -e CONTAINER_HOST=yourContainerHost --name=yourContainerName yourImageName

When Open Liberty servers run in the IBM Cloud® Kubernetes Service, the CONTAINER_HOST and CONTAINER_NAME environment variables are already set for you.