Logstash collector events reference list

You can use the Logstash collector feature to send log events to a remote Logstash server so that you can manage and visualize them with products such as Elasticsearch and Kibana. Each type of log event has its own set of fields that you can use to customize your Kibana dashboard.

The Logstash collector feature captures log events at run time, breaks them into fields, and securely forwards them to the configured Logstash log collection server. For more information, see Forwarding logs and events to Logstash with Logstash collector.

Event types

The Logstash collector feature generates the following event types:

In addition to the default log and trace framework, the Logstash collector feature forwards message events and trace events when binary logging is enabled. For more information about log event types, see Log management.

Message events

The following table provides the fields for message log events and a description for each field:

Message event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

message

The message from the log record, starting with the message ID.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

messageId

The message ID in the log line, which can be used to find specific types of errors, for example, SRVE0250I.

loggerName

The logger name from the log record.

severity

Indicates the severity of the event by using one of the following codes: F = Fatal, E = Error, W = Warning, A = Audit, I = Info, O = SystemOut, R = SystemErr.

methodName

The method name from the log record.

className

The class name from the log record.

ext_thread

The thread name of the thread that is the source of the event.

Trace events

The following table provides the fields for trace log events and a description for each field:

Trace event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

message

The message from the log record, starting with the message ID.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

messageId

The message ID in the log line, which can be used to find out specific types of errors, for example, SRVE0250I.

loggerName

The logger name from the log record.

severity

Indicates the severity of the event by using one of the following codes: 1 = Fine, 2 = Finer, 3 = Finest, > = Entry, < = Exit

methodName

The method name from the log record.

className

The class name from the log record.

FFDC events

The following table provides the fields for FFDC log events and a description for each field:

FFDC event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

message

The message from the exception that triggered the event.

threadId

The thread ID of the FFDC event.

className

The class that emitted the FFDC event.

exceptionName

The exception that was reported in the FFDC event.

probeID

The unique identifier of the FFDC point within the class.

stackTrace

The stack trace of the FFDC event.

objectDetails

The incident details for the FFDC event.

HTTP access events

The following table provides the fields for HTTP access log events and a description for each field:

HTTP access event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

remoteHost

The remote host IP address, for example, 127.0.0.1.

requestProtocol

The protocol type, for example, HTTP/1.1.

userAgent

The userAgent value in the request.

requestHeader_{headername}

The header value from the request.

requestMethod

The HTTP verb, for example, GET.

responseHeader_{headername}

The header value from the response.

requestPort

The port number of the request.

requestFirstLine

The first line of the request.

responseCode

The HTTP response code, for example, 200.

requestStartTime

The start time of the request.

remoteUserID

The remote user according to the WebSphere Application Server specific $WSRU header.

uriPath

The path information for the requested URL. This path information does not contain the query parameters, for example, /pushworksserver/push/apps/tags.

elapsedTime

The time that is taken to serve the request, in microseconds.

accessLogDatetime

The time when the message to the access log is queued to be logged.

remoteIP

The remote IP address, for example, 127.0.0.1.

requestHost

The request host IP address, for example, 127.0.0.1.

bytesSent

The response size in bytes, excluding headers.

bytesReceived

The bytes received in the URL, for example, 94.

cookie_{cookiename}

The cookie value from the request.

requestElapsedTime

The elapsed time of the request - millisecond accuracy, microsecond precision.

queryString

The string that represents the query string from the HTTP request, for example, color=blue&size=large.

Garbage collection events

The garbage collection event type is available only for IBM JDKs. The following table provides the fields for garbage collection log events and a description for each field:

Garbage collection event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

heap

The total heap that is currently available.

usedHeap

The amount of heap that is being used.

maxHeap

The maximum heap that the JVM allows.

duration

The duration for which garbage collection was run, in microseconds.

gcType

The type of garbage collection event, for example, Nursery, Global.

reason

The reason for the garbage collection.

Supported audit events and their audit data

The Open Liberty Audit feature captures auditable events from the server runtime environment and applications. You can use the data that is generated from the audit events to analyze the configured environment. For audit event examples, see JSON log events reference list: Audit events.

Open Liberty can generate audit events in either JSON or CADF format. The audit events are captured in the following JSON format types to help identify different areas where the configured environment can be improved:

SECURITY_AUDIT_MGMT

The SECURITY_AUDIT_MGMT event captures the start and stop of the Audit Service and implemented handlers, such as the default AuditFileHandler.

The following table provides the fields for the SECURITY_AUDIT_MGMT event to capture the audit information from the management of the audit service:

SECURITY_AUDIT_MGMT event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: AuditService in the case of the audit service; AuditHandler: <name of handler implementation> in the case of a handler start.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/audit/start in the case of an AuditService or handler start; server/audit/stop in the case of an AuditService or handler stop.

SECURITY_MEMBER_MGMT

You can use the SECURITY_MEMBER_MGMT event to capture the audit information from SCIM operations or member management. The following table provides the fields for the SECURITY_Member_MGMT event and a description of each field:

SECURITY_MEMBER_MGMT event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.

ibm_audit_target.action

The action that is being performed on the target.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action.

ibm_audit_target.entityType

Generic name of the member being acted upon: PersonAccount, Group.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Name of the target. Note that the name includes urbridge, scim or vmmservice, depending on the flow of the request, for example, whether is it a call coming through scim.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.repositoryId

Repository identifier associated with the target.

ibm_audit_target.session

Session identifier associated with the target.

ibm_audit_target.uniqueName

Unique name of the member that is being acted upon.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/vmmservice/<action>.

SECURITY_API_AUTHN

You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field:

SECURITY_API_AUTHN event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action: BASIC, FORM, or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

SECURITY_API_AUTHN_TERMINATE

You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field:

SECURITY_API_AUTHN_TERMINATE event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action: BASIC, FORM, or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP Session ID

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

SECURITY_AUTHN

You can use the SECURITY_AUTHN event to capture the audit information from basic authentication, form login authentication, client certificate authentication, and JASPI authentication. The following table provides the fields for the SECURITY_AUTHN event and a description of each field:

SECURITY_AUTHN event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action: BASIC, FORM, or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

SECURITY_AUTHN_DELEGATION

You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field:

SECURITY_AUTHN_DELEGATION event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action: BASIC, FORM, or CLIENTCERT.

ibm_audit_target.delegation.users

List of users in the delegation flow, starting with the initial user invoking the action.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.runas.role

RunAs role name used in the delegation.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

SECURITY_AUTHN_FAILOVER

You can use the SECURITY_AUTHN_FAILOVER event to capture the audit information from failover to basic authentication. The following table provides the fields for the SECURITY_AUTHN_FAILOVER event and a description of each field:

SECURITY_AUTHN_FAILOVER event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.authtype.failover

Name of failover authentication mechanism.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action.. BASIC, FORM, or CLIENTCERT

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

SECURITY_AUTHN_TERMINATE

You can use the SECURTIY_AUTHN_TERMINATE event to capture the audit information from a form logout. The following table provides the fields for the SECURITY_AUTHN_TERMINATE event and a description of each field:

SECURITY_AUTHN_TERMINATE event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.authtype.failover

Name of failover authentication mechanism.

ibm_audit_target.authtype.original

Name of original authentication mechanism.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action: BASIC, FORM, or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

SECURITY_AUTHZ

You can use the SECURITY_AUTHZ event to capture the audit information from JACC web authorization, unprotected servlet authorization, JACC EJB authorization, and EJB authorization. The following table provides the fields for the SECURITY_AUTHZ event and a description of each field:

SECURITY_AUTHZ event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, HTTP and HTTPS, that is associated with the request

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action: BASIC, FORM, or CLIENTCERT.

ibm_audit_target.ejb.beanname

EJB bean name for EJB authorization

ibm_audit_target.ejb.method.interface

EJB method interface for EJB authorization

ibm_audit_target.ejb.method.signature

EJB method signature for EJB authorization

ibm_audit_target.ejb.module.name

EJB module name for EJB authorization

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.role.names

Roles that are identified as being needed, if not permit all, for EJBs.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

SECURITY_JMS_AUTHN

You can use the SECURITY_JMS_AUTHENTICATION event to capture the audit information from JMS authentication. The following table provides the fields for the SECURITY_JMS_AUTHENTICATION event and a description of each field:

SECURITY_JMS_AUTHN event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMSMessagingImplementation.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.messaging.busname

Name of messaging bus.

ibm_audit_target.messaging.callType

Identifies whether the call is remote or local.

ibm_audit_target.messaging.engine

Name of messaging engine.

ibm_audit_target.messaing.loginType

Name of the login algorithm that is used, for example, Userid+Password.

ibm_audit_target.messaging.remote.chainName

If the operation is remote, the name of the remote chain name.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/jms/messaging.

SECURITY_JMS_AUTHZ

You can use the SECURITY_JMS_AUTHZ event to capture the audit information from JMS authorization. The following table provides the fields for the SECURITY_JMS_AUTHZ event and a description of each field:

SECURITY_JMS_AUTHZ event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMSMessagingImplementation.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.messaging.busname

Name of messaging bus.

ibm_audit_target.messaging.callType

Identifies whether the call is remote or local.

ibm_audit_target.messaging.destination

Name of messaging destination.

ibm_audit_target.messaging.engine

Name of messaging engine.

ibm_audit_target.messaging.jmsActions

List of actions that the credential is allowed to perform.

ibm_audit_target.messaging.jmsResource

Name of the JMS resource, such as QUEUE, TOPIC, and TEMPORARY DESTINATION.

ibm_audit_target.messaging.operationType

Name of the operation that is being requested.

ibm_audit_target.messaging.remote.chainName

If the operation is remote, the name of the remote chain name.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/jms/messaging.

SECURITY_SAF_AUTHZ_DETAILS

You can use the SECURITY_SAF_AUTHZ_DETAILS event to capture the audit information from a SAF Authorization event that is configured to throw a SAF Authorization Exception on failure. The following table provides the fields for the SECURITY_SAF_AUTHZ_DETAILS event and a description of each field:

SECURITY_SAF_AUTHZ_DETAILS event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_target.access.level

Level of access requested.

ibm_audit_target.applid

Identifier of APPL class.

ibm_audit_target.authorization.decision

True if user is authorized to access SAF resource in SAF Class, otherwise false.

ibm_audit_target.credential.token

Token name of the user that performs the action.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.racf.reason.code

RACF reason code.

ibm_audit_target.racf.return.code

RACF return code.

ibm_audit_target.saf.class

Name of SAF Class that contains SAF resource.

ibm_audit_target.saf.profile

Name of SAF resource user requests access to.

ibm_audit_target.saf.return.code

SAF return code.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

ibm_audit_target.user.security.name

Username whose access to a SAF resource is being checked.

JMX_MBEAN_REGISTER

You can use the JMX_MBEAN_REGISTER event to capture the audit information from JMX MBean registration. The following table provides the fields for the JMX_MBEAN_REGISTER event and a description of each field:

JMX_MBEAN_REGISTER event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action being performed: register, unregister.

ibm_audit_target.jmx.mbean.name

Name of the MBean that is being acted upon.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean.

JMX_MBEAN

You can use the JMX_MBEAN event to capture the audit information from JMX_MBEAN operations. The following table provides the fields for the JMX_MBEAN event and a description of each field:

JMX_MBEAN event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB., or the state behind the outcome

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action being performed: query, create, invoke

ibm_audit_target.jmx.mbean.name

Name of the MBean that is being acted upon.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean.

JMX_MBEAN_ATTRIBUTES

You can use the JMX_MBEAN_ATTRIBUTES event to capture the audit information from JMX MBEAN attribute operations. The following table provides the fields for the JMX_MBEAN_Attributes event and a description of each field:

JMX_MBEAN_ATTRIBUTES event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism that is associated with the request, such as HTTP(S), JMS, or EJB, or the state behind the outcome.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action being performed on the MBean attributes, getAttributes and setAttributes are supported.

ibm_audit_target.jmx.mbean.attribute.names

Name of the attributes(s) being acted upon.

ibm_audit_target.jmx.mbean.name

Name of the MBean that is being acted upon.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean.

JMX_NOTIFICATION

You can use the JMX_NOTIFICATION event to capture the audit information from JMX notifications. The following table provides the fields for the JMX_NOTIFICATION event and a description for each field:

JMX_NOTIFICATION event fields
FieldDescription

type

A string that identifies the type of event.

datetime

Time at which the event occurred.

hostName

The hostname of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

wlpUserDir

The user directory of the server that was the source of the event, for example, D:\wlp\usr.

serverName

The name of the server that was the source of the event. For more information, see Server and host names in virtualized environments.

sequence

The sequence number of the event, which is useful for sorting records with the same time stamp.

tags

The tags that are associated with the server from which the event originated.

threadId

The thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP(S), JMS, EJB, that is associated with the request, or the state behind the outcome.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action being performed on the MBean attribute(s).

ibm_audit_target.jmx.notification.filter

Name of the notification filter.

ibm_audit_target.jmx.notification.listener

Name of the notification listener.

ibm_audit_target.jmx.notification.name

Name of the notification.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean/notification.

Server and host names in virtualized environments

When Open Liberty servers run in containers or other virtualized environments, the hostName and serverName event fields are automatically set according to certain variables in the configuration.

The hostName field is automatically set to the first of the following values that is available in the configuration:

  • The value of the CONTAINER_HOST environment variable

  • The value of the ${defaultHostName} Open Liberty configuration variable

  • The canonical hostname as reported by the JDK

The serverName field is automatically set to the first of the following values that is available in the configuration:

  • The value of the CONTAINER_NAME environment variable

  • The value of the ${wlp.server.name} Open Liberty configuration variable

When you use the Logstash collector feature in a container, you can set the CONTAINER_HOST and CONTAINER_NAME environment variables when you start the container. Setting these environment variables ensures that the Logstash collector feature tags the records that it sends with the appropriate host and container name, which aids in problem determination. If you do not set these environment variables, you might not be able to determine which container an event originated from when you use a dashboard that shows events from multiple containers.

When you start a container, you can use a command similar to the following example to set these environment variables:

docker run -d -e LICENSE=accept -e CONTAINER_NAME=yourContainerName -e CONTAINER_HOST=yourContainerHost --name=yourContainerName yourImageName

If you use Podman to manage your containers, run the following command:

podman run -d -e LICENSE=accept -e CONTAINER_NAME=yourContainerName -e CONTAINER_HOST=yourContainerHost --name=yourContainerName yourImageName

When Open Liberty servers run in the IBM Cloud® Kubernetes Service, the CONTAINER_HOST and CONTAINER_NAME environment variables are already set for you.