Audit2.01.0
The Audit feature is used to report and track auditable events to ensure the integrity of your system.
The Audit feature introduces an infrastructure that serves two purposes:
Confirming the effectiveness and integrity of the existing configuration
Identifying areas where improvement to the configuration might be needed
The Audit feature can capture a range of auditable events that include events related to authentication, authorization, and logout. The feature provides a default audit file handler implementation that emits human-readable audit records to a file-based log. Each audit record is emitted in JSON format.
The Audit 2.0 feature (audit-2.0) provides the same audit records as the Audit 1.0 feature (audit-1.0) except it does not generate records for REST Handler applications. If you need to keep audit records for REST Handler applications, use audit-1.0.
Enabling this feature
To enable the Audit 2.0 feature, add the following element declaration into your server.xml file, inside the featureManager element:
<feature>audit-2.0</feature>
Examples
Manage audit log files
The following example shows how to set the maximum file size to 100 MB and set the maximum number of archived audit log files to 50. You can also set the compact attribute to true to print the entire audit record on one line within the audit log:
<auditFileHandler maxFiles="50" maxFileSize="100" compact=”true”>
</auditFileHandler>Configure the audit events to log
To specify only the audit events and outcomes that might be relevant in an environment, the events element can be defined with the audit event name and outcome. The following example specifies audit events and outcomes in the auditFileHandler element:
<auditFileHandler maxFiles="5" maxFileSize="20" compact="true">
<events name="AuditEvent_1" eventName="SECURITY_AUTHN" outcome="SUCCESS"/>
<events name="AuditEvent_2" eventName="SECURITY_AUTHN" outcome="REDIRECT"/>
<events name="AuditEvent_3" eventName="SECURITY_AUTHN" outcome="FAILURE"/>
<events name="AuditEvent_4" eventName="SECURITY_AUTHZ"/>
</auditFileHandler>Encrypt and sign audit data
The following example shows the audit file handler with encryption and signing enabled. The encrypt and sign attributes must be specified in the auditFileHandler element along with the alias names of the certificates and the keystores that contain the certificates. The keystore element contains the private or public key that is used to encrypt and sign the data:
<keyStore id="auditEncKeyStore” password="Liberty" location="server1/resources/security/AuditEncryptionKeyStore.jks" type="JKS" />
<keyStore id="auditSignKeyStore" password="{aes}EzY9Oi0rJg==" location="server1/resources/security/AuditSigningKeyStore2.jks" type="JKS" />
<auditFileHandler encrypt="true" encryptAlias="#auditencryption#" encryptKeyStoreRef="auditEncKeyStore" sign="true" signingAlias="auditsigning2" signingKeyStoreRef="auditSignKeyStore"
</auditFileHandler>Set the audit log format
The JSON logging format makes it easier to manage log data by providing more structure to generated data. The following example shows how to configure the Audit feature to generate audit logs in the JSON logging format:
<logging messageFormat="json" messageSource="audit,message"/>
