Audit logs

Audit logs record events that help to analyze the server runtime environment and applications. You can use audit logs to confirm the effectiveness of the existing environment configuration and identify areas where improvement to the configuration might be needed.

A runtime environment provides a state that contains the resources that are needed to support the processes that help to run an application. The data that applications generate in the server runtime environment is transmitted by the audit file handler and stored in audit logs. Audit logs provide a record of what action was conducted on the environment, when the action was conducted, why the action was conducted, and who is responsible for the action. All relevant data that is associated with the action is included in the audit event. You can report and track the audit events to ensure the integrity of your configured environment. The audit outcome helps to determine the status of the audit event after the associated actions are completed.

Audit events

An audit event is any action that occurs within the environment that can be represented by components. The following table shows the components that represent the audit event, the fields within the audit event that are associated with the components, and descriptions of the actions that occur within the audit event:

Audit event components
Component Field Description

What

eventName

outcome

What activity occurred and what was the result of the activity

When

eventTime

When did this happen

Who

initiator.host.address initiator.host.agent

Who (person or service) initiated the action

OnWhat

target.id target.typeURI

What resource was targeted by the activity

Where

observer.id observer.name

Where did the activity get observed

FromWhere

observer.typeURI

Where did the action initiate

ToWhere

target.host.address

Where was the target of the action

Audit outcomes

An audit outcome is the final result of an audit event. The final result of audit events is specified as one of the following outcome types: SUCCESS, FAILURE, ERROR, REDIRECT, DENIED, INFO, and WARNING.

Audit handler

An audit file handler is provided by default to emit audit data to an on-premises audit.log file. When the maximum number of archived audit logs is reached, after the audit.log file that is being written to reaches its maximum size, then the oldest archived audit log is overwritten. By default, the audit file handler writes audit records to an audit log file until the file reaches 20 MB. The audit log file is then archived and a new audit log file is started. The maximum number of archived audit log files, by default, is 100 after which the oldest archived log file is overwritten. To configure the audit file handler, you can configure the auditFileHandler element in the server.xml file. For more information, see Audit 1.0. The audit file handler can be customized by specifying any of the config attributes, along with the auditFileHandler element. For more information, see Default Audit File Handler.

Audit logs can help provide important details regarding the success or failure of user authentication. The following examples show a successful form login flow to access a servlet application and a failed form login authentication.

Successful form login flow to access a servlet application example

The following example demonstrates audit events that are logged for a successful form login with security authentication that is followed by role-based authorization to a web servlet application.

Security authentication redirects the user to a login form for entering an ID and password. The session field in the audit event records the HTTP session for this user interaction:

{
   "eventName": "SECURITY_AUTHN",
   "eventSequenceNumber": 2,
   "eventTime": "2020-07-31 11:52:38.091 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "redirect",
   "reason": {
      "reasonCode": "302",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "FormLoginServlet",
      "credential": {
         "type": "FORM"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/SimpleServlet",
      "realm": "BasicRealm",
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

The login form is successfully displayed and prompts the user to enter the user ID and password:

{
   "eventName": "SECURITY_AUTHN",
   "eventSequenceNumber": 3,
   "eventTime": "2020-07-31 11:52:38.572 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "reason": {
      "reasonCode": "200",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "/login.jsp",
      "credential": {
         "token": "BasicRealm",
         "type": "BASIC"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/login.jsp",
      "realm": "BasicRealm",
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

{
   "eventName": "SECURITY_AUTHZ",
   "eventSequenceNumber": 4,
   "eventTime": "2020-07-31 11:52:38.622 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "reason": {
      "reasonCode": "200",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "/login.jsp",
      "credential": {
         "type": "BASIC"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/login.jsp",
      "realm": "BasicRealm",
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

The user1 user ID is successfully authorized to access the FormLoginServlet application because the user is in the required Employee or Manager role:

\{
   "eventName": "SECURITY_AUTHZ",
   "eventSequenceNumber": 6,
   "eventTime": "2020-07-31 11:52:39.410 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "success",
   "reason": {
      "reasonCode": "200",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "FormLoginServlet",
      "credential": {
         "token": "user1",
         "type": "LtpaToken2"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "GET",
      "name": "/formlogin/SimpleServlet",
      "realm": "BasicRealm",
      "role": {
         "names": "[Employee, Manager]"
      },
      "session": "hYhd2wzjGOdn6_oyokUTBdb",
      "typeURI": "service/application/web"
   }
}

Failed form login authentication example

The following example demonstrates the audit events that are logged for a failed form login by a user who cannot be authenticated against the user registry.

Security authentication redirects the user to a login form for entering a user ID and password. The session field in the audit event records the HTTP session for this user interaction.

After the login form prompts the user to enter the user ID and password, the baduser user ID fails authentication against the user registry and the user login is denied:

{
   "eventName": "SECURITY_AUTHN",
   "eventSequenceNumber": 5,
   "eventTime": "2020-07-31 13:46:55.205 CDT",
   "initiator": {
      "host": {
         "address": "127.0.0.1",
         "agent": "Apache-HttpClient/4.1.2 (java 1.8)"
      }
   },
   "observer": {
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "name": "SecurityService",
      "typeURI": "service/server"
   },
   "outcome": "denied",
   "reason": {
      "reasonCode": "403",
      "reasonType": "HTTP"
   },
   "target": {
      "appname": "null",
      "credential": {
         "token": "baduser",
         "type": "FORM"
      },
      "host": {
         "address": "127.0.0.1:8010"
      },
      "id": "websphere: sample.xyz.com:/Users/sample/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogin.audit",
      "method": "POST",
      "name": "/formlogin/j_security_check",
      "realm": "BasicRealm",
      "session": "0EREOocFtP9s4VvptJ4DHhi",
      "typeURI": "service/application/web"
   }
}