JSON log events reference list

Open Liberty generates JSON logging events from the server runtime and applications. You can use these events to gather and analyze data that can help to better understand the behavior of applications.

The following types of events are generated by Open Liberty:

Message events

The following table provides the fields for message events and a description for each field:

Message event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

message

The message from the log record, starting with the message ID.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_datetime

Time at which the event occurred.

ibm_messageId

Message ID in the log line, which can be used to find out specific types of errors, for example, SRVE0250I.

module

Logger name from the log record.

loglevel

Severity indicator (F = Fatal, E = Error, W = Warning, A = Audit, I = Info, O = SystemOut, R = SystemErr).

ibm_methodName

Method name from the log record.

ibm_className

Class name from the log record.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ext_thread

Name of the thread that is the source of the event.

ext_appName

Name of the application that logged the message.

The following example shows a message event:

{
    "type":"liberty_message",
    "host":"9e1eceec70c1",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"defaultServer",
    "message":"BADAP0004W: BadApp Angry for test",
    "ibm_threadId":"0000009f",
    "ibm_datetime":"2020-05-04T12:33:26.064+0000",
    "ibm_messageId":"BADAP0004W",
    "module":"com.ibm.ws.lumberjack.badness.Angry",
    "loglevel":"WARNING",
    "ibm_methodName":"doGet",
    "ibm_className":"Angry",
    "ibm_sequence":"1588595606064_0000000000024",
    "ext_thread":"Default Executor-thread-108",
    "ext_appName":"BadApp"
}

Trace events

The following table provides the fields for trace events and a description for each field:

Trace event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

message

The message from the log record.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_datetime

Time at which the event occurred.

ibm_messageId

Message ID in the log line, which can be used to find out specific types of errors, for example, SRVE0250I.

module

Logger name from the log record.

loglevel

Severity indicator (1 = Fine, 2 = Finer, 3 = Finest, > = Entry, < = Exit).

ibm_methodName

Method name from the log record.

ibm_className

Class name from the log record.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ext_thread

Name of the thread that is the source of the event.

ext_appName

Name of the application that logged the message.

The following example shows a trace event:

{
    "type":"liberty_trace",
    "host":"9e1eceec70c1",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"defaultServer",
    "message":"BadApp Angry test",
    "ibm_threadId":"0000009f",
    "ibm_datetime":"2020-05-04T12:33:26.066+0000",
    "ibm_messageId":"BADAP0001W",
    "module":"com.ibm.ws.lumberjack.badness.Angry",
    "loglevel":"FINE",
    "ibm_methodName":"doGet",
    "ibm_className":"Angry",
    "ibm_sequence":"1588595606066_0000000000001",
    "ext_thread":"Default Executor-thread-108",
    "ext_appName":"BadApp"
}

FFDC events

The following table provides the fields for the first failure data capture (FFDC) events and a description for each field:

FFDC event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

message

The message from the exception that triggered the event.

ibm_className

The class that emitted the FFDC event.

ibm_exceptionName

The exception that is reported in the FFDC event.

ibm_probeID

The unique identifier of the FFDC point within the class.

ibm_threadId

The thread ID of the FFDC event.

ibm_stackTrace

The stack trace of the FFDC event.

ibm_objectDetails

The incident details for the FFDC event.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

The following example shows a FFDC event:

{
    "type":"liberty_ffdc",
    "host":"252ecfa1f755",
    "ibm_userDir":"\/opt\/ibm\/wlp\/usr\/",
    "ibm_serverName":"defaultServer",
    "ibm_datetime":"2020-03-24T19:08:14.579+0000",
    "message":"A metric named   com.acmeair.web.AuthServiceRest.com.acmeair.web.AuthServiceRest.login with tags app=\"acmeair-authservice-java\" already exists",
    "ibm_className":"com.ibm.ws.microprofile.metrics.impl.MetricRegistryImpl",
    "ibm_exceptionName":"java.lang.IllegalArgumentException",
    "ibm_probeID":"656",
    "ibm_threadId":"00000275",
    "ibm_stackTrace":"java.lang.IllegalArgumentException: A metric named com.acmeair.web.AuthServiceRest.com.acmeair.web.AuthServiceRest.login with tags app=\"acmeair-authservice-java\" already exists\n\tat ...",
    "ibm_objectDetails":"Object type = com.ibm.ws.microprofile.metrics.impl.MetricRegistryImpl\n  metrics = class java.util.concurrent.ConcurrentHashMap@f445b6cd\n...",
    "ibm_sequence":"1585076894579_0000000000001"
}

HTTP access events

The following table provides the fields for HTTP access events and a description for each field:

HTTP access event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_remoteHost

Remote host IP address, for example, 127.0.0.1.

ibm_requestProtocol

Protocol type, for example, HTTP/1.1.

ibm_userAgent

The userAgent value in the request.

ibm_requestHeader_{headername}

Header value from the request.

ibm_requestMethod

HTTP verb, for example, GET.

ibm_responseHeader_{headername}

Header value from the response.

ibm_requestPort

Port number of the request.

ibm_requestFirstLine

First line of the request.

ibm_responseCode

HTTP response code, for example, 200.

ibm_requestStartTime

The start time of the request.

ibm_remoteUserID

Remote user according to the WebSphere Application Server specific $WSRU header.

ibm_uriPath

Path information for the requested URL. This path information does not contain the query parameters, for example, /pushworksserver/push/apps/tags.

ibm_elapsedTime

Time that is taken to serve the request, in microseconds.

ibm_accessLogDatetime

The time when the message to the access log is queued to be logged.

ibm_remoteIP

Remote IP address, for example, 127.0.0.1.

ibm_requestHost

Request host IP address, for example, 127.0.0.1.

ibm_bytesSent

Response size in bytes excluding headers.

ibm_bytesReceived

Bytes received in the URL, for example, 94.

ibm_cookie_{cookiename}

Cookie value from the request.

ibm_requestElapsedTime

The elapsed time of the request - millisecond accuracy, microsecond precision.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

The following example shows an HTTP access event:

{
    "type":"liberty_accesslog",
    "host":"79e8ad2347b3",
    "ibm_userDir":"\/opt\/ibm\/wlp\/usr\/",
    "ibm_serverName":"defaultServer",
    "ibm_remoteHost":"172.27.0.10",
    "ibm_requestProtocol":"HTTP\/1.1",
    "ibm_userAgent":"Apache-CXF/3.3.3-SNAPSHOT",
    "ibm_requestHeader_headername":"header_value",
    "ibm_requestMethod":"GET",
    "ibm_responseHeader_connection":"Close",
    "ibm_requestPort":"9080",
    "ibm_requestFirstLine":"GET \/favicon.ico HTTP\/1.1",
    "ibm_responseCode":200,
    "ibm_requestStartTime":"2020-07-14T13:28:19.887-0400",
    "ibm_remoteUserID":"user",
    "ibm_uriPath":"\/favicon.ico",
    "ibm_elapsedTime":834,
    "ibm_accessLogDatetime":"2020-07-14T13:28:19.887-0400",
    "ibm_remoteIP":"172.27.0.9",
    "ibm_requestHost":"172.27.0.9",
    "ibm_bytesSent":15086,
    "ibm_bytesReceived":15086,
    "ibm_cookie_cookiename":"cookie_value",
    "ibm_requestElapsedTime":3034,
    "ibm_datetime":"2020-07-14T13:28:19.887-0400",
    "ibm_sequence":"1594747699884_0000000000001"
}

Supported audit events and their audit data

The Open Liberty Audit feature captures auditable events that contain security details from the server runtime environment and applications. You can use the data that is generated from the audit events to analyze the configured environment.

Open Liberty can generate audit events in either JSON or CADF format. The audit events are captured in the following JSON format types to help identify different areas where the configured environment can be improved:

SECURITY_AUDIT_MGMT

You can use the SECURITY_AUDIT_MGMT event to capture the the audit information from the management of the audit service. The following table provides the fields for the SECURITY_AUDIT_MGMT event and a description of each field:

SECURITY_AUDIT_MGMT event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time the event occurred.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: AuditService in the case of the audit service; AuditHandler: name of handler implementation in the case of a handler start.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/audit/start in the case of an AuditService or handler start; server/audit/stop in the case of an AuditService or handler stop.

The following example shows the SECURITY_AUDIT_MGMT event capturing the start of the Audit Service and AuditFileHandler events:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"TestServer.audit",
    "ibm_datetime":"2018-07-10T16:15:35.110-0400",
    "ibm_sequence":"1536171863908_0000000000001",
    "ibm_threadId":"00000013",
    "ibm_audit_eventName":"SECURITY_AUDIT_MGMT",
    "ibm_audit_eventSequenceNumber":"0",
    "ibm_audit_eventTime":"2018-07-10T16:15:34.339-0400",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_observer.name":"AuditService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_target.typeURI":"service/audit/start"
}

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"TestServer.audit",
    "ibm_datetime":"2018-07-10T16:15:35.740-0400",
    "ibm_sequence":"1536171863908_0000000000002",
    "ibm_threadId":"00000013",
    "ibm_audit_eventName":"SECURITY_AUDIT_MGMT",
    "ibm_audit_eventSequenceNumber":"1",
    "ibm_audit_eventTime":"2018-07-10T16:15:34.471-0400",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_observer.name":"AuditHandler:AuditFileHandler",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_target.typeURI":"service/audit/start"
}

SECURITY_MEMBER_MGMT

You can use the SECURITY_MEMBER_MGMT event to capture the audit information from SCIM operations or member management. The following table provides the fields for the SECURITY_Member_MGMT event and a description of each field:

SECURITY_MEMBER_MGMT event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

ibm_audit_target.action

What action is being performed on the target.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action.

ibm_audit_target.entityType

Generic name of the member that is acted upon: PersonAccount, Group.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Name of the target. The name includes urbridge, scim, or vmmservice, depending on the flow of the request. For example, if the call comes through a SCIM operation, the target name is scim.

ibm_audit_target.realm

Realm name associated with the target.

ibm_audit_target.repositoryId

Repository identifier that is associated with the target.

ibm_audit_target.session

Session identifier that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/vmmservice/create.

ibm_audit_target.uniqueName

Unique name of the member that is acted upon.

The following example shows a SECURITY_MEMBER_MGMT user record creation action:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"scim.custom.repository.audit",
    "ibm_datetime":"2018-07-24T14:59:82.321-0400",
    "ibm_sequence":"1536329056532_0000000000047",
    "ibm_threadId":"000000a5",
    "ibm_audit_eventName":"SECURITY_MEMBER_MGMT",
    "ibm_audit_eventSequenceNumber":"13",
    "ibm_audit_eventTime":"2018-07-24T14:58:45.284-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Java/1.8.0",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"HTTPS",
    "ibm_audit_target.action":"create",
    "ibm_audit_target.appname":"RESTProxyServlet",
    "ibm_audit_target.credential.token":"adminUser",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.entityType":"PersonAccount",
    "ibm_audit_target.host.address":"127.0.0.1:63571",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
    "ibm_audit_target.method":"POST",
    "ibm_audit_target.name":"/ibm/api/scim/Users",
    "ibm_audit_target.realm":"sampleCustomRepositoryRealm",
    "ibm_audit_target.repositoryId":"sampleCustomRepository",
    "ibm_audit_target.session":"myQz9fZu2ZUW0nEUWvEaiQC",
    "ibm_audit_target.typeURI":"service/vmmservice/create",
    "ibm_audit_target.uniqueName":"cn=usertemp,o=ibm,c=us"
}

The following example shows a SECURITY_MEMBER_MGMT user lookup action:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"scim.custom.repository.audit",
    "ibm_datetime":"2018-07-24T14:59:82.433-0400",
    "ibm_sequence":"1536329056532_0000000000048",
    "ibm_threadId":"000000a5",
    "ibm_audit_eventName":"SECURITY_MEMBER_MGMT",
    "ibm_audit_eventSequenceNumber":"14",
    "ibm_audit_eventTime":"2018-07-24T14:58:45.343-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Java/1.8.0",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"HTTPS",
    "ibm_audit_target.action":"get",
    "ibm_audit_target.appname":"RESTProxyServlet",
    "ibm_audit_target.credential.token":"adminUser",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.entityType":"PersonAccount",
    "ibm_audit_target.host.address":"127.0.0.1:63571",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
    "ibm_audit_target.method":"POST",
    "ibm_audit_target.name":"/ibm/api/scim/Users",
    "ibm_audit_target.realm":"sampleCustomRepositoryRealm",
    "ibm_audit_target.repositoryId":"sampleCustomRepository",
    "ibm_audit_target.session":"myQz9fZu2ZUW0nEUWvEaiQC",
    "ibm_audit_target.typeURI":"service/vmmservice/get",
    "ibm_audit_target.uniqueName":"cn=usertemp,o=ibm,c=us"
}

SECURITY_API_AUTHN

You can use the SECURITY_API_AUTHN event for servlet 3.0 and later APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field:

SECURITY_API_AUTHN event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action, such as BASIC, FORM or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

The following example shows a SECURITY_API_AUTHN event that results in a redirect:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_datetime":"2018-07-24T17:03:25.628-0400",
    "ibm_sequence":"1536329078239_0000000000020",
    "ibm_threadId":"000000b7",
    "ibm_audit_eventName":"SECURITY_API_AUTHN",
    "ibm_audit_eventSequenceNumber":"2",
    "ibm_audit_eventTime":"2018-07-24T17:03:24.142-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"failure",
    "ibm_audit_reason.reasonCode":"401",
    "ibm_audit_reason.reasonType":"HTTP",
    "ibm_audit_target.appname":"ProgrammaticAPIServlet",
    "ibm_audit_target.credential.token":"user2",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.host.address":"127.0.0.1:8010",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_audit_target.method":"GET",
    "ibm_audit_target.name":"/basicauth/ProgrammaticAPIServlet",
    "ibm_audit_target.params":"testMethod=login,logout,login&user=user2&password=*******",
    "ibm_audit_target.realm":"BasicRealm",
    "ibm_audit_target.session":"MDqMWXO--7cmdu4Oqkt8J3i",
    "ibm_audit_target.typeURI":"service/application/web"
}

SECURITY_API_AUTHN_TERMINATE

You can use the SECURITY_API_AUTHN_TERMINATE event for servlet 3.0 and later APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field:

SECURITY_API_AUTHN_TERMINATE event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action, such as BASIC, FORM or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP Session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

The following example shows a successful SECURITY_API_AUTHN_TERMINATE event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_datetime":"2018-07-24T17:03:25.845-0400",
    "ibm_sequence":"1536329078239_0000000000021",
    "ibm_threadId":"000000b7",
    "ibm_audit_eventName":"SECURITY_API_AUTHN_TERMINATE",
    "ibm_audit_eventSequenceNumber":"3",
    "ibm_audit_eventTime":"2018-07-24T17:03:24.193-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"HTTP",
    "ibm_audit_target.appname":"ProgrammaticAPIServlet",
    "ibm_audit_target.credential.token":"user1",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.host.address":"127.0.0.1:8010",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_audit_target.method":"GET",
    "ibm_audit_target.name":"/basicauth/ProgrammaticAPIServlet",
    "ibm_audit_target.params":"testMethod=login,logout,login&user=user2&password=*******",
    "ibm_audit_target.realm":"BasicRealm",
    "ibm_audit_target.session":"MDqMWXO--7cmdu4Oqkt8J3i",
    "ibm_audit_target.typeURI":"service/application/web"
}

SECURITY_AUTHN

You can use the SECURITY_AUTHN event to capture the audit information from basic authentication, form login authentication, client certificate authentication, and JASPI authentication. The following table provides the fields for the SECURITY_AUTHN event and a description of each field:

SECURITY_AUTHN event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user performing the action.

ibm_audit_target.credential.type

Token type of the user performing the action, such as, BASIC, FORM or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

The following example shows a successful SECURITY_AUTHN event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_datetime":"2018-07-24T17:04:53.213-0400",
    "ibm_sequence":"1536171867413_0000000000003",
    "ibm_threadId":"00000050",
    "ibm_audit_eventName":"SECURITY_AUTHN",
    "ibm_audit_eventSequenceNumber":"6",
    "ibm_audit_eventTime":"2018-07-24T17:03:28.652-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"HTTP",
    "ibm_audit_target.appname":"ProgrammaticAPIServlet",
    "ibm_audit_target.credential.token":"user1",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.host.address":"127.0.0.1:8010",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.loginmethod.audit",
    "ibm_audit_target.method":"GET",
    "ibm_audit_target.name":"/basicauth/ProgrammaticAPIServlet",
    "ibm_audit_target.params":"testMethod=login,logout,login&user=invalidUser&password=*********",
    "ibm_audit_target.realm":"BasicRealm",
    "ibm_audit_target.session":"vvmysQmVNHt4OfCRNIflZBt",
    "ibm_audit_target.typeURI":"service/application/web"
}

SECURITY_AUTHN_DELEGATION

You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field:

SECURITY_AUTHN_DELEGATION event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user performing the action.

ibm_audit_target.credential.type

Token type of the user performing the action, such as, BASIC, FORM or CLIENTCERT.

ibm_audit_target.delegation.users

List of users in the delegation flow, starting with the initial user invoking the action.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.runas.role

RunAs role name that is used in the delegation.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

The following example shows a successful SECURITY_AUTHN_DELEGATION event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_datetime":"2018-07-16T14:39:22.521-0400",
    "ibm_sequence":"1536329023162_0000000000001",
    "ibm_threadId":"00000080",
    "ibm_audit_eventName":"SECURITY_AUTHN_DELEGATION",
    "ibm_audit_eventSequenceNumber":"12",
    "ibm_audit_eventTime":"2018-07-16T14:38:02.281-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5 ",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"EJB",
    "ibm_audit_target.appname":"SecurityEJBA01Bean",
    "ibm_audit_target.credential.token":"user2",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.delegation.users":"user:BasicRealm/user2;user:BasicRealm/user99",
    "ibm_audit_target.host.address":"127.0.0.1:8010",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_audit_target.method":"GET",
    "ibm_audit_target.name":"/securityejb/SimpleServlet",
    "ibm_audit_target.params":"testInstance=ejb01&testMethod=runAsSpecified",
    "ibm_audit_target.realm":"BasicRealm",
    "ibm_audit_target.runas.role":"Employee",
    "ibm_audit_target.session":"b3g01JoFvsy7uKDNBqH7An-",
    "ibm_audit_target.typeURI":"service/application/web"
}

SECURITY_AUTHN_FAILOVER

You can use the SECURITY_AUTHN_FAILOVER event to capture the audit information from failover to basic authentication. The following table provides the fields for the SECURITY_AUTHN_FAILOVER event and a description of each field:

SECURITY_AUTHN_FAILOVER event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.authtype.failover

Name of the failover authentication mechanism.

ibm_audit_target.credential.token

Token name of the user performing the action.

ibm_audit_target.credential.type

Token type of the user performing the action, such as, BASIC, FORM, or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

The following example shows a SECURITY_AUTHN_FAILOVER event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.webcontainer.security.fat.clientcertfailover.audit",
    "ibm_datetime":"2018-07-24T17:06:42.201-0400",
    "ibm_sequence":"1541329052120_0000000000001",
    "ibm_threadId":"00000010",
    "ibm_audit_eventName" "SECURITY_AUTHN_FAILOVER",
    "ibm_audit_eventSequenceNumber":"4",
    "ibm_audit_eventTime":"2018-07-24T17:05:03.777-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"HTTPS",
    "ibm_audit_target.appname":"ClientCertServlet",
    "ibm_audit_target.authtype.failover":"BASIC",
    "ibm_audit_target.authtype.original":"CLIENT_CERT",
    "ibm_audit_target.credential.token":"LDAPUser1",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.host.address":"127.0.0.1:8020",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/",
    "ibm_audit_target.method":"GET",
    "ibm_audit_target.name":"/clientcert/SimpleServlet",
    "ibm_audit_target.realm":"SampleLdapIDSRealm",
    "ibm_audit_target.session":"-7moVRZaL1mU2SVf0RHP28x",
    "ibm_audit_target.typeURI":"service/application/web"
}

SECURITY_AUTHN_TERMINATE

You can use the SECURTIY_AUTHN_TERMINATE event to capture the audit information from a form logout. The following table provides the fields for the SECURITY_AUTHN_TERMINATE event and a description of each field:

SECURITY_AUTHN_TERMINATE event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.authtype.failover

Name of the failover authentication mechanism.

ibm_audit_target.authtype.original

Name of the original authentication mechanism.

ibm_audit_target.credential.token

Token name of the user that is performing the action.

ibm_audit_target.credential.type

Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method that is being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

The following example shows a SECURITY_AUTHN_TERMINATE event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.webcontainer.security.fat.formlogout.audit",
    "ibm_datetime":"2018-07-24T17:03:24.122-0400",
    "ibm_sequence":"1521382001206_0000000000003",
    "ibm_threadId":"0000000a",
    "ibm_audit_eventName":"SECURITY_AUTHN_TERMINATE",
    "ibm_audit_eventSequenceNumber":"13",
    "ibm_audit_eventTime":"2018-07-24T17:02:50.813-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogout.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"HTTP",
    "ibm_audit_target.credential.token":"user1",
    "ibm_audit_target.credential.type":"FORM",
    "ibm_audit_target.host.address":"127.0.0.1:8010",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.webcontainer.security.fat.formlogout.audit",
    "ibm_audit_target.method":"POST",
    "ibm_audit_target.name":"/formlogin/ibm_security_logout",
    "ibm_audit_target.realm":"BasicRealm",
    "ibm_audit_target.session":"oNbsJSCYJrg2SPqzlL-5YxG",
    "ibm_audit_target.typeURI":"service/application/web"
}

SECURITY_AUTHZ

You can use the SECURITY_AUTHZ event to capture the audit information from Java Authorization Contract for Containers (JACC) web authorization, unprotected servlet authorization, JACC EJB authorization, and EJB authorization. The following table provides the fields for the SECURITY_AUTHZ event and a description of each field:

SECURITY_AUTHZ event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: SecurityService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP and HTTPS, that is associated with the request.

ibm_audit_target.appname

Name of the application to be accessed or run on the target.

ibm_audit_target.credential.token

Token name of the user performing the action.

ibm_audit_target.credential.type

Token type of the user performing the action, such as, BASIC, FORM or CLIENTCERT.

ibm_audit_target.ejb.beanname

EJB bean name for EJB authorization.

ibm_audit_target.ejb.method.interface

EJB method interface for EJB authorization.

ibm_audit_target.ejb.method.signature

EJB method signature for EJB authorization.

ibm_audit_target.ejb.module.name

EJB module name for EJB authorization.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.method

Method being invoked on the target, such as GET or POST.

ibm_audit_target.name

Context root.

ibm_audit_target.params

Names and values of any parameters that are sent to the target with the action.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.role.names

Roles that are identified as being needed. If none are listed, all EJBs are permitted.

ibm_audit_target.session

HTTP session ID.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

The following example shows a successful WEB authorization event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_datetime":"2018-07-16T14:38:32.111-0400",
    "ibm_sequence":"1502020152076_0000000000001",
    "ibm_threadId":"000000a2",
    "ibm_audit_eventName":"SECURITY_AUTHZ",
    "ibm_audit_eventSequenceNumber":"4",
    "ibm_audit_eventTime":"2018-07-16T14:37:56.259-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"HTTP",
    "ibm_audit_target.appname":"SecurityEJBServlet",
    "ibm_audit_target.credential.token":"user2",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.host.address":"127.0.0.1:8010",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_audit_target.method":"GET",
    "ibm_audit_target.name":"/securityejb/SimpleServlet",
    "ibm_audit_target.params":"testInstance=ejb01&testMethod=runAsSpecified",
    "ibm_audit_target.realm":"BasicRealm",
    "ibm_audit_target.role.names":"[AllAuthenticated]",
    "ibm_audit_target.session":"NNLU_QCIGIOPHhKLWY1BxVJ",
    "ibm_audit_target.typeURI":"service/application/web"
}

The following example shows a successful EJB authorization:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_datetime":"2018-07-16T14:38:45.326-0400",
    "ibm_sequence":"1502020152076_0000000000002",
    "ibm_threadId":"000000a2",
    "ibm_audit_eventName":"SECURITY_AUTHZ",
    "ibm_audit_eventSequenceNumber":"5",
    "ibm_audit_eventTime":"2018-07-16T14:37:56.719-0400",
    "ibm_audit_initiator.host.address":"127.0.0.1",
    "ibm_audit_initiator.host.agent":"Apache-HttpClient/4.1.2 (java 1.5)",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_audit_observer.name":"SecurityService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"EJB Permit All",
    "ibm_audit_target.appname":"securityejb",
    "ibm_audit_target.credential.token":"user2",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.ejb.beanname":"SecurityEJBA01Bean",
    "ibm_audit_target.ejb.method.interface":"Local",
    "ibm_audit_target.ejb.method.signature":"runAsSpecified:",
    "ibm_audit_target.ejb.module.name":"SecurityEJB.jar",
    "ibm_audit_target.host.address":"127.0.0.1:8010",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:com.ibm.ws.ejbcontainer.security.fat.audit",
    "ibm_audit_target.method":"runAsSpecified",
    "ibm_audit_target.name":"/securityejb/SimpleServlet",
    "ibm_audit_target.params":"testInstance=ejb01&testMethod=runAsSpecified",
    "ibm_audit_target.realm":"BasicRealm",
    "ibm_audit_target.session":"NNLU_QCIGIOPHhKLWY1BxVJ",
    "ibm_audit_target.typeURI":"service/application/web"
}

SECURITY_JMS_AUTHN

You can use the SECURITY_JMS_AUTHENTICATION event to capture the audit information from JMS authentication. The following table provides the fields for the SECURITY_JMS_AUTHENTICATION event and a description of each field:

SECURITY_JMS_AUTHN event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMSMessagingImplementation.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request.

ibm_audit_target.credential.token

Token name of the user performing the action.

ibm_audit_target.credential.type

Token type of the user performing the action.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.messaging.busname

Name of the messaging bus.

ibm_audit_target.messaging.callType

Identifies if the call is remote or local.

ibm_audit_target.messaging.engine

Name of the messaging engine.

ibm_audit_target.messaing.loginType

Name of the login algorithm that is used, such as Userid+Password.

ibm_audit_target.messaging.remote.chainName

If the operation is remote, the name of the remote chain name.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/jms/messaging.

The following example shows a successful SECURITY_JMS_AUTHN event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"TestServer.audit",
    "ibm_datetime":"2018-07-19T18:34:72.599-0400",
    "ibm_sequence":"1587056204736_0000000000001",
    "ibm_threadId":"00000003",
    "ibm_audit_eventName":"SECURITY_JMS_AUTHN",
    "ibm_audit_eventSequenceNumber":"10",
    "ibm_audit_eventTime":"2018-07-19T18:33:51.135-0400",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_observer.name":"JMSMessagingImplementation",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"JMS",
    "ibm_audit_target.credential.token":"validUser",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.host.address":"127.0.0.1:53166",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_target.messaging.busname":"defaultBus",
    "ibm_audit_target.messaging.callType":"remote",
    "ibm_audit_target.messaging.engine":"defaultME",
    "ibm_audit_target.messaging.loginType":"Userid+Password",
    "ibm_audit_target.messaging.remote.chainName":"InboundBasicMessaging",
    "ibm_audit_target.realm":"customRealm",
    "ibm_audit_target.typeURI":"service/jms/messagingEngine"
}

SECURITY_JMS_AUTHZ

You can use the SECURITY_JMS_AUTHZ event to capture the audit information from JMS authorization. The following table provides the fields for the SECURITY_JMS_AUTHZ event and a description of each field:

SECURITY_JMS_AUTHZ event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMSMessagingImplementation.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request.

ibm_audit_target.credential.token

Token name of the user performing the action.

ibm_audit_target.credential.type

Token type of the user performing the action.

ibm_audit_target.host.address

Host and port of the target.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.messaging.busname

Name of the messaging bus.

ibm_audit_target.messaging.callType

Identifies if the call is remote or local.

ibm_audit_target.messaging.destination

Name of the messaging destination.

ibm_audit_target.messaging.engine

Name of the messaging engine.

ibm_audit_target.messaging.jmsActions

List of the actions that the credential is allowed.

ibm_audit_target.messaging.jmsResource

Name of the JMS resource, such as QUEUE, TOPIC, and TEMPORARY DESTINATION.

ibm_audit_target.messaging.operationType

Name of the operation that is being requested.

ibm_audit_target.messaging.remote.chainName

If the operation is remote, the name of the remote chain name.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/jms/messaging.

The following example shows a successful SECURITY_JMS_AUTHZ event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"TestServer.audit",
    "ibm_datetime":"2018-07-19T18:34:96.324-0400",
    "ibm_sequence":"1587056204736_0000000000002",
    "ibm_threadId":"00000003",
    "ibm_audit_eventName":"SECURITY_JMS_AUTHZ",
    "ibm_audit_eventSequenceNumber":"11",
    "ibm_audit_eventTime":"2018-07-19T18:33:51.247-0400",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_observer.name":"JMSMessagingImplementation",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"JMS",
    "ibm_audit_target.credential.token":"validUser",
    "ibm_audit_target.credential.type":"BASIC",
    "ibm_audit_target.host.address":"127.0.0.1:53166",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
    "ibm_audit_target.messaging.busname":"defaultBus",
    "ibm_audit_target.messaging.callType":"remote",
    "ibm_audit_target.messaging.destination":"BANK",
    "ibm_audit_target.messaging.engine":"defaultME",
    "ibm_audit_target.messaging.jmsActions":"[BROWSE, SEND, RECEIVE]",
    "ibm_audit_target.messaging.jmsResource":"queue",
    "ibm_audit_target.messaging.operationType":"SEND",
    "ibm_audit_target.messaging.remote.chainName":"InboundBasicMessaging",
    "ibm_audit_target.realm":"customRealm",
    "ibm_audit_target.typeURI":"service/jms/messagingResource"
}

SECURITY_SAF_AUTHZ

You can use the SECURITY_SAF_AUTHZ event to capture the audit information from a request to the SAF Authorization Service API. The following table provides the fields for the SECURITY_SAF_AUTHZ event and a description of each field:

SECURITY_SAF_AUTHZ event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_target.access.level

Level of access that is requested.

ibm_audit_target.applid

Identifier of the APPL class.

ibm_audit_target.authorization.decision

A true value if the user is authorized to access the SAF resource in the SAF Class, otherwise a false value.

ibm_audit_target.credential.token

Token name of the user that performs the action.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.racf.reason.code

RACF reason code.

ibm_audit_target.racf.return.code

RACF return code.

ibm_audit_target.saf.class

Name of the SAF Class that contains the SAF resource.

ibm_audit_target.saf.profile

Name of the SAF resource that the user requests access to.

ibm_audit_target.saf.return.code

SAF return code.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

ibm_audit_target.user.security.name

Username whose access to a SAF resource is being checked.

The following example shows a successful SECURITY_SAF_AUTHZ event:

{
   "type":"liberty_audit",
   "host":"sage.xyz.com",
   "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
   "ibm_serverName":"TestServer.audit",
   "ibm_datetime":"2018-07-19T18:34:96.324-0400",
   "ibm_sequence":"1587056204736_0000000000002",
   "ibm_threadId":"00000003",
   "ibm_audit_eventName":"SECURITY_SAF_AUTHZ",
   "ibm_audit_eventSequenceNumber":"4",
   "ibm_audit_eventTime":"2019-04-29T19:45:16.161+0000",
   "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
   "ibm_audit_observer.name":"SecurityService",
   "ibm_audit_observer.typeURI":"service/server",
   "ibm_audit_outcome":"success",
   "ibm_audit_target.access.level":"READ",
   "ibm_audit_target.applid":"BBGZDFLT",
   "ibm_audit_target.authorization.decision":"true",
   "ibm_audit_target.credential.token":"WSGUEST",
   "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
   "ibm_audit_target.racf.reason.code":"0",
   "ibm_audit_target.racf.return.code":"0",
   "ibm_audit_target.saf.class":"EJBROLE",
   "ibm_audit_target.saf.profile":"BBGZDFLT.AUTHSERV",
   "ibm_audit_target.saf.return.code":"0",
   "ibm_audit_target.typeURI":"service/application/web",
   "ibm_audit_target.user.security.name":"WSGUEST"
}

SECURITY_SAF_AUTHZ_DETAILS

You can use the SECURITY_SAF_AUTHZ_DETAILS event to capture the audit information from a SAF Authorization event that is configured to throw a SAF Authorization Exception on failure. The following table provides the fields for the SECURITY_SAF_AUTHZ_DETAILS event and a description of each field:

SECURITY_SAF_AUTHZ_DETAILS event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_target.access.level

Level of access that is requested.

ibm_audit_target.applid

Identifier of APPL class.

ibm_audit_target.authorization.decision

A true value if the user is authorized to access the SAF resource in the SAF Class, otherwise a false value.

ibm_audit_target.credential.token

Token name of the user that performs the action.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.racf.reason.code

RACF reason code.

ibm_audit_target.racf.return.code

RACF return code.

ibm_audit_target.saf.class

Name of the SAF Class that contains the SAF resource.

ibm_audit_target.saf.profile

Name of SAF resource that the user requests access to.

ibm_audit_target.saf.return.code

SAF return code.

ibm_audit_target.typeURI

Unique URI of the target of the event: service/application/web.

ibm_audit_target.user.security.name

Username whose access to a SAF resource is being checked.

The following example shows a successful SECURITY_SAF_AUTHZ_DETAILS event:

{
   "type":"liberty_audit",
   "host":"sage.xyz.com",
   "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
   "ibm_serverName":"TestServer.audit",
   "ibm_datetime":"2018-07-19T18:34:96.324-0400",
   "ibm_sequence":"1587056204736_0000000000002",
   "ibm_threadId":"00000003",
   "ibm_audit_eventName":"SECURITY_SAF_AUTHZ_DETAILS",
   "ibm_audit_eventSequenceNumber":"5",
   "ibm_audit_eventTime":"2019-04-30T13:59:11.688+0000",
   "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
   "ibm_audit_observer.name":"SecurityService",
   "ibm_audit_observer.typeURI":"service/server",
   "ibm_audit_outcome":"success",
   "ibm_audit_target.access.level":"READ",
   "ibm_audit_target.applid":"BBGZDFLT",
   "ibm_audit_target.authorization.decision":"true",
   "ibm_audit_target.credential.token":"WSGUEST",
   "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
   "ibm_audit_target.racf.reason.code":"0",
   "ibm_audit_target.racf.return.code":"0",
   "ibm_audit_target.saf.class":"EJBROLE",
   "ibm_audit_target.saf.profile":"BBGZDFLT.AUTHSERV",
   "ibm_audit_target.saf.return.code":"0",
   "ibm_audit_target.typeURI":"service/application/web",
   "ibm_audit_target.user.security.name":"RSTUSR1"
}

JMX_MBEAN_REGISTER

You can use the JMX_MBEAN_REGISTER event to capture the audit information from JMX MBean registration. The following table provides the fields for the JMX_MBEAN_REGISTER event and a description of each field:

JMX_MBEAN_REGISTER event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action that is being performed: register, unregister.

ibm_audit_target.jmx.mbean.name

Name of the MBean that is being acted upon.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean.

The following example shows a successful JMX_MBEAN_REGISTRATION event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"jmxConnectorAuditServer",
    "ibm_datetime":"2018-07-25T18:43:28.130-0400",
    "ibm_sequence":"1592033306612_0000000000003",
    "ibm_threadId":"0000003f",
    "ibm_audit_eventName":"JMX_MBEAN_REGISTER",
    "ibm_audit_eventSequenceNumber":"12",
    "ibm_audit_eventTime":"2018-07-25T18:42:40.772-0400",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_observer.name":"JMXService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"Successful MBean registration",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_target.jmx.mbean.action":"registerMBean",
    "ibm_audit_target.jmx.mbean.name":"web:name=ClassLoaderMBean",
    "ibm_audit_target.realm":"QuickStartSecurityRealm",
    "ibm_audit_target.typeURI":"server/mbean"
}

JMX_MBEAN

You can use the JMX_MBEAN event to capture the audit information from JMX_MBEAN operations. The following table provides the fields for the JMX_MBEAN event and a description of each field:

JMX_MBEAN event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action that is being performed: query, create, invoke.

ibm_audit_target.jmx.mbean.name

Name of the MBean that is being acted upon.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean.

The following example shows a successful query of an MBean JMS_MBEAN event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"jmxConnectorAuditServer",
    "ibm_datetime":"2018-07-25T18:43:02.822-0400",
    "ibm_sequence":"1592033306612_0000000000002",
    "ibm_threadId":"0000003f",
    "ibm_audit_eventName":"JMX_MBEAN",
    "ibm_audit_eventSequenceNumber":"24",
    "ibm_audit_eventTime":"2018-07-25T18:42:44.119-0400",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_observer.name":"JMXService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"Successful query of MBeans",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_target.jmx.mbean.action":"queryMBeans",
    "ibm_audit_target.jmx.mbean.name":"java.lang:type=Threading",
    "ibm_audit_target.realm":"QuickStartSecurityRealm",
    "ibm_audit_target.typeURI":"server/mbean"
}

JMX_MBEAN_ATTRIBUTES

You can use the JMX_MBEAN_ATTRIBUTES event to capture the audit information from JMX MBEAN attribute operations. The following table provides the fields for the JMX_MBEAN_Attributes event and a description of each field:

JMX_MBEAN_ATTRIBUTES event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_initiator.host.address

Host address of the initiator of the event.

ibm_audit_initiator.host.agent

Name of the monitoring agent that is associated with the initiator.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action that is being performed on the MBean attribute. getAttribute, and setAttribute methods are supported.

ibm_audit_target.jmx.mbean.attribute.names

Name of the attributes that are being acted upon.

ibm_audit_target.jmx.mbean.name

Name of the MBean that is being acted upon.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean.

The following example shows a successful JMX_MBEAN_ATTRIBUTES event:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"jmxConnectorAuditServer",
    "ibm_datetime":"2018-07-25T18:43:92.347-0400",
    "ibm_sequence":"1592033306612_0000000000008",
    "ibm_threadId":"0000002c",
    "ibm_audit_eventName":"JMX_BEAN_ATTRIBUTES",
    "ibm_audit_eventSequenceNumber":"43",
    "ibm_audit_eventTime":"2018-07-25T18:42:51.070-0400",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_observer.name":"JMXService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"Successful retrieval of MBean attributes",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_target.jmx.mbean.action":"getAttributes",
    "ibm_audit_target.jmx.mbean.attribute.names":"[TotalStartedThreadCount = 132][CurrentThreadCpuTimeSupported = true]",
    "ibm_audit_target.jmx.mbean.name":"java.lang:type=Threading",
    "ibm_audit_target.realm":"QuickStartSecurityRealm",
    "ibm_audit_target.typeURI":"server/mbean"
}

JMX_NOTIFICATION

You can use the JMX_NOTIFICATION event to capture the audit information from JMX notifications. The following table provides the fields for the JMX_NOTIFICATION event and a description for each field:

JMX_NOTIFICATION event fields
FIELDDESCRIPTION

type

A string that identifies the type of event.

host

Host name of the server that is the source of the event.

ibm_userDir

User directory of the server that is the source of the event.

ibm_serverName

Name of the server that is the source of the event.

ibm_datetime

Time at which the event occurred.

ibm_sequence

Sequence number of the event, which is useful for sorting records with the same timestamp.

ibm_threadId

Thread ID in the log line, for example, 00000015. The thread ID is a string and not a number.

ibm_audit_eventName

Name of the audit event.

ibm_audit_eventSequenceNumber

Sequence number of the audit event.

ibm_audit_eventTime

Time that the event occurred.

ibm_audit_observer.id

Identifier of the observer of the event.

ibm_audit_observer.name

Name of the observer of the event: JMXService.

ibm_audit_observer.typeURI

Unique URI of the observer of the event: service/server.

ibm_audit_Outcome

Outcome of the event.

ibm_audit_reason.reasonCode

A value that indicates the underlying success or error code for the outcome. In general, a value of 200 means success.

ibm_audit_reason.reasonType

A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome.

ibm_audit_target.id

Identifier of the target of the action.

ibm_audit_target.jmx.mbean.action

MBean action that is being performed on the MBean attributes.

ibm_audit_target.jmx.notification.filter

Name of the notification filter.

ibm_audit_target.jmx.notification.listener

Name of the notification listener.

ibm_audit_target.jmx.notification.name

Name of the notification.

ibm_audit_target.realm

Realm name that is associated with the target.

ibm_audit_target.typeURI

Unique URI of the target of the event: server/mbean/notification.

The following example shows a successful JMX_NOTIFICATION:

{
    "type":"liberty_audit",
    "host":"sage.xyz.com",
    "ibm_userDir":"\/opt\/ol\/wlp\/usr\/",
    "ibm_serverName":"jmxConnectorAuditServer",
    "ibm_datetime":"2018-07-25T19:28:34.664-0500",
    "ibm_sequence":"1503082313712_0000000000003",
    "ibm_threadId":"000000a8",
    "ibm_audit_eventName":"JMX_NOTIFICATION",
    "ibm_audit_eventSequenceNumber":"37",
    "ibm_audit_eventTime":"2018-07-25T19:27:24.303-0500",
    "ibm_audit_observer.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_observer.name":"JMXService",
    "ibm_audit_observer.typeURI":"service/server",
    "ibm_audit_outcome":"success",
    "ibm_audit_reason.reasonCode":"200",
    "ibm_audit_reason.reasonType":"Successful add of notification listener",
    "ibm_audit_target.id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:jmxConnectorAuditServer",
    "ibm_audit_target.jmx.mbean.action":"addNotificationListener",
    "ibm_audit_target.jmx.notification.filter":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationFilter",
    "ibm_audit_target.jmx.notification.listener":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationListener",
    "ibm_audit_target.jmx.notification.name":"web:name=Notifier1",
    "ibm_audit_target.realm":"QuickStartSecurityRealm",
    "ibm_audit_target.typeURI":"server/mbean/notification"
}