Enabling and Viewing User Audit Logs

The UserAudit Log Package listens for user-related events such as login attempts and user administration-related events such as modifications to users, groups, and roles. UserAudit is Off by default but can be enabled to monitor and log the following types of events:

  • The inactivity timeout is changed.
  • There are failed login attempts.
  • A user successfully logs in or out.
  • A user password is changed.
  • A user account is created or deleted.
  • A user or group is synchronized with the directory server.
  • A user is added to or removed from a role or group.
  • A permission is added to or removed from a role.
  • A role is created or deleted.

Enabling the UserAudit Log Package

Follow the steps below to enable the UserAudit package.

  1. In the Administration application, expand the Monitoring & Diagnostics menu and select Logging. The Log Levels tab is displayed on the Logging screen.

  2. Click the Edit button to open the Edit Log Packages dialog box.

  3. Click Add Package at the bottom of the screen. The Select field is displayed.

  4. Click the Select field and type UserAudit. Then press Enter to add UserAudit to the list of Log Packages. The package is added to the list with the default Log Level of Off.
  5. Click the Log Level drop-down list and select Info. Then click Save to save the change.

The UserAudit Log Package is now enabled and will start to log the events described above. The log messages are captured in anzo_full.log as well as a new file called anzo_audit_info.log. All Anzo log files are generated in the <install_path>/Server/logs directory on the server. Files in that directory can be viewed and downloaded from the Administration application.

Viewing the Audit Log

Follow the steps below to view the Audit log file in the application. For information about viewing logs on the server, see Viewing Logs on the Server.

  1. In the Administration application, expand the Monitoring & Diagnostics menu and select Logging. The Log Levels tab is displayed on the Logging screen.

  2. Click the Log Files tab to view the list of files.

    Log Packages that have the Log Level set to Error log events to files with the suffix _error. Operational information that is logged by packages that are set to Info is captured in files with the suffix _info. The current versions of the log files are shown at the top of the list. Earlier versions of the logs are prefixed with the name of the <date>_<part> subdirectory they are saved in.

  3. Select the anzo_audit_info.log file. The contents of the file are displayed in the Logging Details section of the screen.

    You can expand the details view by clicking the Expand icon in the top right corner.

The elements included in each message vary by message type. In general, UserAudit Info messages contain the following information:

  • Date and time the event was logged. For example, 2021-04-28 01:06:48.
  • The type of message, i.e., the Log Level, such as INFO.
  • The type of log. For example, [audit].
  • The area of the system or service that processed the event. For example, [UniformSaveService].
  • The Log Package that was listening for the event, i.e., UserAudit.
  • The message text, such as User Connected or Authentication Failed.
  • The unique Operation ID assigned for the operation. For example, [OpId=518ombnsruyvu8k6pf0a76y4fc-1414].
  • The name of the service that performed the operation. For example, [OpName=executeService].
  • The user who performed the operation. For example, [OpUser=http://openanzo.org/system/internal/sysadmin].

Below are examples of the types of messages that are logged (line breaks added for readability):

Successful User Login

2021-04-27 16:12:28,754 INFO [audit] [persistent=false#1-1] - UserAudit- 
User Connected:sysadmin:<http://openanzo.org/system/internal/sysadmin>, 
ConnectionId:ID:anzo-36673-1619539948446-4:1, 
RemoteAddress:vm://localhost?broker.persistent=false#0

Failed User Login

2021-04-28 01:06:48,341 INFO  [audit] [erverThreadPool-3323] - 
[OpName=ServerRealm.Authenticate]
[OpId=a876f781-5ddf-424d-8d54-c2ea07c87561] 
UserAudit- 
Authentication Failed:test,   
Message:ErrorCode[3844] User test not found.

Inactivity Timeout Value Changed

2021-04-27 19:50:17,316 INFO  [audit] [Service Update Queue] - 
[OpName=executeService]
[OpId=518ombnsruyvu8k6pf0a76y4fc-1802]
[OpUser=http://openanzo.org/system/internal/sysadmin] 
UserAudit- Inactivity Logout Timeout Changed: Old=-1 New=900000

New Role Created

2021-04-27 18:58:38,276 INFO  [audit] [r/UniformSaveService] - 
[OpName=executeService]
[OpId=518ombnsruyvu8k6pf0a76y4fc-1414]
[OpUser=http://openanzo.org/system/internal/sysadmin]
UserAudit- 
Role Created: <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>

Permission Added to a Role

2021-04-28 20:41:10,926 INFO  [audit] [r/UniformSaveService] - 
[OpName=executeService]
[OpId=5q6p7zmp9xn2xujksz4l7pzzl-1808]
[OpUser=http://openanzo.org/system/internal/sysadmin]
UserAudit- 
Permission <http://cambridgesemantics.com/permissions/feature/e5c11e5b-afb2-4af0-b1d7-0e4b620a0378> 
added to Role <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>
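
The message layout described above can be parsed to count failed logins per user name and to list administrative changes together with the OpUser who made them. The Python below is an added example, not part of Anzo or its documentation; the regular expressions, function names, and message prefixes are assumptions derived from the sample messages on this page, which are rejoined onto single lines as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the page's example messages joined back onto single
# lines (the page notes that line breaks were added for readability).
SAMPLE = """\
2021-04-27 16:12:28,754 INFO [audit] [persistent=false#1-1] - UserAudit- User Connected:sysadmin:<http://openanzo.org/system/internal/sysadmin>, ConnectionId:ID:anzo-36673-1619539948446-4:1, RemoteAddress:vm://localhost?broker.persistent=false#0
2021-04-28 01:06:48,341 INFO  [audit] [erverThreadPool-3323] - [OpName=ServerRealm.Authenticate] [OpId=a876f781-5ddf-424d-8d54-c2ea07c87561] UserAudit- Authentication Failed:test,   Message:ErrorCode[3844] User test not found.
2021-04-27 19:50:17,316 INFO  [audit] [Service Update Queue] - [OpName=executeService] [OpId=518ombnsruyvu8k6pf0a76y4fc-1802] [OpUser=http://openanzo.org/system/internal/sysadmin] UserAudit- Inactivity Logout Timeout Changed: Old=-1 New=900000
2021-04-28 20:41:10,926 INFO  [audit] [r/UniformSaveService] - [OpName=executeService] [OpId=5q6p7zmp9xn2xujksz4l7pzzl-1808] [OpUser=http://openanzo.org/system/internal/sysadmin] UserAudit- Permission <http://cambridgesemantics.com/permissions/feature/e5c11e5b-afb2-4af0-b1d7-0e4b620a0378> added to Role <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>
"""

# timestamp, level, [log type], [area], optional [Op...=...] tags, message text
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+(?P<level>\w+)\s+"
    r"\[(?P<log>[^\]]+)\]\s+\[(?P<area>[^\]]+)\]\s+-\s+"
    r"(?P<ops>(?:\[Op\w+=[^\]]*\]\s*)*)UserAudit-\s*(?P<msg>.*)$"
)
OP = re.compile(r"\[(Op\w+)=([^\]]*)\]")

def parse(line):
    """Return a dict of fields for one UserAudit line, or None if it is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(OP.findall(rec.pop("ops"))))  # OpName / OpId / OpUser
    return rec

# Assumption: the attempted user name is the text up to the first comma.
FAILED = re.compile(r"^Authentication Failed:(?P<user>[^,]*),")
# Assumption: prefixes taken from the sample messages shown on this page.
ADMIN = ("Role Created", "Permission ", "Inactivity Logout Timeout Changed")

def summarize(text):
    """Count failed logins per user name and collect administrative changes."""
    failures, changes = Counter(), []
    for rec in filter(None, map(parse, text.splitlines())):
        f = FAILED.match(rec["msg"])
        if f:
            failures[f["user"]] += 1
        elif rec["msg"].startswith(ADMIN):
            changes.append((rec["ts"], rec.get("OpUser", "?"), rec["msg"]))
    return failures, changes
```

To apply it to a server's log, pass the contents of anzo_audit_info.log from the <install_path>/Server/logs directory to summarize().
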