Enabling and Viewing Audit Logs
The Audit Log Packages listen for user- or security-related events such as access attempts and user administration-related events such as modifications to users, groups, and roles. The Audit Log packages are disabled by default but can be enabled to monitor and log the following types of events:
- The inactivity timeout is changed.
- A bundle's properties are changed or a bundle is restarted.
- A user successfully logs in or out or there are failed login attempts.
- A user account is created or deleted or a user's password is changed.
- A user or group is synchronized with the directory server.
- A role is created or deleted.
- A user is added to or removed from a role or group.
- A permission is added to or removed from a role.
- Data access permissions are changed on artifacts.
Enabling the Audit Log Packages
By default, the Audit Log packages (UserAudit, AccessAudit, QueryAudit, ActivityAudit, and SystemAudit) are set to the Log Level Info, which means they are configured to capture all audit events. However, logging of audit events is disabled by default in the Anzo Audit Logging Framework service. Follow the instructions below to configure the service to enable audit logging:
- In the Administration application, expand the Servers menu and click Advanced Configuration. Click I understand and accept the risk.
- Search for the Anzo Audit Logging Framework bundle and view its details.
- Click the Services tab and expand com.cambridgesemantics.anzo.AuditLog.
- Find the com.cambridgesemantics.anzo.auditlog.standardLog property towards the bottom of the list (shown below).
- Click the property to make it editable, and then select the checkbox to enable it.
- Click the checkmark icon to save the change.
- Restart Anzo to apply the configuration change.
The Audit Log Packages are now enabled and will start to log the events described above. The log messages are captured in anzo_full.log as well as a new file called anzo_audit_info.log. All Anzo log files are generated in the <install_path>/Server/logs directory on the server. Files in that directory can be viewed and downloaded from the Administration application.
Viewing the Audit Log
Follow the steps below to view the Audit log file in the application. For information about viewing logs on the server, see Viewing Logs on the Server.
You have the option to split the Audit log into separate files based on the type of event that is being logged, such as a user event or a query event. See Separating Audit Logs by Type of Event for information. The steps below refer to the default Audit Log, where all types of audit events are recorded in a single file.
- In the Administration application, expand the Monitoring & Diagnostics menu and select Logging. The Log Files tab is displayed on the Logging screen. Log Packages that have the Log Level set to Error log events to files with the suffix _error. Operational information that is logged by packages that are set to Info is captured in files with the suffix _info. The current versions of the log files are shown at the top of the list. Earlier versions of the logs are prefixed with the name of the <date>_<part> subdirectory they are saved in.
- Select the anzo_audit_info.log file. The contents of the file are displayed in the Logging Details section of the screen.
You can expand the details view by clicking the Expand icon in the top right corner.
The elements included in each message vary by message type. In general, UserAudit Info messages contain the following information:
- Date and time the event was logged. For example, 2021-04-28 01:06:48.
- The type of message, i.e., the Log Level, such as INFO.
- The type of log. For example, [audit].
- The area of the system or service that processed the event. For example, [UniformSaveService].
- The Log Package that was listening for the event, i.e., UserAudit.
- The message text, such as User Connected or Authentication Failed.
- The unique Operation ID assigned for the operation. For example, [OpId=518ombnsruyvu8k6pf0a76y4fc-1414].
- The name of the service that performed the operation. For example, [OpName=executeService].
- The user who performed the operation. For example, [OpUser=http://openanzo.org/system/internal/sysadmin].
Below are examples of the types of messages that are logged (line breaks added for readability):
Successful User Login
2021-04-27 16:12:28,754 INFO [audit] [persistent=false#1-1] - UserAudit- User Connected:sysadmin:<http://openanzo.org/system/internal/sysadmin>, ConnectionId:ID:anzo-36673-1619539948446-4:1, RemoteAddress:vm://localhost?broker.persistent=false#0
Failed User Login
2021-04-28 01:06:48,341 INFO [audit] [erverThreadPool-3323] - [OpName=ServerRealm.Authenticate] [OpId=a876f781-5ddf-424d-8d54-c2ea07c87561] UserAudit- Authentication Failed:test, Message:ErrorCode[3844] User test not found.
Inactivity Timeout Value Changed
2021-04-27 19:50:17,316 INFO [audit] [Service Update Queue] - [OpName=executeService] [OpId=518ombnsruyvu8k6pf0a76y4fc-1802] [OpUser=http://openanzo.org/system/internal/sysadmin] UserAudit- Inactivity Logout Timeout Changed: Old=-1 New=900000
New Role Created
2021-04-27 18:58:38,276 INFO [audit] [r/UniformSaveService] - [OpName=executeService] [OpId=518ombnsruyvu8k6pf0a76y4fc-1414] [OpUser=http://openanzo.org/system/internal/sysadmin] UserAudit- Role Created: <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>
Permission Added to a Role
2021-04-28 20:41:10,926 INFO [audit] [r/UniformSaveService] - [OpName=executeService] [OpId=5q6p7zmp9xn2xujksz4l7pzzl-1808] [OpUser=http://openanzo.org/system/internal/sysadmin] UserAudit- Permission <http://cambridgesemantics.com/permissions/feature/e5c11e5b-afb2-4af0-b1d7-0e4b620a0378> added to Role <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>
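As an added example (not part of the Anzo documentation or product), the following Python script parses lines in the message format described above and runs two checks a reviewer of anzo_audit_info.log would want: repeated failed logins per user, and a list of timeout, role and permission changes together with the OpUser that made them. The sample lines are the messages shown above plus one constructed second failed login whose OpId is a placeholder; the regular expressions are assumptions based only on the formats shown here.

```python
import re
from collections import Counter

# Sample lines: the messages shown above plus one constructed extra failed login
# (its OpId is a placeholder, not a real Anzo value).
SAMPLE_LOG = """\
2021-04-27 16:12:28,754 INFO [audit] [persistent=false#1-1] - UserAudit- User Connected:sysadmin:<http://openanzo.org/system/internal/sysadmin>, ConnectionId:ID:anzo-36673-1619539948446-4:1, RemoteAddress:vm://localhost?broker.persistent=false#0
2021-04-28 01:06:48,341 INFO [audit] [erverThreadPool-3323] - [OpName=ServerRealm.Authenticate] [OpId=a876f781-5ddf-424d-8d54-c2ea07c87561] UserAudit- Authentication Failed:test, Message:ErrorCode[3844] User test not found.
2021-04-28 01:06:52,002 INFO [audit] [erverThreadPool-3324] - [OpName=ServerRealm.Authenticate] [OpId=PLACEHOLDER-OPID] UserAudit- Authentication Failed:test, Message:ErrorCode[3844] User test not found.
2021-04-27 19:50:17,316 INFO [audit] [Service Update Queue] - [OpName=executeService] [OpId=518ombnsruyvu8k6pf0a76y4fc-1802] [OpUser=http://openanzo.org/system/internal/sysadmin] UserAudit- Inactivity Logout Timeout Changed: Old=-1 New=900000
2021-04-28 20:41:10,926 INFO [audit] [r/UniformSaveService] - [OpName=executeService] [OpId=5q6p7zmp9xn2xujksz4l7pzzl-1808] [OpUser=http://openanzo.org/system/internal/sysadmin] UserAudit- Permission <http://cambridgesemantics.com/permissions/feature/e5c11e5b-afb2-4af0-b1d7-0e4b620a0378> added to Role <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>
"""

# Fixed prefix: timestamp, Log Level, log type, source area, then the rest of the line.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
                     r"\[(?P<logtype>[^\]]+)\] \[(?P<source>[^\]]*)\] - (?P<rest>.*)$")
OP_RE = re.compile(r"\[(Op\w+)=([^\]]*)\]")                      # [OpName=..] [OpId=..] [OpUser=..]
PKG_RE = re.compile(r"(?P<package>\w+Audit)- (?P<message>.*)$")  # "UserAudit- <message text>"

def parse_line(line):
    """Parse one line into a dict, or return None if it is not an audit message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkg = PKG_RE.search(m["rest"])
    if not pkg:
        return None
    rec = m.groupdict()
    rec["ops"] = dict(OP_RE.findall(m["rest"]))   # OpId/OpName/OpUser may be absent
    rec["package"], rec["message"] = pkg["package"], pkg["message"]
    # Event name: words before the first ':' ("Authentication Failed:test"), or the leading
    # words when there is none ("Permission <uri> added to Role <uri>" -> "Permission").
    head = re.match(r"^([A-Za-z ]+?)\s*:", rec["message"]) or re.match(r"^([A-Za-z ]+)", rec["message"])
    rec["event"] = head.group(1).strip() if head else rec["message"]
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def failed_logins(records, threshold=2):
    """Users with at least `threshold` 'Authentication Failed' events (a brute-force indicator)."""
    counts = Counter(r["message"].split(":", 2)[1].split(",", 1)[0].strip()
                     for r in records if r["event"] == "Authentication Failed")
    return {user: n for user, n in counts.items() if n >= threshold}

def admin_changes(records):
    """(timestamp, OpUser, message) for timeout, role and permission changes worth reviewing."""
    watch = {"Inactivity Logout Timeout Changed", "Role Created", "Permission"}
    return [(r["ts"], r["ops"].get("OpUser", "<none>"), r["message"])
            for r in records if r["event"] in watch]
```

Run it against the real file with `parse_log(open(".../anzo_audit_info.log").read())`; the threshold and the `watch` set are the knobs to tune for your environment.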