Enabling the Audit Logs

The Audit Log Packages listen for user- or security-related events such as access attempts and user administration-related events such as modifications to users, groups, and roles. The Audit Log packages are disabled by default but can be enabled to monitor and log the following types of events:

  • The inactivity timeout is changed.
  • A bundle's properties are changed or a bundle is restarted.
  • A user successfully logs in or out or there are failed login attempts.
  • A user account is created or deleted or a user's password is changed.
  • A user or group is synchronized with the directory server.
  • A role is created or deleted.
  • A user is added to or removed from a role or group.
  • A permission is added to or removed from a role.
  • Data access permissions are changed on artifacts.

Enabling the Audit Log Packages

By default, the Audit Log packages (UserAudit, AccessAudit, QueryAudit, ActivityAudit, and SystemAudit) are set to the Log Level Info, which means they are configured to capture all audit events. However, logging the audit events are disabled by default in the Anzo Audit Logging Framework service. Follow the instructions below to configure the service to enable audit logging.

Before enabling logging, consider the file storage implications. Depending on the number and activity of Anzo users, the logs can grow to several GB in size. Make sure that you have the disk space to retain the logs, and consider limiting the size of the logs. See Limiting the Age/Size of Audit Logs for information.

  1. In the Administration application, expand the Servers menu and click Advanced Configuration. Click I understand and accept the risk.
  2. Search for the Anzo Audit Logging Framework bundle and view its details.
  3. Click the Services tab and expand com.cambridgesemantics.anzo.AuditLog.
  4. Find the com.cambridgesemantics.anzo.auditlog.standardLog and com.cambridgesemantics.anzo.auditlog.rdfLog properties (shown below).

  5. Click the standardLog property to make it editable, and then select the checkbox to enable it.

  6. Click the checkmark icon () to save the change.
  7. If you would also like Anzo to generate RDF files for the audit logs so that the logs can be loaded to a graphmart for analysis, click the rdfLog property to make it editable, and then select the checkbox to enable it. Then click the checkmark icon () to save the change.
  8. Restart Anzo to apply the configuration changes.

The Audit Log Packages are now enabled and will start to log the events described above. The log messages are captured in anzo_full.log as well as a new file called anzo_audit_info.log. All Anzo log files are generated in the <install_path>/Server/logs directory on the server. Files in that directory can be viewed and downloaded from the Administration application.

Viewing the Audit Log

Follow the steps below to view the Audit log file in the application. For information about viewing logs on the server, see Viewing Logs on the Server.

You have the option to split the Audit log into separate files based on the type of event that is being logged, such a user event or a query event. See Separating Audit Logs by Event Type for information. The steps below refer to the default Audit Log where all types of audit events are recorded in a single file.

  1. In the Administration application, expand the Monitoring & Diagnostics menu and select Logging. The Log Files tab is displayed on the Logging screen. Log Packages that have the Log Level set to Error log events to files with the suffix _error. Operational information that is logged by packages that are set to Info is captured in files with the suffix _info. The current versions of the log files are shown at the top of the list. Earlier versions of the logs are prefixed with the name of the <date>_<part> subdirectory they are saved in. For example:

  2. Select the anzo_audit_info.log file. The contents of the file are displayed in the Logging Details section of the screen. For example:

    You can expand the details view by clicking the Expand icon () in the top right corner.

The elements included in each message vary by message type. In general, UserAudit Info messages contain the following information:

  • Date and time the event was logged. For example, 2021-04-28 01:06:48.
  • The type of message, i.e., the Log Level, such as INFO.
  • The type of log. For example, [audit].
  • The area of the system or service that processed the event. For example, [UniformSaveService].
  • The Log Package that was listening for the event, i.e., UserAudit.
  • The message text, such as User Connected or Authentication Failed.
  • The unique Operation ID assigned for the operation. For example, [OpId=518ombnsruyvu8k6pf0a76y4fc-1414].
  • The name of the service that performed the operation. For example, [OpName=executeService].
  • The user who performed the operation. For example, [OpUser=http://openanzo.org/system/internal/sysadmin] .

Below are examples of the types of messages that are logged (line breaks added for readability):

Successful User Login

2021-04-27 16:12:28,754 INFO [audit] [persistent=false#1-1] - UserAudit- 
User Connected:sysadmin:<http://openanzo.org/system/internal/sysadmin>, 
ConnectionId:ID:anzo-36673-1619539948446-4:1, 
RemoteAddress:vm://localhost?broker.persistent=false#0

Failed User Login

2021-04-28 01:06:48,341 INFO  [audit] [erverThreadPool-3323] - 
[OpName=ServerRealm.Authenticate]
[OpId=a876f781-5ddf-424d-8d54-c2ea07c87561] 
UserAudit- 
Authentication Failed:test,   
Message:ErrorCode[3844] User test not found.

Inactivity Timeout Value Changed

2021-04-27 19:50:17,316 INFO  [audit] [Service Update Queue] - 
[OpName=executeService]
[OpId=518ombnsruyvu8k6pf0a76y4fc-1802]
[OpUser=http://openanzo.org/system/internal/sysadmin] 
UserAudit- Inactivity Logout Timeout Changed: Old=-1 New=900000

New Role Created

2021-04-27 18:58:38,276 INFO  [audit] [r/UniformSaveService] - 
[OpName=executeService]
[OpId=518ombnsruyvu8k6pf0a76y4fc-1414]
[OpUser=http://openanzo.org/system/internal/sysadmin]
UserAudit- 
Role Created: <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>

Permission Added to a Role

2021-04-28 20:41:10,926 INFO  [audit] [r/UniformSaveService] - 
[OpName=executeService]
[OpId=5q6p7zmp9xn2xujksz4l7pzzl-1808]
[OpUser=http://openanzo.org/system/internal/sysadmin]
UserAudit- 
Permission <http://cambridgesemantics.com/permissions/feature/e5c11e5b-afb2-4af0-b1d7-0e4b620a0378> 
added to Role <http://cambridgesemantics.com/Role/952810ffb74a42f8b502adc422608e64>