Auditing Service in WPS 7.0

IBM WebSphere Portal ships an auditing function that allows users to log certain events and their originators into a separate log file. This file can then be used to track administrative activities. For each event the timestamp, an optional transaction ID, the user performing the action, and individual event details are logged. If the user performing the action (for example, Bob) is being impersonated by another user (for example, Alice), the user is shown as [Bob[Alice]] in the log file.

You can use the auditing function on the following events:

  • Creating, modifying and deleting users and groups

  • Creating, modifying and deleting portlet applications by using the portal user interface

  • Assigning and revoking roles to and from users

  • Modifying role blocks

  • Modifying resource ownership

  • Creating, modifying and deleting protected resources

  • Externalizing and internalizing resources

  • Installing and uninstalling Web modules

  • Creating and deleting application roles

  • Assigning and revoking application roles to and from users

  • Adding and deleting roles to application roles

  • Initializing a database domain

  • Creating, modifying and deleting portlet applications by using IBM Lotus Component Designer.

  • Starting and ending impersonating a user or impersonating a user without the appropriate permission



The Audit Service is disabled by default, But you can enable the Audit Service using WebSphere Application Server Administration Console. In the Admin console go to Resource Environment Provider -< WP_AuditService -< Custom Properties page. You will see list of properties like this



On this page set value of audit.service.enable to true, that should turn audit service to on. Then you can select list of audit events that you want to enable and set there value to true. You can get description of meaning of each value

Take a look at this default auditservice.properties for details on what values you can change


# Licensed Materials - Property of IBM, 5724-E76, (C) Copyright IBM Corp. 2004 - All Rights reserved.

# ------------------------------- #
# Properties of the Audit Service #
# ------------------------------- #

# INIT_PUBLIC_DESCRIPTION_BUFFER
# Description=Global switch to enable/disable the audit service. All other event type switches only work if this is active (true).
# Default: false
#audit.service.enable = false

# These two properties control which Implementation class for writing
# audit logs to the log file will be used and which filename will
# be used.
#
# Defaults:
# audit.logging.class = com.ibm.wps.audit.logging.impl.AuditLoggingImpl
# audit.logFileName = log/audit_$CREATE_TIME.log

#audit.logging.class = com.ibm.wps.services.audit.logging.impl.AuditLoggingImpl
#audit.logFileName = log/audit_$CREATE_TIME.log


# This property controls whether the TransactionID
# is printed in the audit log or not.
#
# Default: true

#audit.showTransactionID.enable = true


# ------------------------------------------------ #
# Use the following event listener related #
# properties to enable/disable audit events of a #
# specific type. #
# ------------------------------------------------ #


# Switch for group events
# INIT_PUBLIC_DESCRIPTION_BUFFER
# Description=Controls audit of group change events.
# Default: false
#audit.groupEvents.enable = false

###
# ( Note: for the remaining properties below, since they are all public,
# the INIT_PUBLIC_DESCRIPTION_BUFFER is not needed, because the
# description buffer is cleared by each public property. However,
# if a non-public property is inserted in between any of these public
# ones, then the next public property will need the INIT_PUBLIC_DESCRIPTION_BUFFER
# control again.)
###

# Switch for user events
# Description=Controls audit of user events
# Default: false

#audit.userEvents.enable = false

# Switch for portlet events
# Description=Controls audit of portlet changes.
# Default: false
#audit.portletEvents.enable = false

# Switch for role events
# Description=Controls audit of role definition (security) changes.
# Default: false
#audit.roleEvents.enable = false

# Switch for role block events
# Description=Controls audit of role block creation or deletion (security).
# Default: false
#audit.roleBlockEvents.enable = false

# Switch for resource owner events
# Description=Controls audit of changes of a resource's owner.
# Default: false
#audit.ownerEvents.enable = false

# Switch for resource events

#audit.resourceEvents.enable = false

# Switch for resource externalization events
# Description=Controls audit of movement of resources to external access control, or back.
# Default: false
#audit.externalizationEvents.enable = false

# Switch for users in group events
# Description=Controls audit of changes in a user's group memberships
# Default: false
#audit.userInGroupEvents.enable = false

# Switch for web module events

#audit.webModuleEvents.enable = false

# Switch for application role events

#audit.applicationRoleEvents.enable = false

# Switch for principal to application role mapping events
# Description=Controls audit of changes of assignments of users or groups to application roles.
# Default: false
#audit.principalToApplicationRoleMappingEvents.enable = false

# Switch for application role to application role mapping events

#audit.applicationRoleToApplicationRoleMappingEvents.enable = false

# Switch for role to application role mapping events
# Description=Controls audit for changes in mappings between fine-grained Portal roles and application roles.
# Default: false
#audit.roleToApplicationRoleMappingEvents.enable = false

# Switch for domain admin data events

#audit.domainAdminDataEvents.enable = false

# Switch for designer deploy service events

#audit.designerDeployServiceEvents.enable = false

# Switch for impersonation service events
# Description=Controls audit for users impersonating other users.
# Default: false
#audit.impersonationEvents.enable = false

# Switch for tagging and rating service events
# Description=Controls audit for tagging operations.
# Default: false
#audit.taggingEvents.enable = false

# Description=Controls audit for rating operations.
# Default: false
#audit.ratingEvents.enable = false


Important Note: Default value of audit.logFileName is log/audit_$CREATE_TIME.log, so the logs go to log directory instead of logs directory where you can find SystemOut.log, SystemErr.log,..

Once the audit service is configured, save your changes and restart the server, try adding couple of users or impersonating a user and you should see those events being audited in the audit service.

This is the sample output of auditservice from my local machine

[09/03/10 07:02:09:985 PDT] I Audit EJPSN0004I: User [UNAUTHENTICATED] has created a User with ID = uid=jiya,o=defaultWIMFileBasedRealm, Name = jiya and ObjectID = Z9eAe23EE3O47M9O2MM86L9CEJMG62JP6JM4C6BE6MM07LHD66QGCJPOEJR47M1
[09/03/10 07:03:16:292 PDT] I Audit EJPSN0004I: User [UNAUTHENTICATED] has created a User with ID = uid=sunil,o=defaultWIMFileBasedRealm, Name = sunil and ObjectID = Z9eAe1BD86J9623E6JMGC13D2JMG623C2MM4CPHO4MMG64BE6JQ4COPC6JG56J1
[09/03/10 07:10:35:490 PDT] I Audit 0000012ad7ef411e00000001000002710148af0b903d6c101e2bdf38fc549652d3754cd10000012ad7ef411e00000001000002710148af0b903d6c101e2bdf38fc549652d3754cd100000001 EJPSN0010I: User [uid=wasadmin,o=defaultWIMFileBasedRealm] has assigned the Role with Name = Can Run As User, Alias = (null) and ObjectID = Z0_Ao000000000000G3RCDT7BG0G100, affecting ActionSet [Can Run As User], to the following principals: (uid=wasadmin,o=defaultWIMFileBasedRealm)
[09/03/10 07:15:14:726 PDT] I Audit EJPSN0033I: User [uid=sunil,o=defaultWIMFileBasedRealm[uid=wasadmin,o=defaultWIMFileBasedRealm]] started impersonation with user [uid=sunil,o=defaultWIMFileBasedRealm].

No comments: