3.7. Management Interface Audit Logging

3.7.1. About Management Interface Audit Logging

When audit logging is enabled, all operations performed using the Management Console, Management CLI interface, or a custom-written management application are subject to audit logging.
The audit log entries are stored in JSON format and, based on your configuration, can be stored in files, sent to a syslog server or both. Audit logging can only be configured using the Management CLI and is disabled by default.
Login and logout events cannot be audited as there is no 'authenticated session' in EAP. Instead, audit messages are logged when an operation is received from the user.

Note

By default, audit logging is not active. Audit logging can only be configured using the Management CLI.
To list all available management interface audit logging configuration options and their current values, enter the following Management CLI command.

Note

Add the prefix /host=HOST_NAME to the command for a managed domain.
[... /] /core-service=management/access=audit:read-resource(recursive=true)

3.7.2. Enable Management Interface Audit Logging to a File

To enable audit logging output to a file, enter the following Management CLI command.

Note

If the change is to be applied to a managed domain, add the prefix /host=HOST_NAME to the following command.
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
Management operations are now logged to a file:
  • Standalone mode: EAP_HOME/standalone/data/audit-log.log
  • Domain mode: EAP_HOME/domain/data/audit-log.log
For details of all file handler attributes, see Section A.3, “Management Interface Audit Logging Reference”.

3.7.3. Enable Management Interface Audit Logging to a Syslog Server

By default, audit logging is preconfigured to output to a file when enabled. This procedure configures output to a syslog server and enables audit logging to a file. For details of all syslog handler attributes, see Section A.3, “Management Interface Audit Logging Reference”.

Note

If the change is to be applied to a managed domain, add the prefix /host=HOST_NAME to the /core-service commands.

Procedure 3.24. Enable Audit Logging to a Syslog Server

  1. Enable Audit Logging

    Execute the following command:
    [.. /]/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
  2. Create a syslog Handler

    In this example the syslog server is running on the same server as the JBoss EAP instance, on port 514. Replace the values of the host attribute with values appropriate to your environment.

    Example 3.34. Example syslog handler

    [.. /]batch
    [.. / #]/core-service=management/access=audit/syslog-handler=mysyslog:add(formatter=json-formatter)
    [.. / #]/core-service=management/access=audit/syslog-handler=mysyslog/protocol=udp:add(host=localhost,port=514)
    [.. /]run-batch
  3. Add a Reference to the syslog Handler

    Execute the following:
    [.. /]/core-service=management/access=audit/logger=audit-log/handler=mysyslog:add
Result

Management interface audit log entries are logged on the syslog server.

Note

Enabling audit logging to a Syslog Server in JBoss EAP will not work unless logging is enabled in the operating system as well.
For more information on rsyslog configurations on Red Hat Enterprise Linux, refer to the "Basic Configuration of rsyslog" section in the System Administrator's Guide for Red Hat Enterprise Linux in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/

3.7.4. Disable Management Interface Audit Logging

Audit logging to a file or a syslog server can be disabled by executing the following command:
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=false)

3.7.5. Read a Management Interface Audit Log

Audit log entries output to file(s) are best viewed with a text viewer, while those output to a syslog server are best viewed using a syslog viewer application.

Note

Using a text editor for viewing log files is not recommended as some may prevent further log entries being written to the log file.
The management interface audit logs are output in JSON format. Each log entry begins with an optional timestamp, then the fields listed in the Management Interface Audit Log Fields table.

Table 3.5. Management Interface Audit Log Fields

Field Name: Description
type: This can have the values core, meaning it is a management operation, or jmx, meaning it comes from the JMX subsystem (see the JMX subsystem for configuration of the JMX subsystem's audit logging).
r/o: Has the value true if the operation does not change the management model, false otherwise.
booting: Has the value true if the operation was executed during the bootup process, false if it was executed once the server is up and running.
version: The version number of the JBoss EAP instance.
user: The username of the authenticated user. If the operation occurs via the Management CLI on the same machine as the running server, the special user $local is used.
domainUUID: An ID to link together all operations as they are propagated from the domain controller to its servers, slave host controllers, and slave host controller servers.
access: This can have one of the following values:
  • NATIVE - The operation came in through the native management interface, for example the Management CLI.
  • HTTP - The operation came in through the domain HTTP interface, for example the Management Console.
  • JMX - The operation came in through the JMX subsystem. See JMX for how to configure audit logging for JMX.
remote-address: The address of the client executing this operation.
success: Has the value true if the operation is successful, false if it was rolled back.
ops: The operations being executed. This is a list of the operations serialized to JSON. At boot, these are the operations resulting from parsing the XML. Once booted, the list typically contains a single entry.
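
The following Python script is an added example, not taken from the JBoss EAP documentation. It parses entries in the layout described above (optional timestamp, then a JSON object) and lists runtime changes to the management model, flagging any that touch the audit configuration itself, such as the disable command in Section 3.7.4. The sample entries are constructed, and the " - " timestamp separator and the layout of each ops item's address are assumptions.

```python
import json

# Constructed sample entries (not real log data). The "timestamp - " prefix and the
# shape of each "ops" item (address as a list of one-key objects) are assumptions.
SAMPLE_LOG = """\
2024-05-01 10:15:02 - {"type": "core", "r/o": true, "booting": false, "user": "$local",
  "access": "NATIVE", "remote-address": "127.0.0.1/127.0.0.1", "success": true,
  "ops": [{"operation": "read-resource", "address": []}]}
{"type": "core", "r/o": false, "booting": false, "user": "admin1",
  "access": "HTTP", "remote-address": "192.0.2.10/192.0.2.10", "success": true,
  "ops": [{"operation": "write-attribute", "name": "enabled", "value": false,
    "address": [{"core-service": "management"}, {"access": "audit"}, {"logger": "audit-log"}]}]}
2024-05-01 10:20:41 - {"type": "core", "r/o": false, "booting": true, "user": null,
  "access": null, "remote-address": null, "success": true,
  "ops": [{"operation": "add", "address": [{"subsystem": "logging"}]}]}
"""

def parse_audit_log(text):
    """Yield (timestamp_or_None, entry_dict) for each JSON object in the log text."""
    decoder = json.JSONDecoder()
    pos = 0
    while (start := text.find("{", pos)) != -1:
        # Whatever precedes the object is the optional timestamp and its separator.
        prefix = text[pos:start].strip().rstrip("-").strip()
        entry, pos = decoder.raw_decode(text, start)
        yield (prefix or None), entry

def touches_audit_config(entry):
    """True if any operation's address contains the access=audit element."""
    return any({"access": "audit"} in op.get("address", []) for op in entry.get("ops", []))

def triage(text):
    """Return runtime changes to the management model, flagging audit-config changes."""
    findings = []
    for ts, e in parse_audit_log(text):
        if e.get("r/o") or e.get("booting"):
            continue  # skip read-only operations and boot-time operations
        findings.append({
            "timestamp": ts, "user": e.get("user"), "access": e.get("access"),
            "remote-address": e.get("remote-address"), "success": e.get("success"),
            "operations": [op.get("operation") for op in e.get("ops", [])],
            "audit_config_change": touches_audit_config(e),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```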