Show Table of Contents
3.7. Management Interface Audit Logging
3.7.1. About Management Interface Audit Logging
When audit logging is enabled, all operations performed using the Management Console, Management CLI interface, or a custom-written management application, are subject to audit logging.
The audit log entries are stored in JSON format and, based on your configuration, can be stored in files, sent to a syslog server or both. Audit logging can only be configured using the Management CLI and is disabled by default.
Login and logout events cannot be audited as there is no 'authenticated session' in EAP. Instead. audit messages are logged when an operation is received from the user.
Note
By default, audit logging is not active. Audit logging can only be configured using the Management CLI.
To list all available management interface audit logging configuration options and their current values, enter the following Management CLI command.
Note
Add the prefix
/host=HOST_NAME to the command for a managed domain.
[... /] /core-service=management/access=audit:read-resource(recursive=true)
3.7.2. Enable Management Interface Audit Logging to a File
To enable audit logging output to a file, enter the following Management CLI command.
Note
If the change is to be applied to a managed domain, add the prefix
/host=HOST_NAME to the following command.
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
Management operations are now logged to a file:
- Standalone mode:
EAP_HOME/standalone/data/audit-log.log - Domain mode:
EAP_HOME/domain/data/audit-log.log
For details of all file handler attributes, see Section A.3, “Management Interface Audit Logging Reference”.
3.7.3. Enable Management Interface Audit Logging to a Syslog Server
By default, audit logging is preconfigured to output to a file when enabled. This procedure configures output to a syslog server and enables audit logging to a file. For details of all syslog handler attributes see Section A.3, “Management Interface Audit Logging Reference”.
Note
If the change is to be applied to a managed domain, add the prefix
/host=HOST_NAME to the /core-service commands.
Procedure 3.24. Enable Audit Logging to a Syslog Server
Enable Audit Logging
Execute the following command:[.. /]/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
Create a
syslogHandlerIn this example thesyslogserver is running on the same server as the JBoss EAP instance, on port 514. Replace the values of thehostattribute with values appropriate to your environment.Example 3.34. Example syslog handler
[.. /]batch [.. / #]/core-service=management/access=audit/syslog-handler=mysyslog:add(formatter=json-formatter) [.. / #]/core-service=management/access=audit/syslog-handler=mysyslog/protocol=udp:add(host=localhost,port=514) [.. /]run-batch
Add a Reference to the
syslogHandlerExecute the following:[.. /]/core-service=management/access=audit/logger=audit-log/handler=mysyslog:add
Result
Management interface audit log entries are logged on the syslog server.
Note
Enabling audit logging to a Syslog Server in JBoss EAP will not work unless logging is enabled in the operating system as well.
For more information on
rsyslog configurations on Red Hat Enterprise Linux, refer to the "Basic Configuration of rsyslog" section in the System Administrator's Guide for Red Hat Enterprise Linux in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
3.7.4. Disable Management Interface Audit Logging
The audit logging to a file or a
syslog server can be disabled by executing the following command:
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=false)
3.7.5. Read a Management Interface Audit Log
Audit log entries output to file(s) are best viewed with a text viewer, while those output to a syslog server are best viewed using a syslog viewer application.
Note
Using a text editor for viewing log files is not recommended as some may prevent further log entries being written to the log file.
The management interface audit logs are output in JSON format. Each log entry begins with an optional timestamp, then the fields listed in the Management Interface Audit Log Fields table.
Table 3.5. Management Interface Audit Log Fields
| Field Name | Description |
|---|---|
| type | This can have the values core, meaning it is a management operation, or jmx meaning it comes from the JMX subsystem (see the JMX subsystem for configuration of the JMX subsystem's audit logging). |
| r/o | Has the value true if the operation does not change the management model, false otherwise. |
| booting | Has the value true if the operation was executed during the bootup process, false if it was executed once the server is up and running. |
| version | The version number of the JBoss EAP instance. |
| user | The username of the authenticated user. If the operation occurs via the Management CLI on the same machine as the running server, the special user $local is used. |
| domainUUID | An ID to link together all operations as they are propagated from the domain controller to its servers, slave host controllers, and slave host controller servers. |
| access | This can have one of the following values:
|
| remote-address | The address of the client executing this operation. |
| success | Has the value true if the operation is successful, false if it was rolled back. |
| ops | The operations being executed. This is a list of the operations serialized to JSON. At boot this is the operations resulting from parsing the XML. Once booted the list typically contains a single entry. |
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.