--- title: Perform an audit on consents description: The Consent Service offers two types of audit logs to track changes and to perform audits on Consent Service resources. component: pingdirectory version: 11.0 page_id: pingdirectory:consent_solution_guide:pd_cs_perform_audit_consents canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/consent_solution_guide/pd_cs_perform_audit_consents.html revdate: September 13, 2023 section_ids: trace-logger-keys-for-auditing: Trace logger keys for auditing perform-an-audit: Perform an audit new-consent-record-example: New consent record example updated-consent-record-example: Updated consent record example deleted-consent-record-example: Deleted consent record example --- # Perform an audit on consents The Consent Service offers two types of audit logs to track changes and to perform audits on Consent Service resources. For examples of configuring either type of log, see the `/resource/consent-service-cfg.dsconfig` script bundled with the server or [Logging](pd_cs_logging.html). This example uses the Consent Trace Logger, which represents Consent Service change events using the same field names used by the Consent API. **Log Publishers** | Log publisher | Log publisher type | Description | | ------------------------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | collaborators | Trace logger key | The collaborators value, available only when the resource type is `consent`. | | Consent Trace Logger | file-based-trace | Records Consent Service events at the Consent API level.Change events are recorded using messages of type `audit`. | | Consent LDAP Audit Logger | file-based-audit | Records data changes at the LDAP level.In combination with a Request Criteria configuration object, an LDAP audit logger can be configured to record changes to Consent Service resources only. | ## Trace logger keys for auditing Trace logger audit messages consist of a timestamp, the `CONSENT AUDIT` message type, and a set of key/value pairs. | | | | - | --------------------------------------------------------------------------------- | | | The keys used in trace log audit messages vary depending on the type of resource. | The following table describes a subset of important keys. | Trace logger key | Description | | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `requestID` | A server-specific HTTP request ID.This value can be correlated with messages produced by other loggers. | | `resourceType` | The type of Consent Service resource that was changed.Possible values are `definition`, `localization`, or `consent`. | | `changeType` | The type of change recorded by this message.Possible values are `create`, `update`, or `delete`. | | `attrsAdded` | A comma-delimited list of the attributes that were added to the resource. | | `attrsUpdated` | A comma-delimited list of the attributes that were modified on the resource. | | `attrsDeleted` | A comma-delimited list of the attributes that were removed from the resource. | | `requestDN` | The distinguished name (DN) of the requester, which is available only when the resource type is `consent`. | | `definitionID` | The consent definition ID.The following list identifies the possible resource types and their definitions:- `definition` Identifies the definition that was changed. - `localization` Identifies the parent definition. - `consent` Identifies the consent record's related definition. | | `locale` | The locale.The following list identifies the possible resource types and their definitions:- `localization` Identifies the localization in combination with the definition ID. - `consent` Identifies the related localization combined with the definition ID. | | `consentID` | The consent record ID, available only when the resource type is `consent`. | | `subject` | The subject value, available only when the resource type is `consent`. | | `subjectDN` | The subject's mapped LDAP DN.This is available only when the resource type is `consent`. | | `actor` | The actor value.This is available only when the resource type is `consent`. | | `actorDN` | The actor's mapped LDAP DN.This is available only when the resource type is `consent`. | | `audience` | The audience value.This is available only when the resource type is `consent`. | | `status` | The consent status.This is only available when the resource type is `consent`.Possible values are `pending`, `accepted`, `denied`, `revoked`, and `restricted`. | | `previousStatus` | The previous consent status, if applicable.This is only available when the resource type is `consent`. | | `msg` | A multiline value that includes the complete body of the changed resource.If the action is an `update` or a `delete`, the resource's body before the change is included. | ## Perform an audit Consent resource changes for particular entities, such as a specific user or a specific consent definition, can be audited by searching the trace log using a combination of one of the message keys and the desired value. For example, if an individual's LDAP distinguished name (DN) is known, the `subjectDN` key can be used to construct a text search for any audit log messages containing that DN. Any matching log messages constitute a history of that individual's consent activity. ## New consent record example This example shows an audit log message that provides important values in a parseable key/value format and includes a complete new consent record. ``` [22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people, dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0, ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="accepted" attrsAdded="actor,audience,createdDate,dataText,subject, purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="create" resourceType="consent" msg=" New Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0, ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience': 'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion', 'createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}" ``` ## Updated consent record example This example provides a complete consent record before and after it was updated. By reviewing the `attrsUpdated`, `status`, and `previousStatus` keys, you can determine that the `status` changed from `accepted` to `revoked`. ``` [22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people, dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0, ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="accepted" attrsUpdated="status" changeType="update" resourceType="consent" msg=" Previous Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0, ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com', 'audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'} Updated Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN': 'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example, dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText': 'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:05:08.655Z'}" ``` ## Deleted consent record example This example shows that a consent record has been deleted and provides a complete representation of the consent record before it was deleted. ``` [22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People, dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="revoked" attrsDeleted="actor,audience, createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="delete" resourceType="consent" msg=" Deleted Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN': 'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People, dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','currentVersion': '1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z', 'updatedDate':'2018-05-22T23:05:08.655Z'}" ```