Managing the File-Based Audit Log Publishers
The PingDirectory server provides an audit log, a specialized version of the access log, for troubleshooting problems that might occur during processing.
The log records all changes to the data in LDIF format so that administrators can quickly diagnose the changes an application made to the data or replay the changes to another server for testing purposes.
The audit log does not record authentication attempts but can be used in conjunction with the access log to troubleshoot security-related issues. Because the audit log adversely impacts the server’s write performance, it is disabled by default.
Audit log format
The audit log uses standard LDIF format so that administrators can analyze what changes occurred to the data. The audit log begins logging when enabled and should be used to debug any issues that might have occurred.
Common properties include:
- Timestamp: Displays the date and time of the operation. Format: DD/Month/YYYY:HH:MM:SS <offset from UTC time>.
- Connection ID: Numeric identifier, starting incrementally with 0, that identifies the client connection that is requesting the operation.
- Operation ID: Numeric identifier, starting incrementally with 0, that identifies the operation.
- Modifiers Name: Displays the distinguished name (DN) of the user who made the change.
- Update Time: Records the modifyTimestamp operational attribute.
Audit log example
The following example shows output from the audit log at <server-root>/logs/audit. The first entry shows when the audit log was enabled. The second entry shows changes made to a user entry.
    # 05/Jun/2011:10:29:04 -0500; conn=0; op=55
    dn: cn=File-Based Audit Logger,cn=Loggers,cn=config
    changetype: modify
    replace: ds-cfg-enabled
    ds-cfg-enabled: true
    -
    replace: modifiersName
    modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
    -
    replace: modifyTimestamp
    modifyTimestamp: 20131010020345.546Z

    # 05/Jun/2011:10:31:20 -0500; conn=2; op=1
    dn: uid=user.996,ou=People,dc=example,dc=com
    changetype: modify
    replace: pager
    pager: +1 115 426 4748
    -
    replace: homePhone
    homePhone: +1 407 383 4949
    -
    replace: modifiersName
    modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
    -
    replace: modifyTimestamp
    modifyTimestamp: 20131010020345.546Z
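The following Python sketch is an added example, not part of the PingDirectory documentation or tooling. It parses records in the format shown above into the connection ID, operation ID, target DN, modifier, and changed attributes, so that changes can be matched to access log entries by conn and op, and it picks out changes made under cn=config. The names parse_audit_log and config_changes are hypothetical, the sample is constructed from the example above, and the code assumes header comments in the form shown (without instance name or startup ID fields) and leaves base64-encoded values undecoded.

```python
import re

HEADER = re.compile(r"^# (?P<time>\S+ [+-]\d{4}); conn=(?P<conn>\d+); op=(?P<op>\d+)")
FIELDS = {"dn": "dn", "changetype": "changetype", "modifiersname": "modifier"}
MOD_TYPES = {"add", "delete", "replace", "increment"}
BOOKKEEPING = {"modifiersname", "modifytimestamp"}  # updated by the server itself

def parse_audit_log(text):
    """Return one dict per change record; headers look like '# <time>; conn=N; op=N'."""
    records, rec = [], None
    for line in text.replace("\n ", "").splitlines():  # undo LDIF line folding
        m = HEADER.match(line)
        if m:
            rec = {"time": m["time"], "conn": int(m["conn"]), "op": int(m["op"]),
                   "dn": None, "changetype": None, "modifier": None, "changed": []}
            records.append(rec)
        elif rec and ":" in line and not line.startswith("#"):
            key, value = (s.strip() for s in line.split(":", 1))
            key = key.lower()
            if key in FIELDS:
                rec[FIELDS[key]] = value
            elif key in MOD_TYPES and value.lower() not in BOOKKEEPING:
                rec["changed"].append((key, value))  # (modification type, attribute)
    return records

def config_changes(records):
    """Records that touched the server configuration (DN under cn=config)."""
    return [r for r in records if (r["dn"] or "").lower().endswith("cn=config")]

# Constructed sample, shortened from the audit log example on this page.
SAMPLE = """\
# 05/Jun/2011:10:29:04 -0500; conn=0; op=55
dn: cn=File-Based Audit Logger,cn=Loggers,cn=config
changetype: modify
replace: ds-cfg-enabled
ds-cfg-enabled: true
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config

# 05/Jun/2011:10:31:20 -0500; conn=2; op=1
dn: uid=user.996,ou=People,dc=example,dc=com
changetype: modify
replace: pager
pager: +1 115 426 4748
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
"""
```

Each returned record carries the conn and op values needed to look up the matching connection and bind in the access log, because the audit log itself does not record authentication attempts.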
Enabling the File-Based Audit Log Publisher
About this task
Enable the File-Based Audit Log Publisher using the dsconfig tool. The audit log impacts the PingDirectory server’s write performance. Enable it only when troubleshooting.
Steps
- To enable the File-Based Audit Log Publisher, run dsconfig.

  Example:
  In this example, the instance name and startup ID are also enabled in the audit log.

      $ bin/dsconfig set-log-publisher-prop \
        --publisher-name "File-Based Audit Logger" \
        --set enabled:true \
        --set include-instance-name:true \
        --set include-startup-id:true
Obscuring values in the audit log
About this task
Each value of an obscured attribute is replaced in the audit log with OBSCURED VALUE.
Steps
- To obscure the values of specific attributes in the audit log, use the obscure-attribute property.

  By default, attributes are not obscured because the values of password attributes appear in hashed form rather than in cleartext.