Log HTTP access to files
JSON format
When you install DS using procedures from Installation,
the default JSON-based HTTP access log file is logs/http-access.audit.json.
The name of the access log publisher in the configuration is Json File-Based HTTP Access Logger.
The sample DS Docker image logs to standard output instead of files.
This makes it easy to read log messages with the docker logs command,
and is a pattern you should follow when creating your own DS Docker images.
The name of the LDAP access log publisher configuration in the sample image is Console HTTP Access Logger:
-
Decide whether to trust transaction IDs sent by client applications, used to correlate requests as they traverse multiple servers.
Client applications using the ForgeRock Common Audit event framework send transaction IDs with their requests. The transaction IDs correlate audit events, tracing the request through multiple applications.
Transaction IDs are sent over LDAP using an internal DS request control. They are sent over HTTP in an HTTP header.
By default, DS servers do not trust transaction IDs sent with client application requests.
When a server trusts transaction IDs from client application requests, outgoing requests reuse the incoming ID. For each outgoing request in the transaction, the request’s transaction ID has the form
original-transaction-id/sequence-number, where sequence-number reflects the position of the request in the series of requests for this transaction. For example, if the original-transaction-id isabc123, the first outgoing request has the transaction IDabc123/0, the secondabc123/1, the thirdabc123/2, and so on. This lets you distinguish specific requests within a transaction when correlating audit events from multiple services.To trust transactions, set the advanced global server property,
trust-transaction-ids:true:$ dsconfig \ set-global-configuration-prop \ --advanced \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --set trust-transaction-ids:true \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-promptbash -
Edit the default HTTP access log publisher as necessary.
The following example enables the default log publisher for DS installed locally, not in a Docker image:
$ dsconfig \ set-log-publisher-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --publisher-name "Json File-Based HTTP Access Logger" \ --set enabled:true \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-promptbash
CSV format
A CSV handler sends messages to a comma-separated variable (CSV) file.
|
The interface stability of this feature is Deprecated. The CSV handler does not sanitize messages when writing to CSV log files. Do not open CSV logs in spreadsheets and other applications that treat data as code. |
The default CSV HTTP access log file is logs/http-access.csv:
-
Decide whether to trust transaction IDs sent by client applications, used to correlate requests as they traverse multiple servers.
Client applications using the ForgeRock Common Audit event framework send transaction IDs with their requests. The transaction IDs correlate audit events, tracing the request through multiple applications.
Transaction IDs are sent over LDAP using an internal DS request control. They are sent over HTTP in an HTTP header.
By default, DS servers do not trust transaction IDs sent with client application requests.
When a server trusts transaction IDs from client application requests, outgoing requests reuse the incoming ID. For each outgoing request in the transaction, the request’s transaction ID has the form
original-transaction-id/sequence-number, where sequence-number reflects the position of the request in the series of requests for this transaction. For example, if the original-transaction-id isabc123, the first outgoing request has the transaction IDabc123/0, the secondabc123/1, the thirdabc123/2, and so on. This lets you distinguish specific requests within a transaction when correlating audit events from multiple services.To trust transactions, set the advanced global server property,
trust-transaction-ids:true:$ dsconfig \ set-global-configuration-prop \ --advanced \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --set trust-transaction-ids:true \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-promptbash -
Create an enabled CSV file HTTP access logger with optional rotation and retention policies:
$ dsconfig \ create-log-publisher \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --publisher-name "Common Audit Csv File HTTP Access Logger" \ --type csv-file-http-access \ --set enabled:true \ --set "rotation-policy:24 Hours Time Limit Rotation Policy" \ --set "rotation-policy:Size Limit Rotation Policy" \ --set "retention-policy:File Count Retention Policy" \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-promptbash -
For tamper-evident logs, follow these steps.
Tamper-evident logging relies on digital signatures and regularly flushing messages to the log system. In high-volume directory deployments with heavy access patterns, signing log messages has a severe negative impact on server performance, reducing throughput by orders of magnitude.
Be certain to test the performance impact with realistic access patterns for your deployment before enabling the feature in production.
-
Prepare a keystore.
For details, refer to Make tampering evident.
-
Enable the tamper-evident capability:
$ dsconfig \ set-log-publisher-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --publisher-name "Common Audit Csv File HTTP Access Logger" \ --set tamper-evident:true \ --set key-store-file:config/audit-keystore \ --set key-store-pin:"&{audit.keystore.pin}" \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-promptbashIn this example,
AUDIT_KEYSTORE_PINis an environment variable containing the keystore PIN.
-