PingIntelligence

ASE management, access and audit logs

ASE generates three types of logs:

  • Access log contains information about all API traffic

  • Management log contains information about Controller and Balancer

  • Audit log contains information about various commands executed in ASE

Access logs

Access logs are generated for port 80 (default port) and 443 (default port) traffic. Each Balancer process has a corresponding Access log file (that is, two port 80 Balancer processes and two port 443 Balancer processes require four log files). The log file name format is <protocol>_<port>_pid_<process-ID>_access_<date>.log. Examples for port 80 and port 443 are:

  • http_ws_80_pid_19017_access_2018-01-22_13-10.log

  • https_wss_443_pid_19018_access_2018-01-22_13-10.log

Access logs are rotated every 10 minutes and archived. The archived log file name has .gz appended to the log file name (for example http_ws_80_pid_19017_access_2018-01-22_13-10.log.gz).

ASE sends all archived log files to API Behavioral Security (ABS) to detect attacks using Machine Learning algorithms. The files are then moved to the abs_uploaded directory in the logs directory.

The following snippet shows an example log file:

-rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_0_access_2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_0_access_2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_19010_access_2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_19009_access_2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_19022_access_2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_19017_access_2018-01-22_13-10.log
-rw-r--r--. 1 root root 33223 Aug 10 13:11 balancer.log
-rw-r--r--. 1 root root 20445 Aug 10 13:11 controller.log
-rw-r--r--. 1 root root 33244 Aug 10 13:11 balancer_ssl.log

Management logs

Management log detail levels (for example INFO, WARNING, DEBUG) are configured in ase.conf. Generated by controller and balancers, management logs are stored in the logs directory and include:

  • Controller logs – controller.log

  • Balancer log for port 80 (default port) – balancer.log

  • Balancer log for port 443 – balancer_ssl.log

Controller logs

controller.log is a log file with data from the CLI, REST API, configurations, IPC, SSL, cluster, and ABS. It is rotated every 24 hours: the current file is named controller.log, and older files have a timestamp appended to the name.

Balancer logs

balancer.log for port 80 and balancer_ssl.log for port 443 are static files which are not rotated. These files contain information about IPC between controllers and balancer processes as well as IPC between balancer processes.

In a sideband ASE deployment, the balancer checks for request-response parsing errors every 30 seconds. Parsing error statistics are logged in the balancer.log file only if the balancer encounters parsing errors; if there are no errors in a 30-second period, no JSON output is written to balancer.log. The following is a snippet of request-response parsing error statistics:

{
  "sideband stats": {
    "request parsing errors": {
      "total requests failed": 1,
      "request body absent": 0,
      "request body malformed": 0,
      "request source ip absent": 1,
      "request source ip invalid": 0,
      "request method absent": 0,
      "request url absent": 0,
      "request host header absent": 0,
      "request authentication failure": 0,
      "request error unknown": 0
    },
    "response parsing errors": {
      "total responses failed": 1,
      "response body absent": 0,
      "response body malformed": 0,
      "response code absent": 0,
      "response authentication failure": 0,
      "response correlation id not found": 1,
      "response error unknown": 0
    }
  }
}

The snippet shows that in total there was one parsing error for a request and one for a response. The statistics also list the type of each request and response error.
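The statistics block above only appears when errors occurred, and it is one JSON object spread over several lines among ordinary balancer log lines, so a monitor has to find and parse each block rather than grep single lines. The following added example (not part of the ASE product or its documentation) extracts every "sideband stats" block from a constructed balancer.log excerpt and reports the non-zero counters; it assumes the JSON starts on its own line with a bare "{" exactly as shown on this page, with no timestamp prefix.

```python
import json
# Constructed, abbreviated balancer.log excerpt: IPC lines around one
# pretty-printed "sideband stats" block (subset of the page's counters).
SAMPLE_BALANCER_LOG = """\
balancer: ipc connection to controller established
{
  "sideband stats": {
    "request parsing errors": {
      "total requests failed": 1,
      "request body absent": 0,
      "request source ip absent": 1
    },
    "response parsing errors": {
      "total responses failed": 1,
      "response correlation id not found": 1
    }
  }
}
balancer: ipc heartbeat ok
"""

def iter_stats_blocks(text):
    # Accumulate lines from a bare "{" until brace depth returns to zero,
    # then parse that pretty-printed block as JSON and keep the stats part.
    buf, depth = [], 0
    for line in text.splitlines():
        if depth == 0 and line.strip() != "{":
            continue  # ordinary log line outside any JSON block
        buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            try:
                obj = json.loads("\n".join(buf))
            except json.JSONDecodeError:
                obj = None  # malformed block: skip it rather than abort
            buf = []
            if isinstance(obj, dict) and "sideband stats" in obj:
                yield obj["sideband stats"]

def nonzero_counters(text):
    # Sum non-zero counters across all blocks, keyed "<section>/<name>",
    # so a monitor reports exactly which parsing errors occurred.
    totals = {}
    for stats in iter_stats_blocks(text):
        for section, counters in stats.items():
            for name, count in counters.items():
                if count:
                    key = f"{section}/{name}"
                    totals[key] = totals.get(key, 0) + count
    return totals
```

Running nonzero_counters over the contents of a real balancer.log gives a per-category total that can be fed to whatever alerting the monitoring stack uses; an empty result means no parsing errors were logged.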

Balancer log rotation

You can rotate the balancer log file by running the rotate-logs script available in the util directory of ASE. By default, ASE does not rotate the balancer log like controller logs. However, you can add the balancer log rotation script to a cron job. Once the balancer log is rotated, it is saved in logs/backup directory. A separate .gz file is created for balancer.log and balancer_ssl.log file. The balancer log rotation script also moves the rotated controller.log files to the backup directory.

The rotate-logs script takes [ASE_ROOT_DIR] as its only argument. [ASE_ROOT_DIR] is the absolute path of the ASE root directory.

./rotate-logs.sh --help
name
    rotate-logs.sh

synopsis
    rotate-logs.sh [<ASE_ROOT_DIR> | help | --help]

description
    Rotates balancer logs and moves rotated controller/balancer logs to the backup directory.

arguments
    <ASE_ROOT_DIR>
        absolute path of ASE root directory

    help, --help
        show this help message

exit status
    0   for ok,
    1   for errors.

You can run the balancer log rotation script as a cron job. For example, the following crontab entry runs the script at midnight; you can choose to run it at a different time.

0 0 * * * /opt/pingidentity/ase/util/rotate-logs.sh /opt/pingidentity/ase

Audit logs

ASE logs administrator actions (for example CLI commands, configuration changes) and stores audit logs in the /opt/pingidentity/ase/logs directory. Audit logging is performed on a per ASE node basis and is enabled by default.

Use the CLI to enable or disable audit logging using the commands enable_audit and disable_audit. For example, to enable audit logs, enter the following at the command line:

/opt/pingidentity/ase/bin/cli.sh enable_audit -u admin -p password

The audit log captures information related to:

  • System changes using CLI or REST API calls

  • API JSON changes or ase.conf file updates

  • SSL certificate updates

The logs are rotated every 24 hours with the current log file having no timestamp in its name. For more information, see Audit log. The following is a snippet of audit log files:

-rw-r--r-- 1 root root 358 Aug 13 10:00 audit.log.2018-08-13_09-54
-rw-r--r-- 1 root root 301 Aug 13 10:12 audit.log.2018-08-13_10-00
-rw-r--r-- 1 root root 1677 Aug 13 11:16 audit.log.2018-08-13_10-12
-rw-r--r-- 1 root root 942 Aug 14 06:26 audit.log.2018-08-14_06-22
-rw-r--r-- 1 root root 541 Aug 15 08:19 audit.log