--- title: ASE access, management, and audit logs description: API Security Enforcer (ASE) generates three kinds of logs: component: pingintelligence version: 5.2 page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_ase_acess_management_audit_logs canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_ase_acess_management_audit_logs.html revdate: May 6, 2024 section_ids: related-links: Related links access-logs: Access logs management-logs: Management logs audit-logs: Audit logs --- # ASE access, management, and audit logs API Security Enforcer (ASE) generates three kinds of logs: * Access logs Contain information about all application programming interface (API) *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)* traffic. * Management logs Contain information about Controller and Balancer. * Audit logs Contain information about various commands executed in ASE. ## Related links * [Changing management log levels](pingintelligence_changing_management_log_levels.html) * [Purge log files](pingintelligence_purge_log_files.html) * [Configuring a syslog server](pingintelligence_configuring_syslog_server.html) - Access - Management - Audit ## Access logs Access logs are generated for port 80 (default port) and 443 (default port) traffic. Each Balancer process has a corresponding Access log file (that is. two port 80 Balancer processes and two port 443 Balancer processes require four log files). The log file name format is `_pidaccess.log`. The following are examples for port 80 and port 443: * `http_ws_80_pid_19017_access_2018-01-22_13-10.log` * `https_wss_443_pid_19018_access_2018-01-22_13-10.log` Access logs are rotated every 10 minutes and archived. The archived log file format has `.gz` at the end of the log file name, for example `http_ws_80_pid_19017_access_2018-01-22_13-10.log.gz`. ASE sends all archived log files to API Behavioral Security (ABS) to detect attacks using machine learning algorithms. The files are then moved to the `logs/abs_uploaded` directory. The following snippet shows an example log file: ``` -rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_0access2018-01-22_13-10.log -rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_0access2018-01-22_13-10.log -rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_19010access2018-01-22_13-10.log -rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_19009access2018-01-22_13-10.log -rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_19022access2018-01-22_13-10.log -rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_19017access2018-01-22_13-10.log -rw-r--r--. 1 root root 33223 Aug 10 13:11 balancer.log -rw-r--r--. 1 root root 20445 Aug 10 13:11 controller.log -rw-r--r--. 1 root root 33244 Aug 10 13:11 balancer_ssl.log ``` ## Management logs Management log detail levels, such as `INFO`, `WARNING`, and `DEBUG`, are configured in `ase.conf`. Generated by controller and balancers, management logs are stored in the logs directory and include: * Controller logs – `controller.log` * Balancer log for port 80 (default port) – `balancer.log` * Balancer log for port 443 – `balancer_ssl.log` \== Controller logs The `controller.log` file is a log file with data from the command-line interface (CLI), REST API, configurations, IPC, SSL, cluster, and ABS. Rotated every 24 hours, `controller.log` is the current file name. Older files are appended with a timestamp. \== Balancer logs The `balancer.log` file for port 80 and `balancer_ssl.log` file for port 443 are static files that are not rotated. These files contain information about IPC between controllers and balancer processes as well as IPC between balancer processes. In a sideband ASE deployment, the balancer checks for request-response parsing error every 30 seconds. Parsing error statistics are logged in `balancer.log` file only if the balancer encounters parsing errors. If there are no errors in a 30-second period, the `balancer.log` file does not show the JSON output. The following is a snippet of request-response parsing error statistics: ```json { "sideband stats": { "request parsing errors": { "total requests failed": 1, "request body absent": 0, "request body malformed": 0, "request source ip absent": 1, "request source ip invalid": 0, "request method absent": 0, "request url absent": 0, "request host header absent": 0, "request authentication failure": 0, "request error unknown": 0 }, "response parsing errors": { "total responses failed": 1, "response body absent": 0, "response body malformed": 0, "response code absent": 0, "response authentication failure": 0, "response correlation id not found": 1, "response error unknown": 0 } } } ``` The snippet shows that there was one parsing error for request and one for the response. The statistics also lists the type of request and response error. ## Audit logs ASE logs administrator actions, such as CLI commands and configuration changes, and stores audit logs in the `opt/pingidentity/ase/logs` directory. Performed on a per ASE node basis, audit logging is enabled by default. Use the CLI to enable or disable audit logging using the commands `enable_audit` and `disable_audit`. For example, to enable audit logs, enter the following at the command line: ``` /opt/pingidentity/ase/bin/cli.sh enable_audit -u admin -p ``` The audit log captures information related to: * System changes using CLI or REST API calls * API JSON changes or `ase.conf` file updates * SSL certificate updates The logs are rotated every 24 hours with the current log file having no timestamp in its name. For more information, see [Audit log](pingintelligence_audit_log.html). The following is a snippet of audit log files: ``` -rw-r--r-- 1 root root 358 Aug 13 10:00 audit.log.2018-08-13_09-54 -rw-r--r-- 1 root root 301 Aug 13 10:12 audit.log.2018-08-13_10-00 -rw-r--r-- 1 root root 1677 Aug 13 11:16 audit.log.2018-08-13_10-12 -rw-r--r-- 1 root root 942 Aug 14 06:26 audit.log.2018-08-14_06-22 -rw-r--r-- 1 root root 541 Aug 15 08:19 audit.log ```