PingIntelligence

ASE access, management, and audit logs

API Security Enforcer (ASE) generates three kinds of logs:

Access logs

Contain information about all application programming interface (API) traffic.

Management logs

Contain information about Controller and Balancer.

Audit logs

Contain information about various commands executed in ASE.

  • Access

  • Management

  • Audit

Access logs

Access logs are generated for port 80 (default port) and 443 (default port) traffic. Each Balancer process has a corresponding Access log file (that is. two port 80 Balancer processes and two port 443 Balancer processes require four log files). The log file name format is <protocol><port>_pid<process-ID>access<date>.log.

The following are examples for port 80 and port 443:

  • http_ws_80_pid_19017_access_2018-01-22_13-10.log

  • https_wss_443_pid_19018_access_2018-01-22_13-10.log

Access logs are rotated every 10 minutes and archived. The archived log file format has .gz at the end of the log file name, for example http_ws_80_pid_19017_access_2018-01-22_13-10.log.gz.

ASE sends all archived log files to API Behavioral Security (ABS) to detect attacks using machine learning algorithms. The files are then moved to the logs/abs_uploaded directory.

The following snippet shows an example log file:

-rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_0access2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_0access2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_19010access2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 http_ws_80_pid_19009access2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_19022access2018-01-22_13-10.log
-rw-r--r--. 1 root root 0 Aug 10 13:10 https_wss_443_pid_19017access2018-01-22_13-10.log
-rw-r--r--. 1 root root 33223 Aug 10 13:11 balancer.log
-rw-r--r--. 1 root root 20445 Aug 10 13:11 controller.log
-rw-r--r--. 1 root root 33244 Aug 10 13:11 balancer_ssl.log

Management logs

Management log detail levels, such as INFO, WARNING, and DEBUG, are configured in ase.conf.

Generated by controller and balancers, management logs are stored in the logs directory and include:

  • Controller logs – controller.log

  • Balancer log for port 80 (default port) – balancer.log

  • Balancer log for port 443 – balancer_ssl.log

== Controller logs

The controller.log file is a log file with data from the command-line interface (CLI), REST API, configurations, IPC, SSL, cluster, and ABS. Rotated every 24 hours, controller.log is the current file name. Older files are appended with a timestamp.

== Balancer logs

The balancer.log file for port 80 and balancer_ssl.log file for port 443 are static files that are not rotated. These files contain information about IPC between controllers and balancer processes as well as IPC between balancer processes.

In a sideband ASE deployment, the balancer checks for request-response parsing error every 30 seconds. Parsing error statistics are logged in balancer.log file only if the balancer encounters parsing errors. If there are no errors in a 30-second period, the balancer.log file does not show the JSON output.

The following is a snippet of request-response parsing error statistics:

{
  "sideband stats": {
    "request parsing errors": {
      "total requests failed": 1,
      "request body absent": 0,
      "request body malformed": 0,
      "request source ip absent": 1,
      "request source ip invalid": 0,
      "request method absent": 0,
      "request url absent": 0,
      "request host header absent": 0,
      "request authentication failure": 0,
      "request error unknown": 0
    },
    "response parsing errors": {
      "total responses failed": 1,
      "response body absent": 0,
      "response body malformed": 0,
      "response code absent": 0,
      "response authentication failure": 0,
      "response correlation id not found": 1,
      "response error unknown": 0
    }
  }
}

The snippet shows that there was one parsing error for request and one for the response. The statistics also lists the type of request and response error.

Audit logs

ASE logs administrator actions, such as CLI commands and configuration changes, and stores audit logs in the opt/pingidentity/ase/logs directory. Performed on a per ASE node basis, audit logging is enabled by default.

Use the CLI to enable or disable audit logging using the commands enable_audit and disable_audit.

For example, to enable audit logs, enter the following at the command line:

/opt/pingidentity/ase/bin/cli.sh enable_audit -u admin -p  <password>

The audit log captures information related to:

  • System changes using CLI or REST API calls

  • API JSON changes or ase.conf file updates

  • SSL certificate updates

The logs are rotated every 24 hours with the current log file having no timestamp in its name. For more information, see Audit log.

The following is a snippet of audit log files:

-rw-r--r-- 1 root root 358 Aug 13 10:00 audit.log.2018-08-13_09-54
-rw-r--r-- 1 root root 301 Aug 13 10:12 audit.log.2018-08-13_10-00
-rw-r--r-- 1 root root 1677 Aug 13 11:16 audit.log.2018-08-13_10-12
-rw-r--r-- 1 root root 942 Aug 14 06:26 audit.log.2018-08-14_06-22
-rw-r--r-- 1 root root 541 Aug 15 08:19 audit.log