Audit Log Service

The Audit Log Service is used to write system or user actions such as "User 'xyz' has deleted a database connection" to an OpenSearch index. To query the entries, the BPC provides a ready-made Process Monitor to query the entries.

The Audit Log Service offers the following functionalities:

  • OpenSearch is used as the target

  • New loggers can be added without much effort

  • The log levels can be set individually for each logger

  • All bundles/modules can use the service

  • 3rd party developers can register their own logger if required

  • In the core, the most important actions are "ge-audit logged"

  • Can also be addressed via an endpoint

Data of an audit log

Field Content

level

DEBUG, INFO, WARNING, ERROR

originator

<Username>, [SYSTEM] or [UNKNOWN]

action

Keyword for grouping

description

Description of the action

old

the old data

new

the new data

timestamp

the timestamp at which the action was executed

OpenSearch Logger

Is activated by default and writes its data to the OpenSearch index with the alias 'bpc-auditlog'. The default log level is 'INFO'.

No old entries are deleted by default. This can be activated via the two settings in the configuration file [karaf]/etc/de.virtimo.bpc.core.cfg.

Example: Entries older than 1 year are deleted every 60 minutes
...
de.virtimo.bpc.core.auditlog.OpenSearchAuditLogger.auditlog.cleanupPeriodInMinutes=60
de.virtimo.bpc.core.auditlog.OpenSearchAuditLogger.auditlog.deleteEntriesOlderThan=1 year ago
...

Deletion is only carried out if the two settings are set. Other useful values for 'deleteEntriesOlderThan': 14 days ago, 3 weeks ago, 1 month ago, 3 months ago, 6 years ago

Backups/snapshots are created every day by default (since the last backup was performed) and all backups older than 30 days are deleted. This can be adjusted via the backup job core:audit-logger.

Set log level

This is done via the configuration file [karaf]/etc/de.virtimo.bpc.core.cfg. There is a naming convention for this which is also used for other loggers: The full class name is extended by the postfix .auditlog.level.

Example:

Our OpenSearch logger has the class name de.virtimo.bpc.core.auditlog.OpenSearchAuditLogger and is then set to the log level DEBUG, for example.

...
de.virtimo.bpc.core.auditlog.OpenSearchAuditLogger.auditlog.level=DEBUG
...

Use in code

In the core and in other bundles, audit logs can be called via static methods of the classes SystemAuditLog and UserAuditLog.

The methods of the SystemAuditLog class are used for system-triggered actions. In the UserAuditLog class for user-triggered actions.

import de.virtimo.bpc.api.auditlog.SystemAuditLog;
...
SystemAuditLog.info("UserDeleted", "User deleted due to too many login failures");
...
UserAuditLog.debug("<username>", "ProcessUpdated", "Process updated", "old values", "new values");

Endpoint

Method Endpoint

POST

/cxf/bpc-auditlog/auditlog/log

Description

To create a new audit log entry, send a JSON message with the following structure:

{
    "level": "INFO",
    "originator": "[INUBIT]",
    "action": "TESTACTION",
    "description": "Only a test",
    "oldValues": "5",
    "newValues": "10",
    "externalReference": {
        "workflow": "update_units",
        "engine": "IS8"
    }
}

Hint: 'externalReference' is optional and must be a JSON object when used.

For calls from Iguasu the following HTTP headers are used and their values written to the following 'externalReference' object fields:

HTTP Header 'externalReference' field

IGUASU-System-ID

externalReference.system

IGUASU-Instance-ID

externalReference.instance

IGUASU-Processor-ID

externalReference.processor

IGUASU-Service-ID

externalReference.service

Returns

HTTP Status Code

  • 200 : OK

  • 400 : The transferred data is not valid

  • 401 : Authentication could not be performed

Required Access Rights

The logged in user or API Key must have either the following role or right.

  • Role : AUDIT_LOG_USER

  • Right : AUDIT_LOG_CREATE_ENTRY

GET

/cxf/bpc-auditlog/auditlog/open/monitor

Description

Redirects the user to the monitor using the audit log OpenSearch index.

All provided query params are used to build a monitor filter on fields of the 'externalReference' object.

For Iguasu the following query parameters can be used to access the HTTP header values when the entry has been created.

Query parameter HTTP header

system

IGUASU-System-ID

instance

IGUASU-Instance-ID

processor

IGUASU-Processor-ID

service

IGUASU-Service-ID

Returns

The requested data as JSON.

HTTP Status Code

  • 200 : OK

  • 401 : Authentication could not be performed

  • 404 : Module instance was not found

  • 500 : BPC deeplink could not be created

  • 503 : BPC or instance are currently in maintenance mode

Content-Type

  • application/json

Required Access Rights

Can be used without a user session.

Core Audit Logs

User

level originator action description old new

DEBUG

<Username>

UserAuthenticated

Login was successful

-

-

WARNING

<Username>

UserAuthenticationFailed

Login failed

-

-

ERROR

<Username>

UserAuthenticationFailed

Login failed: <Reason>

-

-

DEBUG

<Username>

UserLogout

Logout

-

-

Backups

level originator action description old new

INFO

<Username>

BackupCreated

Backup with the snapshot name '<name> created

-

-

INFO

BackupCreated

Backup with the snapshot name '<name>' created

-

-

INFO

<Username>

BackupDeleted

Backup with the snapshot name '<name>' deleted

-

-

INFO

BackupDeleted

Backup with the snapshot name '<name>' deleted

-

-

INFO

<Username>

BackupRestored

Backup with the snapshot name '<name>' restored

-

-

INFO

<Username>

BackupRestored

Backup with the snapshot name '<name>' restored to the index '<name>'

-

-

Module and module component configurationsConfigurations

level originator action description old new

INFO

<Username>

ConfigurationUploaded

Configuration uploaded and imported

-

-

INFO

<Username>

ModuleInstanceCreated

Module instance '<instance name>' (<instance id>) of module '<name>' (<id>) created

-

-

INFO

<Username>

ModuleUpdated

Settings of module '<name>' (<id>) updated: <setting names>

+

+

INFO

<Username>

ModuleInstanceUpdated

Settings of module instance '<instance name>' (<instance id>) of module '<name>' (<id>) updated: <setting names>

+

+

INFO

<Username>

ModuleInstanceDeleted

Module instance '<instance name>' (<instance id>) of module '<name>' (<id>) deleted

-

-

INFO

<Username>

ModuleSettingDeleted

Setting of module '<name>' (<id>) deleted: <setting name>

+

-

INFO

<Username>

ModuleInstanceSettingDeleted

Setting of module instance '<instance name>' (<instance id>) of module '<name>' (<id>) deleted: <setting name>

+

-

Replication

level originator action description old new

INFO

<Username>

ReplicationJobRestart

Restarted the replication job with the id: <id>

If called via the endpoint /replication/lastupdatetimestamp/{replicationJobId}.

-

-

Deployment

level originator action description old new

INFO

<Username>

Deployment

Deployment to target '<deployment system name>' (<deployment system id>) started

-

-

INFO

<Username>

Deployment

Deployment to target '<deployment system name>' (<deployment system id>) done

-

-

ERROR

<Username>

Deployment

Deployment to target '<deployment system name>' (<deployment system id>) failed:<reason>

-

-

INFO

<Username>

BackupCreated

Backup with the snapshot name '<name>' created

-

-

INFO

<Username>

BackupRestored

Backup with the snapshot name '<name>' restored

-

-

INFO

<Username>

Deployment

Deployment import start

-

-

INFO

<Username>

Deployment

Deployment import done

-

-

ERROR

<Username>

Deployment

Deployment import failed: <reason>

-

-

INFO

<Username>

ModuleInstanceDeleted

Module instance '<module instance name>' (<module instance id>) of module '<module name>' (<module id>) deleted

-

-

INFO

<Username>

ModuleSettingDeleted

Setting of module '<module name>' (<module id>) deleted: <setting name>

+

-

INFO

<Username>

ModuleSettingDeleted

Setting of module '<module name>' (<module id>) to delete does not exist: <setting name>

-

-

INFO

<Username>

ModuleInstanceSettingDeleted

Setting of module instance '<module instance name>' (<module instance id>) and module '<module name>' (<module id>) deleted: <setting name>

+

-

INFO

<Username>

ModuleInstanceSettingDeleted

Setting of module instance '<module instance name>' (<module instance id>) and module '<module name>' (<module id>) to delete does not exist: <setting name>

-

-

INFO

<Username>

ModuleUpdated

Settings of module '<module name>' (<module id>) updated: <setting names>

+

+

INFO

<Username>

ModuleInstanceCreated

Module instance '<module instance name>' (<module instance id>) of module '<module name>' (<module id>) created

-

-

INFO

<Username>

ModuleInstanceUpdated

Settings of module instance '<module instance name>' (<module instance id>) of module '<module name>' (<module id>) updated: <setting names>

+

+

Maintenance Mode

level originator action description old new

WARNING

MaintenanceModeEnabled

Requested while reaching the file system limit of <limit> MB

-

-

INFO

<Username>

MaintenanceModeEnabled

Requested while performing a deployment

-

-

INFO

MaintenanceModeEnabled

Requested from other BPC server (Active/Active)

-

-

INFO

MaintenanceModeDisabled

Requested from other BPC server (Active/Active)

-

-

INFO

<Username>

MaintenanceModeEnabled

Requested by using the configuration endpoint (e.g. BPC Frontend)

-

-

INFO

<Username>

MaintenanceModeDisabled

Requested by using the configuration endpoint (e.g. BPC Frontend)

-

-

INFO

MaintenanceMode

Maintenance mode configuration setting updated: [karaf]/etc/en.virtimo.bpc.core.cfg

+

+
Keywords:
Press Esc to exit full screen
Modal image placeholder
Press Esc to exit full screen