Administrative audit messages in system logs

The product provides administrative audit messages in system logs containing some audit information. The audit messages described in this topic are part of the standard product audit stream and do not provide administrative event auditing information such as who changed files.

This topic references one or more of the application server log files. As a recommended alternative, we can configure the server to use the High Performance Extensible Logging (HPEL) log and trace infrastructure instead of using the SystemOut.log, SystemErr.log, trace.log, and activity.log files on distributed and IBM i systems. We can also use HPEL in conjunction with the native z/OS logging facilities. If we are using HPEL, we can access all of the log and trace information using the LogViewer command-line tool from the server profile bin directory. See the information about using HPEL to troubleshoot applications for more information on using HPEL.

Important: The functionality described in this topic uses system logs and is not a part of the security auditing subsystem. The audit information captured by this functionality does not correspond with the audit information captured by the security auditing subsystem. For information about the security auditing subsystem, see the topic on auditing the security infrastructure.

Administrative audits use the same trace logging facility as the rest of the product, and do not use the logging facility that is a part of the security auditing subsystem. The audits are available in both the activity.log file and the SystemOut.log of the server that performs the action. You do not need to enable trace to produce the audits. However, through the Repository service console page, we can control whether configuration change auditing is done. This type of audit is done by default. Operational command auditing is always enabled. Information about which user performed the change is available only when security is enabled.

We can do administrative audits with or without the security audit facility.

The following administrative actions are audited:

Configuration change audits have ADMRxxxxI message IDs, where xxxx is the message number. Operational audits have ADMN10xxI message IDs, where 10xx is the message number.

Here are some audit examples from a WAS Network Deployment environment.

The following audit example is from the deployment manager SystemOut.log file:

[7/23/03 17:04:49:089 CDT] 39c26dad FileRepositor A ADMR0015I: Document  cells/ellingtonNetwork/security.xml was modified by user u1.
[7/23/03 17:04:49:269 CDT] 3ea0edb5 FileRepositor A ADMR0016I: Document  cells/ellingtonNetwork/nodes/ellington/app.policy was created by user u1.
...
[7/23/03 17:13:54:081 CDT] 39a572a1 AdminHelper   A ADMN1008I: Attempt  made to start the SamplesGallery application. (User ID = u1)
...

The following audit example is from the node agent SystemOut.log file:

The following audit example is from the application server SystemOut.log file:

The message text is split for printing purposes.
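
The following Python parser is an added example, not IBM's code and not part of the original topic. It extracts ADMRxxxxI and ADMN10xxI audit records from SystemOut.log text using the line layout of the samples above and lists configuration changes to watched files; the WATCHLIST of file names and the last sample line are assumptions constructed for illustration.

```python
import re
from fnmatch import fnmatch
from posixpath import basename

# Layout from the samples above: [timestamp] thread component type msgid: text
LINE_RE = re.compile(
    r"^\s*\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]+)\s+(?P<component>\S+)\s+"
    r"(?P<etype>[A-Z])\s+(?P<msgid>ADMR\d{4}I|ADMN10\d{2}I):\s+(?P<text>.*)$")
DOC_RE = re.compile(r"Document (\S+) was (\w+)")
# The two user-attribution shapes seen in the samples.
USER_RES = (re.compile(r"\(User ID = ([^)]+)\)"), re.compile(r"by user (\S+?)\.?$"))
# Assumption: an example watchlist of file names worth reviewing.
WATCHLIST = ("security.xml", "*.policy")

# First three lines are the page's samples; the last is a constructed non-audit line.
SAMPLE = """\
[7/23/03 17:04:49:089 CDT] 39c26dad FileRepositor A ADMR0015I: Document  cells/ellingtonNetwork/security.xml was modified by user u1.
   [7/23/03 17:04:49:269 CDT] 3ea0edb5 FileRepositor A ADMR0016I: Document  cells/ellingtonNetwork/nodes/ellington/app.policy was created by user u1.
   [7/23/03 17:13:54:081 CDT] 39a572a1 AdminHelper   A ADMN1008I: Attempt  made to start the SamplesGallery application. (User ID = u1)
[7/23/03 17:14:00:000 CDT] 0000000a SampleComp    I XXXX0000I: constructed non-audit line
"""

def parse_audit_line(line):
    """Return a dict for an ADMR/ADMN audit line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "configuration" if rec["msgid"].startswith("ADMR") else "operational"
    rec["text"] = " ".join(rec["text"].split())  # collapse print-split double spaces
    rec["user"] = next((u.group(1) for u in (r.search(rec["text"]) for r in USER_RES) if u), None)
    doc = DOC_RE.search(rec["text"])
    rec["document"], rec["action"] = doc.groups() if doc else (None, None)
    return rec

def parse_audit_log(text):
    """Parse every line and keep only the administrative audit records."""
    return [r for r in map(parse_audit_line, text.splitlines()) if r]

def sensitive_changes(records):
    """Configuration audits whose document name matches the watchlist."""
    return [r for r in records if r["document"]
            and any(fnmatch(basename(r["document"]), p) for p in WATCHLIST)]

if __name__ == "__main__":
    for r in sensitive_changes(parse_audit_log(SAMPLE)):
        print(r["ts"], r["msgid"], r["action"], r["document"], "user:", r["user"])
```

A record whose text carries neither attribution shape is returned with user set to None, which is worth surfacing because the user is recorded only when security is enabled.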

  • Repository service settings
  • Administer nodes and resources
  • Audit the security infrastructure