AuditReaderCommands (AdminTask)
We can use the Jython scripting language to manage the security auditing system with wsadmin.sh. Use commands in the AuditReaderCommands group to display audit record information from the binary audit log.
Use the following commands to query the binary audit log:
binaryAuditLogReader
The binaryAuditLogReader command reads the default binary audit log and generates an HTML report based on the parameters you provide. We must use the auditor security role to use this command.
Target object: None.
Required parameters
- -fileName
- Fully qualified file name for the binary audit log. (String, required)
- -outputLocation
- Location of the HTML report that the command generates. (String, required)
Optional parameters
- -reportMode
- Type of report to generate. Valid values include basic, complete, or custom. The basic report provides the following configuration information:
- creationTime
- action
- progName
- registryType
- domain
- realm
- remoteAddr
- remotePort
- remoteHost
- resourceName
- resourceType
- resourceUniqueId
The complete report provides the data included in the default report type plus each additional data point of interest. The custom report lets you specify only the data points that you want to see in the report. The default value is basic. (String, optional)
See the Data point values table for the information that is available with each of the report types.
- -eventFilter
- Audit types to read and report. Specify one or more audit event types. If we specify more than one value for the eventFilter parameter, separate each audit event type with a colon character (:). (String, optional)
- -outcomeFilter
- Audit event outcomes to read and report. Specify one or more audit event outcomes. If we specify more than one value for the outcomeFilter parameter, separate each audit event outcome with a colon character (:). (String, optional)
- -sequenceFilter
- List of beginning and ending sequence numbers. Use the a:b syntax, where a is the sequence number at which the HTML report begins and is less than or equal to b, the sequence number at which the HTML report ends. A single sequence number can also be specified, such as -sequenceFilter 10, to generate a report for only the tenth record. (String, optional)
- -timeStampFilter
- Time stamp range of records to read and report. Use the a:b syntax, where a and b are strings in the format java.text.SimpleDateFormat("MMddhhmmyyyy"). We can also specify a single timestamp. (String, optional)
- -keyStorePassword
- Specifies password to open the keystore. (String, optional)
- -dataPoints
- List of specific audit data to use to generate the report. Use this option only when you set the reportMode parameter to custom. If we specify multiple data points, separate each data point with a colon character (:). (String, optional)
the available data points, the report mode, its context object name,
| Data point name | reportMode value | Context object name | Field name | Description |
|---|---|---|---|---|
| RemoteAddr | basic | SessionContextObj | remoteAddr | The data point provides the IP address for the default remote host. |
| RemotePort | basic | SessionContextObj | remotePort | The data point provides the port of the default remote host. |
| RemoteHost | basic | SessionContextObj | remoteHost | The data point provides the host name of the remote host. |
| RegistryType | basic | RegistryContextObj | type | The data point provides the type of user registry that is being used, such as LDAP or AIX. |
| Domain | basic | ProcessContextObj | domain | The data point provides the domain to which the user belongs. |
| Realm | basic | ProcessContextObj | realm | The data point provides the registry partition to which the user belongs. |
| CreationTime | basic | EventContextObj | creationTime | The data point provides the date an event was created. |
| ProgName | basic | AccessContextObj | progName | The data point provides the name of the program that was involved in the event. |
| Action | basic | AccessContextObj | action | The data point provides the action being performed. |
| ResourceName | basic | AccessContextObj | resourceName | The data point provides the name of the resource in the context of the application. |
| ResourceType | basic | AccessContextObj | resourceType | The data point provides the type of resource. |
| ResourceUniqueId | basic | AccessContextObj | resourceUniqueId | The data point provides the unique identifier of the resource. |
| SessionId | complete | SessionContextObj | sessionId | The data point provides an identifier for the default user session. |
| FirstCaller | basic | PropagationContextObj | firstCaller | The data point provides the identity of the first user in the caller list. |
| DelegationType | complete | DelegationContextObj | delegationType | The data point provides the delegation type. The delegation types are no delegation, simple delegation, method delegation or switch user delegation information. |
| RoleName | complete | DelegationContextObj | roleName | The data point provides the Run as role that is being used. The Run as roles are runAsClient, runAsSpecified, runAsSystem, or own ID. |
| IdentityName | complete | DelegationContextObj | identityName | The data point provides information about the mapped user. |
| AuthnType | complete | AuthnContextObj | authnType | The data point provides the type of authentication that is being used. |
| Provider | complete | ProviderContextObj | provider | The data point returns the provider of the authentication or authorization service. |
| ProviderStatus | complete | ProviderContextObj | providerStatus | The data point provides the status of whether the authentication or authorization event was successfully processed by the provider. |
| MappedSecurityDomain | complete | AuthnMappingContextObj | mappedSecurityDomain | The data point provides the security domain after the mapping has occurred. |
| MappedRealm | complete | AuthnMappingContextObj | mappedRealm | The data point provides the realm name after the mapping has occurred. |
| MappedUserName | complete | AuthnMappingContextObj | mappedUserName | The data point provides the user name after the mapping has occurred. |
| TerminateReason | basic | AuthnTermContextObj | terminateReason | The data point provides the reason that authentication ended. |
| RegistryUserName | basic | AccessContextObj | registryUserName | The data point provides the name of the user in the registry. |
| AppUserName | basic | AccessContextObj | appUserName | The data point provides the name of the user within an application. |
| AccessDecision | complete | AccessContextObj | accessDecision | The data point provides the decision of the authorization call. |
| PermissionsChecked | complete | AccessContextObj | permissionsChecked | The data point provides the permissions that were checked during the authorization call. |
| PermissionsGranted | complete | AccessContextObj | permissionsGranted | The data point provides the permissions that were granted during the authorization call. |
| RolesChecked | complete | AccessContextObj | rolesChecked | The data point provides the roles that were checked during the authorization call. |
| RolesGranted | complete | AccessContextObj | rolesGranted | The data point provides the roles that were granted during the authorization call. |
| PolicyName | complete | PolicyContextObj | policyName | The data point provides the name of the policy. |
| PolicyType | complete | PolicyContextObj | policyType | The data point provides the type of policy. |
| KeyLabel | basic | KeyContextObj | keyLabel | The data point provides the key or certificate label. |
| KeyLocation | basic | KeyContextObj | keyLocation | The data point provides the physical location of the key database. |
| CertLifetime | basic | KeyContextObj | certLifetime | The data point provides the date when a certificate expires. |
| MgmtType | complete | MgmtContextObj | mgmtType | The data point provides the type of management operation. |
| MgmtCommand | complete | MgmtContextObj | mgmtCommand | The data point provides the application-specific command that was performed. |
| Url | complete | ResponseContextObj | url | The data point provides the URL of the HTTP request. |
| CallerList | basic | PropagationContextObj | callerList | The data point provides a list of names that represent the identities of the users. |
| HttpRequestHeaders | complete | ResponseContextObj | httpRequestHeaders | The data point provides the HTTP request headers provided by the client. |
| HttpResponseHeaders | complete | ResponseContextObj | httpResponseHeaders | The data point provides the HTTP response headers that are returned by the server. |
| TargetInfoName | complete | ResponseContextObj | httpResponseHeaders | The object the operation is targeted against. |
| TargetInfoUniqueId | complete | ResponseContextObj | httpResponseHeaders | The unique identifier of the target. |
| OutcomeReasonCode | complete | ResponseContextObj | httpResponseHeaders | A code mapping to an outcome decision: 1 means a certificate parsing error; 2 means a security context error. |
Return value
The command returns the HTML report based on the values specified for each parameter to the location specified by the outputLocation parameter.
Batch mode example
- Jython string:
AdminTask.binaryAuditLogReader('[-fileName myFileName -reportMode basic -keyStorePassword password123 -outputLocation C:\\binaryLogs]')
AdminTask.binaryAuditLogReader('[-fileName myFileName -reportMode basic -keyStorePassword password123 -outputLocation /binaryLogs]')
- Jython list:
AdminTask.binaryAuditLogReader(['-fileName', 'myFileName', '-reportMode', 'basic', '-keyStorePassword', 'password123', '-outputLocation', 'C:\\binaryLogs'])
AdminTask.binaryAuditLogReader(['-fileName', 'myFileName', '-reportMode', 'basic', '-keyStorePassword', 'password123', '-outputLocation', '/binaryLogs'])
Interactive mode
- Jython:
AdminTask.binaryAuditLogReader('-interactive')
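The following is an added example, not part of the original command reference: a Jython-compatible helper that assembles the list-form argument for binaryAuditLogReader from the filter syntax described above (colon-separated values, a:b ranges with a less than or equal to b, MMddhhmmyyyy time stamps, dataPoints only in custom mode). The helper names, the file paths and the event and outcome names are assumptions chosen for illustration and are not listed on this page.

```python
from datetime import datetime

# strftime equivalent of SimpleDateFormat "MMddhhmmyyyy"; hh is the 12-hour field.
TS_FORMAT = "%m%d%I%M%Y"

def _span(value, render):
    """Render a single value or an (a, b) pair in the a:b syntax, requiring a <= b."""
    if isinstance(value, (tuple, list)):
        a, b = value
        if a > b:
            raise ValueError("range start %r is after range end %r" % (a, b))
        return "%s:%s" % (render(a), render(b))
    return render(value)

def build_reader_args(file_name, output_location, report_mode="basic",
                      events=(), outcomes=(), sequence=None, timestamps=None,
                      data_points=()):
    """Return the Jython-list argument for AdminTask.binaryAuditLogReader."""
    if report_mode not in ("basic", "complete", "custom"):
        raise ValueError("reportMode must be basic, complete or custom")
    if data_points and report_mode != "custom":
        raise ValueError("-dataPoints is only valid with -reportMode custom")
    args = ["-fileName", file_name, "-outputLocation", output_location,
            "-reportMode", report_mode]
    if events:
        args += ["-eventFilter", ":".join(events)]
    if outcomes:
        args += ["-outcomeFilter", ":".join(outcomes)]
    if sequence is not None:
        args += ["-sequenceFilter", _span(sequence, str)]
    if timestamps is not None:
        args += ["-timeStampFilter", _span(timestamps, lambda t: t.strftime(TS_FORMAT))]
    if data_points:
        args += ["-dataPoints", ":".join(data_points)]
    return args

# Constructed sample: failed or denied authentication and authorization events
# for one morning, limited to the data points needed to trace the caller.
SAMPLE_ARGS = build_reader_args(
    "/logs/BinaryAudit_sample.log", "/binaryLogs",  # placeholder paths
    report_mode="custom",
    events=["SECURITY_AUTHN", "SECURITY_AUTHZ"], outcomes=["FAILURE", "DENIED"],
    timestamps=(datetime(2024, 3, 5, 8, 0), datetime(2024, 3, 5, 11, 30)),
    data_points=["CreationTime", "RemoteAddr", "RegistryUserName", "AccessDecision"])

if "AdminTask" in globals():  # defined only inside a wsadmin session
    AdminTask.binaryAuditLogReader(SAMPLE_ARGS)
```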
showAuditLogEncryptionInfo
The showAuditLogEncryptionInfo command displays information about the keystore that the auditing system uses to encrypt audit records. Use this information as a hint to the keystore password that is needed to decrypt encrypted audit records in the binary audit log.
Target object: None.
Required parameters
- -fileName
- Fully qualified path of the binary audit log. (String, required)
Return value
The command returns the certificate alias and the fully qualified path to the keystore of interest.
Batch mode example
- Jython string:
AdminTask.showAuditLogEncryptionInfo('[-fileName myFileName]')
- Jython list:
AdminTask.showAuditLogEncryptionInfo(['-fileName', 'myFileName'])
Interactive mode
- Jython:
AdminTask.showAuditLogEncryptionInfo('-interactive')
Related tasks
Use the audit reader
- AuditKeyStoreCommands (AdminTask)
- AuditEmitterCommands (AdminTask)
- AuditSigningCommands (AdminTask)
- AuditEncryptionCommands (AdminTask)
- AuditEventFactoryCommands (AdminTask)
- AuditFilterCommands (AdminTask)
- AuditPolicyCommands (AdminTask)
- AuditEventFormatterCommands (AdminTask)