Use the audit reader
The audit reader utility reads the binary audit logs generated by the default binary emitter implementation and parses them to generate an HTML report. The audit reader is invoked using wsadmin commands and is not accessible from the administrative console.
The audit reader can only parse log files created by the default audit service provider. Logs created by a third-party emitter cannot be parsed by the audit reader.
Your audit logs might be encrypted, signed, encrypted and signed, or neither encrypted nor signed. The audit reader can parse any of these combinations to generate an HTML report. If the audit log file is encrypted, you must provide the password of the keystore that stores the certificate used to encrypt the log. The showAuditLogEncryptionInfo wsadmin command can be used to get information to determine which keystore was used to sign the audit log.
Depending on the selections you made in the audit service provider configuration, the audit logs can become large enough to be cumbersome to review. What data is recorded in the log depends on the event type filters you are using and on whether you specified verbose logging. Options are provided to limit the data included in the HTML report that the audit reader generates to a specified subset. The audit reader can parse the same data multiple times to generate separate reports for your different requirements.
By default, all event types, outcome types, timestamps, and sequence numbers are gathered from the binary audit log and included in the report. You can instead limit the report to specific event types, specific outcome types, specific sequence numbers, or records with specific timestamps. A sequence number is a unique identifier assigned to each audit record.
The report type controls what data is reported for each audit record in the log file. The default report type includes the following data for each audit record:
- creationTime
- action
- progName
- registryType
- domain
- realm
- remoteAddr
- remotePort
- remoteHost
- resourceName
- resourceType
- resourceUniqueId
The complete report type generates a report based on all the data that was logged for the selected audit records. It includes everything in the default report type plus all the additional datapoints that were logged for these audit records. The additional datapoints available for an audit record vary depending on the event type it represents.
A custom report type is also included. Use the custom report type to specify only the datapoints you want in the generated report. With any report type, a report may be generated based on the following criteria:
- all or specific event types
- all or specific outcome types
- all or a specific sequence number range
- all or a specific timestamp range
Run the binaryAuditLogReader wsadmin command to use the audit reader to generate a log report. See the AuditReaderCommands (AdminTask) article for more information.
Results
After completing these steps, you will have generated an HTML report containing the data specific to your requirement.
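The following is an added example, not code from the IBM documentation: a wsadmin Jython script that assembles the binaryAuditLogReader invocation described above, applying the report type and the event type, outcome, sequence and timestamp filters from the list, and calling showAuditLogEncryptionInfo first when the log is encrypted. The parameter names (-fileName, -outputLocation, -reportMode, -eventTypes, -outcomes, -sequenceFilter, -timeStampFilter, -keyStorePassword, -dataPoints), the filter value formats and the event type and outcome names used in the sample call are assumptions to check against the AuditReaderCommands reference for your release; the paths are constructed placeholders.

```python
# Added example (not from the IBM documentation). Builds the argument
# string for AdminTask.binaryAuditLogReader in a wsadmin Jython script.
# Parameter names, filter formats and event/outcome names are assumptions
# to verify against AuditReaderCommands (AdminTask) for your release.

def build_reader_args(file_name, output_location, report_mode="default",
                      event_types=None, outcomes=None, sequence_filter=None,
                      timestamp_filter=None, keystore_password=None,
                      data_points=None):
    """Return the bracketed argument string for AdminTask.binaryAuditLogReader.

    Raises ValueError for combinations the reader would reject: an unknown
    report mode, or a custom report without the data points it should show.
    """
    if report_mode not in ("default", "complete", "custom"):
        raise ValueError("report_mode must be default, complete or custom")
    if report_mode == "custom" and not data_points:
        raise ValueError("a custom report needs a list of data points")
    if report_mode != "custom" and data_points:
        raise ValueError("data_points only applies to a custom report")
    parts = ["-fileName", file_name,
             "-outputLocation", output_location,
             "-reportMode", report_mode]
    # Each filter is optional; omitting it means "all", as the text states.
    if event_types:
        parts.extend(["-eventTypes", ",".join(event_types)])
    if outcomes:
        parts.extend(["-outcomes", ",".join(outcomes)])
    if sequence_filter:
        # assumed format: "first:last" sequence number range
        parts.extend(["-sequenceFilter", sequence_filter])
    if timestamp_filter:
        # assumed format: "start,end" timestamp range
        parts.extend(["-timeStampFilter", timestamp_filter])
    if data_points:
        parts.extend(["-dataPoints", ",".join(data_points)])
    if keystore_password:
        # Only needed for an encrypted log; keep the password out of the
        # script file itself (read it from a protected file at run time).
        parts.extend(["-keyStorePassword", keystore_password])
    return "[" + " ".join(parts) + "]"


def read_encrypted_log(admin_task, file_name, output_location, password):
    """Report on an encrypted log: identify the keystore, then run the reader."""
    # showAuditLogEncryptionInfo (assumed -fileName parameter) tells you
    # which keystore's password the reader will need.
    info = admin_task.showAuditLogEncryptionInfo("[-fileName %s]" % file_name)
    args = build_reader_args(file_name, output_location, "complete",
                             keystore_password=password)
    admin_task.binaryAuditLogReader(args)
    return info


if __name__ == "__main__":
    # wsadmin injects AdminTask into the script's globals; outside wsadmin
    # the script only prints the command it would run.
    args = build_reader_args(
        "/opt/was/profiles/AppSrv01/logs/server1/BinaryAudit.log",  # constructed
        "/tmp/audit-report",                                         # constructed
        report_mode="custom",
        event_types=["SECURITY_AUTHN", "SECURITY_AUTHZ"],            # assumed names
        outcomes=["FAILURE", "DENIED"],                              # assumed names
        sequence_filter="1:500",
        data_points=["creationTime", "action", "remoteAddr", "resourceName"])
    try:
        AdminTask.binaryAuditLogReader(args)
    except NameError:
        print("would run: AdminTask.binaryAuditLogReader('%s')" % args)
```

Run it with `wsadmin -lang jython -f audit_report.py`; the validation in build_reader_args catches the two mismatches the page's report types imply (a custom report without datapoints, datapoints on a non-custom report) before the command is sent to the server.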
Example
Audit Event Outcome Codes
In a binary audit log or the output of the audit reader tool, audit event outcomes are expressed with a numeric code. Use this table to associate the audit event outcome code in the binary audit logs with a generic error message.
Outcome reason code  Description
0  An error occurred while parsing the certificate.
1  The security context does not exist for the thread.
2  There is conflicting session evidence.
3  The session has been rejected.
4  The token has expired.
5  Successful authentication has occurred.
6  Successful authentication for accessing a resource has occurred.
7  Successful authentication occurred while mapping a user.
8  Successful authorization has occurred.
9  Login termination was successful.
10  Invalid evidence exists.
11  There was a GSS formatting error.
12  Credentials were unauthenticated.
13  Authentication failed.
14  An invalid resource was accessed.
15  Authentication was denied.
16  Authorization was denied.
17  Access was denied because of an authentication failure.
18  Authorization was excluded.
19  Authorization was excluded because of access without a proper security role.
20  An unsupported authentication mechanism was used.
21  An authentication redirect occurred.
22  The context does not exist.
23  A TAI challenge occurred.
24  A TAI validation was not successful.
25  A TAI mapping was not successful.
26  A provider failure occurred.
27  An SSO token validation was not successful.
28  An invalid user ID or password was provided.
29  A login form was sent.
30  An invalid configuration exists.
31  A user ID or password is missing.
32  Failure occurred for an unknown reason.
33  The account was disabled because of retry violations.
34  The account was locked out because of retry violations.
35  The account was locked out because the maximum number of unsuccessful login attempts has occurred.
36  The account is disabled.
37  The account has expired.
38  The account is unlocked.
39  The maximum inactive time permitted for the account has elapsed.
40  The password has expired.
41  The minimum interval for a password change has not expired.
42  The maximum interval permitted before a password must be changed has elapsed.
43  An authentication failure has occurred.
44  An invalid user name was provided.
45  A PIN is required.
46  This outcome code is not used in this release.
47  A user mapping did not occur successfully.
48  A certificate failure occurred.
49  A policy violation has occurred.
50  A policy violation has occurred because of the time of day.
51  The policy allows access.
52  A policy violation has occurred because the maximum number of unsuccessful login attempts has been reached.
53  A user name mismatch has occurred.
54  An invalid user password was provided.
55  A token signature violation has occurred.
56  The token is not yet valid.
57  The token is not supported.
58  The token is not in a valid format.
59  A credential mapping failure occurred.
60  The delegate is not authorized.
61  Access to a resource is unauthorized because of an authorization.
62  Access to a resource is unauthorized because of a time of day policy.
63  Access to a resource is unauthorized.
64  Access to a resource is unauthorized because of quality of protection.
65  Access to a resource is unauthorized because of an authorization level.
66  Access to a resource is unauthorized because reauthentication is required.
67  A password error has occurred because it does not meet password standards: minimum alphabetic characters required.
68  A password error has occurred because it does not meet password standards: minimum alphanumeric characters required.
69  A password error has occurred because it does not meet password standards: minimum numeric characters required.
70  A password error has occurred because it does not meet password standards: minimum lowercase alphabetic characters required.
71  A password error has occurred because it does not meet password standards: minimum uppercase alphabetic characters required.
72  A password error has occurred because it does not meet password standards: minimum special characters required.
73  A password error has occurred because it does not meet password standards: maximum repeated characters exceeded.
74  A password error has occurred because it does not meet password standards: contains user name.
75  A password error has occurred because it does not meet password standards: reused password.
76  A password error has occurred because it does not meet password standards: contains previous password.
77  A password error has occurred because it does not meet password standards: violations in number of characters.
78  A password error has occurred because it does not meet password standards: first or last characters are numeric.
79  An illegal form login configuration exists.
80  Access is denied because of an incorrect URI.
81  Start was successful.
82  Stop was successful.
83  The audit subsystem has been stopped.
84  The audit subsystem has successfully been enabled.
85  The audit subsystem has had a successful policy change.
86  Delegation was successful.
87  Delegation was not successful.
88  The audit subsystem has successfully been disabled.
89  An audit subsystem error has occurred because a security header is missing.
90  An audit timestamp has been confirmed.
91  A bad audit timestamp has occurred.
92  Audit confidentiality has been confirmed.
93  Audit confidentiality cannot be confirmed.
94  An audit decryption error has occurred.
103  A login attempt has been made by a user who has already logged in successfully.
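The following is an added example, not code from the IBM documentation: a small triage helper that maps the numeric outcome reason codes from the table above to their descriptions, groups them into the categories a reviewer cares about (successes, authentication failures, lockouts, password policy errors, and problems with the audit trail itself), and summarises a set of audit records. The record layout (sequence number, creationTime, user, outcome code) and the sample records are constructed stand-ins for fields taken from a real audit reader report; only a subset of the codes is carried in the dictionary, which you would extend from the table.

```python
# Added example (not from the IBM documentation). Maps outcome reason codes
# from the table to descriptions and categories, then summarises records.
# Record layout and SAMPLE_RECORDS are constructed; OUTCOME_CODES carries a
# subset of the table and is meant to be extended from it.

OUTCOME_CODES = {
    5: "Successful authentication has occurred.",
    8: "Successful authorization has occurred.",
    9: "Login termination was successful.",
    13: "Authentication failed.",
    15: "Authentication was denied.",
    16: "Authorization was denied.",
    28: "An invalid user ID or password was provided.",
    31: "A user ID or password is missing.",
    33: "The account was disabled because of retry violations.",
    34: "The account was locked out because of retry violations.",
    35: "The account was locked out because the maximum number of "
        "unsuccessful login attempts has occurred.",
    40: "The password has expired.",
    44: "An invalid user name was provided.",
    52: "A policy violation has occurred because the maximum number of "
        "unsuccessful login attempts has been reached.",
    54: "An invalid user password was provided.",
    55: "A token signature violation has occurred.",
    67: "A password error has occurred because it does not meet password "
        "standards: minimum alphabetic characters required.",
    75: "A password error has occurred because it does not meet password "
        "standards: reused password.",
    91: "A bad audit timestamp has occurred.",
    93: "Audit confidentiality cannot be confirmed.",
    94: "An audit decryption error has occurred.",
    103: "A login attempt has been made by a user who has already logged "
         "in successfully.",
}

# Category sets are derived from the table's descriptions.
SUCCESS = {5, 6, 7, 8, 9, 51}
AUTH_FAILURE = {12, 13, 15, 17, 28, 31, 43, 44, 54}
LOCKOUT = {33, 34, 35, 52}
PASSWORD_POLICY = {40, 41, 42} | set(range(67, 79))
AUDIT_INTEGRITY = {91, 93, 94}   # the audit trail itself is in question


def describe(code):
    """Description for an outcome code, or a marker for codes not in the table."""
    return OUTCOME_CODES.get(code, "unknown outcome code %d" % code)


def category(code):
    """Coarse category used for triage."""
    if code in SUCCESS:
        return "success"
    if code in AUTH_FAILURE:
        return "auth-failure"
    if code in LOCKOUT:
        return "lockout"
    if code in PASSWORD_POLICY:
        return "password-policy"
    if code in AUDIT_INTEGRITY:
        return "audit-integrity"
    return "other"


def summarize(records, threshold=3):
    """Count outcomes per code, flag users with repeated failures or lockouts,
    and collect events that cast doubt on the audit trail.

    records: iterable of (sequence, creation_time, user, outcome_code).
    Returns (counts_by_code, flagged_users, audit_integrity_events).
    """
    counts = {}
    failures_by_user = {}
    integrity = []
    for seq, ts, user, code in records:
        counts[code] = counts.get(code, 0) + 1
        if code in AUTH_FAILURE or code in LOCKOUT:
            failures_by_user[user] = failures_by_user.get(user, 0) + 1
        if code in AUDIT_INTEGRITY:
            integrity.append((seq, ts, describe(code)))
    flagged = sorted(u for u, n in failures_by_user.items() if n >= threshold)
    return counts, flagged, integrity


# Constructed sample records: sequence number, creationTime, user, outcome.
SAMPLE_RECORDS = [
    (101, "2024-01-15T08:00:01Z", "bob", 5),
    (102, "2024-01-15T08:00:05Z", "alice", 28),
    (103, "2024-01-15T08:00:09Z", "alice", 28),
    (104, "2024-01-15T08:00:12Z", "alice", 28),
    (105, "2024-01-15T08:00:15Z", "alice", 34),
    (106, "2024-01-15T08:01:00Z", "carol", 103),
    (107, "2024-01-15T08:02:00Z", "-", 93),
]

if __name__ == "__main__":
    counts, flagged, integrity = summarize(SAMPLE_RECORDS)
    for code in sorted(counts):
        print("%3d x%d [%s] %s" % (code, counts[code], category(code), describe(code)))
    print("users with repeated failures:", flagged)
    print("audit integrity events:", integrity)
```

The sequence numbers are used as-is because, as the text notes, each one is a unique record identifier, so a gap in the flagged range is itself worth a look when the report was generated with a sequence filter.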
Related tasks
- Audit the security infrastructure
- Encrypting the security audit records
- Signing the security audit records
- Protecting the security audit data
- Configure the default audit service providers for security auditing
- AuditReaderCommands (AdminTask)
- AuditEmitterCommands (AdminTask)