Create security auditing event type filters
Event type filters are used to specify the types of auditable security events that are audited. Default event type filters are included with the product, but we can also configure new event type filters to specify a subset of auditable event types to be recorded by the security auditing subsystem.
Before configuring security auditing filters and the rest of the security auditing subsystem, enable global security in our environment. We must be assigned the auditor role to complete this task.

Event type filters specify which events are audited. The amount of data recorded for each event is set with the Enable verbose auditing check box, on the same panel used to enable the auditing subsystem. Navigate to Security > Security auditing to enable security auditing and determine the data recorded for each event.
The application server provides the following commonly used event type filters by default in the audit.xml template file.

| Name | Event name | Outcome of event |
|---|---|---|
| DefaultAuditSpecification_1 | SECURITY_AUTHN | SUCCESS |
| DefaultAuditSpecification_2 | SECURITY_AUTHN | DENIED |
| DefaultAuditSpecification_3 | SECURITY_RESOURCE_ACCESS | SUCCESS |
| DefaultAuditSpecification_4 | SECURITY_AUTHN | REDIRECT |

New event type filters can be created, or the existing default filters can be extended, to capture more event types and outcomes. Use this task to create new event type filters.
- Click Security > Security auditing > Event type filters > New.
- Enter the unique name that should be associated with this event type filter configuration in the Name field.
- Specify the events that should be recorded when this filter is applied:
  - Select the events to be audited from the Selectable events list.
  - Click Add >> to add the selected events to the Enabled events list.
  - Select the outcomes to be audited from the Selectable event outcomes list.
  - Click Add >> to add the selected outcomes to the Enabled event outcomes list.
- Click OK.
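The following added example (not part of the product documentation) models the four default filters listed on this page and checks them against a constructed monitoring baseline, to show which event and outcome pairs a new filter would need to enable. It assumes a filter records an event when both the event type and the outcome are in its enabled lists; the REQUIRED baseline and the CustomAuditSpecification name are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EventTypeFilter:
    name: str
    events: frozenset      # the "Enabled events" list
    outcomes: frozenset    # the "Enabled event outcomes" list
    enabled: bool = True

    def records(self, event, outcome):
        # Assumption: a filter records an event when both its type and
        # its outcome appear in the filter's enabled lists.
        return self.enabled and event in self.events and outcome in self.outcomes


def make(name, events, outcomes, enabled=True):
    return EventTypeFilter(name, frozenset(events), frozenset(outcomes), enabled)


# The four default filters from the table on this page.
DEFAULT_FILTERS = [
    make("DefaultAuditSpecification_1", ["SECURITY_AUTHN"], ["SUCCESS"]),
    make("DefaultAuditSpecification_2", ["SECURITY_AUTHN"], ["DENIED"]),
    make("DefaultAuditSpecification_3", ["SECURITY_RESOURCE_ACCESS"], ["SUCCESS"]),
    make("DefaultAuditSpecification_4", ["SECURITY_AUTHN"], ["REDIRECT"]),
]

# Constructed monitoring baseline (hypothetical): pairs we want logged.
REQUIRED = {
    ("SECURITY_AUTHN", "SUCCESS"),
    ("SECURITY_AUTHN", "DENIED"),
    ("SECURITY_RESOURCE_ACCESS", "SUCCESS"),
    ("SECURITY_RESOURCE_ACCESS", "DENIED"),
}


def coverage_gaps(filters, required):
    """Return the required (event, outcome) pairs that no enabled filter records."""
    return sorted(p for p in required if not any(f.records(*p) for f in filters))


def propose_filters(gaps, prefix="CustomAuditSpecification"):
    """Group the gaps by event type into one new filter per event."""
    by_event = {}
    for event, outcome in gaps:
        by_event.setdefault(event, set()).add(outcome)
    return [make(f"{prefix}_{i}", [event], outcomes)
            for i, (event, outcomes) in enumerate(sorted(by_event.items()), 1)]
```

Against this baseline, the default filters leave one gap: SECURITY_RESOURCE_ACCESS with outcome DENIED.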
Results
The successful completion of this task results in the creation of an event type filter that can be selected by the audit service providers and audit event factories to gather and record a specific set of auditable security events.
What to do next
After creating an event type filter, the filter must be specified in the audit service provider and the audit event factory to be used to gather or report audit data. The next step in configuring the security auditing subsystem is to configure an audit service provider to define where the audit data will be archived.
Subtopics
- Auditable security events
Auditable security events are security events that have audit instrumentation added to the security run time code to enable them to be recorded. Event filters are configured to specify which auditable security events are recorded to the audit log files.
- Event type filter settings
The Event type filter settings panel is used by an auditor to manage and create event type filters. Default event type filters are included; this panel allows additional event type filters to be added. Existing event type filters are also managed using this panel.
- Event type filters collection
The Event type filters panel displays a listing of all configured audit specifications with their unique names, the state of their enablement, and the event types and event outcomes specified for each configuration.
- Example: Generic Event Interface
This interface is used for processing generic audit events. Other interfaces can be defined which extend this interface to process specific audit event groupings, such as security events, transaction events, or other custom groupings. For WebSphere Application Server version 7.0, only security types of events are supported.
- Context objects for security auditing
Each event has an associated set of information that is available for logging. This information is grouped into specific context objects. The context objects that are available for logging a specific event are specified by the event type. All event types have the sessionContextObj, eventContextObj, accessContextObj, propogationContextObj, processContextObj and registryContextObj objects. This topic specifies which additional context objects are available for each event type.
- Context object fields
Each auditable event has an associated set of information that is available for logging. This information is grouped into specific context objects. The context objects that are available for logging a specific event are specified by the event type. This topic details the information that exists for each context object and specifies whether the information is logged by default or is only logged when the verbose logging option is enabled.
Related tasks
- Audit the security infrastructure
- Configure auditable events
- Configure the default audit service providers for security auditing