AuditReaderCommands command group for AdminTask

WAS v8.5 > Reference > Commands (wsadmin scripting)
AuditReaderCommands command group for AdminTask

We can use the Jython scripting language to manage the security auditing system with wsadmin. Use the commands and parameters in the AuditReaderCommands group to display audit record information from the binary audit log.

Use the following commands to query the binary audit log:

binaryAuditLogReader
showAuditLogEncryptionInfo

binaryAuditLogReader

The binaryAuditLogReader command reads the default binary audit log and generates an HTML report based on the parameters you provide. You must use the auditor security role to use this command.
Target object
None.
Required parameters

-fileName

Fully qualified file name for the binary audit log. (String, required)

-outputLocation

Location of the HTML report the command generates. (String, required)

Optional parameters

-reportMode

Type of report to generate. Valid values include basic, complete, or custom. The basic report provides the following configuration information:

creationTime
action
progName
registryType
domain
realm
remoteAddr
remotePort
remoteHost
resourceName
resourceType
resourceUniqueId
The complete report provides the data included by the default report type and each additional datapoint of interest. The custom report allows you to specify only the datapoints you choose to see generated in the report. Default is basic. (String, optional)
See the Data point values table for the information that is available with each of the report types.

-eventFilter

Audit types to read and report. Specify one or more audit event types. If we specify more than one value for the eventFilter parameter, separate each audit event type with a colon character (:). (String, optional)

-outcomeFilter

Audit event outcomes to read and report. Specify one or more audit event outcomes. If we specify more than one value for the outcomeFilter parameter, separate each audit event outcome with a colon character (:). (String, optional)

-sequenceFilter

List of beginning and ending sequence numbers. Use the a:b syntax, where a, the starting sequence number where the HTML report begins, and is less than or equal to b, the sequence number where the HTML report ends. A single sequence may also be specified, such as -sequenceFilter 10, to only generate a report for the tenth record. (String, optional)

-timeStampFilter

Time stamp range of records to read and report. Use the a:b syntax, where a and b are strings in the format java.text.SimpleDateFormat("MMddhhmmyyyy"). We can also specify a single timestamp. (String, optional)

-keyStorePassword

Specifies password to open the keystore. (String, optional)

-dataPoints

List of specific audit data to use to generate the report. Use this option only when we set the reportMode parameter as custom. If we specify multiple data points, separate each data point with a colon character (:). (String, optional)

Data point values. The following table includes the available data points, the report mode, its context object name, its field name, and a description of the information:

Data point name reportMode value Context object name Field name Description
RemoteAddr basic SessionContextObj remoteAddr The data point provides the IP address for the default remote host.
RemotePort basic SessionContextObj remotePort The data point provides the port of the default remote host.
RemoteHost basic SessionContextObj remoteHost The data point provides the host name of the remote host.
RegistryType basic RegistryContextObj type The data point provides the type of user registry that is being used, such as LDAP or AIX .
Domain basic ProcessContextObj domain The data point provides the domain to which the user belongs.
Realm basic ProcessContextObj realm The data point provides the registry partition to which the user belongs.
CreationTime basic EventContextObj creationTime The data point provides the date an event was created.
ProgName basic AccessContextObj progName The data point provides the name of the program that was involved in the event.
Action basic AccessContextObj action The data point provides the action being performed.
ResourceName basic AccessContextObj resourceName The data point provides the name of the resource in the context of the application.
ResourceType basic AccessContextObj resourceType The data point provides the type of resource.
ResourceUniqueId basic AccessContextObj resourceUniqueId The data point provides the unique identifier of the resource.
SessionId complete SessionContextObj sessionId The data point provides an identifier for the default user session.
FirstCaller basic PropagationContextObj firstCaller The data point provides the identity of the first user in the caller list.
DelegationType complete DelegationContextObj delegationType The data point provides the delegation type. The delegation types are no delegation, simple delegation, method delegation or switch user delegation information.
RoleName complete DelegationContextObj roleName The data point provides the Run as role that is being used. The Run as roles are runAsClient, runAsSpecified, runAsSystem, or own ID.
IdentityName complete DelegationContextObj identityName The data point provides information about the mapped user.
AuthnType complete AuthnContextObj authnType The data point provides the type of authentication that is being used.
Provider complete ProviderContextObj provider The data point returns the provider of the authentication or authorization service.
ProviderStatus complete ProviderContextObj providerStatus The data point provides the status of whether the authentication or authorization event was successfully processed by the provider.
MappedSecurityDomain complete AuthnMappingContextObj mappedSecurityDomain The data point provides the security domain after the mapping has occurred.
MappedRealm complete AuthnMappingContextObj mappedRealm The data point provides the realm name after the mapping has occurred.
MappedUserName complete AuthnMappingContextObj mappedUserName The data point provides the user name after the mapping has occurred.
TerminateReason basic AuthnTermContextObj terminateReason The data point provides the reason that authentication ended.
RegistryUserName basic AccessContextObj registryUserName The data point provides the name of the user in the registry.
AppUserName basic AccessContextObj appUserName The data point provides the name of the user within an application.
AccessDecision complete AccessContextObj accessDecision The data point provides the decision of the authorization call.
PermissionsChecked complete AccessContextObj permissionsChecked The data point provides the permissions that were checked during the authorization call.
PermissionsGranted complete AccessContextObj permissionsGranted The data point provides the permissions that were granted during the authorization call.
RolesChecked complete AccessContextObj rolesChecked The data point provides the roles that were checked during the authorization call.
RolesGranted complete AccessContextObj rolesGranted The data point provides the roles that were granted during the authorization call
PolicyName complete PolicyContextObj policyName The data point provides the name of the policy.
PolicyType complete PolicyContextObj policyType The data point provides the type of policy.
KeyLabel basic KeyContextObj keyLabel The data point provides the key or certificate label.
KeyLocation basic KeyContextObj keyLocation The data point provides the physical location of the key database.
CertLifetime basic KeyContextObj certLifetime The data point provides the date when a certificate expires.
MgmtType complete MgmtContextObj mgmtType The data point provides the type of management operation.
MgmtCommand complete MgmtContextObj mgmtCommand The data point provides the application-specific command that was performed.
Url complete ResponseContextObj url The data point provides the URL of the HTTP request.
CallerList basic PropagationContextObj callerList The data point provides a list of names that represent the identities of the users.
HttpRequestHeaders complete ResponseContextObj httpRequestHeaders The data point provides the HTTP request headers provided by the client.
HttpResponseHeaders complete ResponseContextObj httpResponseHeaders The data point provides the HTTP response headers that are returned by the server
TargetInfoName complete ResponseContextObj httpResponseHeaders The object the operation is targeted against
TargetInfoUniqueId complete ResponseContextObj httpResponseHeaders The unique identifier of the target
OutcomeReasonCode complete ResponseContextObj httpResponseHeaders A code mapping to an outcome decision

1 means a certificate parsing error
2 means a security context error

Return value
The command returns the HTML report based on the values specified for each parameter to the location specified by the outputLocation parameter.
Jython string:
AdminTask.binaryAuditLogReader('[-fileName myFileName -reportMode basic 
-keyStorePassword password123 -outputLocation C:\binaryLogs]')
AdminTask.binaryAuditLogReader('[-fileName myFileName -reportMode basic 
-keyStorePassword password123 -outputLocation /binaryLogs]')
Jython list:
AdminTask.binaryAuditLogReader(['-fileName', 'myFileName', '-reportMode', 'basic', 
'-keyStorePassword', 'password123', '-outputLocation', 'C:\binaryLogs'])
AdminTask.binaryAuditLogReader(['-fileName', 'myFileName', '-reportMode', 'basic', 
'-keyStorePassword', 'password123', '-outputLocation', '/binaryLogs'])
Interactive mode example usage

Using Jython:

AdminTask.binaryAuditLogReader('-interactive')

showAuditLogEncryptionInfo

The showAuditLogEncryptionInfo command displays information about the keystore the auditing system uses to encrypt audit records. Use this information as a hint of the keystore password in order to decrypt encrypted audit logs in the binary audit log.
Target object
None.
Required parameters

-fileName

Fully qualified path of the binary audit log. (String, required)

Return value
The command returns the certificate alias and the fully qualified path to the keystore of interest.
Batch mode example usage

Jython string:

AdminTask.showAuditLogEncryptionInfo('-fileName myFileName')

Jython list:

AdminTask.showAuditLogEncryptionInfo(['-fileName', 'myFileName'])

Interactive mode example usage

Using Jython:

AdminTask.showAuditLogEncryptionInfo('-interactive')

Related

Use the audit reader

Reference:

AuditKeyStoreCommands command group for AdminTask
AuditEmitterCommands for AdminTask
AuditSigningCommands command group for AdminTask
AuditEncryptionCommands command group for AdminTask
AuditEventFactoryCommands for AdminTask
AuditFilterCommands command group for AdminTask
AuditPolicyCommands command group for AdminTask
AuditEventFormatterCommands command group for AdminTask

+
Search Tips | Advanced Search

Data point name	reportMode value	Context object name	Field name	Description
RemoteAddr	basic	SessionContextObj	remoteAddr	The data point provides the IP address for the default remote host.
RemotePort	basic	SessionContextObj	remotePort	The data point provides the port of the default remote host.
RemoteHost	basic	SessionContextObj	remoteHost	The data point provides the host name of the remote host.
RegistryType	basic	RegistryContextObj	type	The data point provides the type of user registry that is being used, such as LDAP or AIX .
Domain	basic	ProcessContextObj	domain	The data point provides the domain to which the user belongs.
Realm	basic	ProcessContextObj	realm	The data point provides the registry partition to which the user belongs.
CreationTime	basic	EventContextObj	creationTime	The data point provides the date an event was created.
ProgName	basic	AccessContextObj	progName	The data point provides the name of the program that was involved in the event.
Action	basic	AccessContextObj	action	The data point provides the action being performed.
ResourceName	basic	AccessContextObj	resourceName	The data point provides the name of the resource in the context of the application.
ResourceType	basic	AccessContextObj	resourceType	The data point provides the type of resource.
ResourceUniqueId	basic	AccessContextObj	resourceUniqueId	The data point provides the unique identifier of the resource.
SessionId	complete	SessionContextObj	sessionId	The data point provides an identifier for the default user session.
FirstCaller	basic	PropagationContextObj	firstCaller	The data point provides the identity of the first user in the caller list.
DelegationType	complete	DelegationContextObj	delegationType	The data point provides the delegation type. The delegation types are no delegation, simple delegation, method delegation or switch user delegation information.
RoleName	complete	DelegationContextObj	roleName	The data point provides the Run as role that is being used. The Run as roles are runAsClient, runAsSpecified, runAsSystem, or own ID.
IdentityName	complete	DelegationContextObj	identityName	The data point provides information about the mapped user.
AuthnType	complete	AuthnContextObj	authnType	The data point provides the type of authentication that is being used.
Provider	complete	ProviderContextObj	provider	The data point returns the provider of the authentication or authorization service.
ProviderStatus	complete	ProviderContextObj	providerStatus	The data point provides the status of whether the authentication or authorization event was successfully processed by the provider.
MappedSecurityDomain	complete	AuthnMappingContextObj	mappedSecurityDomain	The data point provides the security domain after the mapping has occurred.
MappedRealm	complete	AuthnMappingContextObj	mappedRealm	The data point provides the realm name after the mapping has occurred.
MappedUserName	complete	AuthnMappingContextObj	mappedUserName	The data point provides the user name after the mapping has occurred.
TerminateReason	basic	AuthnTermContextObj	terminateReason	The data point provides the reason that authentication ended.
RegistryUserName	basic	AccessContextObj	registryUserName	The data point provides the name of the user in the registry.
AppUserName	basic	AccessContextObj	appUserName	The data point provides the name of the user within an application.
AccessDecision	complete	AccessContextObj	accessDecision	The data point provides the decision of the authorization call.
PermissionsChecked	complete	AccessContextObj	permissionsChecked	The data point provides the permissions that were checked during the authorization call.
PermissionsGranted	complete	AccessContextObj	permissionsGranted	The data point provides the permissions that were granted during the authorization call.
RolesChecked	complete	AccessContextObj	rolesChecked	The data point provides the roles that were checked during the authorization call.
RolesGranted	complete	AccessContextObj	rolesGranted	The data point provides the roles that were granted during the authorization call
PolicyName	complete	PolicyContextObj	policyName	The data point provides the name of the policy.
PolicyType	complete	PolicyContextObj	policyType	The data point provides the type of policy.
KeyLabel	basic	KeyContextObj	keyLabel	The data point provides the key or certificate label.
KeyLocation	basic	KeyContextObj	keyLocation	The data point provides the physical location of the key database.
CertLifetime	basic	KeyContextObj	certLifetime	The data point provides the date when a certificate expires.
MgmtType	complete	MgmtContextObj	mgmtType	The data point provides the type of management operation.
MgmtCommand	complete	MgmtContextObj	mgmtCommand	The data point provides the application-specific command that was performed.
Url	complete	ResponseContextObj	url	The data point provides the URL of the HTTP request.
CallerList	basic	PropagationContextObj	callerList	The data point provides a list of names that represent the identities of the users.
HttpRequestHeaders	complete	ResponseContextObj	httpRequestHeaders	The data point provides the HTTP request headers provided by the client.
HttpResponseHeaders	complete	ResponseContextObj	httpResponseHeaders	The data point provides the HTTP response headers that are returned by the server
TargetInfoName	complete	ResponseContextObj	httpResponseHeaders	The object the operation is targeted against
TargetInfoUniqueId	complete	ResponseContextObj	httpResponseHeaders	The unique identifier of the target
OutcomeReasonCode	complete	ResponseContextObj	httpResponseHeaders	A code mapping to an outcome decision 1 means a certificate parsing error 2 means a security context error