Configure the default audit service providers for security auditing
The audit service provider is used to format the audit data object sent by the audit event factory. After being formatted, the audit data is recorded to the repository defined in the audit service provider configuration.
Before configuring the audit service provider, enable global security in the environment.
This task configures the audit service provider used to record generated audit records.
- Click Security > Security Auditing > Audit service provider.
- Click New and then select Binary file based emitter.
- Enter the unique name that should be associated with this audit service provider in the Name field.
- Enter the file location of the binary log file in the Audit log file location field.
When the server is stopped, the current audit file is saved with a timestamp in its file name; this facilitates archiving and lets you identify the audit files for a specific period. When you start the server again, audit data is written to a new audit file whose name does not include a timestamp.
- Optional: Enter the maximum size allowed for a single binary log file in the Audit log file size field.
This field is specified in megabytes. After the maximum audit file size is reached, a new audit file is created or an existing audit file is overwritten. If the maximum audit file size is not set, the default of 10 megabytes is used. There is no audit archiving utility included with the product; you are responsible for archiving your audit data.
- Optional: In the Maximum number of audit log files field, enter the maximum number of audit logs to be stored before the oldest is overwritten.
The default value for this field is 100, which is also used if the field is left empty.
Maximum number of logs does not include the current binary log that is being written to. It is a reference to the maximum number of archived (timestamped) logs. The total number of binary logs that can exist for a server process is the maximum number of archived logs plus the current log.
Also under this field, there are options that select the behavior when the maximum number of logs is reached. The choices are:
- oldest
- If selected, when the maximum number of audit logs is reached, the oldest audit log is overwritten; no notification is sent to the auditor.
- stop server
- This option does not overwrite the oldest audit log. It stops the audit service, writes a notification to SystemOut.log, and quiesces the application server.
- stop logging
- This option does not overwrite the oldest audit log. It also stops the audit service, but allows the WebSphere process to continue running. No notification is written to SystemOut.log.
Note that oldest and stop logging both lose audit records without alerting anyone (by overwriting, or by no longer recording); only stop server fails closed and leaves a trace in SystemOut.log.
- Select the filters to be used by this audit service provider. The Selectable filter list contains the filters that are configured and currently enabled.
- Select the filters that should be audited from the Selectable filter list.
- Click Add >> to add the selected filters to the Enabled filter list.
- Click Apply.
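The same configuration as a wsadmin Jython script, for cells where the console steps above must be repeatable. This is an added example, not code from the WebSphere documentation or product. It assumes the createBinaryEmitter command of the AuditEmitterCommands group with the parameters -emitterRef, -className, -fileLocation, -auditFilters, -maxFileSize, -maxLogs and -wrapBehavior (values WRAP, NOWRAP and SILENT_FAIL for oldest, stop server and stop logging), that -auditFilters takes a colon-separated list of filter references, and the emitter class name com.ibm.ws.security.audit.BinaryEmitterImpl; confirm each with AdminTask.help('createBinaryEmitter') on your cell before use. The provider name, directory and filter reference in the main block are placeholders.

```python
# wsadmin Jython script: the console procedure above as one scripted call.
# Added example, not taken from the WebSphere documentation or product.
# Written in the Python 2.1 subset so it also runs under the Jython that
# wsadmin ships with in WAS 8.5 (no True/False, no 'with', no f-strings).
#
# ASSUMED (verify with AdminTask.help('createBinaryEmitter') on your cell):
# the parameter names below, the WRAP / NOWRAP / SILENT_FAIL values of
# -wrapBehavior, the emitter class name, and that -auditFilters takes a
# colon-separated list of filter references.

BINARY_EMITTER_CLASS = 'com.ibm.ws.security.audit.BinaryEmitterImpl'

# Console choice for "when the maximum number of logs is reached" -> command value
WRAP_BEHAVIOR = {
    'oldest':       'WRAP',         # overwrite the oldest archived log, no notification
    'stop server':  'NOWRAP',       # stop auditing, note in SystemOut.log, quiesce server
    'stop logging': 'SILENT_FAIL',  # stop auditing, server keeps running, nothing logged
}


def build_emitter_args(name, location, filters, max_file_mb=10, max_logs=100,
                       on_full='oldest'):
    """Return the parameter string for AdminTask.createBinaryEmitter after
    checking the same constraints the console enforces."""
    if not name or not location:
        raise ValueError('emitter name and audit log file location are required')
    if not filters:
        raise ValueError('attach at least one enabled audit filter')
    if max_file_mb < 1 or max_logs < 1:
        raise ValueError('maximum file size (MB) and maximum number of logs must be >= 1')
    behavior = WRAP_BEHAVIOR.get(on_full)
    if behavior is None:
        raise ValueError('on_full must be one of: %s' % ', '.join(WRAP_BEHAVIOR.keys()))
    return ('-emitterRef %s -className %s -fileLocation %s -auditFilters %s '
            '-maxFileSize %d -maxLogs %d -wrapBehavior %s') % (
            name, BINARY_EMITTER_CLASS, location, ':'.join(filters),
            max_file_mb, max_logs, behavior)


def configure_audit_provider(admin_task, admin_config, name, location, filters,
                             max_file_mb=10, max_logs=100, on_full='oldest'):
    """Create the provider in the cell's security configuration and save it.
    admin_task / admin_config are the wsadmin AdminTask and AdminConfig
    objects; passing them in keeps the function testable outside wsadmin."""
    ref = admin_task.createBinaryEmitter(
        build_emitter_args(name, location, filters, max_file_mb, max_logs, on_full))
    admin_config.save()  # nothing reaches security.xml until the config is saved
    return ref


if __name__ == '__main__':
    # Only runs under wsadmin, where AdminTask and AdminConfig are predefined:
    #   wsadmin.sh -lang jython -f configure_audit_provider.py
    # Placeholder values: replace with your own provider name, directory and
    # the references of filters already enabled in this cell.
    configure_audit_provider(
        AdminTask, AdminConfig,
        name='auditServiceProviderImpl_1',
        location='/var/log/was/audit',
        filters=['auditFilter_1'],
        max_file_mb=20, max_logs=100, on_full='stop server')
```

The AdminTask and AdminConfig objects are passed in rather than referenced as globals so that build_emitter_args and the save call can be exercised with a stub outside wsadmin; under wsadmin the main block passes the real objects. Choosing 'stop server' here mirrors the fail-closed option described above.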
Results
After completing these steps, your audit data will be sent to the specified repository in the format required by that repository.
After creating an audit service provider, you must associate it with an audit event factory, which provides the audit data objects to the audit service provider. Next, configure an audit event factory.
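Because the product ships no archiving utility and the oldest option above silently overwrites archived logs once the maximum number is reached, the following script moves the timestamped (archived) binary audit logs out of the audit directory and records a SHA-256 for each before that can happen. This is an added example, not a WebSphere utility. It assumes the naming convention BinaryAudit_<cell>_<node>_<server>.log for the live log and the same stem with a timestamp appended before .log for archived copies; check this against your own audit directory and adjust archived_log_pattern if your file names differ.

```python
"""Archive WebSphere binary audit logs before the emitter's maximum-number-of-logs
limit overwrites (or stops on) them. Added example, not a WebSphere utility.

ASSUMED naming, check against your own audit directory: the live log is
BinaryAudit_<cell>_<node>_<server>.log and each archived log (written when the
server stops or the size limit is reached) is that stem with a timestamp
appended before .log. The live log is never matched and never touched."""
import hashlib
import os
import re
import shutil


def archived_log_pattern(live_name):
    """Regex matching archived copies of live_name: stem + '_' + timestamp + ext.
    The timestamp is taken to be digits separated by '.', '_' or '-'."""
    stem, ext = os.path.splitext(live_name)
    return re.compile(r'^%s_[0-9][0-9._-]*%s$' % (re.escape(stem), re.escape(ext)))


def sha256_file(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks (audit logs can be large)."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def archive_audit_logs(audit_dir, archive_dir, live_name, max_logs, warn_at=0.8):
    """Move every archived audit log from audit_dir into archive_dir, writing a
    .sha256 sidecar for each so later tampering is detectable, and refusing to
    overwrite anything already in archive_dir.

    Returns {'moved': [(name, sha256), ...], 'near_limit': bool}; near_limit is
    True when the number of archived logs found had reached warn_at * max_logs,
    meaning the wrap/stop behaviour was close to triggering and this job should
    run more often."""
    pattern = archived_log_pattern(live_name)
    names = sorted(n for n in os.listdir(audit_dir) if pattern.match(n))
    near_limit = len(names) >= warn_at * max_logs
    os.makedirs(archive_dir, exist_ok=True)
    moved = []
    for n in names:
        src = os.path.join(audit_dir, n)
        dst = os.path.join(archive_dir, n)
        if os.path.exists(dst):
            raise FileExistsError('refusing to overwrite archived log %s' % dst)
        digest = sha256_file(src)
        shutil.move(src, dst)
        if sha256_file(dst) != digest:          # guards a cross-filesystem copy
            raise IOError('digest mismatch after moving %s' % n)
        with open(dst + '.sha256', 'w') as f:
            f.write('%s  %s\n' % (digest, n))   # sha256sum -c compatible
        moved.append((n, digest))
    return {'moved': moved, 'near_limit': near_limit}


if __name__ == '__main__':
    # Placeholder paths and name; run from cron on the server host.
    result = archive_audit_logs('/var/log/was/audit', '/srv/audit-archive',
                                'BinaryAudit_cell1_node1_server1.log', max_logs=100)
    print('archived %d log(s); near limit: %s' % (len(result['moved']), result['near_limit']))
```

Run it from a scheduled job as a user that can read the audit directory, and store the archive on a separate volume or host so that a compromise of the application server does not also remove the evidence it produced. The near_limit flag is what to alert on: it means the emitter's wrap or stop behaviour is about to decide the fate of your audit trail.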
Subtopics
- Audit service provider page
The Audit service provider panel displays a listing of all configured audit service provider implementations. Using this panel, a user can define a new audit service provider implementation, delete an existing implementation, and display or modify the fields associated with an existing implementation.
- Audit service provider settings
Use this page to define the implementation details of the audit service provider. There are three types of audit service providers: binary file-based, third party and SMF.
- Example: Base Generic Emitter Interface
The Base Generic Emitter interface defines how audit events are emitted. Other interfaces can exist to extend this interface and to process specific audit event groupings, such as security events, transactional events, or some other custom grouping. Use this interface to create a custom implementation of the emitter.
Related
Auditing the security infrastructure
Configure auditable events using scripting