
AuditReaderCommands

Use the Jython scripting language to manage the security auditing system with the wsadmin tool. Use the commands in the AuditReaderCommands group to display audit record information from the binary audit log.

Use the following commands to query the binary audit log:


binaryAuditLogReader

The binaryAuditLogReader command reads the default binary audit log and generates an HTML report based on the parameters we provide. We must use the auditor security role to use this command.

Target object: None.

Required parameters:

-fileName

Fully qualified file name for the binary audit log. (String, required)

-outputLocation

Location of the HTML report that the command generates. (String, required)

Optional parameters:

-reportMode

Type of report to generate. Valid values include basic, complete, or custom. The basic report provides the following configuration information:

  • creationTime
  • action
  • progName
  • registryType
  • domain
  • realm
  • remoteAddr
  • remotePort
  • remoteHost
  • resourceName
  • resourceType
  • resourceUniqueId

The complete report provides the data included by the default report type and each additional datapoint of interest. The custom report allows us to specify only the datapoints we choose to see generated. The default is basic. (String, optional)

See the Data point values table for the information that is available with each of the report types.

-eventFilter

Audit types to read and report. Specify one or more audit event types. If we specify more than one value for the eventFilter parameter, separate each audit event type with a colon character (:). (String, optional)

-outcomeFilter

Audit event outcomes to read and report. Specify one or more audit event outcomes. If we specify more than one value for the outcomeFilter parameter, separate each audit event outcome with a colon character (:). (String, optional)

-sequenceFilter

List of beginning and ending sequence numbers. Use the a:b syntax, where a is the starting sequence number where the HTML report begins and is less than or equal to b, the sequence number where the HTML report ends. A single sequence number may also be specified, such as -sequenceFilter 10, to generate a report for only the tenth record. (String, optional)

-timeStampFilter

Time stamp range of records to read and report. Use the a:b syntax, where a and b are strings in the format java.text.SimpleDateFormat("MMddhhmmyyyy"). We can also specify a single timestamp. (String, optional)

-keyStorePassword

Specifies the password to open the keystore. (String, optional)

-dataPoints

List of specific audit data to use to generate the report. Use this option only when we set the reportMode parameter as custom. If we specify multiple data points, separate each data point with a colon character (:). (String, optional)

| Data point name | reportMode value | Context object name | Field name | Description |
|---|---|---|---|---|
| RemoteAddr | basic | SessionContextObj | remoteAddr | The data point provides the IP address for the default remote host. |
| RemotePort | basic | SessionContextObj | remotePort | The data point provides the port of the default remote host. |
| RemoteHost | basic | SessionContextObj | remoteHost | The data point provides the host name of the remote host. |
| RegistryType | basic | RegistryContextObj | type | The data point provides the type of user registry being used, such as LDAP or AIX. |
| Domain | basic | ProcessContextObj | domain | The data point provides the domain to which the user belongs. |
| Realm | basic | ProcessContextObj | realm | The data point provides the registry partition to which the user belongs. |
| CreationTime | basic | EventContextObj | creationTime | The data point provides the date an event was created. |
| ProgName | basic | AccessContextObj | progName | The data point provides the name of the program that was involved in the event. |
| Action | basic | AccessContextObj | action | The data point provides the action being performed. |
| ResourceName | basic | AccessContextObj | resourceName | The data point provides the name of the resource in the context of the application. |
| ResourceType | basic | AccessContextObj | resourceType | The data point provides the type of resource. |
| ResourceUniqueId | basic | AccessContextObj | resourceUniqueId | The data point provides the unique identifier of the resource. |
| SessionId | complete | SessionContextObj | sessionId | The data point provides an identifier for the default user session. |
| FirstCaller | basic | PropagationContextObj | firstCaller | The data point provides the identity of the first user in the caller list. |
| DelegationType | complete | DelegationContextObj | delegationType | The data point provides the delegation type. The delegation types are no delegation, simple delegation, method delegation or switch user delegation information. |
| RoleName | complete | DelegationContextObj | roleName | The data point provides the Run as role being used. The Run as roles are runAsClient, runAsSpecified, runAsSystem, or own ID. |
| IdentityName | complete | DelegationContextObj | identityName | The data point provides information about the mapped user. |
| AuthnType | complete | AuthnContextObj | authnType | The data point provides the type of authentication being used. |
| Provider | complete | ProviderContextObj | provider | The data point returns the provider of the authentication or authorization service. |
| ProviderStatus | complete | ProviderContextObj | providerStatus | The data point provides the status of whether the authentication or authorization event was successfully processed by the provider. |
| MappedSecurityDomain | complete | AuthnMappingContextObj | mappedSecurityDomain | The data point provides the security domain after the mapping has occurred. |
| MappedRealm | complete | AuthnMappingContextObj | mappedRealm | The data point provides the realm name after the mapping has occurred. |
| MappedUserName | complete | AuthnMappingContextObj | mappedUserName | The data point provides the user name after the mapping has occurred. |
| TerminateReason | basic | AuthnTermContextObj | terminateReason | The data point provides the reason that authentication ended. |
| RegistryUserName | basic | AccessContextObj | registryUserName | The data point provides the name of the user in the registry. |
| AppUserName | basic | AccessContextObj | appUserName | The data point provides the name of the user within an application. |
| AccessDecision | complete | AccessContextObj | accessDecision | The data point provides the decision of the authorization call. |
| PermissionsChecked | complete | AccessContextObj | permissionsChecked | The data point provides the permissions that were checked during the authorization call. |
| PermissionsGranted | complete | AccessContextObj | permissionsGranted | The data point provides the permissions that were granted during the authorization call. |
| RolesChecked | complete | AccessContextObj | rolesChecked | The data point provides the roles that were checked during the authorization call. |
| RolesGranted | complete | AccessContextObj | rolesGranted | The data point provides the roles that were granted during the authorization call. |
| PolicyName | complete | PolicyContextObj | policyName | The data point provides the name of the policy. |
| PolicyType | complete | PolicyContextObj | policyType | The data point provides the type of policy. |
| KeyLabel | basic | KeyContextObj | keyLabel | The data point provides the key or certificate label. |
| KeyLocation | basic | KeyContextObj | keyLocation | The data point provides the physical location of the key database. |
| CertLifetime | basic | KeyContextObj | certLifetime | The data point provides the date when a certificate expires. |
| MgmtType | complete | MgmtContextObj | mgmtType | The data point provides the type of management operation. |
| MgmtCommand | complete | MgmtContextObj | mgmtCommand | The data point provides the application-specific command that was performed. |
| Url | complete | ResponseContextObj | url | The data point provides the URL of the HTTP request. |
| CallerList | basic | PropagationContextObj | callerList | The data point provides a list of names that represent the identities of the users. |
| HttpRequestHeaders | complete | ResponseContextObj | httpRequestHeaders | The data point provides the HTTP request headers provided by the client. |
| HttpResponseHeaders | complete | ResponseContextObj | httpResponseHeaders | The data point provides the HTTP response headers that are returned by the server. |
| TargetInfoName | complete | ResponseContextObj | httpResponseHeaders | The object the operation is targeted against. |
| TargetInfoUniqueId | complete | ResponseContextObj | httpResponseHeaders | The unique identifier of the target. |
| OutcomeReasonCode | complete | ResponseContextObj | httpResponseHeaders | A code mapping to an outcome decision: 1 means a certificate parsing error; 2 means a security context error. |

Return value.

The command returns the HTML report based on the values specified for each parameter to the location specified by the outputLocation parameter.

Batch mode example usage
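
A batch-mode call for this command, as an added example rather than IBM's own sample: the helpers below check the filter syntax described above and build the Jython list that is passed to AdminTask.binaryAuditLogReader. The helper names (to_audit_timestamp, check_range, build_reader_args, run_reader) are hypothetical; outside wsadmin, where AdminTask is undefined, run_reader returns the argument list instead of calling the command.

```python
import re
import time

REPORT_MODES = ('basic', 'complete', 'custom')

def to_audit_timestamp(time_tuple):
    # The page gives SimpleDateFormat("MMddhhmmyyyy"); "hh" is the 12-hour
    # clock field, so the matching strftime directive is %I, not %H.
    return time.strftime('%m%d%I%M%Y', time_tuple)

def check_range(name, value, pattern):
    parts = value.split(':')
    if len(parts) > 2 or [p for p in parts if not re.match(pattern, p)]:
        raise ValueError('%s must be a or a:b, got %r' % (name, value))
    if name == 'sequenceFilter' and int(parts[0]) > int(parts[-1]):
        raise ValueError('sequenceFilter start must be <= end')
    return value

def build_reader_args(fileName, outputLocation, reportMode='basic',
                      eventFilter=None, outcomeFilter=None, dataPoints=None,
                      sequenceFilter=None, timeStampFilter=None,
                      keyStorePassword=None):
    if reportMode not in REPORT_MODES:
        raise ValueError('reportMode must be one of %s' % (REPORT_MODES,))
    if dataPoints and reportMode != 'custom':
        raise ValueError('dataPoints is only valid with reportMode custom')
    args = ['-fileName', fileName, '-outputLocation', outputLocation,
            '-reportMode', reportMode]
    # Multi-valued parameters are joined with a colon, as the page specifies.
    for flag, values in (('-eventFilter', eventFilter),
                         ('-outcomeFilter', outcomeFilter),
                         ('-dataPoints', dataPoints)):
        if values:
            args += [flag, ':'.join(values)]
    if sequenceFilter:
        args += ['-sequenceFilter',
                 check_range('sequenceFilter', sequenceFilter, r'^\d+$')]
    if timeStampFilter:
        args += ['-timeStampFilter',
                 check_range('timeStampFilter', timeStampFilter, r'^\d{12}$')]
    if keyStorePassword:  # supply from a prompt, not a literal in the script
        args += ['-keyStorePassword', keyStorePassword]
    return args

def run_reader(**params):
    args = build_reader_args(**params)
    try:
        return AdminTask.binaryAuditLogReader(args)  # defined only in wsadmin
    except NameError:
        return args  # outside wsadmin: return the arguments for inspection
```
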

Interactive mode example usage


showAuditLogEncryptionInfo

The showAuditLogEncryptionInfo command displays information about the keystore that the auditing system uses to encrypt audit records. Use this information as a hint for the keystore password that is required to decrypt encrypted audit records in the binary audit log.

Target object: None.

Required parameters:

-fileName

Fully qualified path of the binary audit log. (String, required)

Return value.

The command returns the certificate alias and the fully qualified path to the keystore of interest.

Batch mode example usage

Interactive mode example usage
