Use the audit reader
The audit reader is a utility used to read the binary audit logs generated by the default binary emitter implementation. The audit reader parses the audit log to generate an HTML report. The audit reader is invoked using wsadmin commands and is not accessible using the administrative console.
The audit reader can only be used to parse log files created by the default audit service provider. Logs created by a third-party emitter cannot be parsed by the audit reader.
Your audit logs might be encrypted, signed, encrypted and signed or neither encrypted nor signed. The audit reader is able to parse any of these combinations to generate an HTML report. If the audit log file is encrypted, the password of the keystore storing the certificate used to encrypt the log must be provided. The showAuditLogEncryptionInfo wsadmin command can be used to get information to determine which keystore was used to sign the audit log.
Depending on the selections made in the audit service provider configuration, the audit logs can grow large enough to be cumbersome to review. The data recorded in the log depends on the event type filters in use and on whether verbose logging was specified. Options are provided to further limit the data included in the HTML report generated by the audit reader to a specified subset. The audit reader can parse the same data multiple times to generate separate reports for different requirements.
By default, all event types, outcome types, timestamps, and sequence numbers are gathered from the binary audit log and generated into a report. A sequence number is a unique identifier assigned to each audit record. Options are provided to limit the report to specific event types, specific outcome types, specific sequence numbers, or records with specific timestamps.
The report type controls what data is reported for each audit record in the log file. The default report type includes the following data for each audit record:
- creationTime
- action
- progName
- registryType
- domain
- realm
- remoteAddr
- remotePort
- remoteHost
- resourceName
- resourceType
- resourceUniqueId
The complete report type generates a report based on all the data that was logged for the selected audit records. It includes all the data that is included by the default report type plus all the additional datapoints that were logged for these audit records. The additional datapoints available for an audit record vary depending on the event type it represents.
A custom report type is also included. Use the custom report type to specify only the datapoints that you want generated in the report. A report may be generated based on the following criteria:
- all or specific event types
- all or specific outcome types
- all or a specific sequence number range
- all or a specific timestamp range
Tasks
Run the binaryAuditLogReader wsadmin command to use the audit reader to generate a log report. See AuditReaderCommands for more information.
After completing these steps, you will have an HTML report containing the data specific to your requirement.
Example
Audit Event Outcome Codes
In a binary audit log or the output of the audit reader tool, audit event outcomes are expressed with a numeric code. Use this table to associate the audit event outcome code in the binary audit logs with a generic error message.
Outcome reason code    Description
0    An error occurred while parsing the certificate.
1    The security context does not exist for the thread.
2    There is conflicting session evidence.
3    The session has been rejected.
4    The token has expired.
5    Successful authentication has occurred.
6    Successful authentication for accessing a resource has occurred.
7    Successful authentication occurred while mapping a user.
8    Successful authorization has occurred.
9    Login termination was successful.
10   Invalid evidence exists.
11   There was a GSS formatting error.
12   Credentials were unauthenticated.
13   Authentication failed.
14   An invalid resource was accessed.
15   Authentication was denied.
16   Authorization was denied.
17   Access was denied because of an authentication failure.
18   Authorization was excluded.
19   Authorization was excluded because of access without a proper security role.
20   An unsupported authentication mechanism was used.
21   An authentication redirect occurred.
22   The context does not exist.
23   A TAI challenge occurred.
24   A TAI validation was not successful.
25   A TAI mapping was not successful.
26   A provider failure occurred.
27   An SSO token validation was not successful.
28   An invalid user ID or password was provided.
29   A login form was sent.
30   An invalid configuration exists.
31   A user ID or password is missing.
32   Failure occurred for an unknown reason.
33   The account was disabled because of retry violations.
34   The account was locked out because of retry violations.
35   The account was locked out because the maximum number of unsuccessful login attempts has occurred.
36   The account is disabled.
37   The account has expired.
38   The account is unlocked.
39   The maximum inactive time permitted for the account has elapsed.
40   The password has expired.
41   The minimum interval for a password change has not yet elapsed.
42   The maximum interval permitted before a password must be changed has elapsed.
43   An authentication failure has occurred.
44   An invalid user name was provided.
45   A PIN is required.
46   This outcome code is not used in this release.
47   A user mapping did not occur successfully.
48   A certificate failure occurred.
49   A policy violation has occurred.
50   A policy violation has occurred because of the time of day.
51   The policy allows access.
52   A policy violation has occurred because the maximum number of unsuccessful login attempts has been reached.
53   A user name mismatch has occurred.
54   An invalid user password was provided.
55   A token signature violation has occurred.
56   The token is not yet valid.
57   The token is not supported.
58   The token is not in a valid format.
59   A credential mapping failure occurred.
60   The delegate is not authorized.
61   Access to a resource is unauthorized because of an authorization.
62   Access to a resource is unauthorized because of a time of day policy.
63   Access to a resource is unauthorized.
64   Access to a resource is unauthorized because of quality of protection.
65   Access to a resource is unauthorized because of an authorization level.
66   Access to a resource is unauthorized because reauthentication is required.
67   A password error has occurred because it does not meet password standards: minimum alphabetic characters required.
68   A password error has occurred because it does not meet password standards: minimum alphanumeric characters required.
69   A password error has occurred because it does not meet password standards: minimum numeric characters required.
70   A password error has occurred because it does not meet password standards: minimum lowercase alphabetic characters required.
71   A password error has occurred because it does not meet password standards: minimum uppercase alphabetic characters required.
72   A password error has occurred because it does not meet password standards: minimum special characters required.
73   A password error has occurred because it does not meet password standards: maximum repeated characters exceeded.
74   A password error has occurred because it does not meet password standards: contains user name.
75   A password error has occurred because it does not meet password standards: reused password.
76   A password error has occurred because it does not meet password standards: contains previous password.
77   A password error has occurred because it does not meet password standards: violations in number of characters.
78   A password error has occurred because it does not meet password standards: first or last characters are numeric.
79   An illegal form login configuration exists.
80   Access is denied because of an incorrect URI.
81   Start was successful.
82   Stop was successful.
83   The audit subsystem has been stopped.
84   The audit subsystem has successfully been enabled.
85   The audit subsystem has had a successful policy change.
86   Delegation was successful.
87   Delegation was not successful.
88   The audit subsystem has successfully been disabled.
89   An audit subsystem error has occurred because a security header is missing.
90   An audit timestamp has been confirmed.
91   A bad audit timestamp has occurred.
92   Audit confidentiality has been confirmed.
93   Audit confidentiality cannot be confirmed.
94   An audit decryption error has occurred.
103  A login attempt has been made by a user who has already logged in successfully.
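The four selection criteria (event type, outcome type, sequence number range, timestamp range) and the outcome reason code table above are applied here in an added Python example that is not part of the audit reader or its documentation: it filters already-decoded audit records the way the reader's report options do and labels each outcome with its description from the table. The record fields, the event type names SECURITY_AUTHN and SECURITY_AUTHZ, and all sample values are constructed assumptions, not the binary log format itself.

```python
# Outcome reason codes taken from the table on this page (subset).
OUTCOME_CODES = {
    5: "Successful authentication has occurred.",
    8: "Successful authorization has occurred.",
    16: "Authorization was denied.",
    28: "An invalid user id or password was provided.",
    35: "The account was locked out because the maximum number of unsuccessful login attempts has occurred.",
}

# Constructed sample records (already decoded), using default-report fields plus
# eventType and outcome; the event type names are assumed for illustration.
SAMPLE_RECORDS = [
    {"seqNum": 1, "creationTime": "2024-05-01T08:00:00", "eventType": "SECURITY_AUTHN",
     "outcome": 5, "remoteAddr": "10.0.0.5", "resourceName": "/app/login"},
    {"seqNum": 2, "creationTime": "2024-05-01T08:00:05", "eventType": "SECURITY_AUTHN",
     "outcome": 28, "remoteAddr": "10.0.0.9", "resourceName": "/app/login"},
    {"seqNum": 3, "creationTime": "2024-05-01T08:00:10", "eventType": "SECURITY_AUTHN",
     "outcome": 28, "remoteAddr": "10.0.0.9", "resourceName": "/app/login"},
    {"seqNum": 4, "creationTime": "2024-05-01T08:00:15", "eventType": "SECURITY_AUTHN",
     "outcome": 35, "remoteAddr": "10.0.0.9", "resourceName": "/app/login"},
    {"seqNum": 5, "creationTime": "2024-05-01T08:01:00", "eventType": "SECURITY_AUTHZ",
     "outcome": 16, "remoteAddr": "10.0.0.9", "resourceName": "/app/admin"},
]

def describe_outcome(code):
    """Map a numeric outcome reason code to its description from the table."""
    return OUTCOME_CODES.get(code, "unknown outcome reason code %s" % code)

def filter_records(records, event_types=None, outcomes=None, seq_range=None, time_range=None):
    """Apply the four selection criteria the audit reader offers; None means 'all'.
    seq_range and time_range are inclusive (lo, hi) pairs. Timestamps are fixed-width
    ISO 8601 strings, so plain string comparison orders them chronologically."""
    selected = []
    for rec in records:
        if event_types is not None and rec["eventType"] not in event_types:
            continue
        if outcomes is not None and rec["outcome"] not in outcomes:
            continue
        if seq_range is not None and not seq_range[0] <= rec["seqNum"] <= seq_range[1]:
            continue
        if time_range is not None and not time_range[0] <= rec["creationTime"] <= time_range[1]:
            continue
        selected.append(rec)
    return selected

def report_rows(records):
    """Rows like the reader's report: sequence, time, source, resource, outcome text."""
    return [(r["seqNum"], r["creationTime"], r["remoteAddr"], r["resourceName"],
             describe_outcome(r["outcome"])) for r in records]
```

Narrowing the report to outcomes 28 and 35 is the kind of subset a reviewer wants: it isolates the failed logins from one source address and the lockout that followed them without wading through every successful event.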