Configure the default audit service providers for security auditing
The audit service provider is used to format the audit data object that was sent by the audit event factory. After being formatted, the audit data is recorded to the repository defined in the audit service provider configuration.
Before configuring the audit service provider, enable global security in the environment.
This task configures the audit service provider used to record generated audit records.
Tasks
- Click Security > Security Auditing > Audit service provider.
- Click New and then select Binary file based emitter.
- Enter the unique name that should be associated with this audit service provider in the Name field.
- Enter the file location of the binary log file in the Audit log file location field.
When the server is stopped, the current audit file is saved with a timestamp in its file name; this facilitates archiving and lets us identify the audit files that cover a specific period. When we start the server again, audit data is written to a new audit file whose name does not include a timestamp.
- Optional: Enter the maximum size allowed for a single binary log file in the Audit log file size field.
This field is specified in megabytes. After the maximum audit file size is reached, a new audit file is created or an existing audit file is overwritten. If the maximum audit file size has not been set, the default value of 10 megabytes is used. There is no audit archiving utility included with the product. We are responsible for archiving our audit data.
- Optional: In the Maximum number of audit log files field, enter the maximum number of audit logs to be stored before the oldest is overwritten.
The default is 100; that value is also used if the field is left empty.
The maximum number of logs does not include the current binary log being written to. It refers to the maximum number of archived (timestamped) logs. The total number of binary logs that can exist for a server process is therefore the maximum number of archived logs plus the current log.
Also under this field, there are additional options to select the behavior when the maximum number of logs is reached. The choices are:
- oldest
- If we select this option, when the maximum number of audit logs is reached, the oldest audit log is overwritten; no notification is sent to the auditor.
- stop server
- This option does not rewrite over the oldest audit log. It stops the audit service, sends a notification to the SystemOut.log, and quiesces the application server.
- stop logging
- This option does not rewrite over the oldest audit log. It also stops the audit service, but does allow the WebSphere process to continue. Notifications are not posted in the SystemOut.log.
- Select the filters to be used by this audit service provider. The Selectable filter list consists of the filters that have been configured and are currently enabled.
- Select the filters that should be audited from the Selectable filter list.
- Click Add >> to add the selected filters to the Enabled filter list.
- Click Apply.
After completing these steps, our audit data will be sent to the specified repository in the format required by that repository.
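Because the product ships no archiving utility, the rotated (timestamped) binary logs accumulate until the maximum-log limit triggers the selected wrap behavior. The following script is an added example, not part of this page or of the product, showing one way to take responsibility for that: it moves every rotated log out of the audit directory, records a SHA-256 digest for each in a manifest (so tampering with an archived log is detectable later), never touches the live log, and flags when the number of rotated logs on disk has reached the configured maximum. The file-name pattern (BinaryAudit_<cell>_<node>_<server>.log for the live log, with a _yy.mm.dd_hh.mm.ss suffix for rotated ones), the manifest name and the sample files in build_sample_dir are assumptions for illustration; adjust the pattern to the names your server actually produces.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Assumed naming (not stated on the page): the live log is
# BinaryAudit_<cell>_<node>_<server>.log and a rotated log carries a
# _<yy.mm.dd_hh.mm.ss> timestamp before ".log". Adjust for your site.
ROTATED_RE = re.compile(r"^BinaryAudit_(.+)_(\d{2}\.\d{2}\.\d{2}_\d{2}\.\d{2}\.\d{2})\.log$")
CURRENT_RE = re.compile(r"^BinaryAudit_(.+)\.log$")
MANIFEST = "MANIFEST.sha256"  # assumed manifest file name


def classify(names):
    """Split file names into the live log (never touched) and rotated logs, oldest first."""
    current = None
    rotated = []
    for name in names:
        if ROTATED_RE.match(name):        # check the more specific pattern first
            rotated.append(name)
        elif CURRENT_RE.match(name):
            current = name
    # the stamp is zero-padded yy.mm.dd_hh.mm.ss, so lexical order is chronological
    rotated.sort(key=lambda n: ROTATED_RE.match(n).group(2))
    return current, rotated


def sha256_file(path):
    """Stream the file through SHA-256; audit logs can be large."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_rotated_logs(audit_dir, archive_dir=None, max_logs=100):
    """Move every rotated log out of audit_dir, append its digest to the manifest,
    and report whether the server had reached its maximum-log limit."""
    archive_dir = archive_dir or os.path.join(audit_dir, "archive")
    os.makedirs(archive_dir, exist_ok=True)
    current, rotated = classify(os.listdir(audit_dir))
    # With max_logs rotated files on disk, the next rotation triggers the configured
    # wrap behavior: overwrite the oldest, stop logging, or stop the server.
    wrap_imminent = len(rotated) >= max_logs
    archived = []
    with open(os.path.join(archive_dir, MANIFEST), "a") as manifest:
        for name in rotated:
            src = os.path.join(audit_dir, name)
            digest = sha256_file(src)  # hash before the move: manifest describes what was read
            shutil.move(src, os.path.join(archive_dir, name))
            manifest.write(f"{digest}  {name}\n")
            archived.append((name, digest))
    return {"current": current, "archived": archived, "wrap_imminent": wrap_imminent}


def read_manifest(archive_dir):
    """Return [(sha256, name), ...] from the manifest written by archive_rotated_logs."""
    with open(os.path.join(archive_dir, MANIFEST)) as f:
        return [tuple(line.rstrip("\n").split("  ", 1)) for line in f if line.strip()]


def build_sample_dir():
    """Constructed sample: one live log plus three rotated logs, for trying this offline."""
    d = tempfile.mkdtemp(prefix="wasaudit_")
    files = {
        "BinaryAudit_cell01_node01_server1.log": b"live-records",
        "BinaryAudit_cell01_node01_server1_24.01.15_08.00.00.log": b"rec-1",
        "BinaryAudit_cell01_node01_server1_24.01.16_08.00.00.log": b"rec-2",
        "BinaryAudit_cell01_node01_server1_24.01.17_08.00.00.log": b"rec-3",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print(archive_rotated_logs(sample, max_logs=3))
```

Run it from a scheduled job on the node with read/write access to the audit log location, and store the archive directory (or at least the manifest) somewhere the application server identity cannot write, so the digests stay trustworthy even if the server is compromised. With wrap_imminent reported true and the "oldest" behavior selected, records have already been at risk of being overwritten; lower the archiving interval or raise the maximum number of logs.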
What to do next
After creating an audit service provider, it must be associated with an audit event factory, which provides the audit data objects to the audit service provider. Next we should configure an audit event factory.
Subtopics
- Audit service provider collection
- Audit service provider settings
- Example: Base Generic Emitter Interface
Related topics
- Auditing the security infrastructure
- Configure auditable events using scripting