Process flow for [logging] and logcfg logging
We can configure WebSEAL auditing by using both the [logging] stanza and the [aznapi-configuration] stanza.
When we use both configuration settings, WebSEAL processes the [aznapi-configuration] stanza before the [logging] stanza.
For example, assuming the following entries in the WebSEAL configuration file:
    [logging]
    requests = yes
    requests-file = request.log

    [aznapi-configuration]
    logcfg = stats.pdweb.authn:file path=stats.log,log_id=stats
    logcfg = http.agent:file path=abc.log,log_id=httplogs
    logcfg = http.ref:file log_id=httplogs
WebSEAL processes these entries in the following manner:
- The [aznapi-configuration] stanza is read.
- The stats.log file with log_id=stats is opened. All stats.pdweb.authn events are logged to this file.
- The abc.log file with log_id=httplogs is opened. All http.agent events are logged to this file.
- Because the next log agent uses log_id=httplogs, all http.ref events are logged to the previously opened abc.log file.
- The [logging] stanza is read.
- HTTP request logging is enabled. All http.clf events are logged to the request.log file that uses the default log_id=clf. See the following example for an explanation of this default identifier.
HTTP logging using the [logging] stanza operates by generating its own default log agent entries. Each HTTP log file has a default value for the log_id parameter.
    Log file       log_id
    request.log    log_id=clf
    referer.log    log_id=ref
    agent.log      log_id=agent

If a logcfg entry in the [aznapi-configuration] stanza contains the same log_id as one used in the [logging] stanza, the HTTP log file is not created. Audit events with the same log_id are directed to one log file only. That log file is always the first one opened.
In the following example, the abc.log file with log_id=clf is opened first. Because the HTTP request logging defined in the [logging] stanza uses the default log_id=clf, the request.log file is never created and all http.clf (requests) events are directed to the abc.log file.
    [logging]
    requests = yes
    requests-file = request.log

    [aznapi-configuration]
    logcfg = http.agent:file path=abc.log,log_id=clf
    logcfg = http.ref:file log_id=clf
HTTP logging can be configured in the [logging] and [aznapi-configuration] stanzas. Therefore, it is possible to have duplicate entries for HTTP events in a log file when both mechanisms are enabled. In the following example, http.clf audit events are recorded twice in the abc.log file:
- From the event logging configuration.
- From the enabled request logging, which uses log_id=clf by default. The request.log file is not created because the abc.log file with log_id=clf is opened first.
    [logging]
    requests = yes
    requests-file = request.log

    [aznapi-configuration]
    logcfg = http.agent:file path=abc.log,log_id=clf
    logcfg = http.ref:file log_id=clf
    logcfg = http.clf:file log_id=clf
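The processing order and log_id rules above can be checked against a configuration before it is deployed. The following Python sketch is an added example, not IBM code and not part of the original page: it models only the rules stated here (the [aznapi-configuration] stanza is read first, the first file opened for a log_id wins, and HTTP logs use the default log_id values from the table). The referers and agents key names and the fallback from a missing log_id to the path are assumptions.

```python
# Default event and log_id per [logging] key. Only "requests" appears in this
# page's configs; the "referers"/"agents" key names are assumptions here.
HTTP_DEFAULTS = {"requests": ("http.clf", "clf"), "referers": ("http.ref", "ref"),
                 "agents": ("http.agent", "agent")}
# The page's last example configuration.
PAGE_EXAMPLE = """
[logging]
requests = yes
requests-file = request.log
[aznapi-configuration]
logcfg = http.agent:file path=abc.log,log_id=clf
logcfg = http.ref:file log_id=clf
logcfg = http.clf:file log_id=clf
"""

def parse(text):
    """Split the config into [logging] keys and ordered logcfg entries."""
    stanza, logging, logcfg = None, {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            stanza = line.strip("[]")
        elif "=" in line and stanza == "logging":
            key, _, value = line.partition("=")
            logging[key.strip()] = value.strip()
        elif stanza == "aznapi-configuration" and line.startswith("logcfg"):
            logcfg.append(line.partition("=")[2].strip())
    return logging, logcfg

def resolve(text):
    """Return event routes, HTTP log files never created, and duplicates."""
    logging, logcfg = parse(text)
    opened, routes, never_created = {}, [], []
    for entry in logcfg:  # [aznapi-configuration] is processed first
        category, _, rest = entry.partition(":")
        opts = dict(p.strip().split("=", 1)
                    for p in rest.partition(" ")[2].split(",") if "=" in p)
        lid = opts.get("log_id", opts.get("path"))  # fallback is an assumption
        opened.setdefault(lid, opts.get("path"))    # first file opened wins
        routes.append((category.strip(), opened[lid]))
    for key, (event, lid) in HTTP_DEFAULTS.items():  # then [logging]
        if logging.get(key, "no").lower() == "yes":
            if lid in opened:
                never_created.append(logging.get(key + "-file"))
            opened.setdefault(lid, logging.get(key + "-file"))
            routes.append((event, opened[lid]))
    dupes = sorted({r for r in routes if routes.count(r) > 1})
    return {"routes": routes, "never_created": never_created, "duplicates": dupes}
if __name__ == "__main__":
    print(resolve(PAGE_EXAMPLE))
```

A non-empty never_created list means log collection that watches that file will see nothing, and a non-empty duplicates list means event counts taken from the shared file are inflated.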