Use the audit reader
The audit reader is a utility that can be used to read the binary audit logs generated by the default binary emitter implementation. The audit reader parses the audit log to generate an HTML report. The audit reader is invoked using wsadmin commands and is not accessible using the admin console.
The audit reader can only be used to parse log files that are created by the default audit service provider. Logs created by a third-party emitter can not be parsed by the audit reader.
Your audit logs might be encrypted, signed, encrypted and signed or neither encrypted nor signed. The audit reader is able to parse any of these combinations to generate an HTML report. If the audit log file is encrypted, the password of the keystore storing the certificate used to encrypt the log must be provided. The showAuditLogEncryptionInfo wsadmin command can be used to get information to determine which keystore was used to sign the audit log.
Depending on the selections you made in the audit service provider configuration, the size of the audit logs can become large enough to make them cumbersome to review. What data has been recorded into the log is dependant on the event type filers we are using and whether you specified to use verbose logging. Options are provided for you to further limit the data included in the HTML report that is generated by the audit reader to a subset specified. The audit reader can be used to parse the same data multiple times to generate separate reports for the different requirements.
By default, all event types, outcome types, timestamps, and sequence numbers will be gathered from the Binary Audit log and generated into a report. The ability to specify only specific event types, only specific sequence numbers, only records with specific timestamps, as well as specific outcome types is provided. A sequence number is a unique identifier assigned to each audit record. Options exist to limit which events, outcomes, and sequence numbers are included in the report. The report type controls what data is reported for each audit record in the log file.
The default report type includes the follow data for each audit record:
- creationTime
- action
- progName
- registryType
- domain
- realm
- remoteAddr
- remotePort
- remoteHost
- resourceName
- resourceType
- resourceUniqueId
The complete report type generates a report based on all the data that was logged for the selected audit records. The complete report type includes all the data that is included by the default report type and all the additional datapoints that were logged for these audit records. The additional available datapoints for an audit record varies depending on the event type it represents. A custom report type is also included. Use the custom report type to specify only the datapoints that you want generated in the report. A report may be generated based on the following criteria:
- all or specific event types
- all or specific outcome types
- all or a specific sequence number range
- all or a specific timestamp range
Run the binaryAuditLogReader wsadmin command to use the audit reader to generate a log report. See AuditReaderCommands
Results
After you complete these steps, you will generated an HTML report containing the data specific to the requirement.
Example: Audit Event Outcome Codes
Related tasks
Encrypting the security audit records
Signing the security audit records
Protecting the security audit data
Set the default audit service providers for security auditing
Audit the security infrastructure
Related
AuditReaderCommands
AuditEmitterCommands for AdminTask