Admin Console Auditing Service

This feature allows users to log all actions and operations executed via the admin console for auditing purposes.

Configuring the Auditing Service

All operations executed by users with access to the admin console will be translated to events that correspond to the specific admin user that executed the operation and the asadmin command (and its parameters) that is equivalent to the operation being executed in the admin console. For example if the default admin user modifies the monitoring level of the Web Services Container, the following event will be generated:

AUDIT - admin issued command set with parameters
{
    DEFAULT: [configs.config.server-config.monitoring-service.module-monitoring-levels.web-services-container=HIGH]
}

The auditing service will relay these events to the Notification Service. In this manner, administrators can be alerted of suspicious activity as soon as possible.

This service can be configured from the admin console and from the command line.

From the Admin Console

The auditing service configuration can be found in the web console under Configurations<configuration-name>`SecurityAdmin Audit:

Admin Audit Service in Web Console

Once enabled, actions in the admin console that have a corresponding asadmin command will be sent to the Notification service.

Check the Enabled option (and the Dynamic option too if you don’t want to restart the domain) to switch the auditing service on.

The Audit Level options sets the level of operations that will be logged:

MODIFIERS

(Default setting) All operations that modify the configuration of the server in some capacity.

ACCESSORS

All operations query the configuration of the server in some capacity.

INTERNAL

All existing operations, including internal operations of the server.

Aside from this configuration setting, you can also define which notifiers will be used to relay the admin console audit events by moving them to the Selected Notifiers box.

Activate Notifiers in the Admin Console

Keep in mind that for audit events to be relayed to the selected notifiers, both the Notification Service and each selected notifier must be enabled and configured beforehand.
You don’t need to manually add each notifier on this screen. When enabling a notifier on its configuration screen, the server will automatically add it to the list of selected notifiers for the Admin audit service. This same result occurs when enabling the notifier using the appropriate asadmin command.

From the Command Line

The following is the list of available asadmin commands with their available options to configure the auditing service:

set-admin-audit-configuration

Usage

asadmin> set-admin-audit-configuration

Aim

This command can be used to set the configuration settings of the service.

Command Options
Option Type Description Default Mandatory

--enabled

Boolean

Enables or disables the service

false

No

--dynamic

Boolean

Whether to apply changes immediately of after a domain restart.

false

No

--auditLevel

String

Sets the auditing level. One of:

  • MODIFIERS

  • ACCESSORS

  • INTERNAL

MODIFIERS

No

Example
asadmin> set-admin-audit-configuration --enabled=true --dynamic=true --auditLevel=ACCESSORS

Command set-admin-audit-configuration executed successfully.

set-admin-audit-service-notifier-configuration

Usage
asadmin> set-admin-audit-service-notifier-configuration
 --notifier=<string>
 --enabled=true|false
 --dynamic=true|false
 --noisy=true|false
Aim

This command can be used to enable or disable a specific notifier and the verbosity of the events being relayed.

Command Options
Option Type Description Default Mandatory

--notifier

String

The notifier to configure. One of (case-insensitive):

  • LOG

  • HIPCHAT

  • SLACK

  • JMS

  • EMAIL

  • XMPP

  • SNMP

  • EVENTBUS

  • NEWRELIC

  • DATADOG

  • CDIEVENTBUS

-

yes

--enable

Boolean

Enables or disables the notifier

false

Yes

--noisy

Boolean

Enables or disables noisy mode. A noisy notifier includes verbose information in the notifiers output.

-

No

--dynamic

Boolean

Whether to apply the changes immediately or after server restart

false

No

--target

String

The instance or cluster that will be configured

server

no

Examples

To configure the auditing service to relay events to the log notifier without having to restart the domain run the following command:

asadmin> set-admin-audit-service-notifier-configuration --notifier=log --enabled=true --dynamic=true --noisy=false
log.enabled was false set to true
log.noisy was true set to false

Command set-admin-audit-service-notifier-configuration executed successfully.

get-admin-audit-configuration

Usage

asadmin> get-admin-audit-configuration

Aim

This command can be used to list the configuration settings of the auditing service.

Command Options

There are no available options for this command.

Example

Running the following command will yield the current configuration of the auditing service:

asadmin> get-admin-audit-configuration

Enabled  Audit Level
false    MODIFIERS
Name     Notifier Enabled
LOG      false

Command get-admin-audit-configuration executed successfully.
The first row corresponds to the service configuration, second row onwards will detail any notifiers being configured..