PhenixID

PSD1109 – Send Identity Manager audit log to database

Fact

PhenixID Identity Manager 5.1.0 to 5.3.3.

This document does NOT cover the basics of logging. The basics, such as logging levels, are explained in PSD1105.

Situation

This document describes the steps needed to send Identity Manager (IM) audit logging to a database. It is assumed that a database and a table for the audit log have already been created.

Solution

1. Edit log4j.xml

Logging is configured in log4j.xml, located in /customer/extension/class. By default the audit log is sent to a file.

2. Available log values

The values that can be written to the database are the standard log4j values, such as the time, the log level and the whole log message. If you would like to split the log message into separate columns in the database table, the following values are provided:

%X{audit.userDN} - The DN for the logged in user
%X{audit.objectDN} - The DN for the affected object
%X{audit.message} - The audit message, without the above values

3. Example

<appender name="jdbc" class="org.apache.log4j.jdbc.JDBCAppender">
  <param name="URL" value="jdbc:jtds:sqlserver://192.168.0.53:1433/IMAudit" />
  <param name="Driver" value="net.sourceforge.jtds.jdbc.Driver" />
  <param name="User" value="admin" />
  <param name="Password" value="password" />
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="INSERT INTO imaudit (auditDate, userDN, objectDN, message) VALUES ( '%d{yyyy-MM-dd HH:mm:ss}', '%X{audit.userDN}','%X{audit.objectDN}','%X{audit.message}' )" />
  </layout>
</appender>

<logger name="audit">
  <level value="DEBUG"/>
  <appender-ref ref="jdbc"/>
</logger>

This is an example of sending the audit log to a Microsoft SQL Server database. If you are using another database, use the appropriate driver and URL.
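As an added check, the following Python script (example code written for this document, not part of Identity Manager or log4j) parses a log4j.xml and verifies the wiring from sections 2 and 3: that the audit logger references a JDBCAppender, that its ConversionPattern is an INSERT whose column list lines up with the quoted values, and that all three audit MDC keys are written. The embedded sample configuration is constructed from the fragment above; the finding messages are the script's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the appender/logger fragment in this document.
SAMPLE_LOG4J_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jdbc" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:jtds:sqlserver://192.168.0.53:1433/IMAudit"/>
    <param name="Driver" value="net.sourceforge.jtds.jdbc.Driver"/>
    <param name="User" value="admin"/>
    <param name="Password" value="password"/>
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="INSERT INTO imaudit (auditDate, userDN, objectDN, message) VALUES ( '%d{yyyy-MM-dd HH:mm:ss}', '%X{audit.userDN}','%X{audit.objectDN}','%X{audit.message}' )"/>
    </layout>
  </appender>
  <logger name="audit">
    <level value="DEBUG"/>
    <appender-ref ref="jdbc"/>
  </logger>
</log4j:configuration>"""

# MDC keys Identity Manager provides for splitting the audit message into columns.
REQUIRED_MDC_KEYS = {"audit.userDN", "audit.objectDN", "audit.message"}

def check_audit_wiring(xml_text):
    """Return a list of findings; an empty list means the wiring looks consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    appenders = {a.get("name"): a for a in root.iter("appender")}
    logger = next((lg for lg in root.iter("logger") if lg.get("name") == "audit"), None)
    if logger is None:
        return ['no <logger name="audit"> defined']
    refs = [appenders.get(r.get("ref")) for r in logger.findall("appender-ref")]
    jdbc = [a for a in refs if a is not None and a.get("class", "").endswith("JDBCAppender")]
    if not jdbc:
        return ["audit logger does not reference a JDBCAppender"]
    layout_param = jdbc[0].find("layout/param[@name='ConversionPattern']")
    if layout_param is None:
        return ["no ConversionPattern on the jdbc layout"]
    pattern = layout_param.get("value")
    # The column list must line up with the quoted values PatternLayout expands.
    m = re.search(r"INSERT\s+INTO\s+\w+\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)", pattern, re.I | re.S)
    if m is None:
        return ["ConversionPattern is not an INSERT ... VALUES statement"]
    columns = [c.strip() for c in m.group(1).split(",")]
    values = re.findall(r"'[^']*'", m.group(2))
    if len(columns) != len(values):
        findings.append(f"{len(columns)} columns but {len(values)} values in ConversionPattern")
    for key in sorted(REQUIRED_MDC_KEYS - set(re.findall(r"%X\{([^}]+)\}", pattern))):
        findings.append(f"MDC key {key} is not written to the database")
    return findings
```

Run it against your own /customer/extension/class/log4j.xml (read the file and pass its text to check_audit_wiring) before restarting the service.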

4. Set policies for audit in DSEditor.properties

To enable audit logging, set this policy:

Enable_Audit_Log=true

To set the audit level, set this policy to one of the following values:

Audit_Level=Normal
Audit_Level=Detailed
Audit_Level=Detailed-History

After making the changes, restart the PhenixID Identity Manager service.

5. Other

Ensure the database user has “insert” and “read” access rights to the audit table.

Make sure to copy the appropriate .jar files for the database driver to the /customer/extension/lib folder.

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se