PhenixID

PSD1136 – Configure audit logging

Summary

This PSD is written for PhenixID Identity Manager (IM) 5.4.0 or later. (Information regarding PIPFilter only applies to PIM 5.6.2.)
For an overview of application logging, please read PSD1135.
For how to configure logging in earlier versions of IM, please read PSD1105.

System Requirements

  • PhenixID Identity Manager 5.4.0 or later

Overview of Audit and CEF logging

All audit logging is written in CEF (Common Event Format).
CEF is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF lets customers use a common event log format so that data can easily be collected and aggregated for analysis by an enterprise management system.
From 5.4.0, the audit log format is Common Event Format (CEF).

Events that are logged by PIM are:

  • Authentication (Login/Logoff)
  • Selected role
  • Create
  • Change
  • Delete

Configure audit logging

Enable audit logging

To enable audit logging you configure this policy in DSEditor.properties:

Enable_Audit_Log=true

Audit log levels

There are different audit levels. The default is Normal. To set the audit level, configure one of the policy values below in DSEditor.properties, depending on the degree of logging wanted:

# Normal logs who changed what object
Audit_Level=Normal
# Detailed logs who changed what object to what value
Audit_Level=Detailed

# Detailed-History logs who changed what object to what value and from what value. PIPFilter does not support from what value.
Audit_Level=Detailed-History

Login audit event

The following event is logged when a user logs in to PIM:

#
# Patrik Holsti logged in
#
2021-05-31T13:48:16+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_011|LOGIN|1|suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Logout audit event

The following event is logged when a user logs out from PIM:

#
# Patrik Holsti logged out
#
2021-05-31T13:48:28+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_010|LOGOUT|1|suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Role selection audit event

The following event is logged when a user selects a role in PIM, either during login or when changing role from within PIM:

#
# The role Patrik Holsti logged in with
#
2021-05-31T13:48:25+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_012|ROLE|1|role=UC<space>-<space>PSD1172<space>-<space>1<space>Requestor
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Normal – PIM writes to LDAP

Example of what is logged in Normal when editing a user. (Who changed what?)

#
# Patrik Holsti updated title on user BOBBY ANDERSSON
#
2021-05-31T12:56:45+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_001|UPDATE|1|attr=title
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
operation=REPLACE
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Example of what is logged in Normal when creating a user. (Who created what?)

#
# Patrik Holsti created user kallea
#
2021-05-31T12:56:19+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_002|CREATE|1|dn=cn\=kallea,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Normal – PIM sends data to PIP using PIPFilter

Example of what is logged in Normal when editing a user. (Who changed what?)

#
# Patrik Holsti updated title on user BOBBY ANDERSON
#
2021-05-31T13:19:14+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_100|SEND_EXTERNAL|1|attr=title
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
externalsystem=http://127.0.0.1:8085/rest/edituser
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Example of what is logged in Normal when creating a user.

#
# Patrik Holsti created a new user with a value on attribute company
# Note that we do not know the new user since PIM does not do the creation
#
2021-05-31T13:15:20+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_100|SEND_EXTERNAL|1|attr=company
dn=OU\=OU1,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
externalsystem=http://127.0.0.1:8085/rest/create1
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Detailed – PIM writes to LDAP

Example of what is logged in Detailed when editing a user.

#
# Log of one value before update of object.
# Patrik Holsti changed attribute title on Bobby Andersson
#
2021-05-31T11:35:28+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_001|UPDATE|1|attr=title
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
operation=REPLACE
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
value=AAAAA

Example of what is logged in Detailed when creating a user.

#
# Example of one attribute logged when creating an object.
# Patrik Holsti created user Bobby Andersson
# and added attribute mobile
#
2021-05-31T10:16:00+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_001|UPDATE|1|attr=mobile
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
operation=REPLACE
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
value=22222

Detailed – PIM sends data to PIP using PIPFilter

Example of what is logged in Detailed when editing a user. (Who changed what and to what value?)

#
# Log of one value before update of object.
# Patrik Holsti changed attribute title on Bobby Andersson
#
2021-05-31T11:35:54+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_100|SEND_EXTERNAL|1|attr=title
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
externalsystem=http://127.0.0.1:8085/rest/edituser
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
value=BBBBB

Example of what is logged in Detailed when creating a user. (Who created what and to what value?)

#
# Example of one attribute logged when creating an object.
# Patrik Holsti created user Bobby Andersson and added attribute description
#
2021-05-31T11:13:50+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_100|SEND_EXTERNAL|1|attr=description
dn=OU\=OU1,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
externalsystem=http://127.0.0.1:8085/rest/create1
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
value=BBBBBBB

Detailed-History – PIM writes to LDAP

Example of what is logged in Detailed-History when editing a user. (Who changed what and to what value and from what value?)

#
# Log of one value before update of object.
# The value of attribute mobile before change on Bobby Andersson
#
2021-05-31T10:16:00+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_009|STATE|1|attr=mobile
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
state=11111
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
#
# Log of one value before update of object.
# Patrik Holsti changed attribute mobile on Bobby Andersson
#
2021-05-31T10:16:00+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_001|UPDATE|1|attr=mobile
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
operation=REPLACE
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
value=22222

Example of what is logged in Detailed-History when creating a user. (Who created what and to what value?)

#
# Example of one attribute logged when creating an object.
# Patrik Holsti created user clarkk
# and added attribute company
#
2021-05-31T11:24:43+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_002|CREATE|1|cn=[clarkk]
company=[BBBBB]
dn=cn\=clarkk,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net

Detailed-History – PIM sends data to PIP using PIPFilter

Example of what is logged in Detailed-History when editing a user. (Who changed what and to what value and from what value?)

#
# Log of one value before update of object.
# Patrik Holsti changed attribute title on Bobby Andersson
#
2021-05-31T11:35:54+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_100|SEND_EXTERNAL|1|attr=title
dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
externalsystem=http://127.0.0.1:8085/rest/edituser
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
value=BBBBB

Example of what is logged in Detailed-History when creating a user. (Who created what and to what value?)

#
# Example of one attribute logged when creating an object.
# Patrik Holsti created user Bobby Andersson and added attribute description
#
2021-05-31T11:13:50+02:00 WIN-NMMBRACCA44
CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_100|SEND_EXTERNAL|1|attr=description
dn=OU\=OU1,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net
externalsystem=http://127.0.0.1:8085/rest/create1
suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
value=BBBBBBB

Configure separator for multi-value attributes

In version 5.6.3 and earlier, a comma was used to separate multi-value attributes in audit.log. If the values were DNs, for example, a comma is not a good separator: it would be difficult to see where one value ends and the next starts.
In PIM versions after 5.6.3 you can specify, per multi-value attribute, which separator to use, to make your audit log file easier to interpret. The default is still comma.
To configure this, add the following policy to the DSEditor.properties of the web app:
Audit_Multivalue_Separator_ATTRIBUTENAME=separator_value
The attribute name must be in capital letters.
For example, if you have the member attribute and want to use # as separator, it would look like:
Audit_Multivalue_Separator_MEMBER=#

Send audit log data to SYSLOG server

To send events to a syslog server, add a Syslog appender to the logging configuration according to this example:

<Syslog name="CEF"
        host="ip_address_of_CEF/SYSLOG_server"
        port="port_of_CEF/SYSLOG_server"
        protocol="UDP">
    <PatternLayout>
        <Pattern>pattern_send_to_CEF/SYSLOG_server</Pattern>
    </PatternLayout>
</Syslog>

The default pattern for IM when the log is written to file is:
<Pattern>%d{yyyy-MM-dd'T'HH:mm:ssXXX} %m%n</Pattern>

%d = date and time when the event was registered
%m = the event (the CEF message)
%n = line break

Add a reference to the new appender in the audit logger:

<Logger name="audit" additivity="false" level="info">
    <AppenderRef ref="auditLogger" />
    <AppenderRef ref="CEF" />
</Logger>

In the example above, events are written both to the local file and to the syslog server.

Event ID in audit file

  • LOGIN
    eventid = AUDIT_011
    eventname = LOGIN
  • UNSUCCESSFUL LOGIN
    eventid = AUDIT_013
    eventname = UNSUCCESSFUL_LOGIN
    Note: since a failed login may be caused by a mistyped username, suser is not a DN for this event. The user id as typed by the user is logged as suser.
  • LOGOUT
    eventid = AUDIT_010
    eventname = LOGOUT
  • ROLE
    eventid = AUDIT_012
    eventname = ROLE
  • STATE
    States the value of an attribute before a change is made to an object.
    eventid = AUDIT_009
    eventname = STATE
    parameters:
    dn = DN of the object being updated
    attr = attribute being updated
    state = the current value (before the change)
  • UPDATE
    eventid = AUDIT_001
    eventname = UPDATE
    operation = ADD | REPLACE | DELETE
    value = value after the update
    suser = the user who changed the object
  • CREATE
    eventid = AUDIT_002
    eventname = CREATE
    parameters:
    dn = DN of the object being created
    <attributename>=<attributevalue> for every attribute and value added to the created object
    suser = the user who created the object
  • DELETE OBJECT
    eventid = AUDIT_004
    eventname = DELETE OBJECT
    dn = DN of the object removed
  • BINARY UPDATE
    eventid = AUDIT_007
    eventname = BINARY UPDATE
  • SEND DATA TO PIP
    eventid = AUDIT_100
    eventname = SEND_EXTERNAL
    externalsystem = URL and endpoint
    dn = DN of the object being sent
    value = value of the attribute being sent
    suser = the user who created the object

Filter audit log events

If you want certain audit events NOT to be written to the audit log, there is a policy for this.
This policy was added in PIM 6.0.5.

FilterEventFromAuditLog=AUDIT_100,AUDIT_101,AUDIT_102

The example above will NOT write events AUDIT_100, AUDIT_101 and AUDIT_102 to the audit log file.
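
As an added example (not PhenixID code), the Python below parses audit lines in the format shown in this document, decodes the <space> and \= value encoding seen in the samples, joins the Detailed-History STATE and UPDATE events into a before/after record, and applies a FilterEventFromAuditLog-style drop list. It assumes the default %d %m file pattern with the whole CEF message on one line; the two sample lines are constructed from the Detailed-History examples above.

```python
"""Parse PhenixID IM CEF audit events and join Detailed-History STATE/UPDATE
pairs into before/after records. Added example, not PhenixID code. Assumes the
default '%d %m' file pattern (timestamp, host, CEF message on one line) and the
value encoding seen in the page's samples: '<space>' for ' ' and '\\=' for '='."""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]
HEADER = ("cef_version", "vendor", "product", "version", "event_id", "name", "severity")
# Constructed sample: the two Detailed-History events for attribute 'mobile' above.
SAMPLE_LOG = r"""
2021-05-31T10:16:00+02:00 WIN-NMMBRACCA44 CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_009|STATE|1|attr=mobile dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net state=11111 suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net
2021-05-31T10:16:00+02:00 WIN-NMMBRACCA44 CEF:0|PhenixID|IM|5.6.2-SNAPSHOT|AUDIT_001|UPDATE|1|attr=mobile dn=CN\=BOBBY<space>ANDERSON,OU\=PIM_REST_WS_TEST,DC\=demo,DC\=phenixid,DC\=net operation=REPLACE suser=CN\=Patrik<space>Holsti,OU\=PhenixID<space>Employees,DC\=demo,DC\=phenixid,DC\=net value=22222
"""

def _decode(value: str) -> str:
    # Undo the value encoding so DNs read naturally ('<space>' -> ' ', '\=' -> '=').
    return value.replace("<space>", " ").replace("\\=", "=")

def parse_event(line: str) -> Event:
    timestamp, host, message = line.split(" ", 2)
    # Seven header fields split on unescaped '|'; the eighth part is the extension.
    parts = re.split(r"(?<!\\)\|", message[4:], maxsplit=7)
    if not message.startswith("CEF:") or len(parts) != 8:
        raise ValueError("malformed CEF event: " + line)
    event: Event = {"timestamp": timestamp, "host": host}
    event.update(zip(HEADER, parts[:7]))
    # Extension is space-separated key=value; an escaped '\=' inside a value is kept.
    for key, value in re.findall(r"(\w+)=((?:\\=|[^\s=])*)", parts[7]):
        event[key] = _decode(value)
    return event

def parse_log(text: str, dropped: frozenset = frozenset()) -> List[Event]:
    """Parse all non-empty lines; 'dropped' is a FilterEventFromAuditLog-style id set."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e["event_id"] not in dropped]

def before_after(events: List[Event]) -> List[Tuple[str, str, str, Optional[str], Optional[str]]]:
    """Join AUDIT_009 STATE with the following AUDIT_001 UPDATE on the same dn/attr
    into (suser, dn, attr, old, new). Below Detailed-History no STATE exists, so old is None."""
    pending: Dict[Tuple[str, str], str] = {}
    joined = []
    for ev in events:
        key = (ev.get("dn", ""), ev.get("attr", ""))
        if ev["event_id"] == "AUDIT_009":
            pending[key] = ev.get("state", "")
        elif ev["event_id"] == "AUDIT_001":
            joined.append((ev.get("suser", ""), key[0], key[1], pending.pop(key, None), ev.get("value")))
    return joined
```

Running before_after(parse_log(SAMPLE_LOG)) yields one record showing the mobile attribute changed from 11111 to 22222 by the suser DN; dropping AUDIT_009 the way the filter policy would leaves the old value as None.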


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se