Bug 1032237 - Audit logging length of log maintained
Audit logging length of log maintained
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation (Show other bugs)
6.0.0
Unspecified Unspecified
unspecified Severity unspecified
: ER3
: EAP 6.4.0
Assigned To: Russell Dickenson
Ondrej Lukas
: Documentation
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-19 13:46 EST by Catherine Robson
Modified: 2015-04-17 01:31 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-17 01:31:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Catherine Robson 2013-11-19 13:46:08 EST
Description of problem:
We need to add information to the documentation about how long the audit log is maintained (it sounded like for the entirety of the server being up?  Verify with development) by the system.

We also need to add information about how they are archived.  (It sounds like they are moved to a history folder every time the server is brought down/restarted?  Verify with development)



Version-Release number of selected component (if applicable):
6.2.0.ER5.2-Beta
Comment 1 Russell Dickenson 2014-05-22 00:19:42 EDT
I sent an email directly to James Perkins as I believe he is the component lead for Logging.
Comment 2 Russell Dickenson 2014-05-22 19:26:21 EDT
Emails to and from Kabir Khan seeking clarification:

Kabir,

Thank you for your reply. I have some follow-up questions.

I need to clarify the audit log generated by the LogAuditProvider module (described at [1]), versus the management API audit log (described at [2]). If I understand correctly the former logs system-level events, while the latter logs events which occur only via the management API, with no overlap between them. Is my understanding correct?

Regarding cycling of the log, I understand from your reply that the audit log (not the management API audit log) is NOT cycled, except in circumstances where logging is reconfigured. Regardles of what happens though, no audit log files are ever deleted by EAP itself. Is my understanding correct? If so, is there a risk to the system that disk space may be exhausted by the audit log?

Regarding sending audit log records to a syslog server, this has not been documented for the audit log, but has for the management API audit log, as you can see at [2]. Is the syslog configuration the same, regardless of the audit log file?


[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#sect-Management_Interface_Audit_Logging


[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#Configure_Security_Auditing1

[2] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#sect-Management_Interface_Audit_Logging

----- Original Message -----
> From: "Kabir Khan" <kabir.khan@jboss.com>
> To: "James R. Perkins" <jperkins@redhat.com>
> Cc: "Russell Dickenson" <rdickens@redhat.com>, "Kabir Khan" <kkhan@redhat.com>
> Sent: Friday, 23 May, 2014 3:24:39 AM
> Subject: Re: Question about "Bug 1032237 - Audit logging length of log maintained"
> 
> It is for the entirety of the audit log handler being up and running, which
> unless something horrible happens would be the lifetime of the server.
> 
> To clarify a bit, this is for the file-handler once the handler is
> initialised (there is a an op to recycle it, but in reality it will be the
> lifetime of the server. The recycle op is just in case something bad
> happened, logging stopped, it it reconfigured and you want to kickstart it
> again without taking dwen the server), the current log will be backed up
> (see FileAuditLogHandler.initialize()).
> 
> If syslog-handler is used, then it will just append to whatever is there.
> Length/backup policy is done by the syslog implementation. The recycle stuff
> applies here too, but again what happens to the data depends on the syslog
> implementation.
> On 22 May 2014, at 18:12, James R. Perkins <jperkins@redhat.com> wrote:
> 
> > Kabir, in CC, can probably answer better than I can.
> > 
> > That said, Kabir with your new duties is audit logging something you'd like
> > me to take over?
> Thanks for offering :-) Perhaps, but at least for now I can pretend to be
> useful ;-)
> > 
> > On 05/21/2014 09:19 PM, Russell Dickenson wrote:
> >> James,
> >> 
> >> I am contacting you about the above BZ ticket. Please tell me if I am
> >> asking the wrong person.
> >> 
> >> In the BZ ticket are a number of questions about JBoss EAP's audit logs.
> >> Can you answer those? Once I have answers to those questions I will
> >> include that information in the documentation.
> >> 
> >> 
> > 
> > --
> > James R. Perkins
> > JBoss by Red Hat
Comment 3 Russell Dickenson 2014-05-26 23:52:56 EDT
Further information from Kabir via email:

Aha, my replies were about the management api audit logging
On 23 May 2014, at 00:20, Russell Dickenson <rdickens@redhat.com> wrote:

> Kabir,
>
> Thank you for your reply. I have some follow-up questions.
>
> I need to clarify the audit log generated by the LogAuditProvider module (described at [1]), versus the management API audit log (described at [2]). If I understand correctly the former logs system-level events,
TBH I am not 100% sure, CCing the PicketBox people who should know, and also about how it

> while the latter logs events which occur only via the management API, with no overlap between them. Is my understanding correct?
Yes
>
> Regarding cycling of the log, I understand from your reply that the audit log (not the management API audit log) is NOT cycled, except in circumstances where logging is reconfigured. Regardles of what happens though, no audit log files are ever deleted by EAP itself. Is my understanding correct? If so, is there a risk to the system that disk space may be exhausted by the audit log?
My reply was about the management API one, and correct there is no cleanup that needs to happen manually.
>
> Regarding sending audit log records to a syslog server, this has not been documented for the audit log, but has for the management API audit log, as you can see at [2]. Is the syslog configuration the same, regardless of the audit log file?
The PicketBox one probably has a different config, deferring to PB team
Comment 4 Russell Dickenson 2014-05-26 23:57:43 EDT
Email sent to Anil Saldhana asking for recommended contacts:

QUOTE--------
Anil,

I am trying to get to the heart of the audit log, for BZ1032237. Kabir has contributed some information, but that mainly relates to the management API audit log, *not* the system's audit log. Kabir recommended I contact "the PicketBox people" so I thought you might be able to suggest an appropriate contact?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1032237
--------------
Comment 5 Peter Skopek 2014-05-27 06:32:53 EDT
PicketBox LogAuditProvider uses logging subsystem Log Handlers for logging audit log events. The behaviour of log handler is configured in logging subsystem.

For example: 
 create periodic rotating file handler called "AUDIT" using CLI:
   /subsystem=logging/periodic-rotating-file-handler=AUDIT/:add(suffix=.yyyy-MM-dd,formatter=%d{HH:mm:ss,SSS} %-5p [%c] (%t)
%s%E%n,level=TRACE,file={"relative-to" => "jboss.server.log.dir","path" => "audit.log"})

I would provide user a link in the doc. to section "13.1.12. Types of Log Handlers".

syslog is also a possible log handler.

PicketBox audit manager is logging events related to authentication and authorization in applications and login modules.
Comment 6 Russell Dickenson 2014-05-28 00:49:47 EDT
I have added to the Admin & Config Guide a section titled "About the Audit Log", which describes the "audit.log" file. It makes references to the sections on log handlers for completeness. When the amended revision of the A&C Guide is available on the docs-devel site, I will set this ticket to ON_QA.
Comment 7 Russell Dickenson 2014-06-09 20:01:04 EDT
Topic(s):
About the Audit Log [32115]

Change(s) implemented:
New topic written, based on content contained in this ticket and information provided by James Perkins via email.
----------------------------

The new content is available for verification in revision 6.3.0-22 (or higher) in the "Administration and Configuration Guide" at [1].

[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#About_the_Audit_Log
Comment 8 Ondrej Lukas 2014-06-12 07:59:49 EDT
I think content of this new section should be changed. Information about LogAuditProvider is irrelevant for this section, it should be rather rewritten similar as is in [1] in section 5.4.3. Enable Audit Logging. There are two important information which are missing in this new section:
1) you have to create category for logging
2) you have to set tag disable-audit to false in jboss-web.xml for every application
Both steps are described in [1].

[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Enterprise_Application_Platform_Common_Criteria_Certification/6.2.2/html-single/Common_Criteria_Configuration_Guide/index.html#Enable_Audit_Logging1
Comment 9 Russell Dickenson 2014-08-17 19:47:25 EDT
Attention: Ondrej

I understand your feedback in comment 8, except for the statement "Information about LogAuditProvider is irrelevant for this section..."  Why do you think mention of LogAuditProvider is not relevant here? Since it's the module which provides the functionality being used, I think it is very relevant.
Comment 10 Ondrej Lukas 2014-08-18 06:06:42 EDT
Russell, you are right, information about LogAuditProvider is relevant for this section. For that reason please fix only missing parts from comment 8.
Comment 15 Ondrej Lukas 2015-01-15 04:19:49 EST
It seems almost ok now. I found only small typo which has to be fixed - in first step of Procedure 11.5. Implement a Periodic Rotating File Handler for the Audit Log there is CLI command with: "...,formatter=%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n,...". This part of CLI command causes failure, it has to be rewritten to "...,formatter="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n",..." (quotes are added for formatter value).
Comment 18 Ondrej Lukas 2015-02-24 08:14:24 EST
Verified in Administration and Configuration Guide in Revision 6.4.0-15.

Note You need to log in before you can comment on or make changes to this bug.