Skip to main content
Version: 1.16

Audit logging

Audit logs in Access Decision Service (ADS) are detailed records that capture and store information about every authorization request processed by the service. These logs are essential for monitoring, security, and compliance purposes.

Audit logs in ADS can usually be customized to suit your deployment's needs. This includes adjusting the level of detail recorded, specifying which types of events to log, and determining how long logs should be retained. Proper management and analysis of these logs are critical for maintaining the security and integrity of the access control system.

Audit logging is disabled by default in ADS. However, when enabled, it will track every authorization request processed. This includes detailed records of the attributes involved, their sources, and the specific values used during request evaluation.

You can enable or disable audit logging in the deployment.yaml configuration file. See Enable audit logging for instructions on how to enable this feature.

Basic and additional logging options

Audit logging is part of the basic configuration options for logs in ADS. However, you can enable additional logging configurations.

  • For more details on basic logging options refer to the Logging section under Basic configuration.
  • For more details on additional logging options refer to the Additional logging properties section under Additional configuration.

Logging events

The audit logs produced by ADS contain two types of logging events:

  • Evaluation Events: These events cover the specifics of access requests, including the queries made and the system's responses.
  • Administrative Events: These focus on modifications made to the ADS configuration during runtime.

You can configure the inclusion of either event type in the audit logs. You can find detailed instructions on separating these event types within the audit log output in Separate event types in the audit log output.

By default, the log output for evaluation events is presented in a concise format, that is, information not essential to auditing is excluded from the evaluation events. To configure logging to use the verbose format for the output instead of the default concise format refer to section Enable verbose audit logging.

Audit log message format

Audit log messages are recorded one per line in US-ASCII format. Parameter values within these messages utilize a variant of the RFC 3986 URL encoding scheme (%) to represent special and reserved characters.

Parameter values are UTF-8 encoded to octet streams that are subsequently percent-encoded as needed.

Basically, the logger will do a URL encoding of the value of every parameter but will exclude the following characters from the encoding:

'|', '~', '!', '#', '$', '&', '\'', '(', ')', '*', '+', '/', ':', ';', '?', '@', '[', ']', '\'', '-', '.', '<', '>', '\', '^', '_', '`'

Evaluation event log example (concise)

This XML snippet showcases a sample log entry in the default concise format while the table below explains each line in detail.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId>
 <Timestamp>2020-07-02T07:55:28.379Z</Timestamp>
 <ClientIdentity>Username%3A+ads-user</ClientIdentity>
 <ClientSource>127.0.0.1:53633</ClientSource>
 <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false">
  <xacml-ctx:RequestDefaults>
   <xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
  </xacml-ctx:RequestDefaults>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
   <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
    <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
   </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
 </xacml-ctx:Request>
 <ResultEntries>
  <ResultEntry>
   <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
    <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
   </xacml-ctx:Result>
   <Call attributeRef="A1">
    <Value>Stockholm</Value>
   </Call>
   <Call attributeRef="A2">
    <Value>QA</Value>
   </Call>
   <Call attributeRef="A3">
    <Value>Engineering</Value>
   </Call>
   <Call attributeRef="A4">
    <Value>%3C%3Fxml+version%3D%271.0%27%3F%3E%0A%3Cresources+xmlns%3D%27http%3A%2F%2Fietf.org%2Fns%2Fhome-documents%27+xmlns%3Aatom%3D%27http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%27%3E%0A++%3Cresource+rel%3D%27http%3A%2F%2Fdocs.oasis-open.org%2Fxacml%2Fns%2Frelation%2Fpdp%27%3E%0A++++%3Catom%3Alink+href%3D%27%2Fauthorize%27%2F%3E%0A++%3C%2Fresource%3E%0A%3C%2Fresources%3E</Value>
   </Call>
   <Call attributeRef="A5">
    <Value>write</Value>
   </Call>
  </ResultEntry>
 </ResultEntries>
</EvaluationEvent>
Line numberDescription
3The ID of the Authorization Domain.
4The time when the evaluation started.
5The identity of the caller. If ADS is started without authentication, this line will be excluded.
6IP address and port number of the calling PEP.
7-16The XACML request evaluated by ADS.
17Element that contains individual ResultEntry elements.
18Element that contains information about an individual XACML evaluation. If this is a normal XACML evaluation, there will only be one ResultEntry element. If this is an MDP (Multiple Decision Profile) request, there will be mulitple ResultEntry elements.
19-24The XACML result of the evaluation.
20The XACML Decision (Permit, Deny, Not applicable, Indeterminate)
21-23The status of the evaluation (OK, processing error).
25-39Information on attribute values that have been fetched from an Attribute Connector and used in the evaluation. The attribute attributeRef will refer to which attributes these are values for.

Line description, evaluation log example (concise)

Evaluation event log example (verbose)

The following XML snippet showcases a sample log entry in the verbose format while the table below explains each line in detail.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId>
 <GroupVersion>0</GroupVersion>
  <Timestamp>2020-07-02T07:55:28.379Z</Timestamp>
  <EvaluationTimeMillis>510</EvaluationTimeMillis>
   <ClientIdentity>Username%3A+ads-user</ClientIdentity>
   <ClientSource>127.0.0.1:53633</ClientSource>
   <InterfaceType>REST</InterfaceType>
   <PdpIdentity />
   <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false">
     <xacml-ctx:RequestDefaults>
       <xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
     </xacml-ctx:RequestDefaults>
     <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
       <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
       </xacml-ctx:Attribute>
     </xacml-ctx:Attributes>
   </xacml-ctx:Request>
   <Pip refId="P1">
     <Id>318ce3f1-c4dd-4540-be17-73766fe9afed</Id>
     <Type>com.axiomatics.attributeconnector.ldap.LDAPAttributeFinder</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P2">
     <Id>13371bff-a2db-4e17-9dba-166747dfd047</Id>
     <Type>com.axiomatics.attributeconnector.jdbc.SQLAttributeFinder</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P3">
     <Id>3c629267-2cda-4c91-bb14-ccc272c1d94e</Id>
     <Type>com.axiomatics.attributeconnector.table.TableAttributeFinder</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P4">
     <Id>6c07041e-17a2-4982-92e1-ff137f09b947</Id>
     <Type>com.axiomatics.pip.http.HttpClient</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P5">
     <Id>b5dda2a1-7cba-43e0-a658-36168a071d64</Id>
     <Type>com.axiomatics.pip.parser.XmlParser</Type>
     <Version>0</Version>
   </Pip>
   <Attribute refId="A3" id="department" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A5" id="urn:oasis:names:tc:xacml:1.0:action:action-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A1" id="location" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A2" id="role" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A4" id="entrypoint" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <ResultEntries>
     <ResultEntry>
       <xacml-ctx:Result>
         <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
         <xacml-ctx:Status>
         <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
         </xacml-ctx:Status>
       </xacml-ctx:Result>
       <Call attributeRef="A1" pipRef="P1" cachedValue="false">
         <Value>Stockholm</Value>
       </Call>
       <Call attributeRef="A2" pipRef="P2" cachedValue="false">
         <Value>QA</Value>
       </Call>
       <Call attributeRef="A3" pipRef="P3" cachedValue="false">
         <Value>Engineering</Value>
       </Call>
       <Call attributeRef="A4" pipRef="P4" cachedValue="false">
         <Value>%3C%3Fxml+version%3D%271.0%27%3F%3E%0A%3Cresources+xmlns%3D%27http%3A%2F%2Fietf.org%2Fns%2Fhome-documents%27+xmlns%3Aatom%3D%27http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%27%3E%0A++%3Cresource+rel%3D%27http%3A%2F%2Fdocs.oasis-open.org%2Fxacml%2Fns%2Frelation%2Fpdp%27%3E%0A++++%3Catom%3Alink+href%3D%27%2Fauthorize%27%2F%3E%0A++%3C%2Fresource%3E%0A%3C%2Fresources%3E</Value>
       </Call>
       <Call attributeRef="A5" pipRef="P5" cachedValue="false">
         <Value>write</Value>
       </Call>
       <EvaluationComplexity>36</EvaluationComplexity>
     </ResultEntry>
   </ResultEntries>
</EvaluationEvent>
Line numberDescription
3The ID of the Authorization Domain.
4The object version of the Authorization Domain.
5The time when the evaluation started.
6Evaluation time in milliseconds for this request.
7The identity of the caller. If ADS is started without authentication, this line will be excluded.
8IP address and port number of the calling PEP.
9The interface by which the client contacts ADS for authorization services.
10Identity of the PDP as registered in ASM. For ADS this is always an empty string.
11-20The XACML request evaluated by ADS.
21-45The definition of an Attribute Connector that was called during evaluation, where
refId - The evaluation unique identifier as referenced by the Call element in this evaluation to denote this Attribute Finder
Id - The unique identifier of the Attribute Connector object
Type - The Attribute Connector Type
Version - The object version of the Attribute Connector
46-50The definition of an external Attribute that was used during evaluation and for which values were fetched from an Attribute Finder (PIP), where
refId - The evaluation unique identifier as referenced by the Call element in this evaluation to denote this attribute
id - the id of the attribute
category - the XACML category of the attribute
datatype - the XACML datatype
51Element that contains individual ResultEntry elements.
52Element that contains information about an individual XACML evaluation. If this is a normal XACML evaluation, there will only be one ResultEntry element. If this is an MDP (Multiple Decision Profile) request, there will be mulitple ResultEntry elements.
53-58The XACML result of the evaluation.
54The XACML Decision (Permit, Deny, Not applicable, Indeterminate)
55-57The status of the evaluation (OK, processing error).
59-73Information on attribute values that have been fetched from an Attribute Connector and used in the evaluation. The attribute attributeRef will refer to which attributes these are values for. The attribute pipRef will refer to which Attribute Connector these values were fetched from.
The attribute cachedValue indicates whether these values were obtained from the cache.
74A metric indicating the complexity of the evaluation process, measured by the number of steps required.

Line description, evaluation log example (verbose)

Administrative event log example

The following text is a sample log entry for an administrative event, with explanations provided in the table below:

"thread":"main","message":"Domain with id 08922b78-48f7-4147-b9eb-ae0034b6ccd0 was loaded","level":"INFO","timestamp":1629726715756,"logger":"com.axiomatics.audit.ads.admin"
ItemDescription
threadWhich thread of the log stream this entry belongs to.
messageThe event that was logged.
levelThe severity level set for the logging configuration.
timestampThe time of the event.
loggerThe logger that produced the event.

Administrative event log description

note

There is only one version of the output, the concise/verbose option is only relevant for evaluation events.