The most recent patch for this version is 2.1.1.

Version: 2.1

Additional logging properties

This section describes several advanced logging configuration options supported by Access Decision Service (ADS), defined within the deployment.yaml file.

The logs produced by ADS contain two types of events:

  • evaluation events - data regarding access requests and their responses
  • administrative events - data regarding runtime changes to the configuration of ADS

Separate event types in the audit log output

The audit logs produced by ADS contain two types of events:

  • evaluation events - data regarding access requests and their responses

  • administrative events - data regarding runtime changes to the configuration of ADS

The log output can be sent to a file, the console, or both. Additionally, you can control whether the output contains:

  • evaluation events only
  • administrative events only
  • both types combined
  • both types but on separate output items

Select which event types appear in the log output by declaring the appropriate logger under the logging section.

Logger                                Log types
com.axiomatics.audit.ads.evalOnly     evaluation events
com.axiomatics.audit.ads.adminOnly    administrative events
com.axiomatics.audit                  Both evaluation and administrative events

Audit logging format and mode

Audit logs can be generated in either JSON or XML format and in one of two modes: concise or verbose, which control the level of detail captured. The concise mode excludes information not essential to auditing from the evaluation events, keeping logs streamlined. On the other hand, the verbose mode provides full logging information for comprehensive detail.

By default, the log output for evaluation events is presented in JSON format and concise mode. JSON is the default choice because it offers reduced log sizes, enhanced readability, and improved overall performance for ADS. Additionally, it provides more comprehensive audit trail data about attribute values fetched from an Attribute Connector and utilized in policy evaluations.

You can change both the audit log format and mode within the deployment.yaml configuration file by setting the mode sub-property. The available options are:

  • concise_json (default)
  • verbose_json
  • concise (for concise XML)
  • verbose (for verbose XML)

For example, to enable verbose audit logging in JSON format, you should configure your deployment.yaml as follows:

audit:
  mode: verbose_json

logging:
  level:
    root: WARN
    com.axiomatics.audit: INFO

See the section Audit log message format for output examples and more information about the logging output format.

Logback

The log output can be sent to a file, the console, or both. Additionally, you can control whether the output contains:

  • evaluation events only
  • administrative events only
  • both types combined in a single file
  • both types but on separate output files
  • JSON-format output

To apply more complex logging-related changes, such as updating the additivity property or the log format, use the Logback documentation to create a custom logback.xml file with the corresponding changes.

Add the following configuration to the deployment.yml file that the application is using:

logging:
  config: <path_to_file>/logback.xml

Further examples of logging configurations are available in the section below:

Logback configuration samples

For your convenience, Logback-related settings for several modes of audit logging in ADS are provided below.

Admin events

To enable audit events and log only the administrative events to a file named ads-admin-event.log, add the following to the deployment file:

logging:
  config: <path_to_file>/logbackAdmin.xml
  level:
    com:
      axiomatics:
        audit: INFO

For detailed logging samples, refer to the Logback samples section.