Audit logging
Audit logs in Access Decision Service (ADS) are detailed records that capture and store information about every authorization request processed by the service. These logs are essential for monitoring, security, and compliance purposes. You can customize the audit logs to suit your deployment's needs. This includes adjusting the level of detail recorded, specifying which types of events to log, and determining how long logs should be retained.
Audit logging is disabled by default. You can enable it in the deployment.yaml configuration file, following the instructions in the Enable audit logging section.
By default, audit logs are generated in JSON file format, but you can opt for XML, which was used in ADS 1.x. Read the Audit logging format and mode section for details.
Audit logging is covered by the basic logging configuration of ADS, but further logging options are available as well:
- Basic logging options can be found in the Logging section under Basic configuration.
- Additional logging options are available in the Additional logging properties section under Additional configuration.
Logging events
The audit logs produced by ADS contain two types of logging events:
- Evaluation Events: These events cover the specifics of access requests, including the queries made and the system's responses.
- Administrative Events: These focus on modifications made to the ADS configuration during runtime.
You can configure the inclusion of either event type in the audit logs. You can find detailed instructions on separating these event types within the audit log output in Separate event types in the audit log output.
By default, evaluation events are written in a concise layout: information that is not essential for auditing is left out. To switch the output to verbose mode, refer to the Audit logging format and mode section.
Audit log message character encoding
Audit log messages are written one per line, in US-ASCII. Parameter values within a message are escaped with a variant of the RFC 3986 percent-encoding scheme: the value is first encoded as UTF-8, and each octet outside the allowed set is written as a %XX escape. As in application/x-www-form-urlencoded, a space is written as "+"; the sample ClientIdentity "Username%3A+ads-user" below decodes to "Username: ads-user". Line breaks are escaped as well (the value fetched by the HttpClient connector in the verbose samples below is a multi-line XML document, written with %0A escapes), so a value that contains a line break can neither split a message nor forge an additional one.
The logger URL-encodes the value of every parameter but leaves the following characters unencoded:
"|", "~", "!", "#", "$", "&", "'", "(", ")", "*", "+", "/", ":", ";", "?", "@", "[", "]", "-", ".", "<", ">", "\", "^", "_", "`"
Do not make a parser depend on this exact set: a standards-compliant percent-decoder accepts both the literal and the encoded form of any of these characters, and the samples below show some of them (":" as %3A, "/" as %2F) in encoded form.
Audit log samples
Evaluation event log - concise mode
The following snippet shows a sample log entry in the default concise mode, first as JSON and then as XML; the table after each snippet explains its lines (line numbers refer to the snippet).
JSON
{
"DomainId": "4f1c96e8-9749-4233-b170-9560c5905904",
"ClientIdentity": "Username%3A+ads-user",
"ClientSource": "172.0.0.1:53633",
"Request": {
"Category": [
{
"CategoryId": "AccessSubject",
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
"Value": "Alice"
}
]
}
],
"XPathVersion": "http://www.w3.org/TR/1999/REC-xpath-19991116"
},
"Response": [
{
"Decision": "Permit",
"Call": [
{
"attribute": {
"Id": "location",
"Category": "AccessSubject",
"Datatype": "string"
},
"Values": [
"Stockholm"
]
},
{
"attribute": {
"Id": "role",
"Category": "AccessSubject",
"Datatype": "string"
},
"Values": [
"QA"
]
},
{
"attribute": {
"Id": "department",
"Category": "AccessSubject",
"Datatype": "string"
},
"Values": [
"Engineering"
]
}
]
}
]
}
| Line | Description |
|---|---|
| 2 | The ID of the Authorization Domain. |
| 3 | The identity of the caller. If ADS is started without authentication, this line is omitted. |
| 4 | IP address and port number of the calling PEP. |
| 5-18 | The XACML request evaluated by ADS. |
| 19-55 | The XACML result of the evaluation. |
| 21 | The XACML decision (Permit, Deny, NotApplicable, Indeterminate). |
| 22-53 | Attribute values fetched from an Attribute Connector and used in the evaluation. The attribute object identifies the attribute the values belong to, where Id is the id of the attribute, Category is the XACML category of the attribute, and Datatype is the XACML datatype. |
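As an added example (not part of the original page or of the ADS product), the following Python reads one concise-mode JSON event line like the sample above, reverses the parameter escaping described under Audit log message character encoding (%XX escapes and "+" for a space) and flattens the event into a record that can be forwarded to a SIEM, including a Deny count per subject-id over a batch of lines. The two event lines are constructed from the sample above; the field names are the ones shown on this page, and accepting a list as well as a scalar for "Value" is an assumption about the wire format.

```python
import json
from urllib.parse import unquote_plus

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Constructed sample: the concise-mode JSON event shown above, serialised onto
# one line the way ADS writes it (one message per line).
PERMIT_EVENT_LINE = json.dumps({
    "DomainId": "4f1c96e8-9749-4233-b170-9560c5905904",
    "ClientIdentity": "Username%3A+ads-user",
    "ClientSource": "172.0.0.1:53633",
    "Request": {
        "Category": [{
            "CategoryId": "AccessSubject",
            "Attribute": [{"AttributeId": SUBJECT_ID, "Value": "Alice"}],
        }],
        "XPathVersion": "http://www.w3.org/TR/1999/REC-xpath-19991116",
    },
    "Response": [{
        "Decision": "Permit",
        "Call": [
            {"attribute": {"Id": "location", "Category": "AccessSubject", "Datatype": "string"},
             "Values": ["Stockholm"]},
            {"attribute": {"Id": "role", "Category": "AccessSubject", "Datatype": "string"},
             "Values": ["QA"]},
            {"attribute": {"Id": "department", "Category": "AccessSubject", "Datatype": "string"},
             "Values": ["Engineering"]},
        ],
    }],
})

# Constructed variant: a Deny from an ADS running without authentication, so
# the ClientIdentity field is absent and no Attribute Connector was called.
DENY_EVENT_LINE = json.dumps({
    "DomainId": "4f1c96e8-9749-4233-b170-9560c5905904",
    "ClientSource": "172.0.0.1:53634",
    "Request": {"Category": [{"CategoryId": "AccessSubject",
                               "Attribute": [{"AttributeId": SUBJECT_ID, "Value": "Bob"}]}]},
    "Response": [{"Decision": "Deny"}],
})


def decode_param(value):
    """Reverse the logger's escaping: %XX escapes are UTF-8 octets, '+' is a space.
    errors='strict' makes a malformed escape sequence fail loudly instead of
    silently replacing bytes in an audit record."""
    return unquote_plus(value, encoding="utf-8", errors="strict")


def request_attributes(request):
    """Flatten Request.Category[].Attribute[] into {(CategoryId, AttributeId): [values]}.
    The page shows 'Value' as a scalar; a list is accepted too (assumption)."""
    flat = {}
    for category in request.get("Category", []):
        for attribute in category.get("Attribute", []):
            values = attribute.get("Value", [])
            if not isinstance(values, list):
                values = [values]
            key = (category["CategoryId"], attribute["AttributeId"])
            flat.setdefault(key, []).extend(decode_param(str(v)) for v in values)
    return flat


def summarize_event(line):
    """Turn one concise-mode JSON evaluation event into a flat record."""
    event = json.loads(line)
    attrs = request_attributes(event["Request"])
    results = []
    for result in event.get("Response", []):
        pip_values = {}
        for call in result.get("Call", []):
            a = call["attribute"]
            pip_values[(a["Category"], a["Id"])] = [decode_param(v) for v in call.get("Values", [])]
        results.append({"decision": result.get("Decision"), "pip_values": pip_values})
    return {
        "domain_id": event["DomainId"],
        # ClientIdentity is omitted when ADS runs without authentication.
        "client_identity": decode_param(event["ClientIdentity"]) if "ClientIdentity" in event else None,
        "client_source": event.get("ClientSource"),
        "subject_ids": [v for (_, aid), vals in attrs.items() if aid == SUBJECT_ID for v in vals],
        "results": results,
    }


def deny_counts(lines):
    """Count Deny decisions per subject-id over a batch of event lines."""
    counts = {}
    for line in lines:
        record = summarize_event(line)
        for result in record["results"]:
            if result["decision"] == "Deny":
                for subject in record["subject_ids"] or ["<unknown>"]:
                    counts[subject] = counts.get(subject, 0) + 1
    return counts
```

The summary keeps `client_identity` as `None` rather than failing when the field is absent, because that is the documented shape of an event from an ADS started without authentication; the per-subject Deny count is the kind of aggregate a detection rule would threshold on.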
XML
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId>
<Timestamp>2020-07-02T07:55:28.379Z</Timestamp>
<ClientIdentity>Username%3A+ads-user</ClientIdentity>
<ClientSource>127.0.0.1:53633</ClientSource>
<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false">
<xacml-ctx:RequestDefaults>
<xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
</xacml-ctx:RequestDefaults>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
<ResultEntries>
<ResultEntry>
<xacml-ctx:Result>
<xacml-ctx:Decision>Permit</xacml-ctx:Decision>
<xacml-ctx:Status>
<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</xacml-ctx:Status>
</xacml-ctx:Result>
<Call attributeRef="A1">
<Value>Stockholm</Value>
</Call>
<Call attributeRef="A2">
<Value>QA</Value>
</Call>
<Call attributeRef="A3">
<Value>Engineering</Value>
</Call>
<Call attributeRef="A4">
<Value>%3C%3Fxml+version%3D%271.0%27%3F%3E%0A%3Cresources+xmlns%3D%27http%3A%2F%2Fietf.org%2Fns%2Fhome-documents%27+xmlns%3Aatom%3D%27http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%27%3E%0A++%3Cresource+rel%3D%27http%3A%2F%2Fdocs.oasis-open.org%2Fxacml%2Fns%2Frelation%2Fpdp%27%3E%0A++++%3Catom%3Alink+href%3D%27%2Fauthorize%27%2F%3E%0A++%3C%2Fresource%3E%0A%3C%2Fresources%3E</Value>
</Call>
<Call attributeRef="A5">
<Value>write</Value>
</Call>
</ResultEntry>
</ResultEntries>
</EvaluationEvent>
| Line | Description |
|---|---|
| 3 | The ID of the Authorization Domain. |
| 4 | The time when the evaluation started. |
| 5 | The identity of the caller. If ADS is started without authentication, this line will be excluded. |
| 6 | IP address and port number of the calling PEP. |
| 7-16 | The XACML request evaluated by ADS. |
| 17 | Element that contains individual ResultEntry elements. |
| 18 | Element that contains information about an individual XACML evaluation. For a normal XACML evaluation there is exactly one ResultEntry element; for an MDP (Multiple Decision Profile) request there are multiple ResultEntry elements. |
| 19-24 | The XACML result of the evaluation. |
| 20 | The XACML Decision (Permit, Deny, NotApplicable, Indeterminate) |
| 21-23 | The status of the evaluation (OK, processing error). |
| 25-39 | Details regarding attribute values, fetched from an Attribute Connector and utilized in the evaluation. The attributeRef attribute specifies the attributes to which these values correspond to. |
Evaluation event log - verbose mode
The following snippet shows a sample log entry in verbose mode, first as JSON and then as XML; the table after each snippet explains its lines (line numbers refer to the snippet).
JSON
{
"DomainId": "4f1c96e8-9749-4233-b170-9560c5905904",
"GroupVersion": "0",
"ClientIdentity": "Username%3A+ads-user",
"ClientSource": "172.0.0.1:53633",
"EvaluationTimeMillis": 343,
"InterfaceType": "REST",
"PdpIdentity": "",
"Request": {
"Category": [
{
"CategoryId": "AccessSubject",
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
"Value": "Alice"
}
]
}
],
"XPathVersion": "http://www.w3.org/TR/1999/REC-xpath-19991116"
},
"Pips": [
{
"refId": "P1",
"Id": "318ce3f1-c4dd-4540-be17-73766fe9afed",
"Type": "com.axiomatics.attributeconnector.ldap.LDAPAttributeFinder",
"Version": "0"
},
{
"refId": "P2",
"Id": "13371bff-a2db-4e17-9dba-166747dfd047",
"Type": "com.axiomatics.attributeconnector.jdbc.SQLAttributeFinder",
"Version": "0"
},
{
"refId": "P3",
"Id": "3c629267-2cda-4c91-bb14-ccc272c1d94e",
"Type": "com.axiomatics.attributeconnector.table.TableAttributeFinder",
"Version": "0"
}
],
"Attributes": [
{
"refId": "A3",
"Id": "department",
"Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
"Datatype": "http://www.w3.org/2001/XMLSchema#string"
},
{
"refId": "A1",
"Id": "location",
"Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
"Datatype": "http://www.w3.org/2001/XMLSchema#string"
},
{
"refId": "A2",
"Id": "role",
"Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
"Datatype": "http://www.w3.org/2001/XMLSchema#string"
}
],
"Response": [
{
"Decision": "Permit",
"Call": [
{
"attribute": {
"Id": "location",
"Category": "AccessSubject",
"Datatype": "string"
},
"pipRef": "P1",
"cachedValue": false,
"Values": [
"Stockholm"
]
},
{
"attribute": {
"Id": "role",
"Category": "AccessSubject",
"Datatype": "string"
},
"pipRef": "P2",
"cachedValue": false,
"Values": [
"QA"
]
},
{
"attribute": {
"Id": "department",
"Category": "AccessSubject",
"Datatype": "string"
},
"pipRef": "P3",
"cachedValue": false,
"Values": [
"Engineering"
]
}
],
"EvaluationComplexity": 26
}
]
}
| Line | Description |
|---|---|
| 2 | The ID of the Authorization Domain. |
| 3 | The object version of the Authorization Domain. |
| 4 | The identity of the caller. If ADS is started without authentication, this line will be excluded. |
| 5 | IP address and port number of the calling PEP. |
| 6 | Evaluation time in milliseconds for this request. |
| 7 | The interface by which the client contacts ADS for authorization services. |
| 8 | Identity of the PDP as registered in ASM. For ADS this is always an empty string. |
| 9-22 | The XACML request evaluated by ADS. |
| 23-42 | The definition of an Attribute Connector that was called during evaluation, where refId is the evaluation-unique identifier by which the Call elements in this evaluation refer to this Attribute Finder, Id is the unique identifier of the Attribute Connector object, Type is the Attribute Connector type, and Version is the object version of the Attribute Connector. |
| 43-62 | The definition of an external attribute that was used during evaluation and whose values were fetched from an Attribute Finder (PIP), where refId is the evaluation-unique identifier by which the Call elements in this evaluation refer to this attribute, Id is the id of the attribute, Category is the XACML category of the attribute, and Datatype is the XACML datatype. |
| 63-106 | The XACML result of the evaluation. |
| 65 | The XACML Decision (Permit, Deny, NotApplicable, Indeterminate) |
| 66-103 | Attribute values fetched from an Attribute Connector and used in the evaluation. The attribute object identifies the attribute the values belong to (Id, Category and Datatype, as above). pipRef refers to the Attribute Connector the values were fetched from, and cachedValue indicates whether the values were served from the cache. |
| 104 | A metric indicating the complexity of the evaluation process, measured by the number of steps required. |
XML
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId>
<GroupVersion>0</GroupVersion>
<Timestamp>2020-07-02T07:55:28.379Z</Timestamp>
<EvaluationTimeMillis>510</EvaluationTimeMillis>
<ClientIdentity>Username%3A+ads-user</ClientIdentity>
<ClientSource>127.0.0.1:53633</ClientSource>
<InterfaceType>REST</InterfaceType>
<PdpIdentity />
<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false">
<xacml-ctx:RequestDefaults>
<xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
</xacml-ctx:RequestDefaults>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
<Pip refId="P1">
<Id>318ce3f1-c4dd-4540-be17-73766fe9afed</Id>
<Type>com.axiomatics.attributeconnector.ldap.LDAPAttributeFinder</Type>
<Version>0</Version>
</Pip>
<Pip refId="P2">
<Id>13371bff-a2db-4e17-9dba-166747dfd047</Id>
<Type>com.axiomatics.attributeconnector.jdbc.SQLAttributeFinder</Type>
<Version>0</Version>
</Pip>
<Pip refId="P3">
<Id>3c629267-2cda-4c91-bb14-ccc272c1d94e</Id>
<Type>com.axiomatics.attributeconnector.table.TableAttributeFinder</Type>
<Version>0</Version>
</Pip>
<Pip refId="P4">
<Id>6c07041e-17a2-4982-92e1-ff137f09b947</Id>
<Type>com.axiomatics.pip.http.HttpClient</Type>
<Version>0</Version>
</Pip>
<Pip refId="P5">
<Id>b5dda2a1-7cba-43e0-a658-36168a071d64</Id>
<Type>com.axiomatics.pip.parser.XmlParser</Type>
<Version>0</Version>
</Pip>
<Attribute refId="A3" id="department" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
<Attribute refId="A5" id="urn:oasis:names:tc:xacml:1.0:action:action-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" datatype="http://www.w3.org/2001/XMLSchema#string" />
<Attribute refId="A1" id="location" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
<Attribute refId="A2" id="role" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
<Attribute refId="A4" id="entrypoint" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
<ResultEntries>
<ResultEntry>
<xacml-ctx:Result>
<xacml-ctx:Decision>Permit</xacml-ctx:Decision>
<xacml-ctx:Status>
<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</xacml-ctx:Status>
</xacml-ctx:Result>
<Call attributeRef="A1" pipRef="P1" cachedValue="false">
<Value>Stockholm</Value>
</Call>
<Call attributeRef="A2" pipRef="P2" cachedValue="false">
<Value>QA</Value>
</Call>
<Call attributeRef="A3" pipRef="P3" cachedValue="false">
<Value>Engineering</Value>
</Call>
<Call attributeRef="A4" pipRef="P4" cachedValue="false">
<Value>%3C%3Fxml+version%3D%271.0%27%3F%3E%0A%3Cresources+xmlns%3D%27http%3A%2F%2Fietf.org%2Fns%2Fhome-documents%27+xmlns%3Aatom%3D%27http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%27%3E%0A++%3Cresource+rel%3D%27http%3A%2F%2Fdocs.oasis-open.org%2Fxacml%2Fns%2Frelation%2Fpdp%27%3E%0A++++%3Catom%3Alink+href%3D%27%2Fauthorize%27%2F%3E%0A++%3C%2Fresource%3E%0A%3C%2Fresources%3E</Value>
</Call>
<Call attributeRef="A5" pipRef="P5" cachedValue="false">
<Value>write</Value>
</Call>
<EvaluationComplexity>36</EvaluationComplexity>
</ResultEntry>
</ResultEntries>
</EvaluationEvent>
| Line | Description |
|---|---|
| 3 | The ID of the Authorization Domain. |
| 4 | The object version of the Authorization Domain. |
| 5 | The time when the evaluation started. |
| 6 | Evaluation time in milliseconds for this request. |
| 7 | The identity of the caller. If ADS is started without authentication, this line will be excluded. |
| 8 | IP address and port number of the calling PEP. |
| 9 | The interface by which the client contacts ADS for authorization services. |
| 10 | Identity of the PDP as registered in ASM. For ADS this is always an empty string. |
| 11-20 | The XACML request evaluated by ADS. |
| 21-45 | The definition of an Attribute Connector that was called during evaluation, where refId is the evaluation-unique identifier by which the Call elements in this evaluation refer to this Attribute Finder, Id is the unique identifier of the Attribute Connector object, Type is the Attribute Connector type, and Version is the object version of the Attribute Connector. |
| 46-50 | The definition of an external attribute that was used during evaluation and whose values were fetched from an Attribute Finder (PIP), where refId is the evaluation-unique identifier by which the Call elements in this evaluation refer to this attribute, id is the id of the attribute, category is the XACML category of the attribute, and datatype is the XACML datatype. |
| 51 | Element that contains individual ResultEntry elements. |
| 52 | Element that contains information about an individual XACML evaluation. For a normal XACML evaluation there is exactly one ResultEntry element; for an MDP (Multiple Decision Profile) request there are multiple ResultEntry elements. |
| 53-58 | The XACML result of the evaluation. |
| 54 | The XACML Decision (Permit, Deny, NotApplicable, Indeterminate) |
| 55-57 | The status of the evaluation (OK, processing error). |
| 59-73 | Attribute values fetched from an Attribute Connector and used in the evaluation. attributeRef refers to the Attribute definition the values belong to, pipRef refers to the Attribute Connector the values were fetched from, and cachedValue indicates whether the values were served from the cache. |
| 74 | A metric indicating the complexity of the evaluation process, measured by the number of steps required. |
Administrative event log example
The following text is a sample log entry for an administrative event, with explanations provided in the table below:
"thread":"main","message":"Domain with id 08922b78-48f7-4147-b9eb-ae0034b6ccd0 was loaded","level":"INFO","timestamp":1629726715756,"logger":"com.axiomatics.audit.ads.admin"
| Item | Description |
|---|---|
| thread | Which thread of the log stream this entry belongs to. |
| message | The event that was logged. |
| level | The severity level of the event (INFO in the sample above). |
| timestamp | The time of the event. |
| logger | The logger that produced the event. |
Administrative event log description
Administrative events have a single output layout; the concise/verbose option applies only to evaluation events.