Version: 1.17

Audit logging

Audit logs in Access Decision Service (ADS) are detailed records that capture and store information about every authorization request processed by the service. These logs are essential for monitoring, security, and compliance purposes.

Audit logs in ADS can usually be customized to suit your deployment's needs. This includes adjusting the level of detail recorded, specifying which types of events to log, and determining how long logs should be retained. Proper management and analysis of these logs are critical for maintaining the security and integrity of the access control system.

Audit logging is disabled by default in ADS. However, when enabled, it will track every authorization request processed. This includes detailed records of the attributes involved, their sources, and the specific values used during request evaluation.

You can enable or disable audit logging in the deployment.yaml configuration file. See Enable audit logging for instructions on how to enable this feature.

Basic and additional logging options

Audit logging is part of the basic configuration options for logs in ADS. However, you can enable additional logging configurations.

  • For more details on basic logging options refer to the Logging section under Basic configuration.
  • For more details on additional logging options refer to the Additional logging properties section under Additional configuration.

Logging events

The audit logs produced by ADS contain two types of logging events:

  • Evaluation Events: These events cover the specifics of access requests, including the queries made and the system's responses.
  • Administrative Events: These focus on modifications made to the ADS configuration during runtime.

You can configure the inclusion of either event type in the audit logs. You can find detailed instructions on separating these event types within the audit log output in Separate event types in the audit log output.

By default, the log output for evaluation events uses a concise format: information not essential to auditing is excluded from the evaluation events. To switch the output to the verbose format instead of the default concise format, refer to the section Enable verbose audit logging.

Audit log message format

Audit log messages are recorded one per line in US-ASCII. Parameter values within these messages use a variant of the RFC 3986 percent-encoding scheme to represent special and reserved characters.

Parameter values are UTF-8 encoded to octet streams that are subsequently percent-encoded as needed.

In practice the logger URL-encodes the value of every parameter, but leaves the following characters unencoded:

'|', '~', '!', '#', '$', '&', '\'', '(', ')', '*', '+', '/', ':', ';', '?', '@', '[', ']', '\'', '-', '.', '<', '>', '\\', '^', '_', '`'

Evaluation event log example (concise)

The following XML snippet shows a sample log entry in the default concise format; the table below explains each line in detail. The record is pretty-printed here for readability, whereas in the log file each message occupies a single line.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId>
 <Timestamp>2020-07-02T07:55:28.379Z</Timestamp>
 <ClientIdentity>Username%3A+ads-user</ClientIdentity>
 <ClientSource>127.0.0.1:53633</ClientSource>
 <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false">
  <xacml-ctx:RequestDefaults>
   <xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
  </xacml-ctx:RequestDefaults>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
   <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
    <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
   </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
 </xacml-ctx:Request>
 <ResultEntries>
  <ResultEntry>
   <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
   </xacml-ctx:Result>
   <Call attributeRef="A1">
    <Value>Stockholm</Value>
   </Call>
   <Call attributeRef="A2">
    <Value>QA</Value>
   </Call>
   <Call attributeRef="A3">
    <Value>Engineering</Value>
   </Call>
   <Call attributeRef="A4">
    <Value>%3C%3Fxml+version%3D%271.0%27%3F%3E%0A%3Cresources+xmlns%3D%27http%3A%2F%2Fietf.org%2Fns%2Fhome-documents%27+xmlns%3Aatom%3D%27http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%27%3E%0A++%3Cresource+rel%3D%27http%3A%2F%2Fdocs.oasis-open.org%2Fxacml%2Fns%2Frelation%2Fpdp%27%3E%0A++++%3Catom%3Alink+href%3D%27%2Fauthorize%27%2F%3E%0A++%3C%2Fresource%3E%0A%3C%2Fresources%3E</Value>
   </Call>
   <Call attributeRef="A5">
    <Value>write</Value>
   </Call>
  </ResultEntry>
 </ResultEntries>
</EvaluationEvent>
Line number   Description
3             The ID of the Authorization Domain.
4             The time when the evaluation started.
5             The identity of the caller. If ADS is started without authentication, this line is omitted.
6             IP address and port number of the calling PEP.
7-16          The XACML request evaluated by ADS.
17            Element that contains the individual ResultEntry elements.
18            Element that contains information about an individual XACML evaluation. A normal XACML evaluation produces exactly one ResultEntry element; an MDP (Multiple Decision Profile) request produces multiple ResultEntry elements.
19-24         The XACML result of the evaluation.
20            The XACML Decision (Permit, Deny, Not applicable, Indeterminate).
21-23         The status of the evaluation (OK, processing error).
25-39         Attribute values that were fetched from an Attribute Connector and used in the evaluation. The attributeRef attribute identifies which attribute the values belong to.

Line description, evaluation log example (concise)

Evaluation event log example (verbose)

The following XML snippet shows a sample log entry in the verbose format; the table below explains each line in detail. As with the concise example, the record is pretty-printed here but occupies a single line in the log file.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId>
   <GroupVersion>0</GroupVersion>
   <Timestamp>2020-07-02T07:55:28.379Z</Timestamp>
   <EvaluationTimeMillis>510</EvaluationTimeMillis>
   <ClientIdentity>Username%3A+ads-user</ClientIdentity>
   <ClientSource>127.0.0.1:53633</ClientSource>
   <InterfaceType>REST</InterfaceType>
   <PdpIdentity />
   <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false">
     <xacml-ctx:RequestDefaults>
       <xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
     </xacml-ctx:RequestDefaults>
     <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
       <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
       </xacml-ctx:Attribute>
     </xacml-ctx:Attributes>
   </xacml-ctx:Request>
   <Pip refId="P1">
     <Id>318ce3f1-c4dd-4540-be17-73766fe9afed</Id>
     <Type>com.axiomatics.attributeconnector.ldap.LDAPAttributeFinder</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P2">
     <Id>13371bff-a2db-4e17-9dba-166747dfd047</Id>
     <Type>com.axiomatics.attributeconnector.jdbc.SQLAttributeFinder</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P3">
     <Id>3c629267-2cda-4c91-bb14-ccc272c1d94e</Id>
     <Type>com.axiomatics.attributeconnector.table.TableAttributeFinder</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P4">
     <Id>6c07041e-17a2-4982-92e1-ff137f09b947</Id>
     <Type>com.axiomatics.pip.http.HttpClient</Type>
     <Version>0</Version>
   </Pip>
   <Pip refId="P5">
     <Id>b5dda2a1-7cba-43e0-a658-36168a071d64</Id>
     <Type>com.axiomatics.pip.parser.XmlParser</Type>
     <Version>0</Version>
   </Pip>
   <Attribute refId="A3" id="department" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A5" id="urn:oasis:names:tc:xacml:1.0:action:action-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A1" id="location" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A2" id="role" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <Attribute refId="A4" id="entrypoint" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
   <ResultEntries>
     <ResultEntry>
       <xacml-ctx:Result>
         <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
         <xacml-ctx:Status>
            <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
         </xacml-ctx:Status>
       </xacml-ctx:Result>
       <Call attributeRef="A1" pipRef="P1" cachedValue="false">
         <Value>Stockholm</Value>
       </Call>
       <Call attributeRef="A2" pipRef="P2" cachedValue="false">
         <Value>QA</Value>
       </Call>
       <Call attributeRef="A3" pipRef="P3" cachedValue="false">
         <Value>Engineering</Value>
       </Call>
       <Call attributeRef="A4" pipRef="P4" cachedValue="false">
         <Value>%3C%3Fxml+version%3D%271.0%27%3F%3E%0A%3Cresources+xmlns%3D%27http%3A%2F%2Fietf.org%2Fns%2Fhome-documents%27+xmlns%3Aatom%3D%27http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%27%3E%0A++%3Cresource+rel%3D%27http%3A%2F%2Fdocs.oasis-open.org%2Fxacml%2Fns%2Frelation%2Fpdp%27%3E%0A++++%3Catom%3Alink+href%3D%27%2Fauthorize%27%2F%3E%0A++%3C%2Fresource%3E%0A%3C%2Fresources%3E</Value>
       </Call>
       <Call attributeRef="A5" pipRef="P5" cachedValue="false">
         <Value>write</Value>
       </Call>
       <EvaluationComplexity>36</EvaluationComplexity>
     </ResultEntry>
   </ResultEntries>
</EvaluationEvent>
Line number   Description
3             The ID of the Authorization Domain.
4             The object version of the Authorization Domain.
5             The time when the evaluation started.
6             Evaluation time in milliseconds for this request.
7             The identity of the caller. If ADS is started without authentication, this line is omitted.
8             IP address and port number of the calling PEP.
9             The interface by which the client contacts ADS for authorization services.
10            Identity of the PDP as registered in ASM. For ADS this is always an empty string.
11-20         The XACML request evaluated by ADS.
21-45         The definition of an Attribute Connector that was called during evaluation, where
                refId - the evaluation-unique identifier by which the Call elements of this evaluation refer to this Attribute Finder
                Id - the unique identifier of the Attribute Connector object
                Type - the Attribute Connector type
                Version - the object version of the Attribute Connector
46-50         The definition of an external attribute that was used during evaluation and whose values were fetched from an Attribute Finder (PIP), where
                refId - the evaluation-unique identifier by which the Call elements of this evaluation refer to this attribute
                id - the id of the attribute
                category - the XACML category of the attribute
                datatype - the XACML datatype
51            Element that contains the individual ResultEntry elements.
52            Element that contains information about an individual XACML evaluation. A normal XACML evaluation produces exactly one ResultEntry element; an MDP (Multiple Decision Profile) request produces multiple ResultEntry elements.
53-58         The XACML result of the evaluation.
54            The XACML Decision (Permit, Deny, Not applicable, Indeterminate).
55-57         The status of the evaluation (OK, processing error).
59-73         Attribute values that were fetched from an Attribute Connector and used in the evaluation. The attributeRef attribute identifies which attribute the values belong to; the pipRef attribute identifies the Attribute Connector the values were fetched from; the cachedValue attribute indicates whether the values were obtained from the cache.
74            A metric indicating the complexity of the evaluation process, measured as the number of steps required.

Line description, evaluation log example (verbose)
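The following Python script is an added example and is not part of the ADS documentation or the Axiomatics product. It parses one EvaluationEvent record as described in the message-format section and in the two evaluation examples above: it resolves the attributeRef and pipRef references of the verbose format (the lookups return None for concise records, which carry no Pip or Attribute definitions), extracts the decision and status of each ResultEntry, and percent-decodes parameter values. In the page's samples the characters : and / appear percent-encoded even though the exclusion list names them, so the decoder decodes whatever is encoded rather than relying on that list; '+' is decoded to a space, as the ClientIdentity value shows. The embedded record is the page's verbose sample trimmed to two PIPs, two attributes and two calls; the dict layout and the needs_review helper are this example's own assumptions.

```python
# Added example (not part of the ADS documentation or the Axiomatics product):
# parse one EvaluationEvent audit record and decode its percent-encoded values.
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

NS = {
    "ev": "http://www.axiomatics.com/v1/EvaluationEvent",
    "xacml-ctx": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
}

# Constructed sample: the page's verbose record, trimmed to two PIPs, two
# attributes and two calls. In a real log the whole record sits on one line.
SAMPLE_VERBOSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId>
 <GroupVersion>0</GroupVersion>
 <Timestamp>2020-07-02T07:55:28.379Z</Timestamp>
 <EvaluationTimeMillis>510</EvaluationTimeMillis>
 <ClientIdentity>Username%3A+ads-user</ClientIdentity>
 <ClientSource>127.0.0.1:53633</ClientSource>
 <InterfaceType>REST</InterfaceType>
 <PdpIdentity />
 <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
   <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
    <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
   </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
 </xacml-ctx:Request>
 <Pip refId="P1"><Id>318ce3f1-c4dd-4540-be17-73766fe9afed</Id><Type>com.axiomatics.attributeconnector.ldap.LDAPAttributeFinder</Type><Version>0</Version></Pip>
 <Pip refId="P4"><Id>6c07041e-17a2-4982-92e1-ff137f09b947</Id><Type>com.axiomatics.pip.http.HttpClient</Type><Version>0</Version></Pip>
 <Attribute refId="A1" id="location" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
 <Attribute refId="A4" id="entrypoint" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/XMLSchema#string" />
 <ResultEntries>
  <ResultEntry>
   <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status><xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></xacml-ctx:Status>
   </xacml-ctx:Result>
   <Call attributeRef="A1" pipRef="P1" cachedValue="false"><Value>Stockholm</Value></Call>
   <Call attributeRef="A4" pipRef="P4" cachedValue="false"><Value>%3C%3Fxml+version%3D%271.0%27%3F%3E%0A%3Cresources+xmlns%3D%27http%3A%2F%2Fietf.org%2Fns%2Fhome-documents%27+xmlns%3Aatom%3D%27http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%27%3E%0A++%3Cresource+rel%3D%27http%3A%2F%2Fdocs.oasis-open.org%2Fxacml%2Fns%2Frelation%2Fpdp%27%3E%0A++++%3Catom%3Alink+href%3D%27%2Fauthorize%27%2F%3E%0A++%3C%2Fresource%3E%0A%3C%2Fresources%3E</Value></Call>
   <EvaluationComplexity>36</EvaluationComplexity>
  </ResultEntry>
 </ResultEntries>
</EvaluationEvent>"""

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


def decode_param(value):
    """Reverse the audit-log value encoding: '+' is a space and each %XX is one
    octet of the UTF-8 representation (see the ClientIdentity sample)."""
    return unquote_plus(value or "", encoding="utf-8", errors="strict")


def parse_evaluation_event(xml_text):
    """Return a plain dict for one EvaluationEvent record (concise or verbose)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}EvaluationEvent" % NS["ev"]:
        raise ValueError("not an EvaluationEvent record")
    # Pip and Attribute definitions exist only in the verbose format; the
    # lookups below simply yield None for concise records.
    pips = {p.get("refId"): p.findtext("ev:Type", namespaces=NS)
            for p in root.findall("ev:Pip", NS)}
    attrs = {a.get("refId"): a.get("id") for a in root.findall("ev:Attribute", NS)}
    results = []
    for entry in root.findall("ev:ResultEntries/ev:ResultEntry", NS):
        calls = [{
            "attributeRef": c.get("attributeRef"),
            "attribute": attrs.get(c.get("attributeRef")),
            "pipRef": c.get("pipRef"),
            "pipType": pips.get(c.get("pipRef")),
            "cached": c.get("cachedValue") == "true",
            "values": [decode_param(v.text) for v in c.findall("ev:Value", NS)],
        } for c in entry.findall("ev:Call", NS)]
        status = entry.find("xacml-ctx:Result/xacml-ctx:Status/xacml-ctx:StatusCode", NS)
        results.append({
            "decision": entry.findtext("xacml-ctx:Result/xacml-ctx:Decision", namespaces=NS),
            "status": status.get("Value") if status is not None else None,
            "calls": calls,
        })
    subject_path = ".//xacml-ctx:Attribute[@AttributeId='%s']/xacml-ctx:AttributeValue" % SUBJECT_ID
    return {
        "domain": root.findtext("ev:GroupId", namespaces=NS),
        "timestamp": root.findtext("ev:Timestamp", namespaces=NS),
        # ClientIdentity is absent when ADS runs without authentication.
        "client": decode_param(root.findtext("ev:ClientIdentity", namespaces=NS)) or None,
        "source": root.findtext("ev:ClientSource", namespaces=NS),
        "interface": root.findtext("ev:InterfaceType", namespaces=NS),  # verbose only
        "subject": root.findtext(subject_path, namespaces=NS),
        "results": results,
        "mdp": len(results) > 1,  # more than one ResultEntry means an MDP request
    }


def needs_review(event):
    """True when any result is not a clean Permit: Deny, Not applicable,
    Indeterminate or a non-OK status code all deserve a second look."""
    return any(r["decision"] != "Permit" or r["status"] != STATUS_OK
               for r in event["results"])
```

Because the record may carry multiple ResultEntry elements for an MDP request, the parser returns a list of results and sets mdp accordingly; the decoded value of attribute A4 shows why values are encoded at all, since it contains newlines and markup that would otherwise break the one-record-per-line layout.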

Administrative event log example

The following text is a sample log entry for an administrative event, with explanations provided in the table below:

"thread":"main","message":"Domain with id 08922b78-48f7-4147-b9eb-ae0034b6ccd0 was loaded","level":"INFO","timestamp":1629726715756,"logger":"com.axiomatics.audit.ads.admin"
Item        Description
thread      The thread of the log stream this entry belongs to.
message     The event that was logged.
level       The severity level set for the logging configuration.
timestamp   The time of the event (in the sample above, a Unix epoch timestamp in milliseconds).
logger      The logger that produced the event.

Administrative event log description

Note

There is only one version of the administrative event output; the concise/verbose option is only relevant for evaluation events.
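The following Python script is an added example and is not part of the ADS documentation or the Axiomatics product. It shows how a log consumer can tell the two event types apart when they share one audit output, as the Logging events section describes, and how to parse the administrative record format shown above. The first sample line is the page's administrative event exactly as printed, without enclosing braces; the parser accepts both that form and a complete JSON object. Extracting object ids from the message text by UUID pattern, so that a domain load can be correlated with the GroupId of later evaluation events, is an assumption of this example and not a documented ADS contract.

```python
# Added example (not part of the ADS documentation or the Axiomatics product):
# split a mixed audit stream into evaluation and administrative events and
# parse the administrative JSON records.
import json
import re
from datetime import datetime, timezone

# Constructed sample stream. Line 1 is the page's administrative event as
# printed there (no enclosing braces); line 2 is the same event as a complete
# JSON object; line 3 is a minimal evaluation event line.
SAMPLE_STREAM = [
    '"thread":"main","message":"Domain with id 08922b78-48f7-4147-b9eb-ae0034b6ccd0 was loaded","level":"INFO","timestamp":1629726715756,"logger":"com.axiomatics.audit.ads.admin"',
    '{"thread":"main","message":"Domain with id 08922b78-48f7-4147-b9eb-ae0034b6ccd0 was loaded","level":"INFO","timestamp":1629726715756,"logger":"com.axiomatics.audit.ads.admin"}',
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent"><GroupId>4f1c96e8-9749-4233-b170-9560c5905904</GroupId></EvaluationEvent>',
]

REQUIRED_KEYS = ("thread", "message", "level", "timestamp", "logger")
# Assumption of this example: object ids mentioned in messages are UUIDs.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def classify_line(line):
    """Evaluation events are XML records; administrative events are JSON."""
    s = line.lstrip()
    if s.startswith("<?xml") or s.startswith("<EvaluationEvent"):
        return "evaluation"
    if s.startswith("{") or s.startswith('"'):
        return "administrative"
    return "unknown"


def parse_admin_event(line):
    """Parse one administrative event. Tolerates a record printed without its
    enclosing braces, as in the page's sample."""
    s = line.strip()
    if not s.startswith("{"):
        s = "{" + s + "}"
    rec = json.loads(s)
    missing = [k for k in REQUIRED_KEYS if k not in rec]
    if missing:
        raise ValueError("administrative event missing %s" % ", ".join(missing))
    ms = int(rec["timestamp"])  # epoch milliseconds, as in the sample
    when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    when = when.replace(microsecond=(ms % 1000) * 1000)
    return {
        "thread": rec["thread"],
        "level": rec["level"],
        "logger": rec["logger"],
        "message": rec["message"],
        "time": when.isoformat(timespec="milliseconds"),
        # Ids in the message (here the Authorization Domain id) are the join
        # key to the GroupId of later evaluation events for that domain.
        "object_ids": UUID_RE.findall(rec["message"]),
    }


def split_stream(lines):
    """Route each line by event type; returns (admin_events, eval_lines, unknown_lines)."""
    admin, evals, unknown = [], [], []
    for line in lines:
        kind = classify_line(line)
        if kind == "administrative":
            admin.append(parse_admin_event(line))
        elif kind == "evaluation":
            evals.append(line)
        else:
            unknown.append(line)
    return admin, evals, unknown
```

The evaluation lines are passed through unparsed here; they are the input an EvaluationEvent parser would consume. Lines that match neither shape are kept separately rather than dropped, so that a malformed or truncated record is visible to whoever monitors the audit pipeline.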