Audit logging in FirstSpirit
To ensure that FirstSpirit Servers operate securely and without problems, audit functions can be added to the FirstSpirit logging. They allow suspicious activities to be traced and attributed, which helps prevent permissions from being misused.
Logged activities
The following activities can be tracked:
- Creating / deleting projects
- Creating / deleting users
- Creating / deleting groups
- Adding users to / removing users from a project
- Installing / updating / deleting modules
- Creating / updating / deleting schedule entries (globally and for a specific project)
- Creating / updating / deleting action templates (globally and for a specific project)
Log levels
There are three log levels that can be output: INFO, DEBUG, and TRACE.
- INFO: General output of who has made which change where. The “who” is defined by the user name, the user ID, and the session context.
- DEBUG: This log level also provides a simple, easy-to-understand comparison view of the changes.
- TRACE: This outputs all the modified configurations in full. Changes are highlighted so they are easy to spot.
Enabling audit logging
Audit logging is disabled by default, but can be activated in fs-server.conf by setting the parameter audit.logging.enabled=true. Once enabled, audit log output is written persistently to the fs-server.log file by default. Audit logging behavior should be adjusted using the Log4j configuration within fs-logging.conf (see Logging configuration).
Basic audit logging configuration example
Example configuration of basic audit logging at the DEBUG level with an output in fs-audit.log:
# enable audit logging
log4j.logger.de.espirit.firstspirit.logging.audit=DEBUG, audit
# disable root logger for audit logging (fs)
log4j.additivity.de.espirit.firstspirit.logging.audit=false
log4j.appender.audit=org.apache.log4j.RollingFileAppender
log4j.appender.audit.File=/home/fstester07/firstspirit/log/fs-audit.log
log4j.appender.audit.MaxFileSize=5MB
# keep only one backup file (active file plus one 5MB backup; older entries are discarded)
log4j.appender.audit.MaxBackupIndex=1
log4j.appender.audit.layout=org.apache.log4j.PatternLayout
log4j.appender.audit.layout.ConversionPattern=%p %d (%c) %m%n
Example configuration with output of TRACE messages
Example audit logging with output of INFO and DEBUG messages in fs-audit.log and TRACE messages in fs-traceaudit.log:
# enable audit logging with two logfiles.
# The audit log for INFO and DEBUG and the traceAudit log for TRACE logging
log4j.logger.de.espirit.firstspirit.logging.audit=TRACE, audit, traceAudit
# disable root logger for audit logging (fs)
log4j.additivity.de.espirit.firstspirit.logging.audit=false
log4j.appender.audit=org.apache.log4j.RollingFileAppender
log4j.appender.audit.File=/home/fstester07/firstspirit/log/fs-audit.log
log4j.appender.audit.MaxFileSize=5MB
# don't log TRACE to the audit log
log4j.appender.audit.Threshold=DEBUG
# keep only one backup file
log4j.appender.audit.MaxBackupIndex=1
log4j.appender.audit.layout=org.apache.log4j.PatternLayout
log4j.appender.audit.layout.ConversionPattern=%p %d (%c) %m%n
log4j.appender.traceAudit=org.apache.log4j.RollingFileAppender
log4j.appender.traceAudit.File=/home/fstester07/firstspirit/log/fs-traceaudit.log
log4j.appender.traceAudit.MaxFileSize=5MB
# log TRACE only to the traceAudit log
log4j.appender.traceAudit.filter.a=org.apache.log4j.varia.LevelRangeFilter
log4j.appender.traceAudit.filter.a.LevelMin=TRACE
log4j.appender.traceAudit.filter.a.LevelMax=TRACE
# keep only one backup file
log4j.appender.traceAudit.MaxBackupIndex=1
log4j.appender.traceAudit.layout=org.apache.log4j.PatternLayout
log4j.appender.traceAudit.layout.ConversionPattern=%p %d (%c) %m%n
Example audit log entry
An example log entry at the INFO level, written when the members of a project group are changed, could look like this:
INFO 2018-07-10 08:34:50,443 (de.espirit.firstspirit.logging.audit.ProjectDTOLogger)
Benutzername ( id: 5471 ) changed project properties for
{ project : Mithras ; id : 296791 }
172.17.16.206 (fsSession=877290240094464842, fsLogin=FirstSpiritLogin,
session=SystemUser, client=Windows 10 10.0 amd64
(Java(TM) SE Runtime Environment 1.8.0_171-b11))
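As an added example (not part of the FirstSpirit documentation or product), the Python sketch below pulls audit records out of a log written with the `%p %d (%c) %m%n` pattern used above, for instance a shared fs-server.log, and extracts who changed what from where. The layout of the message fields is assumed from the single sample entry on this page; the non-audit line and its logger name are constructed.

```python
import re

AUDIT_PREFIX = "de.espirit.firstspirit.logging.audit"  # logger name from the page's config

# Record header as written by the page's ConversionPattern "%p %d (%c) %m%n".
HEADER = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\((?P<logger>[\w.$]+)\)\s*(?P<msg>.*)$")
# Message field shapes are ASSUMED from the single sample entry on the page.
ACTOR = re.compile(r"^(?P<user>.+?) \( id: (?P<user_id>\d+) \) (?P<action>[^{]*)")
TARGET = re.compile(r"\{ (?P<kind>\w+) : (?P<name>.+?) ; id : (?P<target_id>\d+) \}")
ORIGIN = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(fsSession=(?P<fs_session>-?\d+)")


def parse_audit(text):
    """Return one dict per audit record; wrapped continuation lines are joined."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                  # a new record starts here
            current = m.groupdict()
            records.append(current)
        elif current is not None and line.strip():
            current["msg"] += " " + line.strip()   # continuation of the message
    # Keep only records emitted by the audit loggers.
    audit = [r for r in records if r["logger"].startswith(AUDIT_PREFIX)]
    for r in audit:
        r["msg"] = r["msg"].strip()
        for rx in (ACTOR, TARGET, ORIGIN):
            hit = rx.search(r["msg"])
            if hit:
                r.update({k: v.strip() for k, v in hit.groupdict().items()})
    return audit


# First record: the sample entry from this page. Last line: constructed
# non-audit entry with a hypothetical logger name.
SAMPLE = """\
INFO 2018-07-10 08:34:50,443 (de.espirit.firstspirit.logging.audit.ProjectDTOLogger)
Benutzername ( id: 5471 ) changed project properties for
{ project : Mithras ; id : 296791 }
172.17.16.206 (fsSession=877290240094464842, fsLogin=FirstSpiritLogin,
session=SystemUser, client=Windows 10 10.0 amd64
(Java(TM) SE Runtime Environment 1.8.0_171-b11))
INFO 2018-07-10 08:35:02,100 (com.example.server.Startup) constructed non-audit line
"""

if __name__ == "__main__":
    for rec in parse_audit(SAMPLE):
        print(rec["ts"], rec["user"], rec["user_id"], rec["action"],
              rec["name"], rec["ip"], rec["fs_session"])
```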
Accessing log files via ServerMonitoring
The audit log files can be downloaded via the FirstSpirit ServerMonitoring. To do this, start ServerMonitoring and click “File download” under FirstSpirit / Configuration / System. Then open the directory log and pick the desired log file.
Log files can only be downloaded this way if they are located inside the FirstSpirit log directory. This can be configured via the Log4j settings in the fs-logging.conf file.