
For auditing and other serviceability purposes, Security Access Manager uses a structured hierarchy of events. This hierarchy is built dynamically and allows run-time associations to be made between event categories and the log agents that record those events.

Figure 5 shows the hierarchy of Security Access Manager events in the event pool.

Natively, Security Access Manager generates and can record the following primary categories of events:

Audit events

For information about audit events, see Chapter 19, “Audit event logging,” on page 173.

HTTP request events

For information about HTTP request events, see Chapter 20, “WebSEAL HTTP logging,” on page 197.

Statistical events

For information about statistical events, see Chapter 21, “Working with statistics,” on page 205.

Trace events

For information about trace events, see IBM Security Access Manager for Web Troubleshooting Guide.

Native auditing

Auditing is defined as the logging of audit records. It includes the collection of data about system activities that affect the secure operation of the Security Access Manager server processes. Each Security Access Manager server can capture audit events whenever any security-related auditable activity occurs.

Auditing uses the concepts of a record, an audit event, and an audit trail. Each audited activity is called an audit event. The output of a specific server event is called a record. An audit trail is a collection of multiple records that document the server activity.

Figure 5. Event pool hierarchy (figure not reproduced). Labels shown in the figure: event pool; the categories audit, trace, stats, and http; and the sub-categories authn, azn, pd, ras, and log.

When configuring for auditing, think about the source of the events that you want to capture. Audit trail files can capture authorization, authentication, and management events that are generated by the Security Access Manager servers. There are multiple sources for auditing events that you want to gather. You can collect either a combination or all the different types of auditing events at the same time. Table 1 shows some of the event types that can be used for native auditing.

Table 1. Categories and description of native audit events

Event category             Description
audit.authz                Authorization events for WebSEAL servers
audit.azn                  Authorization events for base servers
audit.authn                Authentication, credential acquisition authentication, password change, and logout events
audit.authn.successful     Successful authentication, credential acquisition authentication, password change, and logout events
audit.authn.unsuccessful   Failed authentication, credential acquisition authentication, password change, and logout events
audit.http                 HTTP access events
audit.http.successful      Successful HTTP access events
audit.http.unsuccessful    Failed HTTP access events
audit.mgmt                 Management events
http                       HTTP logging information
http.clf                   HTTP request information defined by the request-log-format configuration entry in the [logging] stanza. clf stands for common log format.
http.ref                   HTTP Referrer header information
http.agent                 HTTP User Agent header information

Statistics gathering

Security Access Manager servers provide a series of modules that can monitor and collect information about specific server activity. After enabling a module, you can display the statistical information that it gathered since it was enabled. In addition to displaying this information, you can direct these statistics to a log file.

You can work with statistics with the server task stats command or with stanza entries in the configuration file for the specific server.

When you display statistics, you see a snapshot of the statistics. These statistics provide a view of the recorded activity. If you capture statistics at regular intervals, you can perform trend analysis of the server activity.

For information about enabling and working with the statistics gathering modules, see Chapter 21, “Working with statistics,” on page 205.

Logging process

Figure 6 depicts the relationships among the steps in the logging process. The top part of the figure represents the code of a Security Access Manager server. The code contains probe points where events of specific types can be generated. Generated events are submitted to the server event pool for possible recording through a point of capture (event sink). The event pool defines the event categories.

At run time, you can subscribe a log agent at any point in the event pool hierarchy. You can selectively record events that are generated at the probe points for the program. The middle part of the figure depicts subscription.

For example, you can subscribe a remote log client to capture events. This client forwards the selected events to a remote authorization server.

The lower part of the figure depicts this remote server. Relayed events are placed in the event pool at the remote probe points for the authorization server.
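The event hierarchy of Table 1 and the run-time subscription of log agents described in this chapter, as an added Python model that is not part of the product or of this guide. It assumes that an agent subscribed at a node of the dotted hierarchy receives the events generated at that node and at every node below it; the records and agents are constructed for the demonstration.

```python
from collections import defaultdict

# Event categories from Table 1; the dotted names form the hierarchy
# (audit.authn.unsuccessful lies below audit.authn, which lies below audit).
CATEGORIES = [
    "audit.authz", "audit.azn", "audit.authn",
    "audit.authn.successful", "audit.authn.unsuccessful",
    "audit.http", "audit.http.successful", "audit.http.unsuccessful",
    "audit.mgmt", "http", "http.clf", "http.ref", "http.agent",
]
# Every node of the hierarchy, including the roots "audit" and "http".
NODES = {".".join(c.split(".")[:i]) for c in CATEGORIES
         for i in range(1, c.count(".") + 2)}


class EventPool:
    """Model of the event pool: a log agent subscribes at any node and
    receives the events generated at that node and below it."""

    def __init__(self):
        self._agents = defaultdict(list)   # node name -> [agent callables]

    def subscribe(self, node, agent):
        if node not in NODES:
            raise ValueError(f"unknown event category: {node}")
        self._agents[node].append(agent)

    def submit(self, category, record):
        """Deliver a record from a probe point to every agent subscribed at the
        category or at one of its ancestors; return the nodes that matched."""
        matched = []
        parts = category.split(".")
        for depth in range(len(parts), 0, -1):
            node = ".".join(parts[:depth])
            for agent in self._agents.get(node, []):
                agent(category, record)
                matched.append(node)
        return matched


def demo():
    """Two agents: an audit trail capturing everything under 'audit', and an
    agent that records only failed authentications (constructed records)."""
    pool = EventPool()
    audit_trail, failed_logins = [], []
    pool.subscribe("audit", lambda cat, rec: audit_trail.append((cat, rec)))
    pool.subscribe("audit.authn.unsuccessful", lambda cat, rec: failed_logins.append(rec))
    pool.submit("audit.authn.unsuccessful", {"user": "alice", "outcome": "fail"})
    pool.submit("audit.azn", {"user": "alice", "resource": "/secure", "outcome": "permit"})
    pool.submit("http.clf", {"line": "GET /index.html 200"})  # nobody subscribed to http
    return audit_trail, failed_logins
```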

Audit data in UTF-8 format

Security Access Manager produces audit data that uses UTF-8 encoding. When the operating system uses a non-UTF-8 code page, Security Access Manager converts the data to a format that matches the non-UTF-8 code page. In some cases, the conversion can result in data loss. For this reason, run Security Access Manager in an environment that uses UTF-8 encoded code pages.

Figure 6. Logging process (figure not reproduced). Labels shown in the figure: a Security Access Manager server with its event sink, event pool, and subscribed log agents (console adaptor, file adaptor, pipe adaptor) writing to a console log, log files, and a remote log client with an event cache; a remote logging authorization server with its own event sink, event pool, subscribed log agents, and remote log server; and other networked log clients.

When the operating system does not use a UTF-8 code page, the conversion to UTF-8 can result in data loss. When data loss occurs, the log file contains a series of question mark (?) characters at the location where the data conversion was problematic.

When running in a non-UTF-8 locale, use the UTF8FILE type in the routing file. For more information about the UTF8FILE type, see Appendix A, “Routing files,” on page 371.
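The data loss described above, as an added Python example that is not part of the product or of this guide: it simulates converting UTF-8 audit data to a non-UTF-8 code page, where each unrepresentable character becomes a question mark, and counts the characters lost. The audit records are constructed samples, not real log output.

```python
def convert_to_code_page(record: str, code_page: str) -> str:
    """Convert a UTF-8 audit record to the OS code page, replacing each
    character the code page cannot represent with '?' (the marker the
    guide says appears in the log file)."""
    return record.encode(code_page, errors="replace").decode(code_page)


def lost_characters(record: str, code_page: str) -> int:
    """Number of characters of `record` that would be lost when written in
    `code_page`. A '?' already present in the record (for example in a
    query string) is not counted, so only conversion damage is reported."""
    converted = convert_to_code_page(record, code_page)
    return sum(1 for orig, conv in zip(record, converted)
               if orig != "?" and conv == "?")


# Constructed sample records; the user names contain characters that are
# outside the ASCII code page, and the second is outside Windows-1252 too.
SAMPLE_RECORDS = [
    'audit.authn.unsuccessful user="Zoë" outcome=fail',
    'audit.azn user="張偉" resource="/secure/app?id=7" outcome=permit',
]


def conversion_report(records=SAMPLE_RECORDS, code_page="cp1252"):
    """Return {record: number of characters lost} for the chosen code page;
    a non-zero count means the written log line would contain '?' markers."""
    return {r: lost_characters(r, code_page) for r in records}
```

Running the report with code_page="utf-8" gives zero for every record, which is the situation the guide recommends.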
