Configure audit service providers using scripting

Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Configure security auditing using scripting

Configure audit service providers using scripting

Before enabling security auditing, use this task to configure audit service providers using wsadmin. Security auditing provides tracking and archiving of auditable events.
Before configuring security audit service providers, enable administrative security in the environment.
New feature: Beginning in WAS v8.0 you can configure the server to use the High Performance Extensible Logging (HPEL) log and trace infrastructure instead of using SystemOut.log , SystemErr.log, trace.log, and activity.log files or native z/OS logging facilities. If you are using HPEL, you can access all of your log and trace information using the LogViewer command-line tool from your server profile bin directory. See the information about using HPEL to troubleshoot applications for more information on using HPEL.New feature:
In order to enable security auditing in the environment, configure an audit service provider. The audit service provider writes the audit records and data to the back-end repository associated with the service provide implementation. The security auditing configuration provides a default service provider. Use this topic to customize your security auditing subsystem by creating additional audit service providers.
Use the following steps to configure the security auditing subsystem using wsadmin:

Procedure
Launch wsadmin.sh using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
Configure an audit service provider. We can use the default binary-based audit service provider, or use this step to create a new audit service provider.
There are binary file-based and third-party audit service providers. In addition to the default binary file-based service provider, you can configure a third-party audit service provider.
Choose the type of audit service provider to create.
Use the createBinaryEmitter command and the following required parameters to create a default audit service provider:

Command parameters. This table describes the createBinaryEmitter command parameters.

Parameter Description Data Type Required
-uniqueName Unique name that identifies the audit service provider. String Yes
-className Class implementation of the audit service provider interface. String Yes
-fileLocation File location for the audit service provider to write the audit logs. String Yes
-auditFilters Specifies a reference or a group of references to predefined audit filters, using the following format: reference, reference, reference String Yes
-wrapBehavior Specifies a string representing the customizable behavior for binary audit log wrapping.
There are three values for this parameter: WRAP, NOWRAP and SILENT_FAIL
If you use the WRAP option, when the maximum logs are reached, the oldest audit log is rewritten; notification is not sent to the auditor.
The NOWRAP option does not rewrite over the oldest audit log. It stops the audit service, sends a notification to the SystemOut.log, and quiesces the application server.
The SILENT_FAIL option does not rewrite over the oldest audit log. It also stops the audit service, but does allow the WebSphere process to continue. Notifications are not posted in the SystemOut.log.
String Yes
-maxFileSize Maximum size each audit log reaches before the system saves it with a timestamp and creates a new file. Specify the file size in megabytes. If not specified, the system sets the maximum file size to 10 megabytes. Integer No
-maxLogs Maximum number of audit logs to create before rewriting the oldest log. If not specified, the system allows up to 100 audit logs before overwriting the oldest log. Integer No

The following example creates a new audit service provider in the security auditing configuration:
AdminTask.createBinaryEmitter('-uniqueName newASP  -wrapBehavior NOWRAP
-className com.ibm.ws.security.audit.BinaryEmitterImpl -fileLocation /AUDIT_logs
-auditFilters "AuditSpecification_1173199825608, AuditSpecification_1173199825609,
AuditSpecification_1173199825610, AuditSpecification_1173199825611"')
Use the createThirdPartyEmitter command to use a third-party audit service provider.

Command parameters. Use the following parameters with the createThirdPartyEmitter command:

Parameter Description Data Type Required
-uniqueName Unique name that identifies the audit service provider. String Yes
-className Class implementation of the audit service provider interface. String Yes
-eventFormatterClass Class that implements how the audit event is formatted for output. If not specified, the system uses the standard text format for output. String Yes
-auditFilters Specifies a reference identifier or a group of reference identifiers to pre-defined audit filters, using the following format: reference, reference, reference. String Yes
-customProperties Specifies any custom properties that might be required to configure a third party audit service provider. String No

The following example creates a new third party audit service provider in the security auditing configuration:
AdminTask.createThirdPartyEmitter('-uniqueName myAuditServiceProvider -className
com.mycompany.myclass -fileLocation /auditLogs -auditFilters
"AuditSpecification_1173199825608, AuditSpecification_1173199825609,
AuditSpecification_1173199825610, AuditSpecification_1173199825611"')
Save the configuration changes.
Save the configuration changes:
AdminConfig.save()
What to do next

Enable security auditing in the environment.
Configure auditable events using scripting
Configure audit event factories using scripting
Configure security auditing using scripting
Enable security auditing using scripting
Encrypting security audit data using scripting
Signing security audit data using scripting
Configure security audit notifications using scripting
Start the wsadmin scripting client using wsadmin.sh

Related

AuditKeyStoreCommands command group
AuditEmitterCommands
AuditSigningCommands command group
AuditEncryptionCommands command group
AuditEventFactoryCommands
AuditFilterCommands command group
AuditNotificationCommands command group
AuditPolicyCommands command group
AuditEventFormatterCommands command group

+
Search Tips | Advanced Search

Parameter	Description	Data Type	Required
-uniqueName	Unique name that identifies the audit service provider.	String	Yes
-className	Class implementation of the audit service provider interface.	String	Yes
-fileLocation	File location for the audit service provider to write the audit logs.	String	Yes
-auditFilters	Specifies a reference or a group of references to predefined audit filters, using the following format: reference, reference, reference	String	Yes
-wrapBehavior	Specifies a string representing the customizable behavior for binary audit log wrapping. There are three values for this parameter: WRAP, NOWRAP and SILENT_FAIL If you use the WRAP option, when the maximum logs are reached, the oldest audit log is rewritten; notification is not sent to the auditor. The NOWRAP option does not rewrite over the oldest audit log. It stops the audit service, sends a notification to the SystemOut.log, and quiesces the application server. The SILENT_FAIL option does not rewrite over the oldest audit log. It also stops the audit service, but does allow the WebSphere process to continue. Notifications are not posted in the SystemOut.log.	String	Yes
-maxFileSize	Maximum size each audit log reaches before the system saves it with a timestamp and creates a new file. Specify the file size in megabytes. If not specified, the system sets the maximum file size to 10 megabytes.	Integer	No
-maxLogs	Maximum number of audit logs to create before rewriting the oldest log. If not specified, the system allows up to 100 audit logs before overwriting the oldest log.	Integer	No