This topic discusses the auditing features available in an IBM InfoSphere Enterprise Records environment as well as how to configure and use these features. Also for more information on displaying an entity's audit history, refer to View Audit Log Entries. For more information on auditing, System Administrators should refer to the Help for Content Engine Administration, specifically Concepts: audit logging.
NOTE For Auto Destroy, use the standard CE audit mechanism, specifically the delete audit event to keep the destruction history, For more information, refer to Concepts: audit logging.
Using the auditing features available for IBM InfoSphere Enterprise Records, you can:
The Content Engine includes a number of system events that, if configured for auditing, are automatically recorded to the audit log when the event occurs. Examples of these events include creating an object and filing an object into a folder. IBM InfoSphere Enterprise Records adds to the object store the custom event, RMAudit, which records IBM InfoSphere Enterprise Records events such as relocating or destroying an entity.
Each recorded event is stored in Content Engine as an object, and you can perform operations—such as searching, exporting, and examining properties—on these recorded event objects.
When a IBM InfoSphere Enterprise Records data model is imported into an object store, the RMAudit event is added to the object store. In addition, the event is automatically subscribed to for an FPOS's RecordCategory, RecordFolder, and Volume classes, and you can manually configure this event for the Record class. (Note, however, that auditing is not automatically enabled for the object store.)
The RMAudit event records an audit entry whenever any of the following actions are performed on an entity:
In addition to recording audit events for the above-mentioned IBM InfoSphere Enterprise Records actions, you can configure auditing for the following system events supplied with Content Engine. The following table lists a subset of the available system events; the listed events are those you are probably most interested in auditing for IBM InfoSphere Enterprise Records.
Event | Logged when | Applies to |
---|---|---|
Creation | An instance of a class is created (includes declaring a record--configure the event for the Record class on the FPOS). | You can audit this event for any class, including the RecordCategory, RecordFolder, Volume, and Record classes in the FPOS, and the Document class in the ROS. |
Deletion | An object is deleted from the object store. | You can audit this event for any class. |
File | An object is filed in a folder (includes creating a subfolder and the automatic filing that occurs when declaring a record). | You can audit this event for any Folder class (and subclass), including the RecordCategory, RecordFolder, and Volume classes in the FPOS. |
GetContent | The content of a content-carrying object is retrieved (for example, when a user views the content of a document). | You can audit this event for any Document class (and subclass). To audit when a user displays a document's content, enable this event on the ROS. |
GetObject | An object is retrieved from the content engine (which includes retrieval attempts by the IBM InfoSphere Enterprise Records application). | You can audit this event for any class. |
Query | A query is performed (which includes queries the IBM InfoSphere Enterprise Records application performs as part of its processing). | You can audit this event for any class (except VersionSeries). |
Unfile | An object is removed (unfiled) from a folder (includes deleting a subfolder). | You can audit this event for any Folder class (and subclass), including the RecordCategory, RecordFolder, and Volume classes in the FPOS. |
Update | An object's properties are changed (which includes marking a container as Vital and activating or inactivating a container). | You can audit this event for any class. |
UpdateSecurity | The security of an object is changed. Note, however, that a failure will not be logged when a user attempts to delete an object from the IBM InfoSphere Enterprise Records application and the attempt is unsuccessful because the deletion is protected by a marking (which is the case with some IBM InfoSphere Enterprise Records objects). | You can audit this event for any class (except ReferentialContainmentRelationship and VersionSeries). |
When you enable and configure audit logging on an object store, the system generates audit log entries. These entries exist as a table in a database in the object store. To perform actions on the log (such as viewing or exporting it), you first run a query for the events you want and then perform the action, if necessary, against the result set of the query. Audit events remain in the audit log even if the audited object is deleted. For detailed information about audit logs, including information on how to delete unneeded log entries and manage the log size, see Concepts: audit logging in the Help for Content Engine Administration.
The audit log stores the following information:
Some audit log entries can contain additional information, depending on the type of audit event that occurred. For example, a successful Query event logs the original query text from which the query was generated as well as the class ID of the object that was the subject of the audit event.
The following lists the symbolic name and a brief description of the properties available for audit events. Properties that are specific to the RMAudit event are AuditActionType, ReasonForAction, Reviewer, and RMEntityDescription.
AuditActionType – For an RMAudit event, specifies the type of audit action, such as Delete, Relocate, Destroy, Transfer, Interim Transfer, or Review.
AuditLevel – For an AuditConfiguration event, specifies the level of auditing (auditing disabled = 0, auditing enabled = 1).
ContainmentName – For a File and Unfile event, specifies the name of the object added or removed from the container object.
Creator – For all events, specifies the short name of the user who generated the event (the user who created the event object).
DateCreated – For all events, contains the date and time the event was generated (the date and time the event object was created). Content Engine stores dates and times using Coordinated Universal Time (UTC).
DateLastModified – For all events, contains the date and time the event was last modified (the date and time the event object was last modified).
EventStatus – For all events, indicates whether the operation that generated this event was successful (0) or not (an internally-used error code).
LastModifier – For all events, contains the short name of the user who last modified the event object.
LifecycleOperation – For a ChangeState event, specifies the lifecycle operation performed on the source object.
ModifiedProperties – For a ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Custom, DemoteVersion, Freeze, Lock, PromoteVersion, RMAudit, Unlock, Update, and UpdateSecurity event, specifies a list of the symbolic names of the properties modified by the operation being audited.
ObjectType – For all events, specifies a number that denotes the base type of an object. For event objects, the value is always 1180.
QueryText – For a Query event, specifies the original text from which the query was generated.
ReasonForAction – For an RMAudit event, specifies the reason for the action. This field is populated with the value entered by the user in the Review Comments field while completing the workflow.
Reviewer – For an RMAudit event, specifies the name of the user who performed the action that generated the event (the user who started the IBM InfoSphere Enterprise Records workflow queue).
RMEntityDescription – For an RMAudit event, specifies a description for the audited action where appropriate. For example, a Relocate action might be described as "RM entity 'MyRecordFolder' moved from source '/Records Management/My File Plan/My Record Category' to destination '/Records Management/My File Plan/Another Record Category')
SourceClassId – For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, File, Freeze, GetContent, GetObject, Lock, PromoteVersion, Query, RMAudit, Unfile, Unlock, Update and UpdateSecurityEvent event, specifies the class ID of the object that is the subject of an audit event.
SourceObject – For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, File, Freeze, Lock, PromoteVersion, RMAudit, Unfile, Unlock, Update, and UpdateSecurity event, specifies a snapshot of the object that is the source of an audit event at the time the event occurred. (Note that the object reference contained in this property represents the object in its state when the event occurred, and might be different from the object's current state.)
SourceObjectId – For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, File, Freeze, GetContent, GetObject, Lock, PromoteVersion, RMAudit, Unfile, Unlock, Update, and UpdateSecurity event, specifies the ID of the object that is the subject of an audit event.
VersionSeriesId – For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, Freeze, Lock, PromoteVersion, RMAudit, Unlock, Update, and UpdateSecurity event, specifies (where relevant) the ID of the version series for the source object.