You can configure additional audit event types to track and archive various events. Use the following command to list all supported auditable events:

print AdminTask.getSupportedAuditEvents()

Use the createAuditFilter command with the -eventType and -outcome parameters to enable one or multiple audit events and outcomes. You can specify multiple event types and multiple outcomes, separated by commas, in one command invocation. The following list describes each valid auditable event that you can specify with the -eventType parameter:

Table 2. Event types. This table lists the auditable event types.

| Event name | Description |
|---|---|
| SECURITY_AUTHN | Audits all authentication events |
| SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
| SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out |
| SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
| SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
| SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table |
| SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for Web services |
| SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for Web services |
| SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
| SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |

Important: The following security audit event
types are not used in this release of
WebSphere® Application Server:
- SECURITY_MGMT_KEY
- SECURITY_RUNTIME_KEY
- SECURITY_MGMT_PROVISIONING
- SECURITY_MGMT_REGISTRY
- SECURITY_RUNTIME
- SECURITY_AUTHN_CREDS_MODIFY

For each audit event type, you must specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. The following command example creates an audit filter to log users who receive an error when modifying credentials:

AdminTask.createAuditFilter('-name uniqueFilterName -eventType SECURITY_RESOURCE_ACCESS,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')
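
The following added example, which is not IBM code, checks a set of filter definitions against the event types, unused event types, and outcomes listed on this page before any createAuditFilter call is made, so that a typo or an unused event type does not leave a partly created filter set. The filter names, the single-token name rule, and the helper function names are assumptions made for illustration.

```python
# Added example (not IBM code). Event types and outcomes are copied from this page.
EVENT_TYPES = ['SECURITY_AUTHN', 'SECURITY_AUTHN_MAPPING', 'SECURITY_AUTHN_TERMINATE',
               'SECURITY_AUTHZ', 'SECURITY_MGMT_AUDIT', 'SECURITY_RESOURCE_ACCESS',
               'SECURITY_SIGNING', 'SECURITY_ENCRYPTION', 'SECURITY_AUTHN_DELEGATION',
               'SECURITY_AUTHN_CREDS_MODIFY']
UNUSED = ['SECURITY_MGMT_KEY', 'SECURITY_RUNTIME_KEY', 'SECURITY_MGMT_PROVISIONING',
          'SECURITY_MGMT_REGISTRY', 'SECURITY_RUNTIME', 'SECURITY_AUTHN_CREDS_MODIFY']
OUTCOMES = ['SUCCESS', 'FAILURE', 'REDIRECT', 'ERROR', 'DENIED', 'WARNING', 'INFO']

def check_filter(name, events, outcomes):
    """Return a list of problems with one filter definition (empty list = OK)."""
    problems = []
    if not name or len(name.split()) != 1:  # assumption: name is one token
        problems.append('filter name must be a single token')
    if not events:
        problems.append('at least one event type is required')
    if not outcomes:
        problems.append('an outcome is required for each event type')
    for ev in events:
        if ev in UNUSED:  # checked first: CREDS_MODIFY is in the table and the unused list
            problems.append(ev + ' is not used in this release')
        elif ev not in EVENT_TYPES:
            problems.append('unknown event type ' + ev)
    for oc in outcomes:
        if oc not in OUTCOMES:
            problems.append('unknown outcome ' + oc)
    return problems

def build_args(name, events, outcomes):
    """Build the single-string argument in the form shown in the page's example."""
    return '-name %s -eventType %s -outcome %s' % (name, ','.join(events), ','.join(outcomes))

def apply_filters(specs, admin_task):
    """Validate every spec first; create filters only if all of them are clean."""
    errors, seen = [], []
    for name, events, outcomes in specs:
        if name in seen:
            errors.append('%s: duplicate filter name' % name)
        seen.append(name)
        errors.extend(['%s: %s' % (name, p) for p in check_filter(name, events, outcomes)])
    if errors:
        return [], errors
    return [admin_task.createAuditFilter(build_args(*s)) for s in specs], []

# Constructed sample baseline; the filter names are hypothetical.
SAMPLE = [('authnFailures', ['SECURITY_AUTHN'], ['FAILURE', 'ERROR']),
          ('authzDenied', ['SECURITY_AUTHZ'], ['DENIED']),
          ('auditConfigChanges', ['SECURITY_MGMT_AUDIT'], ['SUCCESS', 'FAILURE'])]
# Inside a wsadmin Jython session: created, errors = apply_filters(SAMPLE, AdminTask)
```

Print the returned errors list before retrying; nothing is created while it is non-empty.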