To create an audit configuration file, it is necessary to know which data can be audited and how the data is mapped onto your application.
-
Turn on debugging for the inbound data. For a better understanding, you can
turn on debug logging for the mapping components as well, although this is more
verbose.
$cat tomcat/shared/classes/alfresco/extension/audit-log4j2.properties logger.alfresco-repo-audit-AuditComponentImpl.name=org.alfresco.repo.audit.AuditComponentImpl logger.alfresco-repo-audit-AuditComponentImpl.level=debug logger.alfresco-repo-audit-inbound.name=org.alfresco.repo.audit.inbound logger.alfresco-repo-audit-inbound.level=debug
- Tail the log file and examine the output.
-
Log in as
admin:
16:47:37,434 DEBUG [repo.audit.inbound] Inbound audit values: /alfresco-api/pre/AuthenticationService/authenticate/args/userName=admin 16:47:37,443 User:admin DEBUG [repo.audit.inbound] Inbound audit values: /alfresco-api/post/AuthenticationService/authenticate/no-error=null /alfresco-api/post/AuthenticationService/authenticate/args/userName=admin
-
From the inbound values (and if you have the
AuditComponentImpl debugging
on):
16:47:37,445 User:System DEBUG [repo.audit.AuditComponentImpl] Extracted audit data: Application: AuditApplication[ name=AuditExampleLogin2, id=7, disabledPathsId=7] Raw values: {/auditexamplelogin2/login=null} Extracted: {} 16:47:37,447 User:admin DEBUG [repo.audit.AuditComponentImpl] New audit entry: Application ID: 7 Entry ID: 130 Values: {/auditexamplelogin2/login=null} Audit Data: {/auditexamplelogin2/login/user=Administrator} 16:47:37,447 User:System DEBUG [repo.audit.AuditComponentImpl] Extracted audit data: Application: AuditApplication[ name=AuditExampleLogin1, id=6, disabledPathsId=6] Raw values: {/auditexamplelogin1/login/no-error=null, /auditexamplelogin1/login/args/userName=admin} Extracted: {/auditexamplelogin1/login/no-error/user=admin} 16:47:37,449 User:admin DEBUG [repo.audit.AuditComponentImpl] New audit entry: Application ID: 6 Entry ID: 131 Values: {/auditexamplelogin1/login/no-error=null, /auditexamplelogin1/login/args/userName=admin} Audit Data: {/auditexamplelogin1/login/no-error/user=admin}
You can see that the AuthenticationService.authenticate method generate two sets of “inbound” data: the /alfresco-api/**pre**/AuthenticationService/authenticate data is passed through before the service call is processed; the /alfresco-api/**post**/AuthenticationService/authenticate data is passed through after the service call has been processed. When logging in successfully, the post-call data is generated with a no-error path.
-
Perform a failed login with user
joe.
17:02:09,697 DEBUG [repo.audit.inbound] Inbound audit values: /alfresco-api/pre/AuthenticationService/authenticate/args/userName=joe 17:02:09,704 DEBUG [repo.audit.inbound] Inbound audit values: /alfresco-api/post/AuthenticationService/authenticate/error=08200014 Failed to authenticate Started at: org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:188) ...
This is translated and recorded:
17:02:09,704 User:System DEBUG [repo.audit.AuditComponentImpl] Extracted audit data: Application: AuditApplication[ name=AuditExampleLogin1, id=6, disabledPathsId=6] Raw values: {/auditexamplelogin1/login/error=08200014 Failed to authenticate Started at: org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:188) ... 17:02:09,704 DEBUG [repo.audit.AuditComponentImpl] New audit entry: Application ID: 6 E6try ID: 135 Values: {/auditexamplelogin1/login/error=08200016 Failed to authenticate Started at: org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:188) ... Audit Data: {/auditexamplelogin1/login/error/user=joe}
-
Notice that the failed log in did not generate any data for audit application
AuditExampleLogin2. To understand this, look at the
PathMappings section of the
example:
<PathMappings> <PathMap source="/alfresco-api/post/AuthenticationService/authenticate" target="/auditexamplelogin1/login"/> <PathMap source="/alfresco-api/post/AuthenticationService/authenticate/no-error" target="/auditexamplelogin2/login"/> </PathMappings>
Before any data is considered for persistence, the inbound data paths are remapped using the PathMappings configuration. The /auditexamplelogin2/login path is mapped onto .../no-error only, so failed logins were not recorded for the AuditExampleLogin2 audit application, while the AuditExampleLogin1 application recorded both successful and failed logins.