Configure/Decoding AEM AuditLogs

AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM.
Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom.
This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs. 
This article covers the following -

  • How can we enable Audit logs in AEM.
  • How can we read and understand the Audit logs/ tools to use it.
  • Audit log on file system in crx-quickstart/logs folder.  
  • Audit logs for User creation / Modification.
  • How can you archive/purge the audit logs.

How can we enable Audit logs in AEM?         

By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages and replications activity etc..
To get it configured for all the operations or as per the need for assets you need to change/update a couple of configurations –

1 – Open system console and check the configuration -Adobe CQ DAM Event Audit Listener” make sure it is enabled, if not please enable it.


2 – Make sure you have all required events checked in the configuration by default few are checked you can check more events as per your need.  – Day CQ DAM Event Recorder


This will enable the audit logs for required events in DAM and you can test it by doing some modification, replication, delete operation from the console to any of your asset/page etc.. 

NOTE : Any operation done from the crx/de or from crx/explorer will not be captured in the audit log.

How can we read and understand the audit logs/ tools to use it?

Option -1 

You can find the audit logs in crx/de in form of node structure under the path /var/audit/ –


Option 2  – 
You can write your own query to search the /var/audit folder to fetch the information based on any page, asset, time, user etc.. 

Option 3 - 
Adobe ACS team has GUI tool for Audit logs search, which you can leverage to find audit trail. This tool is easy to use and can save your efforts for the manual query.


Enable Audit log in the file system -
You can also enable the audit log on the file system and it will be written in the /crx-quickstart/logs folder like any other logs file.
2. Search for audit.log entry (not the auditlog.log) and change the log level to Debug or Trace.
3. Save your changes.

Audit logs for User creation / Modification
You can also achieve the auditing of the user / group creation, modification etc.. Please follow the below steps – 
2. Create a new log file , say useraudit.log and add the API mentioned.  Leave the logger level to information.
           a- com.adobe.granite.security.user.internal.Audit
          b- com.adobe.granite.security.user.internal.servlets.AuthorizableServlet

 This will give the logs like below –


23.04.2020 07:42:17.464 *INFO* [0:0:0:0:0:0:0:1 [1579569137461] POST /home/users/c/cND9nn7ZEFMG6-O-z-OJ HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'admin56' was added to the group 'administrators'
23.04.2020 08:16:01.684 *INFO* [0:0:0:0:0:0:0:1 [1579571161681] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group 'administrators'
23.04.2020 08:17:57.491 *INFO* [0:0:0:0:0:0:0:1 [1579571277489] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was added to the group 'administrators'
23.04.2020 08:20:14.820 *INFO* [0:0:0:0:0:0:0:1 [1579571414818] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group 'administrators'
23.04.2020 08:26:57.536 *INFO* [0:0:0:0:0:0:0:1 [1579571817534] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group 'administrators'
23.04.2020 08:27:07.581 *INFO* [0:0:0:0:0:0:0:1 [1579571827579] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was added to the group 'administrators'
23.04.2020 08:27:13.358 *INFO* [0:0:0:0:0:0:0:1 [1579571833356] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group

  How can you archive/purge the audit logs?


Vital points to keep in mind, the audit log keeps a very huge space in the disk as well as in the crx/de node structure under /var/audit/. Hence you need to configure the audit log purge in AEM, both from the file system and crx/de. 

Purging from crx/de -
OTB AEM gives you the mechanism for audit log purging. 
Adobe helpx documentation has a good description of audit logs purge.  Please refer the link for detailed steps [3]
[3]   https://docs.adobe.com/content/help/en/experience-manager-65/administering/operations/operations-audit-log.html

Purging from File system - 
For the logs creating on the file system in you crx-quickstart/logs folder, please develop the script for purging the log files to free the disk space. Or move these to some other location/server.

References –





Comments

  1. Nice article. To the point, informative.

    ReplyDelete

Post a Comment

Popular Posts

how to clear dispatcher cache in aem ?

How Does S3 works with AEM ?

How to Increase Apache Request Per Second ?

AdobeDispatcherHacks ".statfile"

How to Sync HMAC in AEM ?

How to configure s3 in AEM ?

AEM Security Headers

Dispatcher flush from AEM UI

How Encrypt-Decrypt Data in AEM , AEM Crypto Support ?