This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Enabling Audit Logs

Audit logs contain log information of all security related user activities that occurred in the WSO2 App Manager server. User activities that affect operations/procedures, events and files are listed along with the user responsible and the time stamp. Audit logs can be used to trace missing records (e.g. to identify compliance issues or to investigate fraudulent activities).

Audit logs can be enabled for the following user actions in the App Publisher and App Store,

App PublisherApp Store
  • Logging in to the App Publisher
  • Creating a webapp
  • Updating a webapp
  • Changing the lifecycle state of a webapp
  • Deleting a webapp
  • Creating a new version of a webapp
  • Creating documentation
  • Logging out from the App Publisher
  • Logging in to the App Store 
  • Subscribing to a webapp
  • Unsubscribing to a webapp
  • Adding a web app into the Favourite app list
  • Removing a web app from the Favourite app list
  • Rating/commenting on a webapp
  1. To enable audit logs, open the <APPM_HOME>/repository/conf/log4j.properties file and append the following audit log configurations, 

    # Configure audit log for auditing purposes
    log4j.logger.AUDIT_LOG=INFO, AUDIT_LOGFILE
    log4j.appender.AUDIT_LOGFILE=org.apache.log4j.DailyRollingFileAppender
    log4j.appender.AUDIT_LOGFILE.File=${carbon.home}/repository/logs/audit.log
    log4j.appender.AUDIT_LOGFILE.Append=true
    log4j.appender.AUDIT_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
    log4j.appender.AUDIT_LOGFILE.layout.ConversionPattern=[%d] %P%5p - %x %m %n
    log4j.appender.AUDIT_LOGFILE.layout.TenantPattern=%U%@%D [%T] [%S]
    log4j.appender.AUDIT_LOGFILE.threshold=INFO
    log4j.additivity.AUDIT_LOG=false
  2. If the WSO2 App Manager server is already running, restart the server.
  3. Notice that an audit.log file is created in the <APPM_HOME>/repository/logs folder. 
  4. Once any of the above user actions occur, the relevant logs are generated and persisted in the audit.log file. User log in, app creation, update and delete actions contain audit logs similar to the example below,

    [2016-06-22 09:47:24,242]  INFO -  Initiator : admin@carbon.super | Action : Login | Target : ApplicationAuthenticationFramework | Data : { "ContextIdentifier" : "6003337f-ec87-4bbb-8ada-32a89ba1c99a","AuthenticatedUser" : "admin@carbon.super","AuthenticatedUserTenantDomain" : "carbon.super","ServiceProviderName" : "publisher","RequestType" : "samlsso","RelyingParty" : "publisher","AuthenticatedIdPs" : "eyJ0eXAiOiJKV1QiLCAiYWxnIjoibm9uZSJ9.eyJpc3MiOiJ3c28yIiwiZXhwIjoxNDY2NTY5MDQ0MjI4MzAwMCwiaWF0IjoxNDY2NTY5MDQ0MjI4LCJpZHBzIjpbeyJpZHAiOiJMT0NBTCIsImF1dGhlbnRpY2F0b3IiOiJCYXNpY0F1dGhlbnRpY2F0b3IifV19." } | Result : Success
    [2016-06-22 09:47:24,619]  INFO -  "Time" : "2016-06-22 09:47:24 +0530 ", "Action" : "User SignedIn ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "", "SubjectID" : ""
    [2016-06-22 09:47:30,061]  INFO -  "Time" : "2016-06-22 09:47:30 +0530 ", "Action" : "NewPolicyCreated ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "", "SubjectID" : ""
    [2016-06-22 09:48:00,371]  INFO -  "Time" : "2016-06-22 09:48:00 +0530 ", "Action" : "NewAssetAdded ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "webapp", "SubjectID" : "{providerName='admin', apiName='travelApp', version='v1'}"
    [2016-06-22 09:48:00,580]  INFO -  Initiator : admin | Action : create | Target : 0 | Data : { travelApp-v1 } | Result : Success
    [2016-06-22 09:48:00,689]  INFO -  Initiator : admin | Action : update | Target : 21 | Data : { travelApp-v1 } | Result : Success
    [2016-06-22 09:49:37,522]  INFO -  "Time" : "2016-06-22 09:49:37 +0530 ", "Action" : "AssetUpdated ","TenantID" : "-1234","UserName" : "admin ", "Subject" : "webapp", "SubjectID" : "{providerName='admin', apiName='travelApp', version='v1'}"
    [2016-06-22 09:50:03,527]  INFO -  "Time" : "2016-06-22 09:50:03 +0530 ", "Action" : "AssetDeleted ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "webapp", "SubjectID" : "{providerName='admin', apiName='travelApp', version='v1'}"