Enabling Audit Logs

Audit logs contain log information of all security related user activities that occurred in the WSO2 App Manager server. User activities that affect operations/procedures, events and files are listed along with the user responsible and the time stamp. Audit logs can be used to trace missing records (e.g. to identify compliance issues or to investigate fraudulent activities).

Audit logs can be enabled for the following user actions in the App Publisher and App Store,

App Publisher	App Store
Logging in to the App Publisher Creating a webapp Updating a webapp Changing the lifecycle state of a webapp Deleting a webapp Creating a new version of a webapp Creating documentation Logging out from the App Publisher	Logging in to the App Store Subscribing to a webapp Unsubscribing to a webapp Adding a web app into the Favourite app list Removing a web app from the Favourite app list Rating/commenting on a webapp

To enable audit logs, open the <APPM_HOME>/repository/conf/log4j.properties file and append the following audit log configurations,

# Configure audit log for auditing purposes
log4j.logger.AUDIT_LOG=INFO, AUDIT_LOGFILE
log4j.appender.AUDIT_LOGFILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.AUDIT_LOGFILE.File=${carbon.home}/repository/logs/audit.log
log4j.appender.AUDIT_LOGFILE.Append=true
log4j.appender.AUDIT_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
log4j.appender.AUDIT_LOGFILE.layout.ConversionPattern=[%d] %P%5p - %x %m %n
log4j.appender.AUDIT_LOGFILE.layout.TenantPattern=%U%@%D [%T] [%S]
log4j.appender.AUDIT_LOGFILE.threshold=INFO
log4j.additivity.AUDIT_LOG=false

If the WSO2 App Manager server is already running, restart the server.
Notice that an audit.log file is created in the <APPM_HOME>/repository/logs folder.

Once any of the above user actions occur, the relevant logs are generated and persisted in the audit.log file. User log in, app creation, update and delete actions contain audit logs similar to the example below,

[2016-06-22 09:47:24,242]  INFO -  Initiator : admin@carbon.super | Action : Login | Target : ApplicationAuthenticationFramework | Data : { "ContextIdentifier" : "6003337f-ec87-4bbb-8ada-32a89ba1c99a","AuthenticatedUser" : "admin@carbon.super","AuthenticatedUserTenantDomain" : "carbon.super","ServiceProviderName" : "publisher","RequestType" : "samlsso","RelyingParty" : "publisher","AuthenticatedIdPs" : "eyJ0eXAiOiJKV1QiLCAiYWxnIjoibm9uZSJ9.eyJpc3MiOiJ3c28yIiwiZXhwIjoxNDY2NTY5MDQ0MjI4MzAwMCwiaWF0IjoxNDY2NTY5MDQ0MjI4LCJpZHBzIjpbeyJpZHAiOiJMT0NBTCIsImF1dGhlbnRpY2F0b3IiOiJCYXNpY0F1dGhlbnRpY2F0b3IifV19." } | Result : Success
[2016-06-22 09:47:24,619]  INFO -  "Time" : "2016-06-22 09:47:24 +0530 ", "Action" : "User SignedIn ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "", "SubjectID" : ""
[2016-06-22 09:47:30,061]  INFO -  "Time" : "2016-06-22 09:47:30 +0530 ", "Action" : "NewPolicyCreated ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "", "SubjectID" : ""
[2016-06-22 09:48:00,371]  INFO -  "Time" : "2016-06-22 09:48:00 +0530 ", "Action" : "NewAssetAdded ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "webapp", "SubjectID" : "{providerName='admin', apiName='travelApp', version='v1'}"
[2016-06-22 09:48:00,580]  INFO -  Initiator : admin | Action : create | Target : 0 | Data : { travelApp-v1 } | Result : Success
[2016-06-22 09:48:00,689]  INFO -  Initiator : admin | Action : update | Target : 21 | Data : { travelApp-v1 } | Result : Success
[2016-06-22 09:49:37,522]  INFO -  "Time" : "2016-06-22 09:49:37 +0530 ", "Action" : "AssetUpdated ","TenantID" : "-1234","UserName" : "admin ", "Subject" : "webapp", "SubjectID" : "{providerName='admin', apiName='travelApp', version='v1'}"
[2016-06-22 09:50:03,527]  INFO -  "Time" : "2016-06-22 09:50:03 +0530 ", "Action" : "AssetDeleted ","TenantID" : "-1234","UserName" : "admin@carbon.super ", "Subject" : "webapp", "SubjectID" : "{providerName='admin', apiName='travelApp', version='v1'}"