Audit logging

Introduction

Logging in the operation of IBM Industry Solutions Workbench means the creation of records from which the following questions can be answered:

  • Who initiated what or accessed what by what means and when?

  • Who had what access rights from when to when (derive system statuses)?

The aim of logging is to be able to trace significant changes in the product and applications in order to understand their security. The audit logging includes the selective event types monitor / activity / control.

Note: This feature can be enabled and configured with the Audit Binding.

Prerequisite

The audit logging in IBM Industry Solutions Workbench requires a pre-installed instance of Fluentd service before enabling. Please check the prerequisites for more information.

Audit data format

IBM Industry Solutions Workbench follows CADF format to record audit events.

This standard provides all round information about the occurred event such as,

  • initiator (who),

  • target (on what),

  • observer (from/to where),

  • action (what),

  • outcome (result),

  • timestamp (when), etc.

Audit Common Service

Deployment and binding

The Audit Common Service creates a custom binding k5-auditlog-settings. This Audit binding contains an auditEnabled field to enable/disable the audit logging and a connectionString which should contain the internal URL of the deployed Fluentd service as mentioned in prerequisites.

The secret can be read/updated by using the Audit Binding.

Implementation

The internal components which need to register audit events make HTTP calls to the Audit Common Service. The Audit Common Service receives the audit log within the API request body and validates it.

The configured Fluentd service URL is invoked with the CADF audit payload for log collection and forwarded to the configured visualizer.

Note: In case of downtime / unavailability of Fluentd service the audit payload is stored in log files within the Audit Common Service container.