
Audit log configuration

Introduction

Do not turn off audit logging

Do not turn off all audit logging. Even if you have no compliance need for this data, it is highly useful when analysing any issue.

We are not able to provide full support without audit logging. We strongly recommend keeping at least 14 days of audit logs for support purposes.

There are two sets of audit logs. Both are normally found under <ENCAP_HOME>/core/logs:

  1. Encap server audit log, core/logs/audit.log: audit logging for the Encap server.
  2. Encap cmd audit log, core/logs/audit_cmd.log: audit logging for the Encap admin commands.
Note

Audit events are logged at INFO level with the AUDIT marker by default.

Previously they were logged at ERROR level, to be certain that audit logging could never be disabled by the log level configuration.

Since Encap version 3.18, audit events are logged at ERROR only if the audit logger is not configured at INFO level, and a warning is then written to the log as well, as shown below.

2023-09-27 10:33:51,137 WARN  d4040e62-999f-4a46-873f-c949dab70ddb |-[com.encapsecurity.encap.logging.AuditLogger] Log level for Audit log is not set to INFO!
2023-09-27 10:33:51,137 ERROR d4040e62-999f-4a46-873f-c949dab70ddb |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ACTIVATION","eventType":"PLATFORM_BEGIN_ACTIVATE","eventStatus":"BEGIN","eventId":"1951dcca-1aa2-4872-a809-ca6c56f0b2eb","sessionId":null,"sessionUuid":"cc4b0aa0-125f-4e47-ab22-583880c451b0","sessionStatus":null,"altId":null,"responseTime":0,"clientAddress":"127.0.0.1","metaInfo":"","auditLogVersion":4,"requestId":"d4040e62-999f-4a46-873f-c949dab70ddb","registrationId":"152c4a88-b68a-42d6-ba03-f6416cab5b0c","applicationId":"encap","time":"2023-09-27T08:33:51.137UTC","organizationId":"83d1dfb6-2a54-49c7-bde2-acc21b821584","ltime":1695803631137}

Sending audit logs to system out

Encap server audit logging

To print the Encap server audit log to the console as well, make the following change in core/config/logback.xml.

Note

This will not affect other audit log outputs.

  1. Replace the following:
    <!-- Audit logging - should always be set to INFO -->
    <logger name="com.encapsecurity.encap.logging.AuditLogger" level="INFO" additivity="false">
    <appender-ref ref="audit"/>
    </logger>
    With:
    <!-- Audit logging - should always be set to INFO -->
    <logger name="com.encapsecurity.encap.logging.AuditLogger" level="INFO" additivity="false">
    <appender-ref ref="audit"/>
    <appender-ref ref="stdout"/>
    </logger>
  2. This will give the following style of output in the console (if the server is started in the foreground with ./run.sh start -f):
    2023-09-27 10:28:58,393 INFO  16b80d7f-8a17-44ef-a7d7-58e308858bfb |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"AUTHENTICATION","eventType":"PLATFORM_BEGIN_AUTHENTICATE","eventStatus":"BEGIN","eventId":"d42b79cc-7190-4b66-95a0-3c01a5bbd766","sessionId":null,"sessionUuid":"34620d5b-e0da-48a9-9d1e-b88fb405064e","sessionStatus":null,"altId":null,"responseTime":0,"clientAddress":"127.0.0.1","metaInfo":"","auditLogVersion":4,"requestId":"16b80d7f-8a17-44ef-a7d7-58e308858bfb","registrationId":"a0de36a1-efba-4039-b8c2-39d17f6124eb","applicationId":"encap","time":"2023-09-27T08:28:58.393UTC","organizationId":"83d1dfb6-2a54-49c7-bde2-acc21b821584","ltime":1695803338393}
    2023-09-27 10:28:58,399 INFO 16b80d7f-8a17-44ef-a7d7-58e308858bfb |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"AUTHENTICATION","eventType":"PLATFORM_BEGIN_AUTHENTICATE","eventStatus":"SUCCESS","eventId":"d42b79cc-7190-4b66-95a0-3c01a5bbd766","sessionId":245,"sessionUuid":"6a42ff47-ce7a-4c09-9015-1309f0658475","sessionStatus":"IN_PROGRESS","altId":null,"responseTime":6,"clientAddress":"127.0.0.1","metaInfo":"","auditLogVersion":4,"requestId":"16b80d7f-8a17-44ef-a7d7-58e308858bfb","registrationId":"a0de36a1-efba-4039-b8c2-39d17f6124eb","applicationId":"encap","time":"2023-09-27T08:28:58.399UTC","organizationId":"83d1dfb6-2a54-49c7-bde2-acc21b821584","ltime":1695803338399}
    2023-09-27 10:28:58,423 INFO ac06b70a-287b-46aa-89f9-23096e35fe74 |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ADMIN","eventType":"PLATFORM_GET_SESSION","eventStatus":"BEGIN","eventId":"572ddca5-56d1-47aa-bd4d-484c1ff97083","sessionId":245,"sessionUuid":"6a42ff47-ce7a-4c09-9015-1309f0658475","sessionStatus":null,"altId":"sessionUuid=6a42ff47-ce7a-4c09-9015-1309f0658475","responseTime":0,"clientAddress":"127.0.0.1","metaInfo":"","auditLogVersion":4,"requestId":"ac06b70a-287b-46aa-89f9-23096e35fe74","registrationId":"a0de36a1-efba-4039-b8c2-39d17f6124eb","applicationId":"encap","time":"2023-09-27T08:28:58.423UTC","organizationId":"83d1dfb6-2a54-49c7-bde2-acc21b821584","ltime":1695803338423}
    2023-09-27 10:28:58,431 INFO ac06b70a-287b-46aa-89f9-23096e35fe74 |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ADMIN","eventType":"PLATFORM_GET_SESSION","eventStatus":"SUCCESS","eventId":"572ddca5-56d1-47aa-bd4d-484c1ff97083","sessionId":245,"sessionUuid":"6a42ff47-ce7a-4c09-9015-1309f0658475","sessionStatus":null,"altId":"sessionUuid=6a42ff47-ce7a-4c09-9015-1309f0658475","responseTime":8,"clientAddress":"127.0.0.1","metaInfo":"","auditLogVersion":4,"requestId":"ac06b70a-287b-46aa-89f9-23096e35fe74","registrationId":"a0de36a1-efba-4039-b8c2-39d17f6124eb","applicationId":"encap","time":"2023-09-27T08:28:58.431UTC","organizationId":"83d1dfb6-2a54-49c7-bde2-acc21b821584","ltime":1695803338431}
    You can read about the format of the message on the Encap server logs page, under the section Audit log.

Encap command audit logging

To print the Encap command audit log to the console as well, make the following changes in core/config/logback-cmd.xml.

Note

This will not affect other audit log outputs (by default audit-cmd.log).

  1. Replace the following:
    <appender name="consoleAppender" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
    <!-- evaluator filter contents: not reproduced on this page -->
    </filter>
    <encoder>
    <Pattern>%.-1p %-6r %m%n%xEx</Pattern>
    </encoder>
    </appender>
    With:
    <appender name="consoleAppender" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
    <Pattern>%-5replace(%marker){'^$', 'STD'}|%d %-5p |-[%c] %m%n%xEx</Pattern>
    </encoder>
    </appender>
  2. Replace the following:
    <!-- Audit logging to file -->
    <logger name="com.encapsecurity.encap.service.logging.AuditLogger" level="INFO">
    <appender-ref ref="audit"/>
    </logger>
    With:
    <!-- Audit logging to file -->
    <logger name="com.encapsecurity.encap.service.logging.AuditLogger" level="INFO">
    <appender-ref ref="audit"/>
    <appender-ref ref="consoleAppender"/>
    </logger>
  3. This will give the following style of output in the console when a command is run (the AUDIT lines appear amongst the command's normal output):
    ./scripts/manageApiKey.sh create -o 31489d56-5d7d-4d3b-825e-eb1f4d2a986c
    AUDIT|2023-09-28 10:42:32,248 INFO |-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ADMIN","eventType":"API_KEY_CREATE","eventStatus":"BEGIN","eventId":"81cdbea5-a40f-45cb-b637-b73bd2899e9a","sessionId":null,"sessionUuid":null,"sessionStatus":null,"altId":null,"responseTime":0,"clientAddress":"192.168.1.122","metaInfo":"UserID: 'olaj'; Description: null, Generated from: Command line","auditLogVersion":4,"requestId":null,"registrationId":null,"applicationId":"NA","time":"2023-09-28T08:42:32.210UTC","organizationId":"31489d56-5d7d-4d3b-825e-eb1f4d2a986c","ltime":1695890552210}
    AUDIT|2023-09-28 10:42:32,283 INFO |-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ADMIN","eventType":"API_KEY_CREATE","eventStatus":"SUCCESS","eventId":"81cdbea5-a40f-45cb-b637-b73bd2899e9a","sessionId":null,"sessionUuid":null,"sessionStatus":null,"altId":null,"responseTime":72,"clientAddress":"192.168.1.122","metaInfo":"UserID: 'olaj'; Description: null, Generated from: Command line","auditLogVersion":4,"requestId":null,"registrationId":null,"applicationId":"NA","time":"2023-09-28T08:42:32.282UTC","organizationId":"31489d56-5d7d-4d3b-825e-eb1f4d2a986c","ltime":1695890552282}
    Your API key id is: a246d741-e608-41a7-af8c-e8d0171b5518
    Your API key secret is: 0LiqFm+5kOC3JB7L1W1Z8A==
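The two console formats above, together with the ERROR fallback described in the Note at the top of this page, are easy to check mechanically. The following script is an added example and not part of Encap or of this page: it parses both the server format (`|+AUDIT-[...]`) and the command-line format (`AUDIT|...`), flags AUDIT events written at a level other than INFO or accompanied by the "Log level for Audit log is not set to INFO!" warning, and lists events whose last record is BEGIN with no later status. The sample lines are constructed from the examples on this page and shortened to the fields the checks use; treating any status other than BEGIN as terminal is an assumption of the example, since the page only shows BEGIN and SUCCESS.

```python
"""Parse Encap audit log lines (server and command formats) and flag problems.

Added example for this page; not Encap code. Sample lines are constructed from
the examples on the page and shortened to the fields the checks use.
"""
import json
import re

# Server audit appender:  2023-09-27 10:33:51,137 ERROR <requestId> |+AUDIT-[logger] {json}
SERVER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +(?P<level>[A-Z]+) +"
    r"(?P<request>\S+) +\|\+AUDIT-\[(?P<logger>[^\]]+)\] (?P<json>\{.*\})$"
)
# Command console pattern from the logback-cmd.xml change above:
#   AUDIT|2023-09-28 10:42:32,248 INFO |-[logger] {json}
CMD_RE = re.compile(
    r"^AUDIT\|(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +(?P<level>[A-Z]+) +"
    r"\|-\[(?P<logger>[^\]]+)\] (?P<json>\{.*\})$"
)
LEVEL_WARNING = "Log level for Audit log is not set to INFO"


def parse_line(line):
    """Return {"source", "level", "logger", "event"} for an AUDIT line, else None."""
    for source, pattern in (("server", SERVER_RE), ("cmd", CMD_RE)):
        m = pattern.match(line)
        if m:
            return {"source": source, "level": m["level"],
                    "logger": m["logger"], "event": json.loads(m["json"])}
    return None


def analyze(lines):
    """Summarise a batch of log lines.

    wrong_level: eventIds of AUDIT events not written at INFO (the 3.18 fallback)
    unfinished:  eventIds whose last record is BEGIN (assumption: any other
                 eventStatus, e.g. SUCCESS, is terminal)
    admin:       (eventType, eventStatus, source) for purpose=ADMIN events
    """
    report = {"events": 0, "level_warning": False,
              "wrong_level": [], "unfinished": [], "admin": []}
    last_status = {}
    for line in lines:
        if LEVEL_WARNING in line:
            report["level_warning"] = True
            continue
        parsed = parse_line(line)
        if parsed is None:          # ordinary server/command output, not audit
            continue
        report["events"] += 1
        ev = parsed["event"]
        if parsed["level"] != "INFO":
            report["wrong_level"].append(ev["eventId"])
        last_status[ev["eventId"]] = ev["eventStatus"]
        if ev.get("purpose") == "ADMIN":
            report["admin"].append((ev["eventType"], ev["eventStatus"], parsed["source"]))
    report["unfinished"] = sorted(e for e, s in last_status.items() if s == "BEGIN")
    return report


SAMPLE_LINES = [  # constructed from the page's examples; JSON shortened
    '2023-09-27 10:33:51,137 WARN  d4040e62-999f-4a46-873f-c949dab70ddb |-[com.encapsecurity.encap.logging.AuditLogger] Log level for Audit log is not set to INFO!',
    '2023-09-27 10:33:51,137 ERROR d4040e62-999f-4a46-873f-c949dab70ddb |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ACTIVATION","eventType":"PLATFORM_BEGIN_ACTIVATE","eventStatus":"BEGIN","eventId":"1951dcca-1aa2-4872-a809-ca6c56f0b2eb","clientAddress":"127.0.0.1"}',
    '2023-09-27 10:28:58,393 INFO  16b80d7f-8a17-44ef-a7d7-58e308858bfb |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"AUTHENTICATION","eventType":"PLATFORM_BEGIN_AUTHENTICATE","eventStatus":"BEGIN","eventId":"d42b79cc-7190-4b66-95a0-3c01a5bbd766","clientAddress":"127.0.0.1"}',
    '2023-09-27 10:28:58,399 INFO 16b80d7f-8a17-44ef-a7d7-58e308858bfb |+AUDIT-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"AUTHENTICATION","eventType":"PLATFORM_BEGIN_AUTHENTICATE","eventStatus":"SUCCESS","eventId":"d42b79cc-7190-4b66-95a0-3c01a5bbd766","responseTime":6,"clientAddress":"127.0.0.1"}',
    'AUDIT|2023-09-28 10:42:32,248 INFO |-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ADMIN","eventType":"API_KEY_CREATE","eventStatus":"BEGIN","eventId":"81cdbea5-a40f-45cb-b637-b73bd2899e9a","clientAddress":"192.168.1.122"}',
    'AUDIT|2023-09-28 10:42:32,283 INFO |-[com.encapsecurity.encap.logging.AuditLogger] {"purpose":"ADMIN","eventType":"API_KEY_CREATE","eventStatus":"SUCCESS","eventId":"81cdbea5-a40f-45cb-b637-b73bd2899e9a","responseTime":72,"clientAddress":"192.168.1.122"}',
    'Your API key id is: a246d741-e608-41a7-af8c-e8d0171b5518',
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it against a real audit.log or audit_cmd.log by replacing SAMPLE_LINES with the file's lines; a non-empty wrong_level list or level_warning set to True means the logger level in logback.xml or logback-cmd.xml has drifted from INFO and the 3.18 fallback is in effect.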

Logstash encoded audit logs

Encap supports the LogstashEncoder from logstash-logback-encoder. This lets you write Encap logs as Logstash-encoded JSON and use the library's appenders to push the logs directly to your Logstash instance.

To set this up, add an appender for it in logback.xml and logback-cmd.xml, found in <ENCAP_HOME>/core/configs/. By default, logback is configured to scan for changes to its configuration; if this has not been disabled, these changes take effect without restarting the server.

Logback configuration for Logstash

Example: LogstashEncoded audit log to file

<appender name="stash" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>./logs/stashAudit.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>./logs/stashAudit.%d{yyyy-MM-dd}.log</fileNamePattern>
<maxHistory>${AUDIT_LOG_RETAIN_DAYS}</maxHistory>
</rollingPolicy>
<encoder class="net.logstash.logback.encoder.LogstashEncoder"/>
</appender>

Example: Sending LogstashEncoded audit logs to Logstash

<appender name="stash" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
<destination>0.0.0.0:5000</destination>
<encoder class="net.logstash.logback.encoder.LogstashEncoder"/>
</appender>

The destination 0.0.0.0:5000 stands for the host and port of your Logstash TCP input. Note that LogstashTcpSocketAppender sends the audit JSON (client addresses, session identifiers, user IDs in metaInfo) in clear text unless an <ssl> element is configured on the appender; configure it whenever the logs leave the host.

For details of the appenders logstash-logback-encoder provides, see GitHub - logfellow/logstash-logback-encoder: Logback JSON encoder and appenders.

Example: Add the new appender to the audit logger

<logger name="com.encapsecurity.encap.service.logging.AuditLogger" level="INFO">
<appender-ref ref="audit"/>
<appender-ref ref="stash" />
</logger>
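Because the effective audit configuration depends on several settings working together (the audit logger at INFO, every appender-ref pointing at a defined appender, enough retention, and transport protection when shipping off-host), a small lint over logback.xml catches the usual mistakes before they cost you audit data. The script below is an added example, not Encap's own tooling: it reads a logback configuration with Python's standard xml.etree, checks the two audit logger names used on this page, resolves ${AUDIT_LOG_RETAIN_DAYS} from a property map you supply (how Encap sets that property is not covered here and is an assumption of the example), and warns when a LogstashTcpSocketAppender has no <ssl> element. The two configuration fragments are constructed from the snippets on this page and are not the shipped files.

```python
"""Lint a logback configuration for the audit-logging settings this page requires.

Added example for this page; not Encap code. The sample configurations are
constructed from the page's snippets, not copied from the shipped files.
"""
import xml.etree.ElementTree as ET

AUDIT_LOGGERS = {
    "com.encapsecurity.encap.logging.AuditLogger",          # logback.xml (server)
    "com.encapsecurity.encap.service.logging.AuditLogger",  # logback-cmd.xml (admin commands)
}
MIN_RETAIN_DAYS = 14  # support recommendation at the top of the page


def resolve(text, properties):
    """Resolve a literal or a single ${PROPERTY} reference to an int; None if unknown."""
    text = (text or "").strip()
    if text.startswith("${") and text.endswith("}"):
        text = properties.get(text[2:-1], "")
    try:
        return int(text)
    except ValueError:
        return None


def check_appender(appender, properties):
    findings = []
    name, cls = appender.get("name"), appender.get("class", "")
    # Rolling file appenders: retention must meet the 14-day recommendation.
    max_history = appender.find("rollingPolicy/maxHistory")
    if max_history is not None:
        value = resolve(max_history.text, properties)
        if value is None:
            findings.append(f"appender {name}: maxHistory {max_history.text.strip()!r} is unresolved")
        elif value < MIN_RETAIN_DAYS:
            findings.append(f"appender {name}: maxHistory {value} is below {MIN_RETAIN_DAYS} days")
    # TCP shipping without <ssl>: the audit JSON crosses the network in clear text.
    if cls.endswith("LogstashTcpSocketAppender") and appender.find("ssl") is None:
        findings.append(f"appender {name}: LogstashTcpSocketAppender has no <ssl> element")
    return findings


def lint_logback(xml_text, properties=None):
    """Return a list of findings; an empty list means the audit configuration passes."""
    properties = properties or {}
    root = ET.fromstring(xml_text)
    appenders = {a.get("name"): a for a in root.findall("appender")}
    audit_loggers = [l for l in root.findall("logger") if l.get("name") in AUDIT_LOGGERS]
    if not audit_loggers:
        return ["no audit logger configured: audit logging is effectively off"]
    findings = []
    for logger in audit_loggers:
        name = logger.get("name")
        if logger.get("level", "").upper() != "INFO":
            findings.append(f"{name}: level is {logger.get('level')!r}, must be INFO")
        refs = [r.get("ref") for r in logger.findall("appender-ref")]
        if not refs:
            findings.append(f"{name}: no appender-ref, audit events are dropped")
        for ref in refs:
            appender = appenders.get(ref)
            if appender is None:
                findings.append(f"{name}: appender-ref {ref!r} has no matching <appender>")
                continue
            findings.extend(check_appender(appender, properties))
    return findings


# Constructed fragments (shape taken from this page): a sound server config ...
SERVER_OK = """<configuration>
  <appender name="audit" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>./logs/audit.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>./logs/audit.%d{yyyy-MM-dd}.log</fileNamePattern>
      <maxHistory>${AUDIT_LOG_RETAIN_DAYS}</maxHistory>
    </rollingPolicy>
    <encoder><pattern>%d %-5p %m%n</pattern></encoder>
  </appender>
  <logger name="com.encapsecurity.encap.logging.AuditLogger" level="INFO" additivity="false">
    <appender-ref ref="audit"/>
  </logger>
</configuration>"""

# ... and a weak one: wrong level, dangling appender-ref, clear-text TCP shipping.
STASH_WEAK = """<configuration>
  <appender name="stash" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
    <destination>0.0.0.0:5000</destination>
    <encoder class="net.logstash.logback.encoder.LogstashEncoder"/>
  </appender>
  <logger name="com.encapsecurity.encap.logging.AuditLogger" level="WARN" additivity="false">
    <appender-ref ref="stash"/>
    <appender-ref ref="audit"/>
  </logger>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("SERVER_OK", SERVER_OK), ("STASH_WEAK", STASH_WEAK)):
        print(label, lint_logback(cfg, {"AUDIT_LOG_RETAIN_DAYS": "30"}) or "OK")
```

To lint a real installation, pass the contents of logback.xml (or logback-cmd.xml) and a property map holding the value you give AUDIT_LOG_RETAIN_DAYS; the lint deliberately reports an unresolved maxHistory rather than guessing, because a variable that is never set is exactly the kind of silent retention failure that surfaces only when support asks for the logs.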