Audit log message formats

Plixer Endpoint Analytics supports five audit logging formats for output to internal or external syslog. The following audit logging formats can be enabled by setting their respective rule values to true in the audit.xml file:

  • page - Basic format used for auditing page access.

    <rule name="page" type="boolean" default="false" value="true"/>

  • rpc - Format used for auditing all JSON-RPC methods.

    <rule name="rpc" type="boolean" default="false" value="true"/>

  • formRender - Overrides page format when a form appears on a page.

    <rule name="formRender" type="boolean" default="false" value="true"/>

  • formSubmit - Overrides page format when a form is submitted.

    <rule name="formSubmit" type="boolean" default="false" value="true"/>

    Note

    The args value will only show what was changed by the form submission.

  • content - Open entry for adding a special audit point.

    <rule name="content" type="boolean" default="false" value="true"/>

Hint

The use rule (<rule name="use" type="boolean" default="false" value="true"/>) disables all auditing when its value is set to false.
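
The following check is an added example, not part of the Plixer documentation: it reads rule elements in the form shown above and reports which audit formats are off and whether the use rule disables auditing altogether. The <audit> wrapper element, the sample file content, and the fallback from value to default when value is absent are assumptions.

```python
import xml.etree.ElementTree as ET

# The five format rules named on this page.
FORMATS = ("page", "rpc", "formRender", "formSubmit", "content")

# Constructed sample; the <audit> wrapper element is an assumption.
SAMPLE = """<audit>
  <rule name="use" type="boolean" default="false" value="true"/>
  <rule name="page" type="boolean" default="false" value="true"/>
  <rule name="rpc" type="boolean" default="false" value="false"/>
  <rule name="formSubmit" type="boolean" default="false"/>
</audit>"""


def effective_rules(xml_text):
    """Map rule name -> boolean, using value and falling back to default
    when value is absent (the fallback is an assumption)."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        raw = rule.get("value", rule.get("default", "false"))
        rules[rule.get("name")] = raw.strip().lower() == "true"
    return rules


def audit_findings(xml_text):
    """Return findings describing gaps in audit coverage."""
    rules = effective_rules(xml_text)
    findings = []
    if "use" not in rules:
        findings.append("use rule not present: master switch state unknown")
    elif not rules["use"]:
        findings.append("use=false: all auditing is disabled")
    for fmt in FORMATS:
        if fmt not in rules:
            findings.append(f"{fmt}: rule missing")
        elif not rules[fmt]:
            findings.append(f"{fmt}: format not enabled")
    return findings


if __name__ == "__main__":
    for line in audit_findings(SAMPLE):
        print(line)
```

Run against a copy of audit.xml after each configuration change to confirm that the formats you rely on for monitoring are still enabled.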

Audit log message contents

Audit log messages consist of a single line and include the following fields:

  1. IP-Address: IP address of the client provided by the web server.

  2. Mode: Either r (read), w (write), or x (execute).

  3. User(id): Username and serial_id of the user.

  4. Page: The page requested.

  5. Args: Either the rpc command and its arguments or the fields of the form.