Track Configuration Changes with Auditing

APM administrators configure APM Team Center, WebView, and Workstation features. As an APM administrator of a large environment with many other APM administrators, you can track these configuration changes with auditing.
View the changes in audit log text files. The logs are stored only on the local computer and are updated based on the log rotation settings. Every log contains information about the type of change (what changed, old and new value), who made the change and when.
APM administrators can:
  • View the audit log in the <EM_Home>\logs\audit directory.
  • Use audit logging to keep multiple audit log files for system changes.
  • Use audit log management to change the log rotation settings.
Configure Auditing
Edit the following properties in the IntroscopeEnterpriseManager.properties file to configure the auditing functionality.
Follow these steps:
  1. Navigate to the IntroscopeEnterpriseManager.properties file in the <EM_Home>\config directory.
  2. Open the file in a text editor.
  3. Edit the following properties to enable auditing:
    • introscope.apmserver.audit.enabled
      Enables or disables auditing. The possible values are True or False.
      Default: True
      Example: introscope.apmserver.audit.enabled=true
      This property is hot configurable. You do not need to restart the Enterprise Manager (EM).
    • introscope.apmserver.audit.max.age
      Sets the period, in days, that the audit records are stored in the Enterprise Manager database. The database cleanup then deletes the out-of-date records.
      Default: 0
      Example: introscope.apmserver.audit.max.age=365
      You must restart the Enterprise Manager.
  4. (Optional) Use the Apache documentation to configure the following advanced Log4J functions:
    • log4j.appender.AUDIT_APPENDER=com.wily.org.apache.log4j.RollingFileAppender
    • log4j.appender.AUDIT_APPENDER.File=logs/audit/APMAudit.log
    • log4j.appender.AUDIT_APPENDER.append=true
    • log4j.appender.AUDIT_APPENDER.layout=com.wily.org.apache.log4j.PatternLayout
    • log4j.appender.AUDIT_APPENDER.layout.ConversionPattern=%d | %m%n
    • log4j.appender.AUDIT_APPENDER.MaxBackupIndex=5
    • log4j.appender.AUDIT_APPENDER.MaxFileSize=200MB
    • log4j.additivity.AUDIT_LOGGER=false
    • log4j.logger.AUDIT_LOGGER=INFO,AUDIT_APPENDER
      Do not remove the log4j.logger.AUDIT_LOGGER=INFO or log4j.logger.AUDIT_APPENDER properties. The log4j.logger.AUDIT_LOGGER value can only be set to INFO. The log4j.logger.AUDIT_APPENDER property can be edited.
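A check for the settings above, as an added example that is not part of the product or its documentation: it reads the text of a properties file and reports deviations from the values this page documents. The function names and the sample input are constructed for illustration, and only plain key=value lines are parsed.

```python
# Added example: review audit-related settings from IntroscopeEnterpriseManager.properties.

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_findings(props):
    """Return a list of deviations from the settings this page documents."""
    findings = []
    # The documented default is True, so only an explicit other value disables auditing.
    enabled = props.get("introscope.apmserver.audit.enabled", "true")
    if enabled.lower() != "true":
        findings.append("auditing is disabled (audit.enabled=%s)" % enabled)
    logger = props.get("log4j.logger.AUDIT_LOGGER")
    if logger is None:
        findings.append("log4j.logger.AUDIT_LOGGER is missing")
    else:
        parts = [p.strip() for p in logger.split(",")]
        if parts[0] != "INFO":
            findings.append("AUDIT_LOGGER level is %s, must be INFO" % parts[0])
        if "AUDIT_APPENDER" not in parts[1:]:
            findings.append("AUDIT_LOGGER is not attached to AUDIT_APPENDER")
    if "log4j.appender.AUDIT_APPENDER" not in props:
        findings.append("log4j.appender.AUDIT_APPENDER is missing")
    age = props.get("introscope.apmserver.audit.max.age", "0")
    if not age.isdigit():
        findings.append("audit.max.age is not a whole number of days: %s" % age)
    return findings

# Constructed sample input, not a real configuration file.
SAMPLE = """\
introscope.apmserver.audit.enabled=false
introscope.apmserver.audit.max.age=365
log4j.appender.AUDIT_APPENDER=com.wily.org.apache.log4j.RollingFileAppender
log4j.logger.AUDIT_LOGGER=WARN,AUDIT_APPENDER
"""

if __name__ == "__main__":
    for finding in audit_findings(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```

Because introscope.apmserver.audit.enabled is hot configurable, a check like this is worth running on a schedule rather than only after restarts.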
Export Recorded Events
Call the REST API to export records from the EMs in JSON format.
Follow these steps:
  1. Use the following HTTP request to export the recorded events:
    GET http://<EM_HOST>:<EM_WEB_PORT>/apm/appmap/audit?<parameters>
  2. Provide one or more of the following parameter values in the command:
    • from
      Indicates the start of the time range, as a timestamp in YYYY-MM-DDTHH:mm:ssZ format.
    • to
      Indicates the end of the time range, as a timestamp in YYYY-MM-DDTHH:mm:ssZ format.
    • userName
      Indicates the name of the user invoking the event.
    • action
      Indicates the action being performed.
      Values: CREATE, READ, UPDATE, DELETE, MOUNT, UNMOUNT, LOGIN, LOGIN_FAILED, LOGOUT, REGISTER, DEREGISTER, CANCEL_REGISTRATION, MAINTENANCE, and ONLINE
    • type
      Indicates the type of entity.
      Values: GROUPING, ALERT, SUMMARY_ALERT, METRIC_GROUPING, DIFFERENTIAL_CONTROL, CALCULATOR, DASHBOARD, DOWNTIME_SCHEDULE, MANAGEMENT_MODULE, REPORT, ATTRIBUTE, DECORATION_POLICY, UNIVERSE, AGENT, TOKEN, SETTING, USER, EXPERIENCE_CARD, AGENT_CARD, SNMP_COLLECTION, ACTION, and PROVIDER
    • objectName
      Indicates the name of the object in management modules in the following format: DomainName|ModuleName|ObjectName
      Example: SuperDomain|Default|New Calculator
Example: Export Recorded LOGIN Events
This command exports the recorded login events for the selected time period:
GET http://<EM_HOST>:<EM_WEB_PORT>/apm/appmap/audit?from=2017-09-21T12:25:41Z&to=2017-02-22T15:20:43Z&action=LOGIN
Expected Results:
The command returns an overview of the recorded login events and login details in the following format:
{
  "executionTime": "2017-09-22T13:11:07Z",
  "actionName": "LOGIN",
  "userName": "Admin",
  "objectType": "USER",
  "objectName": "Admin",
  "data": {
    "to": {
      "_et": "UserAuditable",
      "name": "Admin"
    },
    "details": {
      "ipAddress": "127.0.0.1",
      "hostname": "Admin01",
      "clientType": "CLW",
      "timezone": "-08:00",
      "result": 1
    },
    "summary": "User 'Admin' logged in (address=127.0.0.1, hostname=Admin01, client=CLW, timezone=-08:00, result=1)"
  }
}
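One way to build the export request and read a returned record, as an added example that is not part of the product or its documentation. The function names are hypothetical; the client-side checks (allowed values, a time range that does not run backwards) are assumptions about what is useful to validate before calling the endpoint, not documented server behaviour.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

# Allowed values as listed on this page.
ACTIONS = set("CREATE READ UPDATE DELETE MOUNT UNMOUNT LOGIN LOGIN_FAILED LOGOUT "
              "REGISTER DEREGISTER CANCEL_REGISTRATION MAINTENANCE ONLINE".split())
TYPES = set("GROUPING ALERT SUMMARY_ALERT METRIC_GROUPING DIFFERENTIAL_CONTROL "
            "CALCULATOR DASHBOARD DOWNTIME_SCHEDULE MANAGEMENT_MODULE REPORT "
            "ATTRIBUTE DECORATION_POLICY UNIVERSE AGENT TOKEN SETTING USER "
            "EXPERIENCE_CARD AGENT_CARD SNMP_COLLECTION ACTION PROVIDER".split())

def _stamp(dt):
    """Render an aware datetime as YYYY-MM-DDTHH:mm:ssZ (UTC)."""
    if dt.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def audit_export_url(host, port, start=None, end=None, user=None,
                     action=None, entity_type=None, object_name=None):
    """Build the GET URL; at least one filter parameter is required."""
    if start and end and end < start:
        raise ValueError("'to' is earlier than 'from'")
    if action is not None and action not in ACTIONS:
        raise ValueError("unknown action: %r" % action)
    if entity_type is not None and entity_type not in TYPES:
        raise ValueError("unknown type: %r" % entity_type)
    pairs = [("from", start and _stamp(start)), ("to", end and _stamp(end)),
             ("userName", user), ("action", action),
             ("type", entity_type), ("objectName", object_name)]
    # quote() percent-encodes the '|' and spaces found in object names.
    query = urlencode([(k, v) for k, v in pairs if v is not None],
                      safe=":", quote_via=quote)
    if not query:
        raise ValueError("provide at least one parameter")
    return "http://%s:%d/apm/appmap/audit?%s" % (host, port, query)

def origin_of(record):
    """Flatten one exported record to (time, action, user, ip, client, result)."""
    d = record.get("data", {}).get("details", {})
    return (record["executionTime"], record["actionName"], record["userName"],
            d.get("ipAddress"), d.get("clientType"), d.get("result"))

# Record taken from the page's LOGIN example, with fields trimmed.
SAMPLE = json.loads('{"executionTime": "2017-09-22T13:11:07Z", "actionName": "LOGIN",'
                    ' "userName": "Admin", "data": {"details": {"ipAddress": "127.0.0.1",'
                    ' "clientType": "CLW", "result": 1}}}')
```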
Example: Log File Export
This example shows the format of a log file export for further analysis:
2017-10-09 10:32:24,263 | User 'Admin' logged in (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1)
2017-10-09 10:34:24,712 | User 'Admin' created a settings 'Test type card' (type='EXPERIENCE', data='{"name":"Test type card","universeId":"UNFWEnterprise Team Center","filter":null,"graphType":"VOLUME","groupAttributes":["type"],"owner":"admin","public":true}' (address=127.0.0.1, hostname=localhost, client=ATC, timezone=+01:00, result=1))
2017-10-09 10:36:04,470 | User 'Admin' updated the ALERT 'SuperDomain|System|CPU Tier Risks' (cautionTargetValue='60'->'70' (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1))
2017-10-09 10:36:38,823 | User 'Admin' created a ACTION 'SuperDomain|System|My Action' (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1)
2017-10-09 10:36:50,050 | User 'Admin' updated the ACTION 'SuperDomain|System|My Action' (isActive='false'->'true' (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1))
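A parser for the log format shown above, as an added example that is not part of the product or its documentation. It splits each line into timestamp, user, action, object and client context, and lists every old->new value change. The function names are hypothetical and the line grammar is inferred from the five sample lines on this page.

```python
import re

# The trailing "(address=..., result=N)" block is matched from the END of the line
# (greedy .*), so text inside an object name cannot stand in for the real context.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \| User '(?P<user>[^']*)' "
    r"(?P<event>.*)\(address=(?P<address>[^,]*), hostname=(?P<hostname>[^,]*), "
    r"client=(?P<client>[^,]*), timezone=(?P<tz>[^,]*), result=(?P<result>-?\d+)\)+$")
CHANGE = re.compile(r"(\w+)='([^']*)'->'([^']*)'")

def parse_line(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    event = rec.pop("event").strip()
    head, _, rest = event.partition("'")
    rec["action"] = head.strip()                    # e.g. "updated the ALERT"
    rec["object"] = rest.partition("'")[0] or None  # first quoted name, if any
    rec["changes"] = CHANGE.findall(event)          # [(field, old, new), ...]
    rec["result"] = int(rec["result"])
    return rec

def field_changes(lines):
    """List (timestamp, user, object, field, old, new) for every edited value."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        for field, old, new in rec["changes"]:
            out.append((rec["ts"], rec["user"], rec["object"], field, old, new))
    return out

# The five sample lines from this page.
SAMPLE = r'''
2017-10-09 10:32:24,263 | User 'Admin' logged in (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1)
2017-10-09 10:34:24,712 | User 'Admin' created a settings 'Test type card' (type='EXPERIENCE', data='{"name":"Test type card","universeId":"UNFWEnterprise Team Center","filter":null,"graphType":"VOLUME","groupAttributes":["type"],"owner":"admin","public":true}' (address=127.0.0.1, hostname=localhost, client=ATC, timezone=+01:00, result=1))
2017-10-09 10:36:04,470 | User 'Admin' updated the ALERT 'SuperDomain|System|CPU Tier Risks' (cautionTargetValue='60'->'70' (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1))
2017-10-09 10:36:38,823 | User 'Admin' created a ACTION 'SuperDomain|System|My Action' (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1)
2017-10-09 10:36:50,050 | User 'Admin' updated the ACTION 'SuperDomain|System|My Action' (isActive='false'->'true' (address=127.0.0.1, hostname=localhost, client=WEBVIEW, timezone=+01:00, result=1))
'''

if __name__ == "__main__":
    for change in field_changes(SAMPLE.splitlines()):
        print(change)
```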
Audited Events
Auditing logs record system changes that APM administrators make. The logs show the following changes for each component:
APM Team Center:
  • User - Login, Logout, Login_Failed
  • Experience Card - Created, Deleted, Edited
  • Perspective - Created, Deleted, Edited, Set as Default
  • Custom Attribute - Created, Deleted, Edited
  • Universe - Created, Deleted, Filter changed, Renamed, User permission changed
  • Attribute Rule - Created, Deleted, Edited, Duplicated
  • Provider - Set for maintenance, Cancelled maintenance, Deregistered, Cancelled reregistration, Forced removal
  • Security Token - Set Expiration, Renamed, Invalidated
WebView:
  • Metric Grouping - Created, Edited, Deleted
  • Simple Alert - Created, Edited, Deleted
  • Summary Alert - Created, Edited, Deleted
  • Send SMTP Mail Action - Created, Edited, Deleted
  • Console Notification Action - Created, Edited, Deleted
  • Transaction Trace Action - Created, Edited, Deleted
  • UIM Alert Action - Created, Edited, Deleted
  • Differential Control - Created, Edited, Deleted
  • Management Module - Edited
  • Agent - Mounted, Unmounted
Workstation:
  • Metric Grouping - Created, Edited, Deleted
  • Simple Alert - Created, Edited, Deleted
  • Summary Alert - Created, Edited, Deleted
  • Alert Downtime Schedule - Created, Edited, Deleted
  • Send SMTP Mail Action - Created, Edited, Deleted
  • Send SNMP Alert Action - Created, Edited, Deleted
  • Send SNMP Notification Action - Created, Edited, Deleted
  • Shell Command Action - Created, Edited, Deleted
  • Calculator - Created, Edited, Deleted
  • Console Notification Action - Created, Edited, Deleted
  • Transaction Trace Action - Created, Edited, Deleted
  • UIM Alert Action - Created, Edited, Deleted
  • SNMP Collection - Created, Edited, Deleted
  • Report Template - Created, Edited, Deleted
  • Management Module - Created, Edited, Deleted
  • Agent - Mounted, Unmounted