The support for three “As of Enterprise” applications: Authentication, Authorization, and Audit was introduced in Log Analysis 1.3.1. Authentication and Authorization has been explained in my earlier blog. In this blog, I will briefly summarize the audit feature.
Audit support in Log Analysis is enabled for following features/actions:
- Login/Logout actions to access LA
- User and role management actions for configuring authorization
- Ingesting data through REST API
- Running search queries from UI or through REST API
- Execution of alert actions
The audit data is written, optionally, in JSON format to files (audit.log) in the Log Analysis logs directory and/or into a Solr collection (AuditCollection). The data can be viewed by reading the audit files or querying Solr index. Audit files are up to 20 rolling files, each of 50 MB configured out-of-box. One can update the log settings to change this to choice.
Log Analysis supports a couple of configuration parameters for audit: AUDIT_ACTIONS (LOG or INDEX) and AUDIT_INTERVAL (how frequently to write audit data).