Audit logging for OpenDJ

This is a short piece on audit logging for OpenDJ.

What is audit logging?

OpenDJ provides a facility to log all changes made on the directory to a file called the audit log (in fact its name is simply “audit”).

[Find the official doc covering audit logging in OpenDJ here]

This is different from the access and error logs in that the actual command sequence to make the change is logged in the audit log, using standard LDIF format. Each change includes a timestamp (in Zulu time) and the dn of the entry making the change (for example “cn=Directory Manager”).

An example:

# 28/Mar/2013:07:14:22 -0400; conn=0; op=1
dn: ds-task-id=20130328071422214,cn=Scheduled Tasks,cn=Tasks
changetype: add
objectClass: ds-task
objectClass: ds-task-export
objectClass: top
ds-task-export-ldif-file: /data/backup/ldap/prod.20130328071417.ldif
ds-task-export-backend-id: userRoot
ds-task-id: 20130328071422214
ds-task-export-include-branch: dc=example,dc=com
ds-task-class-name: org.opends.server.tasks.ExportTask
ds-task-scheduled-start-time: 20130328111422Z
entryUUID: 9e5d4e76-8cd7-4653-94d9-0425a2f3262f
createTimestamp: 20130328111422Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

In OpenDJ, the audit log is not enabled by default. This is actually more a hat tip of convenience to administrators who usually make substantial numbers of changes their directory data before turning an environment over into general release (a/k/a “production”).

Checking audit log status

There are a few ways to do this. For example, you could just look under $DSHOME/logs to see if there’s an “audit” file and then tail it to determine if it’s being written to.

The other way is to check the configuration, read on.

Audit Log Configuration

You can check the logger configuration with an LDAP browser by connecting as an admin user (like “cn=Directory Manager”) to “cn=config” and then drilling down to “cn=File-Based Audit Logger, cn=Loggers, cn=config”. It will look something like this:

dn: cn=File-Based Audit Logger,cn=Loggers, cn=config
ds-cfg-retention-policy: cn=File Count Retention Policy,cn=Log Retention Policie
 s,cn=config
ds-cfg-rotation-policy: cn=24 Hours Time Limit Rotation Policy,cn=Log Rotation P
 olicies,cn=config
ds-cfg-rotation-policy: cn=Size Limit Rotation Policy,cn=Log Rotation Policies,c
 n=config
ds-cfg-suppress-internal-operations: true
ds-cfg-asynchronous: true
objectClass: ds-cfg-log-publisher
objectClass: ds-cfg-access-log-publisher
objectClass: top
objectClass: ds-cfg-file-based-audit-log-publisher
ds-cfg-suppress-synchronization-operations: false
cn: File-Based Audit Logger
ds-cfg-enabled: false
ds-cfg-java-class: org.opends.server.loggers.TextAuditLogPublisher
ds-cfg-log-file: logs/audit
ds-cfg-log-file-permissions: 640

Note that the shipping configuration for the audit logger is pretty reasonable and I usually don’t modify it, unless there’s a requirement to relocate where it’s writing to. The last time I checked the ds-cfg-log-file-permissions parameter didn’t do anything. Hopefully that will get fixed in a later version so that log file contents can at least be shared with the members of the directory server owner’s group.

Here are some dsconfig commands that provide information on how your logger is configured:

dsconfig get-log-publisher-prop 
-h localhost 
-p 5444 
-j $HOME/etc/pwd.txt 
--enabled 
--publisher-name "File-Based Audit Logger" 
--property retention-policy 
--property rotation-policy

Output will look something like this:

Property         : Value(s)
-----------------:-------------------------------------------------------------
enabled          : false
retention-policy : File Count Retention Policy
rotation-policy  : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
                 : Policy

If the value for “enabled” is true, then the audit log is already turned on.

Enabling audit logging

This can be done either over LDAP or using dsconfig. To do it using LDAP either use your LDAP browser to change the value for ds-cfg-enabled to true or create an LDIF file that will do it:

dn: File-Based Audit Logger, cn=Loggers, cn=config
changetype: modify
replace: ds-cfg-enabled
ds-cfg-enabled: true

Here is the dsconfig syntax to accomplish the same result:

dsconfig set-log-publisher-prop 
--publisher-name "File-Based Audit Logger" 
--set enabled:true 
--h localhost 
--port 5444 
-j $HOME/etc/pwd.txt 
-X 
-n

See my OpenDJ Cheat Sheet for more info on using the dsconfig commands.

This entry was posted in Directory, Identity Management on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).