Audit Log Fields
Auditing events on the gateway are informational. The default auditing level is informational (INFO) and cannot be changed.
The audit logs, located at $gatewaydir/knox/logs/gateway-audit.log.$date,
have the following structure:
EVENT_PUBLISHING_TIME ROOT_REQUEST_ID | PARENT_REQUEST_ID | REQUEST_ID | LOGGER_NAME | TARGET_SERVICE_NAME | USER_NAME | PROXY_USER_NAME | SYSTEM_USER_NAME | ACTION | RESOURCE_TYPE | RESOURCE_NAME | OUTCOME | LOGGING_MESSAGE
where:
- EVENT_PUBLISHING_TIME : contains the timestamp when the record was written.
- ROOT_REQUEST_ID : Reserved, the field is empty.
- PARENT_REQUEST_ID : Reserved, the field is empty.
- REQUEST_ID : contains a unique value representing the request.
- LOGGER_NAME : contains the logger name. For example, audit.
- TARGET_SERVICE_NAME : contains the name of the service. Empty indicates that the audit record is not linked to a service. For example, an audit record for topology deployment.
- USER_NAME : contains the ID of the user who initiated the session with Knox Gateway.
- PROXY_USER_NAME : contains the authenticated user name.
- SYSTEM_USER_NAME : Reserved, the field is empty.
- ACTION : contains the executed action type. The value is either authentication, authorization, redeploy, deploy, undeploy, identity-mapping, dispatch, or access.
- RESOURCE_TYPE : contains the resource type of the action. The value is either uri, topology, or principal.
- RESOURCE_NAME : contains the process name of the resource. For example, topology shows the inbound or dispatch request path and principal shows the name of the mapped user.
- OUTCOME : contains the action results: success, failure, or unavailable.
- LOGGING_MESSAGE : contains additional tracking information, such as the HTTP status code.
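
The record structure above can be split into named fields and filtered on ACTION and OUTCOME. The following is an added example, not code from the Knox project: the function names, the timestamp format and the sample records are constructed, and it assumes one record per line with `|` as the field separator (with or without surrounding spaces).

```python
from collections import Counter

# Field order after the leading timestamp, as listed in the structure above.
FIELDS = ["PARENT_REQUEST_ID", "REQUEST_ID", "LOGGER_NAME", "TARGET_SERVICE_NAME",
          "USER_NAME", "PROXY_USER_NAME", "SYSTEM_USER_NAME", "ACTION",
          "RESOURCE_TYPE", "RESOURCE_NAME", "OUTCOME", "LOGGING_MESSAGE"]

def parse_audit_line(line):
    """Split one audit record into a dict keyed by field name; None if malformed."""
    # maxsplit keeps any '|' inside LOGGING_MESSAGE (the last field) intact.
    parts = [p.strip() for p in line.rstrip("\n").split("|", len(FIELDS))]
    if len(parts) != len(FIELDS) + 1:
        return None
    # ROOT_REQUEST_ID is reserved and empty, so the first chunk is the timestamp.
    record = {"EVENT_PUBLISHING_TIME": parts[0], "ROOT_REQUEST_ID": ""}
    record.update(zip(FIELDS, parts[1:]))
    return record

def non_success_by_user(lines, actions=("authentication", "authorization")):
    """Count records per USER_NAME whose OUTCOME is failure or unavailable."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["ACTION"] in actions and rec["OUTCOME"] != "success":
            counts[rec["USER_NAME"] or "<none>"] += 1
    return counts

# Constructed sample records (timestamp format, IDs, users and paths are made up).
SAMPLE = [
    "17/01/10 09:15:01 ||req-0001|audit|WEBHDFS|alice|||authentication|uri|/gateway/sandbox/webhdfs/v1/tmp|success|",
    "17/01/10 09:15:07 ||req-0002|audit|WEBHDFS|bob|||authorization|uri|/gateway/sandbox/webhdfs/v1/secure|failure|",
    "17/01/10 09:15:09 ||req-0003|audit|WEBHDFS|bob|||authentication|uri|/gateway/sandbox/webhdfs/v1/secure|unavailable|",
    "17/01/10 09:15:12 ||req-0004|audit|WEBHDFS|bob|||access|uri|/gateway/sandbox/webhdfs/v1/secure|failure|Response status: 403 | denied",
    "17/01/10 09:16:00 ||req-0005|audit|||||deploy|topology|sandbox|success|",
    "not an audit record",
]

if __name__ == "__main__":
    print(dict(non_success_by_user(SAMPLE)))
```

Records with an empty TARGET_SERVICE_NAME, such as the deploy record in the sample, parse normally; lines that do not have all thirteen fields are skipped rather than guessed at.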