Configuring security logging 

Configure comprehensive security logging in logback.xml that records user activity within OpsCenter, such as:
  • Creating or deleting users and roles
  • Adding or deleting users from roles
  • Changing permissions for a role, including the specific details about all permission changes
  • Resetting user passwords
  • Login attempts, both successful and unsuccessful

In addition, with LDAP authentication, all anonymous and admin bind attempts are also logged. Therefore, the OpsCenter authentication log entries and the LDAP logs should match exactly when compared.

For more information, see OpsCenter logback.xml configuration.

logback.xml 

The location of the logback.xml file depends on the type of installation:

  • Package installations: /etc/opscenter/logback.xml
  • Tarball installations: install_location/conf/logback.xml

Procedure

  1. Open logback.xml for editing.
  2. Add the following section:
    
    <appender name="security" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>./log/security.log</file>
        <encoder>
            <pattern>%date{ISO8601, UTC} [%X{cluster_id}] %msg ==%X{structured}== \(%thread\)%n%exception{20}</pattern>
        </encoder>
        <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
            <fileNamePattern>./log/security.%i.log</fileNamePattern>
            <minIndex>1</minIndex>
            <maxIndex>10</maxIndex>
        </rollingPolicy>
        <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
            <maxFileSize>10MB</maxFileSize>
        </triggeringPolicy>
        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
            <level>INFO</level>
        </filter>
    </appender>
  3. To set structured data output, set %X{structured} as shown in the following example:
    <pattern>%date{ISO8601, UTC} [%X{cluster_id}] %msg ==%X{structured}== \(%thread\)%n%exception{20}</pattern>
  4. Restart OpsCenter.

Example

The following example shows unstructured log output, followed by the structured output for the same event:
2016-04-07 21:42:16,664 [] Login failure user: foo (MainThread)
2016-04-07 21:42:16,664 [] Login failure user: foo =={"event": "login-failure", "user": "foo", "opsc-initiated": false, "ip": "0:0:0:0:0:0:0:1"}== (MainThread)
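The following Python script is an added example, not part of OpsCenter or its documentation. It parses security.log lines written with the structured pattern above and counts login failures per user and source IP. The function names and the sample lines are assumptions made for illustration; only the `login-failure` event and its fields come from the sample output on this page.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Layout produced by the <pattern> above: date [cluster_id] msg ==structured== (thread)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<cluster>[^\]]*)\] (?P<msg>.*?) "
    r"==(?P<structured>.*)== \((?P<thread>[^()]*)\)$"
)

def parse_line(line):
    """Parse one security.log line; None for lines that do not match the
    structured layout (unstructured output, stack-trace continuation lines)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=timezone.utc)
    raw = rec.pop("structured")
    try:
        # An unset %X{structured} renders as an empty string, giving "====".
        rec["event"] = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        rec["event"] = None  # keep the record; unparseable payloads deserve review
    return rec

def failed_logins(lines):
    """Count login-failure events per (user, ip) pair."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        ev = rec["event"]
        if isinstance(ev, dict) and ev.get("event") == "login-failure":
            counts[(ev.get("user"), ev.get("ip"))] += 1
    return counts

# Constructed sample input; only the first and fourth lines are copied from the page.
SAMPLE = [
    '2016-04-07 21:42:16,664 [] Login failure user: foo =={"event": "login-failure", "user": "foo", "opsc-initiated": false, "ip": "0:0:0:0:0:0:0:1"}== (MainThread)',
    '2016-04-07 21:42:18,010 [] Login failure user: foo =={"event": "login-failure", "user": "foo", "opsc-initiated": false, "ip": "0:0:0:0:0:0:0:1"}== (MainThread)',
    '2016-04-07 21:42:19,500 [] Login failure user: bar =={"event": "login-failure", "user": "bar", "opsc-initiated": false, "ip": "10.0.0.5"}== (MainThread)',
    '2016-04-07 21:42:16,664 [] Login failure user: foo (MainThread)',
    '2016-04-07 21:43:01,120 [] Constructed message with no structured data ==== (MainThread)',
]

if __name__ == "__main__":
    for key, n in failed_logins(SAMPLE).items():
        print(key, n)
```

Because the user name also appears in the free-text message, a record whose payload fails to parse is kept with `event` set to `None` rather than dropped, so it can be reviewed.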