Configure/Decoding AEM AuditLogs

-
AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM.
Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom.
This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs. 
This article covers the following -

  • How can we enable Audit logs in AEM.
  • How can we read and understand the Audit logs/ tools to use it.
  • Audit log on file system in crx-quickstart/logs folder.  
  • Audit logs for User creation / Modification.
  • How can you archive/purge the audit logs.

How can we enable Audit logs in AEM?         

By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages and replications activity etc..
To get it configured for all the operations or as per the need for assets you need to change/update a couple of configurations –

1 – Open system console and check the configuration -Adobe CQ DAM Event Audit Listener” make sure it is enabled, if not please enable it.


2 – Make sure you have all required events checked in the configuration by default few are checked you can check more events as per your need.  – Day CQ DAM Event Recorder
This will enable the audit logs for required events in DAM and you can test it by doing some modification, replication, delete operation from the console to any of your asset/page etc.. 

NOTE : Any operation done from the crx/de or from crx/explorer will not be captured in the audit log.

How can we read and understand the audit logs/ tools to use it?

Option -1 

You can find the audit logs in crx/de in form of node structure under the path /var/audit/ –


Option 2  – 
You can write your own query to search the /var/audit folder to fetch the information based on any page, asset, time, user etc.. 

 Option 3 - 
Adobe ACS team has GUI tool for Audit logs search, which you can leverage to find audit trail. This tool is easy to use and can save your efforts for the manual query.
[0] https://adobe-consulting-services.github.io/acs-aem-commons/
[1] https://adobe-consulting-services.github.io/acs-aem-commons/features/audit-log-search/index.html



Enable Audit log in the file system -
You can also enable the audit log on the file system and it will be written in the /crx-quickstart/logs folder like any other logs file.
1.  Go to:- http://localhost:4502/system/console/slinglog
2. Search for audit.log entry (not the auditlog.log) and change the log level to Debug or Trace.
3. Save your changes.

Audit logs for User creation / Modification
You can also achieve the auditing of the user / group creation, modification etc.. Please follow the below steps – 
1. Go to:- http://localhost:4502/system/console/slinglog
2. Create a new log file , say useraudit.log and add the API mentioned.  Leave the logger level to information.
           a- com.adobe.granite.security.user.internal.Audit
          b- com.adobe.granite.security.user.internal.servlets.AuthorizableServlet

 This will give the logs like below –

 
23.04.2020 07:42:17.464 *INFO* [0:0:0:0:0:0:0:1 [1579569137461] POST /home/users/c/cND9nn7ZEFMG6-O-z-OJ HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'admin56' was added to the group 'administrators'
23.04.2020 08:16:01.684 *INFO* [0:0:0:0:0:0:0:1 [1579571161681] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group 'administrators'
23.04.2020 08:17:57.491 *INFO* [0:0:0:0:0:0:0:1 [1579571277489] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was added to the group 'administrators'
23.04.2020 08:20:14.820 *INFO* [0:0:0:0:0:0:0:1 [1579571414818] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group 'administrators'
23.04.2020 08:26:57.536 *INFO* [0:0:0:0:0:0:0:1 [1579571817534] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group 'administrators'
23.04.2020 08:27:07.581 *INFO* [0:0:0:0:0:0:0:1 [1579571827579] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was added to the group 'administrators'
23.04.2020 08:27:13.358 *INFO* [0:0:0:0:0:0:0:1 [1579571833356] POST /home/users/R/R3oxB9kTexWYrXRzjDki HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditGroupAction User '2' was removed from the group

  How can you archive/purge the audit logs?


 Vital points to keep in mind, the audit log keeps a very huge space in the disk as well as in the crx/de node structure under /var/audit/. Hence you need to configure the audit log purge in AEM, both from the file system and crx/de. 

Purging from crx/de -
OTB AEM gives you the mechanism for audit log purging. 
Adobe helpx documentation has a good description of audit logs purge.  Please refer the link for detailed steps [3]
[3]   https://docs.adobe.com/content/help/en/experience-manager-65/administering/operations/operations-audit-log.html

Purging from File system - 
For the logs creating on the file system in you crx-quickstart/logs folder, please develop the script for purging the log files to free the disk space. Or move these to some other location/server.

References –






Comments

  1. AnonymousApril 7, 2022 at 1:08 PM

    Nice article. To the point, informative.

    ReplyDelete

Post a Comment

Popular Posts

AdobeDispatcherHacks ".statfile"

-
Image
AEM DISPATCHER STATFILE UNDERSTANDING & CACHE INVALIDATION:- AEM Developers, Infrastructure Engineers regularly come across a challenge on decoding the statfile and using it efficiently especially statfile becomes highly relevant in a multi-tenanted environment with different project teams controlling different sites. The article addresses in a simple way on how to understand the mechanisms of stat file and gives a detailed explanation of how it can be used in a multi-tenant environment model.  The image for your reference as a quick overview of the data flow, before we take a deep dive.  This article covers - 1 - When dispatcher serves the old version of the content. How to avoid it. 2- Cache invalidation mechanism. Assumption - If you are reading this article, I believe you would have a basic understanding of Dispatcher and it's configuration. Firstly let’s set the initial configuration for the cache invalidation section of the dis
Read more

how to clear dispatcher cache in aem ?

-
Image
How to clear dispatcher cache in aem ? As you may know, the Dispatcher cache in Adobe Experience Manager (AEM) is used to improve the performance of your website by caching static resources and pages. However, sometimes you may need to clear the cache to ensure that the latest content and changes are displayed on your website. In this blog post, we'll show you how to clear the Dispatcher cache in AEM.   This method will clear the entire Dispatcher cache, including all cached pages and resources. Keep in mind that clearing the cache may affect the performance of your website, as it may take some time to rebuild the cache. Clear Cache using the Dispatcher Flush Agent You can use the Dispatcher Flush Agent. Follow these steps:   Log in to your AEM instance and navigate to http://localhost:4502/etc/replication/agents.author.html . Click on the "Dispatcher Flush" agent to open the agent's configuration page. Clic
Read more

How to Increase Apache Request Per Second ?

-
Image
How to Increase Apache Request Per Second ? By default, Apache web server is configured to support 160 requests per second. As your website traffic increases, Apache will start dropping additional requests and this will spoil customer experience.  Here’s how to increase Apache requests per second. 1. Install MPM module We need to install MPM Apache module to be able to increase Apache requests per second. You can use mpm_worker or mpm_event module for this, instead of mpm_prefork module which consumes a lot of memory. You can easily install MPM module in Apache with following command For CentOS7/RHEL7 : Adjust /etc/httpd/conf.modules.d/00-mpm.conf Comment the line LoadModule mpm_prefork_module modules/mod_mpm_prefork.so by adding # in front of it. Uncomment the line LoadModule mpm_worker_module modules/mod_mpm_worker.so by removing # in front of it. For Ubuntu/Debian :  Use a2dismod / a2enmod to disable mpm_prefork and enable mpm_worker 2. Increase Max Connections in Apache Open MP
Read more

How Does S3 works with AEM ?

-
Image
How Does S3 works with AEM  ? Accommodating a huge amount of assets in any content management platform is challenging. Adobe Experience Manager offers an integration with the Amazon S3 storage solution, allowing binary data for images, documents and videos to be stored in an S3 bucket. Amazon S3 is highly performant and offers nearly infinite storage capacity.   When talking about terabyte storage, performance is everything. The choices made during the planning and architecting phase can literally make or break the performance of a CMS system and the websites running on it.  Adobe Experience Manager offers a number of storage methods, each offering a different way of storing data. Each of these options has its strengths and weaknesses. In AEM storage the mechanisms are called Micro Kernels, or MK for short.  In this article we will look at the AEM with S3 data store. For the detailed steps for S3 configuration you can refer -  https://www.aemrules.com/2022/05/how-to-configure-s3-in-aem
Read more

How to Sync HMAC in AEM ?

-
Image
Crypto Support in AEM (Syncing HMAC among AEM instances) AEM OOTB provides a feature where we can encrypt the secured and confidential data through OOTB AEM Crypto Support and store it in a code repository in the form of OSGi configuration. Crypto Support is based on keys (hmac and master files) which are unique for each AEM instance. Encrypted text generated for the same plain-text string on one AEM instance will be different from another instance. This can raise alarms in cases where we have the same OSGi configuration values shared among Author and Publish instances under the same topology. For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml Here DB password for Default DB Service will be same across all Prod AEM instances. So, in order to make sure that the same encrypted value works on all Prod instances, we will have to sync hmac and master files among Prod Author and Publish instances. Vital Points to know before HMAC SYNC  Sync of HMAC/keys will break the AEM SSL and
Read more

AEM Security Headers

-
Image
Added Security in AEM via Headers:-  In design a robust architecture AEM Architects, Developers, Infrastructure Engineers regularly come across a challenge for adding the additional security in AEM.  In this article, we will understand the key security headers which can be used in webserver and give an additional layer of security for your Publish server and content.  I have used Apache webserver for all the examples.  This article covers -  1 - X-XSS protection  2 - HTTP Strick Transport Security 3 - X-Frame Option  4 - Content Security  1- X-XSS Protection:-  X-XSS-Protection header can prevent some level of XSS (cross-site-scripting ) attacks.  Configure the x-xss-protection header to 1 in your apache httpd.conf file or Vhost file if you have for all domains as applicable.   <IfModule mod_headers.c>   <FilesMatch "\.(htm|html)$">                         #Force XSS (should be on by default in most browsers anyway)                  
Read more

Dispatcher flush from AEM UI

-
Image
How to Delete Dispatcher cache without logging into the Dispatcher servers? Our Authoring team faces day to day challenges while deleting/flush the dispatcher cache. when the changes are not visible on server. They have to be depended on the IT operations/Dev ops teams to do the same. Which some time get very much time consuming for a small work.  In this article we will see it can be configure and used by Author UI itself.  This will allow  AEM authors (or “super authors”) to flush parts of the dispatcher cache manually without the involvement of IT Operations. How to Use 1. Log in to AEM Author 2. Download the ACS commons tool from  ACS Commons Official page 3. Install the downloaded package via aem package manager.   4. Make sure you create the dispatcher flush agents on Author for all Dispatchers. from http://<<host:port>>/miscadmin#/etc/replication/agents.author, check the NOTE's part at the end of page. 5. Navigate to Tools 6. Under the acs-commmons/dispatcher-flu
Read more

How to protect AEM against CSRF Attack ?

-
Image
How to protect AEM against CSRF Attack ? Adobe Experience Manager (AEM) is a popular content management system that is widely used to develop and manage websites, mobile apps, and other digital experiences. However, like any other web application, AEM is vulnerable to cross-site request forgery (CSRF) attacks. CSRF attacks are malicious attacks where an attacker tricks a user into performing an action they did not intend to perform by exploiting the user's active session on a website. In this blog, we will discuss some measures that can be taken to protect AEM from CSRF attacks.   Implement CSRF protection in AEM:   The first and most important step to protect AEM from CSRF attacks is to implement CSRF protection in the application. AEM provides a built-in CSRF protection mechanism that can be enabled by setting the "sling.filter.methods" property in the OSGi configuration. This property specifies which HTTP methods are allowed to execute without requiring a CSRF
Read more

How to prevent DDoS in Apache ?

-
Image
Prevent DDoS in Apache & IP Block Automation DDoS (Distributed Denial of Service) attacks are a type of cyberattack that can cause serious damage to your web server. These attacks involve flooding your server with a huge volume of traffic, overwhelming its resources and causing it to crash. In this blog post, we'll discuss how to prevent DDoS attacks in Apache, without using any third part tool/application.     Available Options to Prevent DDoS : You can use various mentioned methods to achieve the same. But using WAF, CDN, etc will cost extra dollars. Which might not be necessary for a small scale application.   Use a Web Application Firewall (WAF): A WAF can help detect and block malicious traffic before it reaches your Apache server. It can also help block common attack vectors, such as SQL injection and cross-site scripting (XSS). Install mod_evasive: mod_evasive is an Apache module that helps detect and block DDoS attacks. It wor
Read more