Layer 7 API Management


Audits to File

  • 1.  Audits to File

    Posted 01-04-2018 08:37 AM

    Hello,

    Revising my question...  I wasn't clear on this at all.

    I have the Splunk forwarding agent already installed on my gateways.  I'm looking for the configuration to ONLY log to the default log file.  I already have Splunk ingesting my gateway logs and I want to avoid the DB hits.

    In Policy Manager, I only see the option in Manage Audit Sinks to send to DB, Sink, or both.  However, I have to choose one.  If writing to the log is done by default, why is a Sink needed?

    If it is needed, how should it be configured so that it becomes a No-Op?  Is the intent to have this set up as a "global" audit?  I'm okay with that if it is... Could someone please clarify for me?

    Thanks!

    Alejandro



  • 2.  Re: Audits to File
    Best Answer

    Posted 01-04-2018 02:33 PM

    Replying to myself.

    I believe this is what I am looking for - https://communities.ca.com/message/241957675-re-which-property-is-required-to-enable-and-disable-the-audit-events?commen…

    The suggestion is to effectively add a pass-through to the audit sink.  Why is the default behavior of the audit sink a failure?!  That seems to be counterproductive and causes additional audit records to be produced in the DB (if that option is kept).

    Anyway... I'd LOVE to hear how people perform audits and logs.  Would anyone be willing to share policy that lays out their audit/log format?

    Thanks,

    Alejandro



  • 3.  Re: Audits to File

    Posted 01-10-2018 11:51 AM

    FWIW - I'll share my logging:

    I'm logging using a custom logger to capture policy execution - "PolicyExecLog" for ease of filtering.

    Here is a snippet of my standard policy with the relevant logging bits:

    I pair this up with a traffic logger defined as follows:

    ${requestId} | ${ssgnode.hostname} | ${request.http.header.x-forwarded-for} | ${request.http.method} | ${request.url} | ${response.http.status}

    I'm considering the following:

    - Adding a switch to dump out request and response bodies.

    - Capturing a correlation id on the request.  If it is not present, generating one on the gateway.

    - Adding a response header that carries the correlation id.

    Thanks,

    Alejandro
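The traffic-logger format shared in the post, and the correlation-id idea at the end of it, as an added example (not the poster's policy and not Layer 7 / CA API Gateway code): a parser for the pipe-delimited log line that a downstream consumer such as a Splunk extraction would need, plus a "reuse or generate" correlation-id routine of the kind the post is considering. The sample log lines are constructed, not captured from a gateway; the header name `X-Correlation-ID` is an assumption, as is the assumption that an absent `x-forwarded-for` header expands to an empty field in the log line. The security point the example makes: `X-Forwarded-For` and the request URL are client-controlled, so a client can put the `|` delimiter into them and forge extra fields in the log line. The parser rejects any line that does not have exactly six fields rather than silently taking the first or last six, and the correlation-id routine only accepts client-supplied ids that match a strict whitelist, so that header cannot be used to inject delimiters either.

```python
"""Parse the pipe-delimited gateway traffic log from the post and show
correlation-id capture/generation.  Added example, not the poster's gateway
policy.  Sample log lines and the header name are constructed assumptions."""
import re
import uuid
from dataclasses import dataclass
from typing import Optional

FIELDS = ("request_id", "hostname", "x_forwarded_for", "method", "url", "status")

# Constructed sample lines in the poster's format:
#   ${requestId} | ${ssgnode.hostname} | ${request.http.header.x-forwarded-for}
#   | ${request.http.method} | ${request.url} | ${response.http.status}
# Line 2 has no X-Forwarded-For header (assumed to render as an empty field);
# line 3 has a multi-hop XFF list; line 4 is a client that put the delimiter
# into its XFF header to forge a "GET /admin 200" record.
SAMPLE_LOG = """\
0000015fa1b2c3d4-1 | gw01.example.internal | 203.0.113.7 | GET | https://api.example.com/v1/orders/42 | 200
0000015fa1b2c3d4-2 | gw01.example.internal |  | POST | https://api.example.com/v1/orders | 201
0000015fa1b2c3d4-3 | gw02.example.internal | 198.51.100.9, 10.0.0.5 | GET | https://api.example.com/v1/orders/43 | 404
0000015fa1b2c3d4-4 | gw02.example.internal | 1.2.3.4 | GET | https://api.example.com/admin | 200 | GET | https://api.example.com/v1/ping | 403
"""


@dataclass
class TrafficRecord:
    request_id: str
    hostname: str
    x_forwarded_for: str
    method: str
    url: str
    status: int
    client_ip: Optional[str]  # first XFF hop, or None when the header was absent


def parse_traffic_line(line):
    """Return (record, None) on success or (None, reason) for a malformed line.

    A field count other than six means either extraction damage or a
    client-controlled value (XFF, URL) that contained the delimiter; both are
    rejected instead of guessed at, so a forged line never becomes a record."""
    parts = [p.strip() for p in line.rstrip("\n").split("|")]
    if len(parts) != len(FIELDS):
        return None, f"expected {len(FIELDS)} fields, got {len(parts)} (possible delimiter injection)"
    rid, host, xff, method, url, status = parts
    if not status.isdigit():
        return None, "non-numeric status"
    if not re.fullmatch(r"[A-Z]+", method):
        return None, "unexpected method token"
    # XFF is "client, proxy1, proxy2"; the first hop is the (untrusted) client.
    client_ip = xff.split(",")[0].strip() if xff else None
    return TrafficRecord(rid, host, xff, method, url, int(status), client_ip), None


def parse_traffic_log(text):
    """Parse a whole log; returns (records, [(lineno, reason), ...])."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec, err = parse_traffic_line(line)
        if rec is not None:
            records.append(rec)
        else:
            rejected.append((lineno, err))
    return records, rejected


CORRELATION_HEADER = "X-Correlation-ID"          # assumed header name
CORRELATION_RE = re.compile(r"[A-Za-z0-9._-]{8,64}")  # assumed id whitelist


def resolve_correlation_id(request_headers, generate=uuid.uuid4):
    """Reuse a well-formed client-supplied correlation id, otherwise mint one.

    Returns (id, was_generated).  Values outside the whitelist are replaced,
    so a client cannot smuggle '|' or control characters into the log line
    through this header."""
    incoming = None
    for name, value in request_headers.items():
        if name.lower() == CORRELATION_HEADER.lower():
            incoming = value.strip()
            break
    if incoming and CORRELATION_RE.fullmatch(incoming):
        return incoming, False
    return str(generate()), True


def response_headers_for(correlation_id):
    """Header to add to the response so the caller can quote the id back."""
    return {CORRELATION_HEADER: correlation_id}


if __name__ == "__main__":
    recs, bad = parse_traffic_log(SAMPLE_LOG)
    for r in recs:
        print(r)
    for lineno, why in bad:
        print(f"line {lineno} rejected: {why}")
    print(resolve_correlation_id({"X-Correlation-ID": "abc-123-DEF"}))
    print(resolve_correlation_id({"X-Correlation-ID": "bad|value"}))
```

If the log is consumed by a field extraction that simply takes the first six pipe-separated values, the forged line 4 would be recorded as a successful `GET /admin`; rejecting on field count (or, on the gateway side, stripping the delimiter from client-controlled variables before they reach the logger) is the cheaper fix.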