Layer7 API Management

 View Only
Expand all | Collapse all

Which fields are necessary for the internal audit-lookup policy work?

  • 1.  Which fields are necessary for the internal audit-lookup policy work?

    Posted Mar 15, 2018 03:35 PM

    Hello,

     

    The documentation for developing the internal audit-lookup policy states that :

     

    Audit Lookup Context Variables - CA API Gateway - 9.2 - CA Technologies Documentation 

     

    We must fill all these variables for the audit appear in the "Policy Manager - Gateway Audit Events" window?

     

    ${recordQuery.queryresult.count}
    ${recordQuery.id.X}
    ${recordQuery.nodeid.X}
    ${recordQuery.time.X}
    ${recordQuery.type.X}
    .....

     

    There are 40 fields to be filled.

    Which ones are really necessary for the audit entry to appear?

     

    The default audit-lookup policy from the gateway comes empty, is there any sample policy for populating these context variables?

     

    We are not using the audit-sink policy, its empty.

    We are storing the audit logs in a syslog server then another process uploads it to an elasticsearch server.

    The problem is that we disabled storing audit logs in the internal database so the  "Gateway Audit Events" window shows nothing.We are implementing the audit-lookup policy to fetch the audit data from elasticsearch but I'm having the beforementioned problem of not showing anything "via audit lookup policy" option on "Gateway Audit Events" window.

     

    Any help will be appreciated.

     

    Best regards,

    Henrique Jotha



  • 2.  Re: Which fields are necessary for the internal audit-lookup policy work?

    Broadcom Employee
    Posted Dec 19, 2018 05:29 PM
      |   view attached

    Henrique,

     

    Good afternoon, I've read through your scenario and the default audit sink lookup policy is designed to pull the data from the database tables into context variables. I've attached the template Audit Sink Lookup policy.

     

    The 2 key queries that are done are:

    Pulls all Audit records for a period of time

    SELECT id,nodeid,time,audit_level,name,message,signature,type from audit_main where time>=1545251464098 and time<1545253273578 and audit_level in (300, 400, 500, 700, 800, 900, 1000) and nodeid like '%' and type like '%' and lower(name) like lower('%') escape '#' and lower(user_name) like lower('%') and lower(user_id) like lower('%') and lower(message) like lower('%') and lower(entity_class) like lower('%') and entity_id like '%' and lower(operation_name) like lower('%') and lower(request_id) like lower('%') order by time desc limit 10000

     

    When you select one that has an Associated Log entry

    select * from audit_detail where audit_oid in ('aeb9073c-029d-42f2-ae61-228ba7758dad')

     

    So the returned variables appear to be recordQuery.id, recordQuery.time,recordQuery.audit_level,recordQuery.name,recordQuery.message,recordQuery.signature,and recordQuery.type for the basic view in the Audit Viewer. As you click on each then it will pull back all the values in the table (shown below) and add "recordQuery." to the begin like recordQuery.ip_address. If there is an Associated log then it will pull values from the audit_detail table.

     

    mysql> desc audit_main;
    +--------------------+---------------+------+-----+---------+-------+
    | Field | Type | Null | Key | Default | Extra |
    +--------------------+---------------+------+-----+---------+-------+
    | id | varchar(40) | NO | PRI | NULL | |
    | nodeid | varchar(40) | NO | MUL | NULL | |
    | time | bigint(20) | NO | MUL | NULL | |
    | type | varchar(50) | YES | MUL | NULL | |
    | audit_level | varchar(12) | NO | MUL | NULL | |
    | name | varchar(255) | YES | MUL | NULL | |
    | message | varchar(255) | NO | MUL | NULL | |
    | ip_address | varchar(39) | YES | MUL | NULL | |
    | user_name | varchar(255) | YES | MUL | NULL | |
    | user_id | varchar(255) | YES | MUL | NULL | |
    | provider_oid | varchar(40) | NO | | -1 | |
    | signature | varchar(1024) | YES | | NULL | |
    | properties | mediumtext | YES | | NULL | |
    | entity_class | varchar(255) | YES | MUL | NULL | |
    | entity_id | varchar(40) | YES | MUL | NULL | |
    | status | int(11) | YES | | NULL | |
    | request_id | varchar(40) | YES | MUL | NULL | |
    | service_oid | varchar(40) | YES | | NULL | |
    | operation_name | varchar(255) | YES | | NULL | |
    | authenticated | tinyint(1) | YES | | 0 | |
    | authenticationType | varchar(40) | YES | | NULL | |
    | request_length | int(11) | YES | | NULL | |
    | response_length | int(11) | YES | | NULL | |
    | request_xml | mediumblob | YES | | NULL | |
    | response_xml | mediumblob | YES | | NULL | |
    | response_status | int(11) | YES | | NULL | |
    | routing_latency | int(11) | YES | | NULL | |
    | component_id | int(11) | YES | | NULL | |
    | action | varchar(32) | YES | | NULL | |
    +--------------------+---------------+------+-----+---------+-------+

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support

    Attachment(s)