Hi.
This information is easier to retrieve from Audit.
One option is to create an audit log sink and add some logic to collect the data.
E.g.:
The snippet below produces the example from the image.
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:All wsp:Usage="Required">
        <wsp:OneOrMore wsp:Usage="Required">
            <!-- Branch 1: runs only for admin audit records (audit.type is "admin") -->
            <wsp:All wsp:Usage="Required">
                <!-- Compare ${audit.type} with the string "admin", case-insensitive.
                     Message and system audit records fail this check and fall
                     through to the TrueAssertion branch below. -->
                <L7p:ComparisonAssertion>
                    <L7p:CaseSensitive booleanValue="false"/>
                    <L7p:Expression1 stringValue="${audit.type}"/>
                    <L7p:Operator operatorNull="null"/>
                    <L7p:Predicates predicates="included">
                        <L7p:item dataType="included">
                            <L7p:Type variableDataType="string"/>
                        </L7p:item>
                        <L7p:item binary="included">
                            <L7p:CaseSensitive booleanValue="false"/>
                            <L7p:RightValue stringValue="admin"/>
                        </L7p:item>
                    </L7p:Predicates>
                </L7p:ComparisonAssertion>
                <!-- Write one line to the custom logger (suffix admin.activity) with
                     who (audit.user.name), what (audit.action) and which entity
                     (audit.name, audit.entity.class). LoggingOnly keeps it out of
                     the audit record itself; it goes to the log sink only. -->
                <L7p:AuditDetailAssertion>
                    <L7p:CustomLoggerSuffix stringValue="admin.activity"/>
                    <L7p:Detail stringValue="User ${audit.user.name} executed action ${audit.action} in entity name ${audit.name} of type ${audit.entity.class}."/>
                    <L7p:LoggingOnly booleanValue="true"/>
                </L7p:AuditDetailAssertion>
                <L7p:assertionComment>
                    <L7p:Properties mapValue="included">
                        <L7p:entry>
                            <L7p:key stringValue="LEFT.COMMENT"/>
                            <L7p:value stringValue="ADMIN ACTIVITY"/>
                        </L7p:entry>
                    </L7p:Properties>
                </L7p:assertionComment>
            </wsp:All>
            <!-- Branch 2: every other audit record passes, so the sink policy
                 still succeeds and nothing else is dropped. -->
            <L7p:TrueAssertion/>
        </wsp:OneOrMore>
    </wsp:All>
</wsp:Policy>
------------------------------
Sr. Consultant Services
HCL Enterprise Studio
------------------------------
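As an added example (it is not part of the reply above, nor gateway product code), here is the monitoring side: detection logic that reads the lines the sink policy above writes and applies the rule the original message below asks for, alerting when a monitored entity is changed by an account or source network outside an allowlist, unless the change falls in a planned migration window. It assumes the lines land in the gateway log in the shape shown in the original message (timestamp, level, a number, logger name, colon, then the Detail text) and that the logger appears as the suffix admin.activity. The optional "from IP ..." tail on the Detail text, the account and network allowlists, the entity class names, the migration window and every sample line are constructed for this example and do not come from the page.

```python
"""Alert on admin-activity audit lines that fall outside an allowlist.

Constructed example. Parses the line shape produced by the AuditDetailAssertion
in the sink policy (Detail text after the gateway log prefix) and reports
changes to monitored entities made by non-allowlisted accounts or networks,
except inside a planned migration window.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Gateway log prefix (timestamp, level, number, logger) followed by the Detail
# text exactly as written in the sink policy. The " from IP <addr>" tail is an
# ASSUMED extension of the Detail string, not in the posted policy; lines
# without it still parse and simply carry no source address.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) \d+ (?P<logger>\S+): "
    r"User (?P<user>\S+) executed action (?P<action>\S+) "
    r"in entity name (?P<name>.+?) of type (?P<cls>\S+)\."
    r"(?: from IP (?P<ip>[0-9a-fA-F.:]+))?$"
)

# Example policy (assumed values): who may change what, and from where.
ALLOWED_ACCOUNTS = {"admin", "deploy-svc"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.168.10.0/24")]
# Matched on the unqualified class name so the package prefix does not matter.
MONITORED_CLASSES = {"Policy", "PublishedService", "SinkConfiguration"}
# Changes to the audit sink itself are reported regardless of who made them:
# the sink is what produces the evidence, so tampering with it is never routine.
ALWAYS_ALERT_CLASSES = {"SinkConfiguration"}

TZ = timezone(timedelta(hours=-5))
# Planned migration window (assumed): 02:00 to 04:00 local on 2019-07-20.
PLANNED_WINDOWS = [(datetime(2019, 7, 20, 2, 0, tzinfo=TZ),
                    datetime(2019, 7, 20, 4, 0, tzinfo=TZ))]

# Constructed sample lines in the assumed shape; not real gateway output.
SAMPLE_LOG = [
    "2019-07-19T16:38:22.277-0500 INFO 415 admin.activity: User admin executed action updated in entity name MyService of type com.l7tech.policy.Policy. from IP 10.20.3.7",
    "2019-07-19T23:12:05.001-0500 INFO 702 admin.activity: User contractor1 executed action updated in entity name Payments Policy of type com.l7tech.policy.Policy. from IP 203.0.113.9",
    "2019-07-19T16:51:38.788-0500 INFO 651 admin.activity: User admin executed action updated in entity name ssg of type com.l7tech.gateway.common.log.SinkConfiguration.",
    "2019-07-20T03:10:00.000-0500 INFO 800 admin.activity: User contractor1 executed action updated in entity name Payments Policy of type com.l7tech.policy.Policy. from IP 203.0.113.9",
    "2019-07-19T16:55:01.000-0500 INFO 660 admin.activity: User admin executed action read in entity name Foo of type com.l7tech.identity.User.",
]


def parse(line):
    """Return a dict of fields for an admin-activity line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    ev["cls_short"] = ev["cls"].rsplit(".", 1)[-1]
    return ev


def in_window(ts, windows):
    """True if ts lies inside any planned (start, end) window."""
    return any(start <= ts <= end for start, end in windows)


def evaluate(ev, windows):
    """Return the list of reasons to alert on this event; empty means benign."""
    cls = ev["cls_short"]
    if cls not in MONITORED_CLASSES:
        return []
    reasons = []
    if cls in ALWAYS_ALERT_CLASSES:
        reasons.append(f"change to {cls} (audit/log configuration) is always reported")
    if in_window(ev["ts"], windows):
        return reasons  # planned window: only the always-alert rule applies
    if ev["user"] not in ALLOWED_ACCOUNTS:
        reasons.append(f"account {ev['user']} is not allow-listed")
    if ev["ip"] is not None:
        # A malformed address is treated as not allowed rather than skipped.
        try:
            allowed = any(ipaddress.ip_address(ev["ip"]) in net
                          for net in ALLOWED_NETWORKS)
        except ValueError:
            allowed = False
        if not allowed:
            reasons.append(f"source {ev['ip']} is outside the allowed networks")
    # No source address on the line: the network check cannot run, so only the
    # account and always-alert rules apply. This is exactly the gap the original
    # message complains about.
    return reasons


def scan(lines, windows):
    """Run every line through parse/evaluate and collect the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not an admin.activity detail line (or the format drifted)
        reasons = evaluate(ev, windows)
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "cls": ev["cls_short"], "entity": ev["name"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, PLANNED_WINDOWS):
        print(a["ts"], a["user"], a["cls"], a["entity"], a["ip"] or "-",
              "; ".join(a["reasons"]))
```

With the constructed input this raises two alerts: the contractor account changing a policy from an outside address at night, and the sink configuration change, which is reported even though it came from an allowed account. The same contractor change inside the planned window is suppressed. Until the Detail string carries a source address, the network check never runs, so the account check and the always-alert rule on the sink configuration are what carry the detection.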
Original Message:
Sent: 07-19-2019 05:55 PM
From: Chris Bertagnolli
Subject: Basic auditing of policy change details, can't get the who/where/what
Can anyone provide an example of a log sink that can audit the most basic of details needed for security investigations / real-time monitoring of changes? I'm having a heck of a time getting what should be a simple thing to give me what I need.
All I need to be able to get into a log is (not this format but this info that is)
Admin Username=Blah From IP xxx.xxx.xxx.xxx changed Policy or config XYZ
Seems like the bare minimum information we need for auditing. But getting that in the API GW doesn't seem to work - unless I'm missing something... All I ever get is just that a policy was changed, but not by which admin or what IP they came from.
My current sink properties:
Severity=ALL
Category=Audits
Category=Gateway Log
Global properties:
audit.messageThreshold=INFO
audit.detailThreshold=INFO
But all it tells me is like this:
2019-07-19T16:38:22.277-0500 INFO 415 com.l7tech.server.admin: Policy #somePolicy (Policy for service #someServiceID, MyService) updated (changed xml)
2019-07-19T16:51:38.788-0500 INFO 651 com.l7tech.server.admin: SinkConfiguration #0000000000000000fffffffffffffcd6 (ssg) updated (changed severity)
So I have no idea which admin made the change (who) or where it came from or anything useful other than it changed.
The intent is that during security investigations we know who changes what. And also real-time monitoring in our logging solution(s) to alert if changes occur to certain policies by any account or IP NOT in a valid white list of allowed accounts/networks outside of planned migration windows.