Layer7 API Management


Configuration changed after Enabling Audit sink-

  • 1.  Configuration changed after Enabling Audit sink-

    Posted Sep 07, 2017 02:48 AM

    Hello Techies ,

    Could you please let me know, after enabling Audit sink, which file or database table is getting changed?

    Please have a look at the screenshot attached below for more, and help.

     

    Thanks!
    Prashant Srivastava



  • 2.  Re: Configuration changed after Enabling Audit sink-

    Broadcom Employee
    Posted Sep 07, 2017 09:19 AM

    So, regarding the configuration you pictured above: to my understanding, you can check off either or both.

     

    The first option, 

    Save Audit Records to Gateway Database 

    This is the default for audits, so it updates the MySQL audit_main and audit_detail tables (basically the ssg audit_* tables), which tend to fill up MySQL if you are not frequently cleaning audits or have not increased your MySQL partition allocation.

     

    The second option 

    Output audit Records via audit sink policy

    Creates an internal Audit sink (and audit lookup), which are configured and typically used as a remote logger for audits. The default behavior of the Audit sink policy, if it fails, is to also write the audits back to the internal database (same as option 1) unless configured otherwise; there are cluster properties to not fall back.

     

    In the event you have both checked off, both sources are being written to. In the case you have Output audit records only, the custom audit sink is being used unless the service fails, and then it falls back to the internal database.

     

    But with only the highlighted option, you should be writing to the audit_* tables.


    Hope that helps.

     



  • 3.  Re: Configuration changed after Enabling Audit sink-

    Broadcom Employee
    Posted Sep 07, 2017 09:26 AM

    And if I missed the question, and it was what the now-enabled "via audit sink" is doing:

     

    It would be doing whatever you created the internal audit sink policy to perform.

    To determine this, log into Policy Manager and, in the lower-left service search box, look for:

    "Internal Audit Sink Policy"

    Double-click on the policy; it should be writing to whatever it was set up to do, in the right-hand pane.

     

    So if it's doing JDBC, then to whatever JDBC driver was created and whatever query/queries are there, for example:

    insert into audit_main(id

    It would also be inserting into audit_main on the JDBC connection if you used JDBC and set up a remote DB with the schema generated when creating the audit sink policy.



  • 4.  Re: Configuration changed after Enabling Audit sink-

    Posted Sep 08, 2017 12:55 AM

    Thank you, Charles, for replying!

     

    Actually, I wanted to know: if I want to enable audit sink without using Policy Manager, which file or database property needs to change?

     

     

    Thanks!

    Prashant Srivastava



  • 5.  Re: Configuration changed after Enabling Audit sink-

    Broadcom Employee
    Posted Sep 12, 2017 10:17 AM

    Prashant,

     

    The audit sink configuration is stored in the database in the cluster_properties table; however, changing this value won't go into effect until the ssg service is restarted. Furthermore, directly modifying these configurations in the database is not supported.

     

    You can also modify cluster-wide properties via RESTman, but I believe this particular cluster-wide property would still require an ssg restart after doing so. Here is more information about our REST Management API:
    REST Management API - CA API Gateway - 9.2 - CA Technologies Documentation 

     

    --Azad



  • 6.  Re: Configuration changed after Enabling Audit sink-

    Posted Sep 12, 2017 10:30 AM

    Hi Prashant0384 

    Is this the solution you were looking for? 

    If so can you please mark it as answered.

     

    Kind Regards,

    Anwar



  • 7.  Re: Configuration changed after Enabling Audit sink-

    Posted Sep 12, 2017 10:55 AM

    Thanks, Azad, for the reply!!

     

    I will check which parameter is getting changed in the cluster_properties table after enabling audit sink.

    Will update the group by tomorrow.

     

    Thank you!



  • 8.  Re: Configuration changed after Enabling Audit sink-

    Posted Sep 17, 2017 01:35 AM

    Hi Azad,

    As per the table description, it seems it's stored somewhere else. If you have info on which attribute it's stored under, then please share the complete detail.

    [Motive: want an auto alert in case someone enabled audit sink]

    mysql> desc cluster_properties;
    +------------+--------------+------+-----+---------+-------+
    | Field      | Type         | Null | Key | Default | Extra |
    +------------+--------------+------+-----+---------+-------+
    | goid       | binary(16)   | NO   | PRI | NULL    |       |
    | version    | int(11)      | NO   |     | NULL    |       |
    | propkey    | varchar(255) | NO   | UNI | NULL    |       |
    | propvalue  | mediumtext   | NO   |     | NULL    |       |
    | properties | mediumtext   | YES  |     | NULL    |       |
    +------------+--------------+------+-----+---------+-------+

     

    However, in case we enable tracing of any service, that is stored in published_service under the tracing column as 1 or 0.



  • 9.  Re: Configuration changed after Enabling Audit sink-

    Posted Sep 18, 2017 11:59 AM

    Try using the following query to find the audit related entries in the cluster_properties table:

     

    select * from cluster_properties where propkey like '%audit%'\G



  • 10.  Re: Configuration changed after Enabling Audit sink-

    Broadcom Employee
    Posted Sep 21, 2017 02:30 PM

    Prashant,

     

    If you want to track whether this is being enabled, there are both log and audit entries written out with the following output:

     

    NONE    69e22f4c815a7c4aa5910ecfbbe65af1    Gateway1    20170921 11:26:43.748    INFO        ClusterProperty #69e22f4c815a7c4aa5910ecfbbe65af0 (audit.sink.policy.guid) created
    NONE    69e22f4c815a7c4aa5910ecfbbe65aef    Gateway1    20170921 11:26:43.278    INFO        ClusterProperty #69e22f4c815a7c4aa5910ecfbbe65aee (audit.sink.alwaysSaveInternal) created
    NONE    69e22f4c815a7c4aa5910ecfbbe65af2    Gateway1    20170921 11:26:43.860    INFO        Audit Sink Policy started

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 11.  Re: Configuration changed after Enabling Audit sink-

    Posted Sep 22, 2017 02:17 AM

    Thank you, Stephen, for the reply!!

    You are correct; using the same, I already built a script to check whether audit sink is enabled on the server. In ssg_0_0.log we can get all the info for enabled and disabled audit sink, like below.

    Log file location will be: '/opt/SecureSpan/Gateway/node/default/var/logs/ssg_0_0.log'

    String in case of enabled: "com.l7tech.server: Internal Audit System started"

    String in case of disabled: "com.l7tech.server: Internal Audit System disabled"

     

    But I am curious to know whether somewhere in the configuration (database or file) any parameter is also getting changed?

     

    Just FYI: I did not get any parameter related to audit sink in the clusterwide table.

    Thanks!

    Prashant Srivastava



  • 12.  Re: Configuration changed after Enabling Audit sink-

    Broadcom Employee
    Posted Sep 22, 2017 12:44 PM

    Prashant,

     

    The log entries will show you when this changes, and for the setting showing in the database, below are the entries created, in bold:

     

    select propkey,propvalue from cluster_properties where propkey like "%audit.%";
    +-------------------------------+---------------------------------------------+
    | propkey                       | propvalue                                   |
    +-------------------------------+---------------------------------------------+
    | audit.sink.alwaysSaveInternal | true                                        |
    | audit.sink.policy.guid        | 46639933-fdb7-491d-a67a-050b89dbd709        |
    | audit.lookup.policy.guid      | 4482e7f2-8f25-4e88-92d5-93a1239a3161        |
    | audit.acknowledge.highestTime | 1506018412136                               |
    +-------------------------------+---------------------------------------------+

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 13.  Re: Configuration changed after Enabling Audit sink-

    Posted Sep 22, 2017 01:36 PM

    Great thanks Stephen !! 

    I will try to configure an email alert on the basis of the parameter audit.sink.alwaysSaveInternal | true.

    Will update this group by tomorrow.

     

    Thanks!

    Prashant Srivastava



  • 14.  Re: Configuration changed after Enabling Audit sink-
    Best Answer

    Posted Sep 25, 2017 02:07 AM

    Great Thanks Stephen!!

     

    Just tested enabling and disabling audit sink; I can see the property audit.sink.alwaysSaveInternal | true and false respectively.

     

    ***** Closing this thread, thank you all for your inputs *****
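
The alerting idea discussed in posts 10 to 14, as an added example that is not code from any poster or from the product: it scans log lines for the markers quoted in the thread and compares two snapshots of the `audit.%` rows from `cluster_properties`. The function names, the sample lines, and the layout of everything around the quoted marker strings are assumptions; only the action `created` appears in the thread, and other action words are simply passed through.

```python
import re

# Marker strings quoted in posts 10 and 11; the surrounding line layout is assumed.
PROP_RE = re.compile(r"ClusterProperty #[0-9a-f]+ \((audit\.[\w.]+)\) (\w+)")
MARKERS = {
    "Audit Sink Policy started": "sink_policy_started",
    "com.l7tech.server: Internal Audit System started": "internal_audit_started",
    "com.l7tech.server: Internal Audit System disabled": "internal_audit_disabled",
}
TS_RE = re.compile(r"\d{8} \d{2}:\d{2}:\d{2}\.\d{3}")
# Properties the thread ties to enabling or disabling the audit sink.
WATCHED = ("audit.sink.alwaysSaveInternal", "audit.sink.policy.guid")


def scan_log(lines):
    """Return (timestamp or None, event, detail) for each audit-config marker."""
    events = []
    for line in lines:
        ts = TS_RE.search(line)
        ts = ts.group(0) if ts else None
        m = PROP_RE.search(line)
        if m:
            events.append((ts, "cluster_property_" + m.group(2), m.group(1)))
            continue
        for text, name in MARKERS.items():
            if text in line:
                events.append((ts, name, ""))
    return events


def diff_properties(before, after):
    """Compare two {propkey: propvalue} snapshots; report watched keys that changed."""
    return [(k, before.get(k), after.get(k)) for k in WATCHED
            if before.get(k) != after.get(k)]


# Constructed sample input, modeled on the lines quoted in the thread.
SAMPLE_LOG = [
    "NONE\t0001\tGateway1\t20170921 11:26:43.278\tINFO\tClusterProperty #00a1 (audit.sink.alwaysSaveInternal) created",
    "NONE\t0002\tGateway1\t20170921 11:26:43.860\tINFO\tAudit Sink Policy started",
    "20170922 09:00:00.000 INFO com.l7tech.server: Internal Audit System disabled",
    "20170922 09:00:01.000 INFO com.l7tech.server: Service published",
]

if __name__ == "__main__":
    for event in scan_log(SAMPLE_LOG):
        print(event)
    print(diff_properties({"audit.sink.alwaysSaveInternal": "true"},
                          {"audit.sink.alwaysSaveInternal": "false"}))
```

The snapshots passed to `diff_properties` are expected to come from a read-only run of the query shown in post 12, taken at two points in time.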