Skip to main content

Administrating MarkLogic Server

Auditable Events

There are many auditable events in MarkLogic Server. When auditing is enabled, any enabled auditable event logs are written to the AuditLog.txt file. In a clustered environment, audit events are written to the audit file on the host in which the event occurs. Some activities might result in audit events that are distributed over multiple hosts, because events are audited on the host in which the event occurs. For example, the document access audit events are audited on the data node where the forest containing the document is hosted, therefore if a query that updates a document is run, it could cause (depending on the audit configuration and the cluster configuration) audit events to occur on the node in which the query is evaluated (the evaluation-node) and on one or more data-nodes where the affected documents are hosted.

The following table lists the auditable events you can enable in MarkLogic Server:

Event

Description

URI Restrictions

Role/User Restrictions

Success or Failure Restrictions

amp-usage

Audits the URI of an amp when it is evaluated.

Yes, based on the URI of the amp

Yes

Success Only

audit-configuration-change

Audits the success or failure of a change to an auditing configuration.

N/A

Yes

Yes

audit-shutdown

Audits when the audit system is disabled.

N/A

Yes

Yes

audit-startup

Audits when the audit system is enabled. Note that this event does not occur when MarkLogic Server starts up, only when the audit system is enabled.

N/A

Yes

Yes

authentication-failure

Audits failed authentication attempts.

N/A

Yes

Failure Only

concurrent-request-denial

Audits when a request is denied because the concurrent request limit on the App Server was reached.

N/A

Yes

Failure Only

configuration-change

Audits the success or failure of a change to a configuration file, including the path to the configuration file that changed.

N/A

Yes

Yes

document-execute

Audits when a document in a database is executed (for example, an XQuery document) and includes the document URI in the audit record.

Yes

Yes

Success Only

document-insert

Audits when a new document is created and includes the document URI in the audit record.

Yes

Yes

Success Only

document-protect

Audits the document URI when a temporal document is protected from certain operations.

Yes

Yes

Success Only

document-read

Audits when a document is read and includes the document URI in the audit record.

Yes

Yes

Success Only

document-update

Audits when a document is updated and includes the document URI in the audit record.

Yes

Yes

Success Only

document-wipe

Audits when a temporal document is wiped (all versions deleted) and includes the document URI in the audit record.

Yes

Yes

Success Only

estimate

Audits when an xdmp:estimate expression is evaluated.

N/A

Yes

Success Only

eval

Audits when a path expression that accesses the database is evaluated.

N/A

Yes

Success Only

exists

Audits when an xdmp:exists expression is evaluated.

N/A

Yes

Success Only

external-authentication-failure

Audits when an external authorization attempt fails.

N/A

Yes

Success Only

FIPS-Disabled

Audits when FIPS mode is disabled.

N/A

N/A

Success Only

FIPS-Enabled

Audits when FIPS mode is enabled.

N/A

N/A

Success Only

HTTP-client-authentication-failure

Audits failed HTTP client authentication attempts.

N/A

Yes

Failure Only

internal-keystore [ML 10.0-4 and up]

Audits all operations on the internal KMS.

No

No

No

LDAP-client-authentication-failure

Audits failed LDAP client authentication attempts.

N/A

Yes

Failure Only

lexicon-read

Audits when a value lexicon (for example, cts:element-values) call is used.

N/A

Yes

Success Only

login-dynamic-roles

Audits the user and role information when the user is logged in with dynamic roles.

No

No

Success Only

mlcp-copy-export-finish

Audits when an mlcp copy or export job has completed whether or not it is successful.

N/A

N/A

No

mlcp-copy-export-start

Audits when an mlcp copy or export job is about to start.

N/A

N/A

Success Only

no-permission

Audits when an operation fails because of a SEC-PERMDENIED exception, which happens when an operation on a document (insert, update, or execute) is attempted without the needed permissions.

Yes

Yes

Failure Only

no-privilege

Audits when a user has insufficient privileges to perform a particular function.

Yes

Yes

Failure Only

optic

Audits when an Optic call completes.

N/A

Yes

Success Only

permissions-change

Audits when permissions on a document are modified.

Yes

Yes

Yes

qconsole-eval [ML 10.0-4 and up]

Audits queries evaluated in the query console.

No

No

No

request-blackout-denial

Audits when a request is denied due to a request blackout period.

N/A

Yes

Failure Only (when denied)

role-change-failure

Audits when adding or removing a user role fails.

N/A

Yes

Failure Only

role-query-change-failure [ML 10.0-7 and up]

Audits when QBAC fails to add a user role to or remove a user role from a query.

No

No

Failure Only

search

Audits when a cts:search expression is evaluated.

N/A

Yes

Success Only

security-access

Audits when one of these security-related functions is called:

N/A

Yes

Yes

server-restart

Audits when MarkLogic Server is restarted with a clean restart (for example, from the Admin Interface).

N/A

Yes

Success Only

server-shutdown

Audits when MarkLogic Server is shut down with a clean shutdown (for example, from the shutdown scripts or from the Admin Interface).

N/A

Yes

Success Only

server-startup

Audits when MarkLogic Server starts up.

N/A

N/A

Success Only

SMTP-client-authentication-failure

Audits failed SMTP client authentication attempts.

N/A

Yes

Failure Only

SPARQL

Audits when a SPARQL call completes.

N/A

Yes

Success Only

SQL

Audits when a SQL call completes.

N/A

Yes

Success Only

temporal-override

Audits when the user overrides system-managed metadata for temporal documents.

No

No

No

TLS-Failure

Audits when a TLS or SSL request fails and includes the IP address.

N/A

N/A

Failure Only

user-configuration-change

Audits when anything in a user configuration changes.

N/A

Yes

Yes

user-role-addition

Audits when a user role is added.

N/A

Yes

Yes

user-role-query-addition [ML 10.0-7 and up]

Audits when QBAC adds a user role to a query.

No

No

Success Only

user-role-query-removal [ML 10.0-7 and up]

Audits when QBAC removes a user role from a query.

No

No

Success Only

user-role-removal

Audits when a user role is removed.

N/A

Yes

Yes