MarkLogic Server provides an auditing facility to audit various events such as document read access, server startup, server shutdown, document permission changes, and so on. These audit event records are logged to audit files stored under the MarkLogic Server data directory for each instance of MarkLogic Server. This chapter describes the auditing features and includes the following parts:
Auditing in MarkLogic Server enables you to specify which events should generate an audit event record. You can choose from a large list of events to audit, and can restrict audit events based on various identities (user, role, or document URI). This section describes the logging capabilities of MarkLogic Server and includes the following parts:
When auditing is enabled, MarkLogic Server writes audit events to the AuditLog.txt
file. Each host in a cluster maintains its own audit log files. Some actions might trigger multiple audit events, and those events might be logged over multiple hosts, as events are audited on the host in which the event occurs. For more information about the audit events, see Auditable Events. Note the following about the audit event log files:
AuditLog.txt
file for various events._AccessLog.txt
) and the Error log files (ErrorLog.txt
), which is in the <marklogic-data-dir>/Logs
directory. These files are private to the host in which the audit event occurred. The following table shows the location of the AuditLog.txt
files on the various platforms.
You can configure auditing to restrict events that are audited based on the following criteria:
For the procedure to set up auditing, see Configuring Auditing to Audit Certain Events and Set Up Certain Restrictions.
You can choose to audit only unsuccessful, only successful, or both types of events. If you audit many events and/or if you audit both successful and unsuccessful events, then you may end up auditing a lot of events. It is not really a problem to audit many events, but it might make your audit logs get very large very fast. For the procedure to set up auditing, see Configuring Auditing to Audit Certain Events and Set Up Certain Restrictions.
You can enable or disable auditing for each group. If auditing is enabled for a group, any configured auditable event for that group is audited. For details on the procedure to enable auditing, see Enabling Auditing for a Group.
There are many auditable events in MarkLogic Server. When auditing is enabled, any enabled auditable event logs are written to the AuditLog.txt
file. In a clustered environment, audit events are written to the audit file on the host in which the event occurs. Some activities might result in audit events that are distributed over multiple hosts, because events are audited on the host in which the event occurs. For example, the document access audit events are audited on the data node where the forest containing the document is hosted, therefore if a query that updates a document is run, it could cause (depending on the audit configuration and the cluster configuration) audit events to occur on the node in which the query is evaluated (the evaluation-node) and on one or more data-nodes where the affected documents are hosted.
The following table lists the auditable events you can enable in MarkLogic Server.
The information included in an audit log depends on the type of event. All audit log entries include basic information such as the event type, user, success, and roles assigned to the user. Audit log entries may include the following space-separated fields:
Log Entry Field | Description | Example |
---|---|---|
Timestamp | Contains the date and time the auditable action occurred. | 2012-03-26 10:55:53.735 |
Event | The name of the event that triggered the log entry. The possible auditable events are listed in Auditable Events. | event=amp-usage |
Function | The function that was being executed during the event. | function=http://marklogic.com/xdmp/admin:read-config-file |
Expression | The query expression that triggered this audit event. | expr=cts:element-value-query(xs:QName("info:status"), ("active", "unloading"), ("unstemmed","lang=en"), 1) |
Type | The type of task inside the MarkLogic server that generated the specific event. | type=node-update |
URI | The document URI involved in the event. | uri=/queries/5523898374388210414.txt |
Database | The database that was accessed during the event. | database=Security |
Outcome | This indicates the success or failure of the action that triggered the audit event. | success=true |
User | The user that performed the action. | user=infostudio-admin |
Roles | The roles assigned to the user performing the action. | roles=cpf-restart,infostudio-user |
Here are some sample AuditLog.txt
entries with user-specific information obfuscated.
2018-12-05 02:23:15.302 event=SMTP-client-authentication-failure; user=daemon; host=smtp.marklogic.com; success=false; 2018-12-05 02:42:11.515 event=HTTP-client-authentication-failure; user=xyz; type=digest; url=http://localhost:2975/qstring.sjs?sname=http-auth-digestbasic-modules-db; success=false; 2018-12-05 02:41:50.036 event=LDAP-client-authentication-failure; url=ldap://dc1.mltest1.local:389; success=false;
Auditing is configured at the group level using the Auditing page of the Admin Interface. For details on groups, see Groups. This section describes the following audit configuration procedures:
Perform the following steps to disable auditing for a group:
This will immediately disable auditing for the group. Any settings you had configured will remain, but will not be in effect until you enable auditing again.
The following is the general procedure for configuring audit events and audit restrictions. Your procedure will vary depending on what events and restrictions you choose to configure.