Auditable Events
There are many auditable events in MarkLogic Server. When auditing is enabled, any enabled auditable event logs are written to the AuditLog.txt file. In a clustered environment, audit events are written to the audit file on the host in which the event occurs. Some activities might result in audit events that are distributed over multiple hosts, because events are audited on the host in which the event occurs. For example, the document access audit events are audited on the data node where the forest containing the document is hosted, therefore if a query that updates a document is run, it could cause (depending on the audit configuration and the cluster configuration) audit events to occur on the node in which the query is evaluated (the evaluation-node) and on one or more data-nodes where the affected documents are hosted.
The following table lists the auditable events you can enable in MarkLogic Server:
Event |
Description |
URI Restrictions |
Role/User Restrictions |
Success or Failure Restrictions |
|---|---|---|---|---|
|
Audits the URI of an amp when it is evaluated. |
Yes, based on the URI of the amp |
Yes |
Success Only |
|
Audits the success or failure of a change to an auditing configuration. |
N/A |
Yes |
Yes |
|
Audits when the audit system is disabled. |
N/A |
Yes |
Yes |
|
Audits when the audit system is enabled. Note that this event does not occur when MarkLogic Server starts up, only when the audit system is enabled. |
N/A |
Yes |
Yes |
|
Audits failed authentication attempts. |
N/A |
Yes |
Failure Only |
|
Audits when a request is denied because the concurrent request limit on the App Server was reached. |
N/A |
Yes |
Failure Only |
|
Audits the success or failure of a change to a configuration file, including the path to the configuration file that changed. |
N/A |
Yes |
Yes |
|
Audits when a document in a database is executed (for example, an XQuery document) and includes the document URI in the audit record. |
Yes |
Yes |
Success Only |
|
Audits when a new document is created and includes the document URI in the audit record. |
Yes |
Yes |
Success Only |
|
Audits the document URI when a temporal document is protected from certain operations. |
Yes |
Yes |
Success Only |
|
Audits when a document is read and includes the document URI in the audit record. |
Yes |
Yes |
Success Only |
|
Audits when a document is updated and includes the document URI in the audit record. |
Yes |
Yes |
Success Only |
|
Audits when a temporal document is wiped (all versions deleted) and includes the document URI in the audit record. |
Yes |
Yes |
Success Only |
|
Audits when an |
N/A |
Yes |
Success Only |
|
Audits when a path expression that accesses the database is evaluated. |
N/A |
Yes |
Success Only |
|
Audits when an |
N/A |
Yes |
Success Only |
|
Audits when an external authorization attempt fails. |
N/A |
Yes |
Success Only |
|
Audits when FIPS mode is disabled. |
N/A |
N/A |
Success Only |
|
Audits when FIPS mode is enabled. |
N/A |
N/A |
Success Only |
|
Audits failed HTTP client authentication attempts. |
N/A |
Yes |
Failure Only |
|
Audits all operations on the internal KMS. |
No |
No |
No |
|
Audits failed LDAP client authentication attempts. |
N/A |
Yes |
Failure Only |
|
Audits when a value lexicon (for example, |
N/A |
Yes |
Success Only |
|
Audits the user and role information when the user is logged in with dynamic roles. |
No |
No |
Success Only |
|
Audits when an mlcp copy or export job has completed whether or not it is successful. |
N/A |
N/A |
No |
|
Audits when an mlcp copy or export job is about to start. |
N/A |
N/A |
Success Only |
|
Audits when an operation fails because of a |
Yes |
Yes |
Failure Only |
|
Audits when a user has insufficient privileges to perform a particular function. |
Yes |
Yes |
Failure Only |
|
Audits when an Optic call completes. |
N/A |
Yes |
Success Only |
|
Audits when permissions on a document are modified. |
Yes |
Yes |
Yes |
|
Audits when any internal server operations occur that are related to PKI or KMS usage. |
N/A |
N/A |
No |
|
Audits when any public API operations occur that are related to PKI or KMS usage. |
N/A |
N/A |
No |
|
Audits queries evaluated in the query console. |
No |
No |
No |
|
Audits when a request is denied due to a request blackout period. |
N/A |
Yes |
Failure Only (when denied) |
|
Audits when adding or removing a user role fails. |
N/A |
Yes |
Failure Only |
|
Audits when QBAC fails to add a user role to or remove a user role from a query. |
No |
No |
Failure Only |
|
Audits when a |
N/A |
Yes |
Success Only |
|
Audits when one of these security-related functions is called: |
N/A |
Yes |
Yes |
|
Audits when MarkLogic Server is restarted with a clean restart (for example, from the Admin Interface). |
N/A |
Yes |
Success Only |
|
Audits when MarkLogic Server is shut down with a clean shutdown (for example, from the shutdown scripts or from the Admin Interface). |
N/A |
Yes |
Success Only |
|
Audits when MarkLogic Server starts up. |
N/A |
N/A |
Success Only |
|
Audits failed SMTP client authentication attempts. |
N/A |
Yes |
Failure Only |
|
Audits when a SPARQL call completes. |
N/A |
Yes |
Success Only |
|
Audits when a SQL call completes. |
N/A |
Yes |
Success Only |
|
Audits when the user overrides system-managed metadata for temporal documents. |
No |
No |
No |
|
Audits when a TLS or SSL request fails and includes the IP address. |
N/A |
N/A |
Failure Only |
|
Audits when anything in a user configuration changes. |
N/A |
Yes |
Yes |
|
Audits when a user role is added. |
N/A |
Yes |
Yes |
|
Audits when QBAC adds a user role to a query. |
No |
No |
Success Only |
|
Audits when QBAC removes a user role from a query. |
No |
No |
Success Only |
|
Audits when a user role is removed. |
N/A |
Yes |
Yes |