[OPENAM-14123] Audit logs not showing before and after values Created: 13/Dec/18  Updated: 19/Dec/18  Resolved: 19/Dec/18

Status: Closed
Project: OpenAM
Component/s: audit logging, configurator, debug logging, log
Affects Version/s: 13.5.0, 13.5.2, 5.5.1
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Jobby Thomas Assignee: Unassigned
Resolution: Not a defect Votes: 0
Labels: Logging, audit
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified



Problem Description:

Customer is trying to capture OpenAM configuration changes to audit tables. When the customer makes any changes in a realm or the configuration, the changes are not captured: the Before Object and After Object fields are null in the am_auditconfig table. Even in the audit log of AM and DS audit logging that has AM as its data store/config store


Business Case: Customer wants to possibly capture that information; that will be great, as this way the customer has the proof of what was done before the change and what it became after the change.

Current behavior:

After making an authentication module optional, the audit logs only record the after change:

    13/Dec/2018:13:56:37 -0600; conn=8; op=136
    dn: ou=ldapService,ou=Configurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthConfiguration,ou=services,dc=example,dc=com
    changetype: modify
    replace: sunKeyValue
    sunKeyValue: iplanet-am-auth-configuration=<AttributeValuePair><Value>DataStore OPTIONAL </Value></AttributeValuePair>
    -
    replace: modifiersName
    modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
    -
    replace: modifyTimestamp
    modifyTimestamp: 20181213195637Z


This is the audit log located in  (if AM has DS as config store)


Please also review the  audit.am_auditconfig


Comment by Andrew Vinall [ 17/Dec/18 ]

Bug Triage: Craig McDonnell, do we do this already and filter it out? Can we change this by config or is there a code change required?

Comment by Craig McDonnell [ 18/Dec/18 ]

By default, we filter out the before and after state from audit logs. To log this information:

  • Log in to the admin console
  • Select "Configure" > "Global Services" > "Audit Logging"
  • On the "Global Attributes" tab, remove /config/before and /config/after from the "Field exclusion policies" and "Save Changes"
  • On the "Realm Defaults" tab, remove /config/before and /config/after from the "Field exclusion policies" and "Save Changes"

If you have added the Audit Service to a realm, you will need to make a similar change to the realm audit service configuration:

  • Navigate to <<Realm>>
  • Select "Services"
  • Select "Audit Logging" (if the audit logging service is not present then there's nothing to configure for this realm)
  • On the "Configuration" tab, remove /config/before and /config/after from the "Field exclusion policies" and "Save Changes"
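
The effect of the field exclusion policies on a config audit event, as an added example that is not AM's own code and not part of the original ticket. Only /config/before and /config/after come from the comment above; the event layout, the "before" value, the /access pointer and the reading of a policy as /<topic>/<field path> are assumptions made for illustration.

```python
import copy

# Constructed config-topic audit event; the layout and the "before" value are
# assumptions for illustration, not copied from an AM log.
SAMPLE_EVENT = {
    "eventName": "AM-CONFIG-CHANGE",
    "operation": "UPDATE",
    "objectId": "ou=ldapService,ou=Configurations,ou=default",
    "before": {"iplanet-am-auth-configuration": "DataStore REQUIRED"},
    "after": {"iplanet-am-auth-configuration": "DataStore OPTIONAL"},
}

# Policies as described in the comment above, plus one constructed /access entry.
AS_REPORTED = ["/config/before", "/config/after",
               "/access/http/request/headers/authorization"]
AFTER_CHANGE = ["/access/http/request/headers/authorization"]


def split_policy(pointer):
    """Assumed form: /<topic>/<field path>, e.g. /config/before."""
    parts = [p for p in pointer.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"policy needs a topic and a field: {pointer!r}")
    return parts[0], parts[1:]


def apply_exclusions(topic, event, policies):
    """Return a copy of event with every field excluded for this topic removed."""
    filtered = copy.deepcopy(event)
    for pointer in policies:
        pol_topic, path = split_policy(pointer)
        if pol_topic != topic:
            continue
        node = filtered
        for key in path[:-1]:          # walk to the parent of the excluded field
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict):
            node.pop(path[-1], None)
    return filtered


def missing_state(logged_event):
    """Names of the change-state fields an audit record fails to carry."""
    return [f for f in ("before", "after") if logged_event.get(f) is None]


if __name__ == "__main__":
    for name, policies in (("as reported", AS_REPORTED), ("after change", AFTER_CHANGE)):
        logged = apply_exclusions("config", SAMPLE_EVENT, policies)
        print(name, "-> missing:", missing_state(logged) or "nothing")
```

missing_state can also be run over records read back from the audit store to confirm that the policy change took effect in every realm that has its own Audit Logging service.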
Generated at Mon Mar 08 12:12:48 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.