Question
Logs for SMA login details
Hi,
Is there anyway to enable logs to monitor the Users loging into SMA. We have enabled Security for SMA, but we do not have any track on who/when logged in to SMA.
domenicoGiffone_GCS Thank You, Any such property in WebSphere Application Server ?
Hi domenicoGiffone_GCS is there any update on KrishnanS9686 question? apprecieate your help on this. thank you.
Hi @JohnPaulB apologies for the delayed reply.
The same task can be performed on WAS after the SMA application has been secured by enabling the WebSphere security auditing subsystem.
The main steps to follows are:
- Enabling the security auditing subsystem
- Configure the security auditing event type filters
- Configure the audit service provider
After applying the former steps and restarting the server an audit log file will be created in the $LOG_ROOT path.
In my case the file was placed in the /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs path and named BinaryAudit_DefaultCell01_DefaultNode01_server1.log
To make a test I mapped the PegaDiagnosticUser role to the wsadmin user and the following content appeared in the audit log as soon as I logged in SMA:
Seq = 642 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | OutcomeReason = SUCCESS |
OutcomeReasonCode = 5 | SessionId = null | RemoteHost = 172.17.0.1 | RemoteAddr = 172.17.0.1 |
RemotePort = 56248 | ProgName = /getnodes | Action = webAuth | AppUserName = wsadmin |
ResourceName = GET | RegistryUserName = defaultWIMFileBasedRealm/wsadmin |
AccessDecision = authnSuccess | ResourceType = web |
ResourceUniqueId = 0 | PermissionsChecked = null |
PermissionsGranted = null | RolesChecked = null | RolesGranted = null |
CreationTime = Fri Aug 31 12:42:10 EET 2018 |
GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED |
Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry |
AuthnType = challengeResponse | Provider = WebSphere |
ProviderStatus = providerSuccess
For further details on Auditable security events please refer to the link below.
If you want to reduce the verbosity of the audit file you can create a dedicated filter for SECURITY_AUTHN events only.
Hi DomenicoGiffone_GCS, thank you very much for your response it was very helpful and apology for belayed reply.
one more clarification please, as we checked all login logs is monitored including WAS/PRPC log in, is there a way to filter on SMA logs? thank you.
Hi @JohnPaulB,
thanks for the feedback. I'm not aware of a way to filter auditable events just for a single application but better to route this question to your Websphere administrator.
You can however filter the generated logs for all the events produced by the prsysmgmt application.
Another way to quickly identify SMA authentication events is to filter for events with the following predicates:
- "Event Type = SECURITY_AUTHN"
- "ProgName = /getnodes | Action = webAuth"
Cheers,
Domenico
Since SMA authentication is leveraging container managed authentication you need to configure the application server accordingly.
In Tomcat this is as easy as adding the following entries to your $CATALINA_BASE/conf/logging.properties
Then, when logging into SMA with the username (smauser) configured in the security realm, you can observe the following entries in the catalina.out logs