topic Re: Alfresco 4.2 Audit Filter in Alfresco Forum

Alfresco 4.2 Audit Filter

luca — Wed, 01 Feb 2017 17:40:43 GMT

Hi,I'm trying to filter data in the build in alfresco-access audit application, but it's not working.I want to audit only READ and DELETE actions and exclude one particular user called synchronizer, so in my alfresco-global.properties I put this:# Auditaudit.enabled=trueaudit.tagging.enabled=falseau

Re: Alfresco 4.2 Audit Filter

afaust — Thu, 02 Feb 2017 22:03:28 GMT

The audit filter can only filter the audit events if they actually contain the specific property to filter on. Filtering is performed on the inbound data. Since that inbound data does not contain the "user" property (instead it contains "loginUser") the event passes the user filter.

Re: Alfresco 4.2 Audit Filter

luca — Fri, 03 Feb 2017 08:34:18 GMT

Hi Axel,

thanks for your help, but reading this guide is not clear what I have to write down. I looked also in AuditComponentImpl, but I see that it never checks PropertyAuditFilter because it is searching for a property named audit.filter.alfresco-api.post.AuthenticationService.default.enabled or audit.filter.alfresco-api.pre.AuthenticationService.authenticate.default.enabled but it doesn't find anything.

Can you please tell me what is the right configuration if I want to audit only READ and DELETE actions and exclude user synchronizer?

By the way, I used also your cleanAlfPropTables-PostgreSQL.sql and build it as a function. Now I wanted to contribute back, but don't know how. I have forked your repository, cloned mine locally, added the cleanAlfPropFunction-PostgreSQL.sql and pushed back in my repository.

How can I make a pull request?

Re: Alfresco 4.2 Audit Filter

afaust — Fri, 03 Feb 2017 08:51:20 GMT

The clean up script has been integrated into Alfresco 5.x. Since mine is just a Gist I don't know if there even is a way to create a pull request for those.

You need to change

audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*‍

into

audit.filter.alfresco-api.post.AuthenticationService.authenticate.args.userName=~System;~null;~synchronizer;.*‍‍

This is because - as I said - audit filters only work on inbound data, and for the login use case the inbound data comes from the alfresco-api data producer and only if it is not rejected does it get mapped into the alfresco-access audit application. See the definition of alfresco-access path mapping for reference.

Years ago I filed MNT-10070 for better (easier to use) audit filter support but Alfresco has not really implemented that - instead they focused on a small thing in that ticket, fixed that and called it "done".

Re: Alfresco 4.2 Audit Filter

luca — Fri, 03 Feb 2017 09:31:22 GMT

Thank you very much for pointing me out alfresco-access path mapping. Now I understand much better what to put as filter configuration.

Also your configuration works as you said, thank again!