Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Alfresco 4.2 Audit Filter

Go to answer
luca
Star Contributor
Star Contributor

‎02-01-2017 12:40 PM

Hi,

I'm trying to filter data in the build in alfresco-access audit application, but it's not working.

I want to audit only READ and DELETE actions and exclude one particular user called synchronizer, so in my alfresco-global.properties I put this:

# Audit
audit.enabled=true
audit.tagging.enabled=false
audit.alfresco-access.enabled=true

# audit access-filter
audit.filter.alfresco-access.default.enabled=false
audit.filter.alfresco-access.default.user=~System;~null;~synchronizer;.*
audit.filter.alfresco-access.default.type=cm:folder;cm:content
audit.filter.alfresco-access.default.path=/app:company_home/.*
audit.filter.alfresco-access.transaction.user=~System;~null;~synchronizer;.*
audit.filter.alfresco-access.transaction.action=READ;DELETE
audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*

In the log I see that login from synchronizer user are stored in the audit tables:

2017-02-01 18:18:45,067  DEBUG [repo.audit.AuditComponentImpl] [http-bio-8881-exec-5]
Extracted audit data:
        Application:    AuditApplication[ name=alfresco-access, id=2, disabledPathsId=5694]
        Values:
                /alfresco-access/login=null
                /alfresco-access/loginUser=synchronizer




        New Data:
                /alfresco-access/login/user=synchronizer




 2017-02-01 18:18:45,070  DEBUG [repo.audit.AuditComponentImpl] [http-bio-8881-exec-5]
New audit entry:
        Application ID: 2
        Entry ID:       58797
        Values:
                /alfresco-access/login=null
                /alfresco-access/loginUser=synchronizer




        Audit Data:
                /alfresco-access/login/user=synchronizer
Labels:
0 Kudos
1 ACCEPTED ANSWER

Go to answer
afaust
Legendary Innovator
Legendary Innovator
In response to luca

‎02-03-2017 03:51 AM

The clean up script has been integrated into Alfresco 5.x. Since mine is just a Gist I don't know if there even is a way to create a pull request for those.

You need to change

audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*

into

audit.filter.alfresco-api.post.AuthenticationService.authenticate.args.userName=~System;~null;~synchronizer;.*‍

This is because - as I said - audit filters only work on inbound data, and for the login use case the inbound data comes from the alfresco-api data producer and only if it is not rejected does it get mapped into the alfresco-access audit application. See the definition of alfresco-access path mapping for reference.

Years ago I filed MNT-10070 for better (easier to use) audit filter support but Alfresco has not really implemented that - instead they focused on a small thing in that ticket, fixed that and called it "done".

View answer in original post

4 REPLIES 4

Go to answer
afaust
Legendary Innovator
Legendary Innovator

‎02-02-2017 05:03 PM

The audit filter can only filter the audit events if they actually contain the specific property to filter on. Filtering is performed on the inbound data. Since that inbound data does not contain the "user" property (instead it contains "loginUser") the event passes the user filter.

0 Kudos

Go to answer
luca
Star Contributor
Star Contributor
In response to afaust

‎02-03-2017 03:34 AM

Hi Axel,

thanks for your help, but reading this guide is not clear what I have to write down. I looked also in AuditComponentImpl, but I see that it never checks PropertyAuditFilter because it is searching for a property named audit.filter.alfresco-api.post.AuthenticationService.default.enabled or audit.filter.alfresco-api.pre.AuthenticationService.authenticate.default.enabled but it doesn't find anything.

Can you please tell me what is the right configuration if I want to audit only READ and DELETE actions and exclude user synchronizer?

By the way, I used also your cleanAlfPropTables-PostgreSQL.sql and build it as a function. Now I wanted to contribute back, but don't know how. I have forked your repository, cloned mine locally, added the cleanAlfPropFunction-PostgreSQL.sql and pushed back in my repository.

How can I make a pull request?

0 Kudos

Go to answer
afaust
Legendary Innovator
Legendary Innovator
In response to luca

‎02-03-2017 03:51 AM

The clean up script has been integrated into Alfresco 5.x. Since mine is just a Gist I don't know if there even is a way to create a pull request for those.

You need to change

audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*

into

audit.filter.alfresco-api.post.AuthenticationService.authenticate.args.userName=~System;~null;~synchronizer;.*‍

This is because - as I said - audit filters only work on inbound data, and for the login use case the inbound data comes from the alfresco-api data producer and only if it is not rejected does it get mapped into the alfresco-access audit application. See the definition of alfresco-access path mapping for reference.

Years ago I filed MNT-10070 for better (easier to use) audit filter support but Alfresco has not really implemented that - instead they focused on a small thing in that ticket, fixed that and called it "done".

Go to answer
luca
Star Contributor
Star Contributor
In response to afaust

‎02-03-2017 04:31 AM

Thank you very much for pointing me out alfresco-access path mapping. Now I understand much better what to put as filter configuration.

Also your configuration works as you said, thank again!

0 Kudos
Getting started

Explore our Alfresco products with the links below. Use labels to filter content by product module.

Copyright © 2024 Khoros, LLC