02-01-2017 09:40 AM
Hi,
I'm trying to filter data in the built-in alfresco-access audit application, but it's not working.
I want to audit only READ and DELETE actions and exclude one particular user called synchronizer, so in my alfresco-global.properties I put this:
# Audit
audit.enabled=true
audit.tagging.enabled=false
audit.alfresco-access.enabled=true
# audit access-filter
audit.filter.alfresco-access.default.enabled=false
audit.filter.alfresco-access.default.user=~System;~null;~synchronizer;.*
audit.filter.alfresco-access.default.type=cm:folder;cm:content
audit.filter.alfresco-access.default.path=/app:company_home/.*
audit.filter.alfresco-access.transaction.user=~System;~null;~synchronizer;.*
audit.filter.alfresco-access.transaction.action=READ;DELETE
audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*
In the log I see that logins from the synchronizer user are stored in the audit tables:
2017-02-01 18:18:45,067 DEBUG [repo.audit.AuditComponentImpl] [http-bio-8881-exec-5]
Extracted audit data:
Application: AuditApplication[ name=alfresco-access, id=2, disabledPathsId=5694]
Values:
/alfresco-access/login=null
/alfresco-access/loginUser=synchronizer
New Data:
/alfresco-access/login/user=synchronizer
2017-02-01 18:18:45,070 DEBUG [repo.audit.AuditComponentImpl] [http-bio-8881-exec-5]
New audit entry:
Application ID: 2
Entry ID: 58797
Values:
/alfresco-access/login=null
/alfresco-access/loginUser=synchronizer
Audit Data:
/alfresco-access/login/user=synchronizer
02-03-2017 12:51 AM
The clean up script has been integrated into Alfresco 5.x. Since mine is just a Gist I don't know if there even is a way to create a pull request for those.
You need to change
audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*
into
audit.filter.alfresco-api.post.AuthenticationService.authenticate.args.userName=~System;~null;~synchronizer;.*
This is because - as I said - audit filters only work on inbound data, and for the login use case the inbound data comes from the alfresco-api data producer and only if it is not rejected does it get mapped into the alfresco-access audit application. See the definition of alfresco-access path mapping for reference.
Years ago I filed MNT-10070 for better (easier to use) audit filter support but Alfresco has not really implemented that - instead they focused on a small thing in that ticket, fixed that and called it "done".
02-02-2017 02:03 PM
The audit filter can only filter the audit events if they actually contain the specific property to filter on. Filtering is performed on the inbound data. Since that inbound data does not contain the "user" property (instead it contains "loginUser") the event passes the user filter.
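The behaviour described in the two replies above, as a simplified model added here (it is not Alfresco's code and not from the thread). The function names and the shapes of the inbound maps are assumptions; the `~` prefix is treated as "reject on match" with the first matching pattern deciding, and the `enabled` switches are not modelled.

```python
import re

RULE = "~System;~null;~synchronizer;.*"  # filter value taken from the thread

def accept_value(value, rule):
    """First pattern that fully matches decides; '~' marks a rejecting pattern."""
    text = "null" if value is None else str(value)
    for part in rule.split(";"):
        reject = part.startswith("~")
        if re.fullmatch(part[1:] if reject else part, text):
            return not reject
    return False  # nothing matched: reject

def filter_key(root_path, data_key):
    """Build the property name a filter must have to apply to this inbound key."""
    dotted = (root_path.strip("/") + "/" + data_key.strip("/")).replace("/", ".")
    return "audit.filter." + dotted

def accept_event(root_path, inbound, filters):
    """Only keys present in the inbound map are looked up; a filter naming an
    absent key is never consulted, and keys without a filter pass."""
    for key, value in inbound.items():
        rule = filters.get(filter_key(root_path, key))
        if rule is not None and not accept_value(value, rule):
            return False
    return True

# Constructed inbound maps (assumed shapes, modelled on the thread).
ACCESS_LOGIN = ("/alfresco-access/login", {"loginUser": "synchronizer"})
API_LOGIN = ("/alfresco-api/post/AuthenticationService/authenticate",
             {"args/userName": "synchronizer"})

ORIGINAL = {"audit.filter.alfresco-access.login.user": RULE}
CORRECTED = {"audit.filter.alfresco-api.post.AuthenticationService"
             ".authenticate.args.userName": RULE}

if __name__ == "__main__":
    print("original filter accepts event:", accept_event(*ACCESS_LOGIN, ORIGINAL))
    print("corrected filter accepts event:", accept_event(*API_LOGIN, CORRECTED))
```

The first call returns True because the inbound map has no "user" key, so the event is still audited; the second returns False because the filter is keyed on a property the inbound data actually carries.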
02-03-2017 12:34 AM
Hi Axel,
thanks for your help, but from reading this guide it is not clear what I have to write down. I also looked in AuditComponentImpl, but I see that it never checks PropertyAuditFilter because it is searching for a property named audit.filter.alfresco-api.post.AuthenticationService.default.enabled or audit.filter.alfresco-api.pre.AuthenticationService.authenticate.default.enabled but it doesn't find anything.
Can you please tell me what is the right configuration if I want to audit only READ and DELETE actions and exclude user synchronizer?
By the way, I also used your cleanAlfPropTables-PostgreSQL.sql and built it as a function. Now I wanted to contribute back, but don't know how. I have forked your repository, cloned mine locally, added the cleanAlfPropFunction-PostgreSQL.sql and pushed back to my repository.
How can I make a pull request?
02-03-2017 01:31 AM
Thank you very much for pointing me to the alfresco-access path mapping. Now I understand much better what to put as filter configuration.
Also your configuration works as you said, thanks again!