AEM has introduced the ability to log permission changes so they can be audited at a later time.
The enhancement allows auditing of CRUD (Create, Read, Update, Delete) actions on permissions and group assignments of users. More specifically, it will log:
- A new user getting created
- A user being added to a group
- Permission changes of an existing user or group
Redirecting the output to a separate log file
To redirect the logging output to a separate log file, you'll need to create a new Apache Sling Logging Logger configuration. We'll use useraudit.log as the name of the separate file in the example below.
1. Go to the Web Console by browsing to http://serveraddress:serverport/system/console/configMgr
2. Search for Apache Sling Logging Logger. Then, press the "+" on the right-hand side of the entry to create a new factory configuration.
3. Create the following configuration:
Log Level: Information
Log File: logs/useraudit.log
Message Pattern: leave default
Logger: com.adobe.granite.security.user.internal.audit, com.adobe.granite.security.user.internal.servlets.AuthorizableServlet
4. To enter both loggers into the Logger field, enter the name of the first, then create another field by pressing the "+" button and enter the name of the second logger.
Sample output from the useraudit.log file:
19.05.2017 15:21:34.419 *INFO* [0:0:0:0:0:0:0:1 [1495196494417] POST /home/groups/d/dGf7f7vGrZRLs6HS3AK-.rw.html HTTP/1.1] com.adobe.granite.security.user.internal.audit.AuditAuthorizableAction Group 'group1' was removed
19.05.2017 15:21:34.419 *INFO* [0:0:0:0:0:0:0:1 [1495196494417] POST /home/groups/d/dGf7f7vGrZRLs6HS3AK-.rw.html HTTP/1.1] com.adobe.granite.security.user.internal.servlets.AuthorizableServlet Delete Group 'group1' operation initiated by User 'admin' (administrator)
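One way to review this log during an audit, as an added example (not code from the original post or from Adobe): the Python below parses entries in the layout of the sample output and groups the two loggers' lines by request thread, so each change is paired with the user who initiated it. It assumes every entry sits on one physical line; the function names are hypothetical and the "initiated by User" pattern is modeled on the sample only.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout read off the sample entries: date, *LEVEL*, [thread], logger, message.
ENTRY = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \*(?P<level>\w+)\* "
    r"\[(?P<thread>.*?)\] (?P<logger>[\w$]+(?:\.[\w$]+)+) (?P<msg>.*)$")
# Request threads look like "<client> [<number>] <METHOD> <path> HTTP/x.y".
REQUEST = re.compile(r"^(?P<client>\S+) \[\d+\] [A-Z]+ (?P<path>\S+) HTTP/[\d.]+$")
ACTOR = re.compile(r"initiated by User '(?P<user>[^']+)'")

THREAD = ("0:0:0:0:0:0:0:1 [1495196494417] "
          "POST /home/groups/d/dGf7f7vGrZRLs6HS3AK-.rw.html HTTP/1.1")
# The two entries from the sample output, each as one physical line.
SAMPLE = [
    f"19.05.2017 15:21:34.419 *INFO* [{THREAD}] com.adobe.granite.security.user"
    ".internal.audit.AuditAuthorizableAction Group 'group1' was removed",
    f"19.05.2017 15:21:34.419 *INFO* [{THREAD}] com.adobe.granite.security.user"
    ".internal.servlets.AuthorizableServlet Delete Group 'group1' operation "
    "initiated by User 'admin' (administrator)",
]

def parse(line):
    """Return one entry as a dict, or None for lines that are not audit entries."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d.%m.%Y %H:%M:%S.%f")
    req = REQUEST.match(entry["thread"])
    entry["request"] = req.groupdict() if req else {}
    return entry

def correlate(lines):
    """Pair each change with its initiator by grouping entries of one request."""
    groups = defaultdict(list)
    for n, entry in enumerate(filter(None, map(parse, lines))):
        # Only request threads are grouped; other thread names are reused over time.
        key = entry["thread"] if entry["request"] else (entry["thread"], n)
        groups[key].append(entry)
    events = []
    for entries in groups.values():
        actor = next((a["user"] for e in entries if (a := ACTOR.search(e["msg"]))), None)
        events.append({"when": entries[0]["ts"], "actor": actor,
                       "client": entries[0]["request"].get("client"),
                       "path": entries[0]["request"].get("path"),
                       "changes": [e["msg"] for e in entries]})
    return events
```

Calling `correlate(SAMPLE)` yields a single event for the sample request, with actor `admin` and both log messages attached.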