Help

Alfresco 4.2 Audit Filter

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
luca
Established Member
‎1 Feb 2017 5:40 PM

Alfresco 4.2 Audit Filter

Jump to solution

Hi,

I'm trying to filter data in the build in alfresco-access audit application, but it's not working.

I want to audit only READ and DELETE actions and exclude one particular user called synchronizer, so in my alfresco-global.properties I put this:

# Audit
audit.enabled=true
audit.tagging.enabled=false
audit.alfresco-access.enabled=true

# audit access-filter
audit.filter.alfresco-access.default.enabled=false
audit.filter.alfresco-access.default.user=~System;~null;~synchronizer;.*
audit.filter.alfresco-access.default.type=cm:folder;cm:content
audit.filter.alfresco-access.default.path=/app:company_home/.*
audit.filter.alfresco-access.transaction.user=~System;~null;~synchronizer;.*
audit.filter.alfresco-access.transaction.action=READ;DELETE
audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*

In the log I see that login from synchronizer user are stored in the audit tables:

2017-02-01 18:18:45,067  DEBUG [repo.audit.AuditComponentImpl] [http-bio-8881-exec-5]
Extracted audit data:
        Application:    AuditApplication[ name=alfresco-access, id=2, disabledPathsId=5694]
        Values:
                /alfresco-access/login=null
                /alfresco-access/loginUser=synchronizer




        New Data:
                /alfresco-access/login/user=synchronizer




 2017-02-01 18:18:45,070  DEBUG [repo.audit.AuditComponentImpl] [http-bio-8881-exec-5]
New audit entry:
        Application ID: 2
        Entry ID:       58797
        Values:
                /alfresco-access/login=null
                /alfresco-access/loginUser=synchronizer




        Audit Data:
                /alfresco-access/login/user=synchronizer
0 Kudos
1 Solution

Accepted Solutions
afaust
Master
‎3 Feb 2017 8:51 AM

Re: Alfresco 4.2 Audit Filter

Jump to solution

The clean up script has been integrated into Alfresco 5.x. Since mine is just a Gist I don't know if there even is a way to create a pull request for those.

You need to change

audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*

into

audit.filter.alfresco-api.post.AuthenticationService.authenticate.args.userName=~System;~null;~synchronizer;.*‍

This is because - as I said - audit filters only work on inbound data, and for the login use case the inbound data comes from the alfresco-api data producer and only if it is not rejected does it get mapped into the alfresco-access audit application. See the definition of alfresco-access path mapping for reference.

Years ago I filed MNT-10070 for better (easier to use) audit filter support but Alfresco has not really implemented that - instead they focused on a small thing in that ticket, fixed that and called it "done".

View solution in original post

4 Replies
afaust
Master
‎2 Feb 2017 10:03 PM

Re: Alfresco 4.2 Audit Filter

Jump to solution

The audit filter can only filter the audit events if they actually contain the specific property to filter on. Filtering is performed on the inbound data. Since that inbound data does not contain the "user" property (instead it contains "loginUser") the event passes the user filter.

0 Kudos
luca
Established Member
‎3 Feb 2017 8:34 AM

Re: Alfresco 4.2 Audit Filter

Jump to solution

Hi Axel,

thanks for your help, but reading this guide is not clear what I have to write down. I looked also in AuditComponentImpl, but I see that it never checks PropertyAuditFilter because it is searching for a property named audit.filter.alfresco-api.post.AuthenticationService.default.enabled or audit.filter.alfresco-api.pre.AuthenticationService.authenticate.default.enabled but it doesn't find anything.

Can you please tell me what is the right configuration if I want to audit only READ and DELETE actions and exclude user synchronizer?

By the way, I used also your cleanAlfPropTables-PostgreSQL.sql and build it as a function. Now I wanted to contribute back, but don't know how. I have forked your repository, cloned mine locally, added the cleanAlfPropFunction-PostgreSQL.sql and pushed back in my repository.

How can I make a pull request?

0 Kudos
afaust
Master
‎3 Feb 2017 8:51 AM

Re: Alfresco 4.2 Audit Filter

Jump to solution

The clean up script has been integrated into Alfresco 5.x. Since mine is just a Gist I don't know if there even is a way to create a pull request for those.

You need to change

audit.filter.alfresco-access.login.user=~System;~null;~synchronizer;.*

into

audit.filter.alfresco-api.post.AuthenticationService.authenticate.args.userName=~System;~null;~synchronizer;.*‍

This is because - as I said - audit filters only work on inbound data, and for the login use case the inbound data comes from the alfresco-api data producer and only if it is not rejected does it get mapped into the alfresco-access audit application. See the definition of alfresco-access path mapping for reference.

Years ago I filed MNT-10070 for better (easier to use) audit filter support but Alfresco has not really implemented that - instead they focused on a small thing in that ticket, fixed that and called it "done".

luca
Established Member
‎3 Feb 2017 9:31 AM

Re: Alfresco 4.2 Audit Filter

Jump to solution

Thank you very much for pointing me out alfresco-access path mapping. Now I understand much better what to put as filter configuration.

Also your configuration works as you said, thank again!

0 Kudos
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.