Skip to main content

Security Audit Logging

Specific actions in CDM are audited so you can see which users are granted permissions for the application, reports, and so on, as well as who modifies application settings (for example, data source connections, workflow templates, and so on)

The application actions are logged by default in core.AuditLog, a CDM SQL DB table. However, you can configure CDM to log the actions in a log file as well.

Security audit logging is disabled by default when CDM is installed. To enable this feature, see Enable Security Audit Logging.

For logging to a database table, there is a buffer size of 100 set as the default (<bufferSizevalue="100" />), meaning, information is not written in the database until the threshold of 100 lines is reached. This setting can be modified.

Log messages contain:

  • The time, logging level, User ID and User Login ID of the user performing the operation, operation ID, operation type, action, message (details).
  • The Message column contents might be different depending on the operation type.
  • One row per action (for example, granting an entire suite of permissions to a user generates as many rows as the number of permissions granted).

These application actions are logged (regardless of what triggers them. In effect, Import Report triggers Report Permissions Assignment, Add Data Source, Add Data Query, Add Query Variable, Associate Data Query to Report):

  • Administration > Reports
    • Export Report
  • Administration > Security > Users
    • Add/Import new user
    • Activate/Inactivate User
    • Change Password
  • Administration > Security > Groups
    • Add/Import new group
    • Activate/Inactivate group
    • Autoregister On/Off
  • Administration > Security > Associate Users with Groups
    • Save
  • Administration > Security > Application Permissions
    • Add/Update/Remove User application permission
    • Add/Update/Remove Group application permission
  • Administration > Security > Report Permissions
    • Add/Update/Remove User report permission
    • Add/Update/Remove Group report permission
  • Administration > External Data
    • Add/Edit/Remove Data Source
    • Add/Edit/Remove Data Query
    • Preview Data Query
    • Add/Edit/Remove Query Variable
    • Add/Edit/Remove Query Association to Reports
  • Administration > Workflow > Workflow Templates
    • Add/Remove User Assignment to Workflow State
    • Add/Remove Group Assignment to Workflow State

Enable Security Audit Logging

You can enable security audit logging in CDM.

Security audit logging is disabled in default when CDM is installed. Perform these steps to enable the security audit logging feature.

  1. Open the Logging.config file on the computer where CDM Server is installed. The default location is C:\inetpub\wwwroot\CertentCDM-Server\Config.
  2. Locate the audit logging key and change the level value from OFF to INFO.
    <logger name="Ibm.CognosDM.BusinessLogic.Audit.AuditLog"additivity="false"> <level value="OFF" /> <appender-ref ref="AuditLogDatabaseAppender" /> </logger>

Configure Security Audit Logging to a File

You can configure security audit logging in CDM to put logging information in a file.

Security audit logging information is logged by default in core.AuditLog, a CDM SQL DB table. You can also configure CDM to place the information into a log file.

  1. Open the Logging.config file on the computer where CDM Server is installed. The default location is C:\inetpub\wwwroot\CertentCDM-Server\Config.
  2. Add the appender to log to file key to the file and give it these values:
    <appender name="AuditLogAppender" typee="log4net.Appender.RollingFileAppender"> <!--logfile: .\LogFiles\AuditLog.yyMMdd.log--> <file value="LogFiles\AuditLog"/> <datePattern value=".yyMMdd.'log'" /> <rollingStylevalue="Date" /> <encoding value="utf-8" /> <staticLogFileName value="false" /> <appendToFile value="true"/> <lockingModel typee="log4net.Appender.FileAppender+MinimalLock" /> <maxSizeRollBackups value="2" /> <maximumFileSize value="500KB"/> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%date{MM/dd/yyyy HH:mm:ss} Level:%-5levelLoginId:%X{currentUserId} CurrentUser:%X{loginId} OperationId:%X{operationId}Operation:%X{operationType} Action:%X{operationCrudTypes}Message:%message%newline%newline" /> </layout> </appender>
  3. Add the appender to log to file to the logger:
    <logger name="Ibm.CognosDM.BusinessLogic.Audit.AuditLog" additivity="false"> <level value="INFO" /> <appender-ref reff="AuditLogDatabaseAppender" /> <appender-ref reff="AuditLogAppender" /> </logger>

    The security audit logging information is now sent to a log file and the core.AuditLog database table.

  4. If you want to send the security audit logging information to only the log file, comment or delete the AuditLogDatabaseAppender appender and remove the reference of the database appender from the logger.

Was this article helpful?

We're sorry to hear that.