Missing user logon events in the Logging when choosing AUDIT as filter
search cancel

Missing user logon events in the Logging when choosing AUDIT as filter

book

Article ID: 266529

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

We have a problem with our Logging .

For our Layer7 API Management systems we have a Log Sink for our internal Logging. This Log Sink is defined with:
Type: Syslog
Severity Threshold: Info
Filters: Category=Audits

We have installed: Layer7 API Gateway 10.1 CR03

When I login into Policy Manager our local ssg-Log shows (e.g) the following log-messages:2023-05-16T14:34:24.295+0200 INFO    390 com.l7tech.server.admin.AdminLoginImpl: User 'username ' logged in from IP 'xxx.xxx.xxx.xxx'.
2023-05-16T14:34:24.295+0200 INFO    390 com.l7tech.server.admin: User logged in

But our defined Logger didn't show all of this messages.  The message with which user logs in is not logged.

I thought all of these messages are audit-messages and should be sent to the log system with this logger configuration. But the log-message:
2023-05-16T14:34:24.295+0200 INFO    390 com.l7tech.server.admin.AdminLoginImpl: User 'username' logged in from IP 'xxx.xxx.xxx.xxx''.
doesn't appear in the LOG -system.

What do I need to change within our log sink configuration so that we also receive this message?

Environment

Release : 10.1

Resolution

Gateway events are talking about gateway management. 

Logging in via policy manager is privileged activity, and therefore related to gateway management rather than end user activity.

As a workaround you can create a log sink and filter on Package.

Create a new log sink include Gateway log and then add a filter type Package with com.l7tech.server.admin.AdminLoginImp

This will only log this specific message to this logger.