Unable to view audit logs in Policy Manager
search cancel

Unable to view audit logs in Policy Manager


Article ID: 42916


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway




The Gateway Audit Viewer in the Layer 7 Policy Manager is used to review audit records stored in the Gateway cluster database. This database is used to store recent audits locally for troubleshooting and support purposes. In development and testing environments, it is useful for audits to be immediately available to administrators and policy authors for testing and debugging purposes. In production systems, it is not recommended that audits be saved to the Gateway cluster databases as the quantity and size of audits can consume all available database and Gateway storage.

To avoid this, Layer 7 Technologies recommends implementing the Gateway internal audit sink policy. This allows the Gateway to route audit records to external storage facilities to retain them in accordance with our customers' regulatory, fiduciary, and legal requirements.


The main issue that occurs is the Gateway Audit Viewer will suddenly show no audits or no recent audits, even though the Gateway is successfully processing traffic. Additionally, a count of the number of records in the Gateway database's audit table indicates no audits are being generated.


Typically, this behavior occurs because an administrator has disabled the Internal Audit System. To verify that the Internal Audit System is enabled, open the?Manage Log/Audit Sinks task in the Layer 7 Policy Manager. Select the?Manage Audit Sink?button. Inspect the Save audit records to Gateway database?check box. If unchecked, the Gateway is utilizing the?Internal Audit Sink Policies?to route audit records to an external destination.

Additionally, you can determine if the Internal Audit System was disabled by checking the Gateway log files or Gateway syslog output for the following string: INFO 63 com.l7tech.server : Internal Audit System disabled

Lastly, this issue can occur if the Gateway's system or hardware clock is signfiicantly offset from the workstation accessing the Layer 7 Policy Manager. This can be caused by the time, date, or time zone of the Gateway being set improperly. This is especially likely in virtual appliances that have been restored from snapshots or migrated from other environments where the memory is preserved--resulting in stale and incorrect time and date settings.


The resolution will vary based upon the issue presenting. If the Gateway Audit Viewer is not showing audits because the Gateway is not recording audits to the local database, then re-enable the?Save audit records to Gateway database check box. You can confirm the behavior is re-enabled through the Gateway log files or syslog output for the following string:?INFO 63 com.l7tech.server : Internal Audit System started

If the time and date settings is the cause, then correcting the discrepancy should resolve the issue



Component: APIGTW