Using the Auditing Service Policy
Learn how to create and configure an Auditing Service policy.
For information about using policies in the context of the developer portal, see Business Policies.
Table of Contents
- Creating an Auditing Service Policy
- Configuring an Auditing Service Policy
- Auditing Service Policy Options
- Auditing Service policy use cases
The Auditing Service policy allows you to specify conditions under which messages will be audited.
Note: In versions prior to 2019.0.0, the platform did not support attaching multiple auditing policies to a service or API; for example, Basic Auditing policy or Detailed Auditing policy. In 2019.0.0 and later you can set up Basic Auditing for successful messages and Detailed Auditing for error conditions.
Creating an Auditing Service Policy
The first step in creating a policy is to define the basic policy information.
To add an operational policy
- Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
- Click Add Policy.
- Choose the policy type and click Next.
- Specify a name (required) and description (optional) and click Finish. At the Completion Summary, click Close. The Add Policy Wizard creates a draft policy instance that you can then configure on the Policy Details page.
For more information, see Add Policy.
At this point, you've created the policy, but it doesn't do anything. The next step is to configure the policy details. See Configuring an Auditing Service Policy below.
Configuring an Auditing Service Policy
Once you've created the policy, you can configure the policy details that determine how the policy works. Then you can activate the policy so that it can be used.
To configure an Auditing Service policy in Policy Manager
- In the Organization Tree, find the level where the policy was defined. Click to select.
- In the center pane, in the Auditing Service Policy section, click Modify. The Modify Auditing Service Policy overlay is displayed, as shown below.
- Specify values for the messages you want to apply the policy to, the audit identities, and the reporting options. For details on field values, see Auditing Service Policy Options below.
- Click Apply.
Now that the policy is defined, you can activate it and start using it. On the right, under Actions, choose Activate Policy.
Auditing Service Policy Options
On the Auditing Service Policy Options page, you can specify:
- Audit Messages: Which messages the policy is applied to.
- Audit Binding: Which bindings the policy is applied to.
- Audit Identities: Which identities the policy is applied to.
- Reporting Options: How policy exceptions are reported.
Refer to the field descriptions below.
Use this section to identify which messages should be audited. The Audit Messages section includes two main options:
- Audit All Messages: Enables the auditing of all messages.
- Filter Messages: Filter settings determine which messages are audited. Options:
Exchanges resulting in an error: Audits only messages with errors.
Percentage of exchanges: Audits a random sample of messages based on a specified percentage. If you choose this option, specify an integer percentage from 1 to 99.
Filter by message content: Allows you to filter the messages to be audited by providing one or more regular expressions, JSONPath expressions, or XPath expressions. If message content matches the specified expressing, auditing is triggered.
Note: Initially, only the XPath option is available, since auditing is performed on the normalized message. If you choose to apply auditing at the binding level (see Audit Binding below), the additional options appear.
The XPath option includes a table where you can define Prefix and Namespace for each XPath expression. Click Add or Delete to modify the list. You can also sort the list by clicking the table header. Allows you to filter the messages to be audited by An example is shown below.
The XPath option includes a table where you can define Prefix and Namespace for each XPath expression. Click Add or Delete to modify the list. You can also sort the list by clicking the table header.
Audit Messages: additional options
The Audit Messages section includes the following additional checkboxes:
- Audit Input Message: Enables the auditing of input messages.
- Audit Output Message: Enables the auditing of input messages.
- Audit Fault Message: Enables the auditing of fault messages.
- Audit Contract: Enables the auditing of a contract governing a message.
- Audit Message Size: Enables the auditing of the size of messages in the exchange.
API Platform Version: 2018.0.0 and later
Use this section to identify that the message binding should be audited. If you check Audit Binding, the policy settings apply to the entire message binding. If you check Audit Transport, you can specify one or more transport headers to exclude.
For example, you could use this option to exclude the authorization cookie so that it isn't recorded in the logs.
Note: When the binding checkbox is selected, the Auditing Service policy is applied at the binding level. At that point, the content can be in any format, so it can be filtered in multiple ways. In this scenario, in the Audit Messages section, RegEx, XPath, and JSONPath are available options. If the policy is applied at the service level (Audit Binding option is cleared) then auditing is performed on the normalized exchange. Since normalized exchanges are always XML, in this scenario only XPath is available in the Audit Messages section.
The Transport Header table stores a list of transport headers to be audited. Click Add or Delete to modify the list. You can also sort the list by clicking the table header.
Checking this box enables the auditing of specified identities included in a request message. Options:
- Audits the consumer identity sent with a request message.
- Audits the end-user identity sent with a request message.
- Additional Subject Categories
- Audits the identity associated with one or more specified Subject Categories sent with a request message. If you choose this option, you can create one or more user-defined subject categories that you want to use. You can also add or delete from the table.
The following reporting options are available:
- Indicates that audit information should be logged.
- Indicates that audit information should be delivered in an alert event.
Auditing Service policy use cases
Use cases are available for the following policies, which are implementations of the Auditing Service policy:
- Basic Auditing Policy: see Basic Auditing Policy: use case for Policy Manager
- Detailed Auditing Policy: see Detailed Auditing: Audit Entire Message and Message Metrics
- Detailed auditing on failure, basic auditing on success (2019.0.0 and later): see Detailed Auditing on failure, Basic Auditing on success