My goal is to audit deletion of authorities in Alfresco. When audit logging is enabled (which generates a lot of log entries), deleting a group results in these log entries (shortend):
/alfresco-api/pre/AuthorityService/deleteAuthority/args/name=GROUP_test_group_for_audit
/alfresco-node/beforeDeleteNode/node=workspace://SpacesStore/a4f5e9bb-6584-4997-a550-6080d0dce177
/alfresco-api/post/AuthorityService/deleteAuthority/args/name=GROUP_test_group_for_audit
/alfresco-api/post/AuthorityService/deleteAuthority/no-error=null
If I understand the documentation correctly, an audit XML file like this should record the first event:
<?xml version='1.0' encoding='UTF-8'?>
<Audit
xmlns="http://www.alfresco.org/repo/audit/model/3.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.alfresco.org/repo/audit/model/3.2 alfresco-audit-3.2.xsd"
>
<DataExtractors>
<DataExtractor name="simpleValue" registeredName="auditModel.extractor.simpleValue"/>
</DataExtractors>
<DataGenerators>
<DataGenerator name="currentUser" class="org.alfresco.repo.audit.generator.AuthenticatedUserDataGenerator"/>
<DataGenerator name="personFullName" class="org.alfresco.repo.audit.generator.AuthenticatedPersonDataGenerator"/>
</DataGenerators>
<PathMappings>
<PathMap source="/alfresco-api/pre/AuthorityService/deleteAuthority" target="/deleteAuthority"/>
</PathMappings>
<Application name="DeleteAuthority" key="deleteAuthority">
<AuditPath key="deleteAuthority">
<RecordValue key="name" dataExtractor="simpleValue" dataSource="/deleteAuthority/args/name"/>
</AuditPath>
</Application>
</Audit>
Note that in the source of the PathMap I use the path /alfresco-api/pre/AuthorityService/deleteAuthority as it appears in the first log entry. This looks correct to me, even though I am quite unsure how the Application element should look.
Putting this into the XML file tomcat/shared/classes/alfresco/extension/audit/alfresco-audit-deleteAuthority-extractors.xml registers the application correclty:
$ curl -u 'admin:secret' http://alfresco:8080/alfresco/service/api/audit/control
{
"enabled" : true,
"applications":
[
{
"name": "Alfresco Tagging Service",
"path" : "/tagging",
"enabled" : true
}
,
{
"name": "DeleteAuthority",
"path" : "/deleteAuthority",
"enabled" : true
}
,
{
"name": "alfresco-access",
"path" : "/alfresco-access",
"enabled" : true
}
]
}
But when I now delete a group, nothing is recorded. A query for the application returns an empty result:
$ curl -u 'admin:secret' http://alfresco:8080/alfresco/service/api/audit/query/DeleteAuthority
{
"count":0,
"entries":
[
]
}
Question: Is my above audit application configuration correct? How would I have to change it to generate audit entries for the deletion of authorities?
Your path-mapping section is correct, your application definition though is not set correctly to track the correct path. You probably should try something like :
<?xml version='1.0' encoding='UTF-8'?>
<Audit
xmlns="http://www.alfresco.org/repo/audit/model/3.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.alfresco.org/repo/audit/model/3.2 alfresco-audit-3.2.xsd"
>
<DataExtractors>
<DataExtractor name="simpleValue" registeredName="auditModel.extractor.simpleValue"/>
</DataExtractors>
<DataGenerators>
<DataGenerator name="currentUser" registeredName="auditModel.generator.user"/>
</DataGenerators>
<PathMappings>
<PathMap source="/alfresco-api/pre/AuthorityService/deleteAuthority" target="/deleteAuthority"/>
</PathMappings>
<Application name="DeleteAuthority" key="deleteAuthority">
<AuditPath key="deleteAuthority">
<RecordValue key="authority" dataExtractor="simpleValue" dataSource="/deleteAuthority/args/name" dataTrigger="/deleteAuthority/args/name"/>
<GenerateValue key="deletingUser" dataGenerator="currentUser"/>
</AuditPath>
</Application>
</Audit>