
Where is the Audit log for AppMon 7.0 server?

rolf_gunnar_mah
Contributor

We run AppMon 7.0 on Linux. In 6.5 we had the audit log in Audit.0.0.log, but in 7.0 I cannot find this file. I cannot see this change in the docs for 7.0.
I can see SecAudit-FrontendServer.1.log and SecAudit-BackendServer.1.log on dT server 7.0, which are binary files. Any hints?

8 REPLIES

arihant_polavar
Dynatrace Pro

Hello Rolf,

Have you tried opening the SecAudit files on the AppMon Client itself? Those are much more readable and easy to consume. Here's a screenshot of what it looks like on our server.

Hope this helps,

Ari

I can try this, but I use Splunk to capture logs and that worked so great in 6.5

I'm not sure why the format was changed to be honest. We almost exclusively consume the audit log files through the client.

asahoo1
Organizer

We have the same issue. We used to analyze the data in Audit logs using Splunk. After the 7.0 upgrade, we can't consume the data in Splunk. Is there any plan to get the Audit log output back in a text file?

Thanks,

Abhaya

christian_gusen
Newcomer

Hi,

we changed the audit log format because we had to meet some security requirements (see Payment Card Industry Data Security Standard). So we're encrypting the log entries now. There are plans to support sending the audit log entries to log servers directly in future releases, too, but I can't give you any dates here.

Meanwhile, if you don't care about audit log security you can deactivate the encryption of the log files using a so-called "audit.config.xml" file:

<?xml version="1.0" encoding="UTF-8"?>
<dynatrace version="7.0.5.1003">
  <secauditconfig memento.version="7.0.5.1003"
      eventlogformattype="1"
      maxlogfilesize="10485760"
      logfilepath="../log/server"
      transporttype="1"
      certificateid=""
      retentiontime="105" />
</dynatrace>

Paste the above content into a new server/conf/audit.config.xml file on the server, then stop the server, remove (maybe backup?) the existing SecAudit*.log files and start the server again. Then you should get plain audit log entries. Note, the (plain) log entry format has changed, too.

The parameter called "eventlogformattype" in the audit.config.xml should be set to "1" for unencrypted/plain log entries or to "2" for encrypted log entries.

Hope that helps,
Christian.
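
For anyone sweeping servers after this change, here is a check of which mode a given audit.config.xml selects. It is an added example, not part of the post above and not Dynatrace code; it relies only on the element name and the eventlogformattype values quoted in the thread, and the function names are made up for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Values of eventlogformattype as stated in the thread above.
FORMAT_TYPES = {"1": "plain", "2": "encrypted"}

# Constructed sample: the audit.config.xml content quoted in the thread.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<dynatrace version="7.0.5.1003">
<secauditconfig memento.version="7.0.5.1003"
eventlogformattype="1"
maxlogfilesize="10485760"
logfilepath="../log/server"
transporttype="1"
certificateid=""
retentiontime="105" />
</dynatrace>
"""


def audit_log_mode(xml_bytes):
    """Return (mode, logfilepath) for an audit.config.xml document."""
    root = ET.fromstring(xml_bytes)
    node = root.find("secauditconfig")
    if node is None:
        raise ValueError("no <secauditconfig> element found")
    raw = node.get("eventlogformattype")
    # Anything other than the two documented values is reported, not guessed.
    mode = FORMAT_TYPES.get(raw, "unknown")
    return mode, node.get("logfilepath")


def report(xml_bytes):
    """One-line finding suitable for a compliance sweep across servers."""
    mode, logdir = audit_log_mode(xml_bytes)
    if mode == "plain":
        return f"WARN: audit log entries are written unencrypted under {logdir}"
    if mode == "encrypted":
        return f"OK: audit log entries are encrypted under {logdir}"
    return "REVIEW: eventlogformattype is missing or not 1/2"


if __name__ == "__main__":
    # Usage: python check_audit_config.py server/conf/audit.config.xml
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(report(data))
```

A WARN result means the plain SecAudit files in that directory, and whatever forwards them to Splunk, need their own access controls.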

It worked just fine. Thanks

Rolf Gunnar

tarjei
Organizer

Any update on forwarding the encrypted files?


Hi,

I'm afraid that remote logging currently has a very very low priority. And as long as customers do not request it, it will not be implemented.

Regards,
Christian.