Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

How to enable the JBoss EAP 7 management audit log

November 17, 2023
Francisco De Melo Junior
Related topics:
JavaSecurity
Related products:
Red Hat JBoss Enterprise Application Platform

Share:

    This article explains how to enable and use the management audit log in Red Hat JBoss Enterprise Application Platform (JBoss EAP) 7.

    The management audit log is used to register admin functions and it is created in the $JBOSS_HOME/standalone/data/ $JBOSS_HOME/domain/data/ directory. It logs all operations performed using the management console, command-line interface (CLI), or custom application using the Management API, as described in the JBoss EAP 7.4 configuration guide. Consult the JBoss EAP security configuration documentation to learn about the security audit logging logs authentication success and failures.

    Management audit log versus security audit log

    The security audit log (or the Elytron audit log in WildFly) is used for security operations. Elytron's audit log is created in $JBOSS_HOME/standalone/logs.

    The management audit log is used to register admin functions; this log is created in the $JBOSS_HOME/standalone/data/ directory.

    How to set the management log

    The following JBoss CLI commands enable management logging:

    /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
    /core-service=management/access=audit/logger=audit-log:write-attribute(name=log-boot,value=true)
    /core-service=management/access=audit/logger=audit-log:write-attribute(name=log-read-only,value=true)
    

    For the XML configuration file, you can use the following format (you will find the file audit-log.log in the data directory):

    <audit-log>
                <formatters>
                    <json-formatter name="json-formatter"/>
                </formatters>
                <handlers>
                    <file-handler name="file" formatter="json-formatter" relative-to="jboss.server.data.dir" path="audit-log.log"/>
                </handlers>
                <logger log-boot="true" log-read-only="false" enabled="true">
                    <handlers>
                        <handler name="file"/>
                    </handlers>
                </logger>
            </audit-log>

    The audit logs are inside the management context, essentially inside the core-management subsystem:

        <management> <!--- biggest context -->
            <security-realms>
                <security-realm name="ManagementRealm">
                   ....
                </security-realm>
                <security-realm name="ApplicationRealm">
                ...
            </security-realms>
            <audit-log> <!--- audit log -->
                ...
            </audit-log>

    The configuration above has the following properties: enabled, log-boot, and log-read-only. These audit log operations are defined as follows:

    • enabled: If true, the management operations will be recorded in the log.
    • log-boot: Use true to log the management operations when booting the server, false otherwise.
    • log-read-only: If enabled, all operations will be added to the audit log.

    Use cases and usage

    A user can get the audit logs, view the operation and the corresponding timestamp, and respond accordingly. Here are a few real-world use case examples:

    • Which user deployed and undeployed a specific application, what was the timestamp, and on which host?
    • Someone disabled HTTP/2 (HTTP upgrade) in JBoss EAP by mistake, and now the Enterprise Java Beans (EJB) remote communication is not working—which user was that and what time did it occur?
    • What are the realms and endpoints configured in the server?
    • What time was a certain property/subsystem changed?

    However, audit log isn't typically used for the exact order of deployment (starting) of the subsystems, given that the EAP 7 subsystem start order is not defined, except for specific dependencies; thus, that would not be useful.

    Of course, as you can see, a management audit log can be very useful for several scenarios, but it gets complex because during boot, some initialization operations will happen, like here:

    "operation" : "add",
    "address" : [{"subsystem" : "undertow"},
        {"server" : "default-server"},
        {"host" : "default-host"},
        {"setting" : "http-invoker"}], "security-realm" : "ApplicationRealm"},

    Here is an example of removing one deployment:

       2021-11-04 21:02:03 - {
           "type" : "core",
           "r/o" : false,
           "booting" : false, <----- wasn't done in boot time
           "version" : "7.4.1.GA", <----- version
           "user" : "celine", <----- user, yes, the user is celine
           "domainUUID" : null,
           "access" : "HTTP", <----- http access
           "remote-address" : "/127.0.0.1",<----- url
           "success" : true,  <----- succeed
           "ops" : [{
               "operation" : "remove",
               "address" : [{
                   "deployment" : "jboss-helloworld-singleton.war" <----- deployment
               }],
               "operation-headers" : {
                   "access-mechanism" : "HTTP",
                   "caller-type" : "user"
               }
           }]
       }

    How do we properly parse JSON blocks to capture relevant security events showing date/time, user, and type of change? The capture data is written in the audit logs via the file handler; you can use any tool you think is necessary. The server deployment part of this is to feed the audit.log with information.

    What are some of the keywords that you can search to identify security-related changes? Searching relevant terms directly on the audit.log. Also, the user can create scripts and use log aggregators to make it easy for you to find any terms you think is necessary.

    There are several relevant terms; the user, ops, timestamp, etc., will depend on what your needs. You can parse with any tool you use to view the logs, like a log aggregator, to see any piece of information your team think is relevant.

    The EAP management audit system is highly customizable, and the logs can record events on the EAP side. (Note that developing aggregators or custom scripts is beyond the scope of the support team; this would require engaging consulting services.)

    I've summarized the output details below. They are also are explained in the latest WildFly documentation and referenced in Enabling JBoss EAP Management Audit Log and increasing its level.

    • timestamp: The timestamp that the operation happened.
    • type: This can have the values core, meaning it is a management operation, or jmx, meaning it comes from the JMX subsystem (see the JMX subsystem to configure the JMX subsystem's audit logging).
    • r/o: true if the operation does not change the management model, false otherwise.
    • booting: true if the operation was executed during the bootup process, false if it was executed once the server is up and running.
    • version: The version number of the WildFly/EAP instance.
    • user: The username of the authenticated user. In this case, the operation has been logged via the CLI on the same machine as the running server, so the special $local user is used.
    • domainUUID: An ID to link together all operations as they are propagated from the Domain Controller to IT servers, Host Controllers, and Host Controller servers.
    • remote-address: The address of the client executing this operation.
    • success: true if the operation succeeded, false if it was rolled back.
    • ops: The operations being executed; this is a list of the operations serialized to JSON. At boot, this will be all the operations resulting from parsing the XML. Once booted, the list will typically just contain a single entry.

    JBoss EAP 7 audit logs

    The JBoss EAP 7 audit logs can register admin functions and later verify them. In other words, the audit.log file will register all operations performed with the management console, management CLI, or custom application that uses the Management API.

    Additional resources

    For any other specific inquiries about working with audit logs, please open a case with Red Hat support. Our global team of experts can help you with any issues.

    Related Posts

    • The road to JBoss EAP 8

    • Automate and deploy a JBoss EAP cluster with Ansible

    • A visual guide to deploying JBoss EAP on AWS

    • JBoss EAP 7 Domain deployments - Part 1: Set up a simple EAP Domain

    • Elytron: A New Security Framework in WildFly/JBoss EAP

    • Load balancing Red Hat JBoss Enterprise Application Platform subclusters with mod_cluster

    Recent Posts

    • Migrating Ansible Automation Platform 2.4 to 2.5

    • Multicluster resiliency with global load balancing and mesh federation

    • Simplify local prototyping with Camel JBang infrastructure

    • Smart deployments at scale: Leveraging ApplicationSets and Helm with cluster labels in Red Hat Advanced Cluster Management for Kubernetes

    • How to verify container signatures in disconnected OpenShift

    What’s up next?

    Learn how to deploy applications to multiple application servers via Tomcat, JBoss Enterprise Application Platform, and Wildfly with the IntelliJ IDE extension.

    https://developers.redhat.com/learn/java/deploy-applications-middleware-servers-jboss-eap-wildfly-tomcat-intellij-ide-extension
    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue