What is the entity for Event Source in User Audit Event?
Is it some certain class, method, global, api, application or neither? If the entity is some of this what is the syntax?
Comments
Hi Dmitrij,
Is the documentation here and here helpful for answering your question? If not, could you please elaborate on what you are trying to do or find out?
I see that you tagged this as being about IRIS BI, but the kind of audit events with an Event Source, as discussed at the links above, are separate from the IRIS BI auditing options that you can read about here. If you have questions about IRIS BI auditing, please let me know.
Hi!
Thanks for your answer. I've read the docs through out couple times to find the explanation but did not find any. I'll try to express my self more crystal
Suppose i have some myUI app in my IRIS instance. This myUI using DeepSee REST API to get the data. I need to get track of any activity on that UI at any time (in general when a user requests the data)
What should i need as the audit source?
myUI? Some endpoint from API? Some class executing by this endpoint?
Documentation says:
"Event Source*
The component of the InterSystems IRIS instance that is the source of the event. For InterSystems IRIS events, this is “%System” or “%Ensemble”. For user-defined events, the name can be any string that includes alphanumeric characters or punctuation, except for colons and commas; it can begin with any of these characters except for the percent sign. This can be up to 64 bytes."
Ok, what string? How any random string can be serve as audit source? Same for the audit type
I get that the string represents my app or part of it, but how that will track actions from myUI?
Audit does not happen automatically. For some record to appear in the Audit log you need to call the following method:
Do $SYSTEM.Security.Audit(EventSource,EventType,Event,EventData,Description)
So in order for the REST-calls of the REST API to be audited you need to add the call above in the REST API
EventSource in this case is anything you specify when calling the Audit() method. Later, in the Audit Database UI you can filter by this EventSource
Thank you, @Alexander Koblov !
Should the developer of the REST.API service call this method everytime, or there is a way to understand whether the Audit is on for the particular REST.API service?
"Should the developer of the REST.API service call this method everytime" Yes!
"there is a way to understand whether the Audit is on for the particular REST.API service? " See if there are User audit events defined in the system that look like the ones that responsible for this REST service. If no -- then likely there are no audit events
Thank you, @Alexander Koblov !
Thanks for the answer. If i understand correctly, this specific line should be place inside REST API for make audit to work? So, if i don't have any access to the REST API code the desired audit is not possible?
Correct!
See though "Event Class" in the web-application definition. That's subclass of %CSP.SessionEvents. You can create such class, override OnStartRequest. And put some logic there
Thank you so much. You were very helpful.
As others in this thread have said, custom audit events from applications are added to the Audit Log using a call to $system.Security.Audit(). The events must be defined ahead of time in the Portal, using Configure User Events. All events (system and custom) have a 3-part name: Source, Type, and Name. I think of these parts as Main Category, Subcategory, and Name.
The person(s) defining the custom events can choose all 3 parts of the name, in order to categorize all the custom events they're defining. So you could use Source = ABC, Type = DEF, and Name = XYZ. The names are totally up to you. Once defined, the event gets added by some code calling $system.Security.Audit("ABC", "DEF", "XYZ").
💡 This question is considered a Key Question. More details here.