==== Implementing the Audit Event Stream Handler =====
Last update: 22 June 2021
Access Anywhere provides audit events that can be viewed in the browser and exported for compliance. These audit logs can also be written to syslogs.
\\
Sometimes you may want to process the audit logs in real time by external systems e.g. intrusion detection systems. The Access Anywhere allows you to write your own handler to process these events and integrate with other systems.
\\
\\
=== Implementing Audit Event Stream Handler ===
You will need to implement __AuditEventHandlerInterface__. Sample code is provided below to get you started. You only need to implement one method __handleEvent__. A AuditEvent data object is passed to this method, that contains the data.
\\
\\
== Sample Code ==
$auditEvent->getActor(),
'eventType' => $auditEvent->getEventType(),
'ip' => $auditEvent->getIp(),
'date' => $auditEvent->getDate()->format(DATE_RFC822),
'log_str' => $auditEvent->getLog(),
'name' => $auditEvent->getName(),
'objid' => $auditEvent->getObjectId(),
'params' => $auditEvent->getParams()
];
file_put_contents(
__DIR__ . '/audit.log',
json_encode($itemToLog)."\n",
FILE_APPEND
);
}
}
\\
\\
=== Configuring Audit Event Stream ===
* SSH to Appliance and //su// to //smestorage// user
\\
\\
* Copy SampleAuditEventHandler.php to /var/www/smestorage/auditevents/ ( if the folder does not exist, create the folder).
\\
\\
* Add the following line to ///var/www/smestorage/public_html/config.inc.php//
\\
\\
var $audit_event_handler_path = '/var/www/smestorage/auditevents/SampleAuditEventHandler.php';
\\
\\
Once configured the Audit Log Stream can integrated into a variety of products that work with Audit log stream, such as an [[https://www.elastic.co/what-is/elk-stack|ELK Stack]]:
\\
\\
{{ ::elkstack.png?600 |}}
\\
\\
=== Things To Be Careful About ===
* The Handler code is part of main path of execution, your handler should process the event quickly. Do not wait for IO or do processing in the handler code.
\\
* We recommend that you publish the events to a message system or cache e.g. Kafka or Redis and then consume from the message system. This will keep the latency low
\\
\\
* The Handler should not throw any exceptions or fail as the code will be executed in the main thread. Catch and deal with any errors gracefully