Implementing the Audit Event Stream Handler

Last update: 22 June 2021

Access Anywhere provides audit events that can be viewed in the browser and exported for compliance. These audit logs can also be written to syslog.

Sometimes you may want external systems, e.g. intrusion detection systems, to process the audit logs in real time. Access Anywhere allows you to write your own handler to process these events and integrate with other systems.

Implementing Audit Event Stream Handler

You will need to implement AuditEventHandlerInterface. Sample code is provided below to get you started. You only need to implement one method, handleEvent. An AuditEvent data object containing the event data is passed to this method.

Sample Code
<?php

/**
 * Class SampleFileAuditEventHandler
 *
 * An example event handler that receives event notifications and appends them
 * to a local file called audit.log as JSON, one event per line.
 */
class SampleFileAuditEventHandler implements AuditEventHandlerInterface
{
    /**
     * Handles an event from the audit stream
     *
     * @param SMEAPP_Audit_Event $auditEvent
     */
    public function handleEvent(SMEAPP_Audit_Event $auditEvent)
    {
        $itemToLog = [
            'actor' => $auditEvent->getActor(),
            'eventType' => $auditEvent->getEventType(),
            'ip' => $auditEvent->getIp(),
            'date' => $auditEvent->getDate()->format(DATE_RFC822),
            'log_str' => $auditEvent->getLog(),
            'name' => $auditEvent->getName(),
            'objid' => $auditEvent->getObjectId(),
            'params' => $auditEvent->getParams()
        ];

        // LOCK_EX keeps concurrent requests from interleaving partial lines
        file_put_contents(
            __DIR__ . '/audit.log',
            json_encode($itemToLog) . "\n",
            FILE_APPEND | LOCK_EX
        );
    }
}



Configuring Audit Event Stream

var $audit_event_handler_path = '/var/www/smestorage/auditevents/SampleAuditEventHandler.php';



Once configured, the Audit Log Stream can be integrated into a variety of products that work with audit log streams, such as an ELK Stack.
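The consuming side of that integration, as an added example that is not part of the original page or the product's own code: a Python reader for the JSON lines the sample handler appends to audit.log, which skips truncated lines and flags bursts of one event type from a single IP. The event type names, thresholds and sample records are constructed assumptions; substitute the values your installation actually emits.

```python
import json
from collections import defaultdict, deque
from datetime import timedelta
from email.utils import parsedate_to_datetime

def parse_line(line):
    """Return one audit record, or None for a blank, truncated or malformed line."""
    try:
        rec = json.loads(line)
        if not all(isinstance(rec[k], str) for k in ("eventType", "ip", "date")):
            return None
        rec["ts"] = parsedate_to_datetime(rec["date"])  # DATE_RFC822, two-digit year
    except (ValueError, TypeError, KeyError):
        return None
    return rec

def detect_bursts(lines, event_type, threshold=3, window=timedelta(minutes=5)):
    """Yield (ip, count, ts) whenever one IP reaches `threshold` events within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["eventType"] != event_type:
            continue
        seen = recent[rec["ip"]]
        seen.append(rec["ts"])
        while rec["ts"] - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            yield rec["ip"], len(seen), rec["ts"]

def make_line(event_type, ip, hms):
    """Build one line shaped like the sample handler's output (constructed data)."""
    return json.dumps({"actor": "alice", "eventType": event_type, "ip": ip,
                       "date": f"Tue, 22 Jun 21 {hms} +0000", "params": []})

# Constructed input: "login_failed" and "file_download" are assumed event type names.
SAMPLE = [
    make_line("login_failed", "203.0.113.7", "10:00:00"),
    make_line("login_failed", "203.0.113.7", "10:01:00"),
    make_line("file_download", "198.51.100.2", "10:01:30"),
    '{"actor":"bob","eventTy',  # truncated write, skipped by parse_line
    make_line("login_failed", "203.0.113.7", "10:02:00"),  # third in 5 min: alert
    make_line("login_failed", "198.51.100.2", "10:20:00"),
    make_line("login_failed", "203.0.113.7", "10:30:00"),  # earlier ones expired
]

if __name__ == "__main__":
    for ip, count, ts in detect_bursts(SAMPLE, "login_failed"):
        print(f"ALERT {ip}: {count} login_failed events by {ts.isoformat()}")
```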



Things To Be Careful About