(Available from File Fabric version 1803)

Implementing the Audit Event Stream Handler

The Enterprise File Fabric provides audit events that can be viewed in the browser and exported for compliance. These audit logs can also be written to syslogs.

Sometimes you want external systems, for example an intrusion detection system, to process the audit events in real time. The File Fabric lets you write your own handler that processes these events as they occur and integrates them with other systems.

Implementing Audit Event Stream Handler

You will need to implement AuditEventHandlerInterface. Sample code is provided below to get you started. You only need to implement one method, handleEvent. An audit event data object (SMEAPP_Audit_Event in the sample below) is passed to this method and contains the event data.

Sample Code
<?php

/**
 * Class SampleAuditEventHandler
 *
 * This is an example Event Handler that receives event notifications and publishes them
 * to a local file called audit.log
 *
 */
class SampleAuditEventHandler implements AuditEventHandlerInterface
{
    /**
     * Handles an event from the audit stream
     *
     * @param SMEAPP_Audit_Event $auditEvent
     */
    public function handleEvent(SMEAPP_Audit_Event $auditEvent)
    {
        // Append one line per event to the log file
        file_put_contents(
            '/var/www/smestorage/auditevents/audit.log',
            sprintf(
                'New audit event. User: %s, Type: %s, IP: %s, Date: %s, Tool: %s, Log: "%s"',
                $auditEvent->getActor(),
                $auditEvent->getEventType(),
                $auditEvent->getIp(),
                $auditEvent->getDate()->format(DATE_RFC822),
                $auditEvent->getTool(),
                $auditEvent->getLog()
            )."\n",
            FILE_APPEND
        );
    }
}



Configuring Audit Event Stream

  • SSH to the appliance and su to the smestorage user.

  • Copy SampleAuditEventHandler.php to /var/www/smestorage/auditevents/ (if the folder does not exist, create it).

  • Add the following line to /var/www/smestorage/public_html/config.inc.php

var $audit_event_handler_path = '/var/www/smestorage/auditevents/SampleAuditEventHandler.php';



Things To Be Careful About

  • The handler code is part of the main execution path, so your handler must process each event quickly. Do not wait on I/O or do heavy processing in the handler code.

  • We recommend that you publish the events to a message system or cache, e.g. Kafka or Redis, and consume them from there. This keeps the latency low.

  • The handler should not throw any exceptions or fail, as the code is executed in the main thread. Catch and deal with any errors gracefully.
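The following handler is an added example, not code from the File Fabric documentation or the product's code base. It follows the three recommendations above: it does no slow work in the request path, hands each event to a Redis list so that a separate consumer can forward it to an IDS or SIEM, and never lets a failure escape. It assumes PHP 7 or later, the phpredis extension (the Redis class) on the appliance, and a reachable Redis server; the host, port, list name, timeouts and fallback file path are constructed values, and the event getters are the ones used in the product's own sample above.

```php
<?php
// Added example: a non-blocking audit handler that publishes to Redis.
// Not part of the File Fabric product code. Assumes the phpredis extension
// and PHP 7+ (for \Throwable); connection details below are constructed.

class RedisAuditEventHandler implements AuditEventHandlerInterface
{
    // Constructed values: adjust for your own deployment.
    const REDIS_HOST      = '127.0.0.1';
    const REDIS_PORT      = 6379;
    const REDIS_LIST      = 'filefabric:audit';
    const REDIS_TIMEOUT   = 0.1; // seconds; a dead Redis must not stall the user's request
    const FALLBACK_FILE   = '/var/www/smestorage/auditevents/audit-fallback.log';

    /** @var Redis|null  one connection per PHP process, reused across events */
    private static $redis = null;

    /**
     * Called by the File Fabric for every audit event. Runs in the main
     * request path, so it must return quickly and must never throw.
     *
     * @param SMEAPP_Audit_Event $auditEvent
     */
    public function handleEvent(SMEAPP_Audit_Event $auditEvent)
    {
        try {
            $payload = json_encode(
                $this->toArray($auditEvent),
                JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR
            );
            // RPUSH is O(1); the slow work happens in the consumer, not here.
            $this->connection()->rPush(self::REDIS_LIST, $payload);
        } catch (\Throwable $e) {
            // \Throwable also catches engine errors; on PHP 5 use \Exception.
            $this->fallback($auditEvent, $e);
        }
    }

    /** Flattens the event using the getters from the product's sample handler. */
    private function toArray(SMEAPP_Audit_Event $auditEvent)
    {
        return array(
            'actor' => $auditEvent->getActor(),
            'type'  => $auditEvent->getEventType(),
            'ip'    => $auditEvent->getIp(),
            'date'  => $auditEvent->getDate()->format(DATE_ATOM),
            'tool'  => $auditEvent->getTool(),
            'log'   => $auditEvent->getLog(),
        );
    }

    /** Lazily opens the connection with short connect and read timeouts. */
    private function connection()
    {
        if (self::$redis === null) {
            $redis = new Redis();
            $redis->connect(self::REDIS_HOST, self::REDIS_PORT, self::REDIS_TIMEOUT);
            $redis->setOption(Redis::OPT_READ_TIMEOUT, self::REDIS_TIMEOUT);
            self::$redis = $redis;
        }
        return self::$redis;
    }

    /** Last resort: append a local one-line record so the event is not lost. */
    private function fallback(SMEAPP_Audit_Event $auditEvent, \Throwable $e)
    {
        self::$redis = null; // force a reconnect on the next event
        @file_put_contents(
            self::FALLBACK_FILE,
            sprintf(
                "%s REDIS_FAILED(%s) %s\n",
                date(DATE_ATOM),
                $e->getMessage(),
                json_encode($this->toArray($auditEvent), JSON_PARTIAL_OUTPUT_ON_ERROR)
            ),
            FILE_APPEND | LOCK_EX
        );
    }
}
```

Deploy it the same way as the sample (copy the file to /var/www/smestorage/auditevents/ and point $audit_event_handler_path at it). A separate consumer process, for example one that loops on BLPOP against the filefabric:audit list, then does the slow work of shipping events to the IDS or SIEM; if Redis is down, the fallback file gives you something to replay rather than a silent gap in the audit trail.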