Log4j Audit Log

When using Admin CLI or Admin WS interfaces, you can configure Log4j for audit logging in the Application Server.

The following can be edited in JBOSS_HOME/standalone/configuration/standalone.xml:

XML
<subsystem xmlns="urn:jboss:domain:logging:1.2">
    ...
    <periodic-rotating-file-handler name="SignServer" autoflush="true">
        <formatter>
            <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
        </formatter>
        <file relative-to="jboss.server.log.dir" path="signserver.log"/>
        <suffix value=".yyyy-MM-dd"/>
        <append value="true"/>
    </periodic-rotating-file-handler>
    <periodic-rotating-file-handler name="SignServer_audit" autoflush="true">
        <formatter>
            <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
        </formatter>
        <file relative-to="jboss.server.log.dir" path="signserver_audit.log"/>
        <suffix value=".yyyy-MM-dd"/>
        <append value="true"/>
    </periodic-rotating-file-handler>

    <logger category="org.signserver">
        <level name="DEBUG"/>
        <handlers>
            <handler name="SignServer"/>
        </handlers>
    </logger>
    <logger category="org.ejbca">
        <level name="DEBUG"/>
        <handlers>
            <handler name="SignServer"/>
        </handlers>
    </logger>
    <logger category="org.cesecore">
        <level name="DEBUG"/>
        <handlers>
            <handler name="SignServer"/>
        </handlers>
    </logger>
    <logger category="org.signserver.server.log.SignServerLog4jDevice">
        <handlers>
            <handler name="SignServer_audit"/>
        </handlers>
    </logger>
    ...
</subsystem>

Masking Sensitive Properties

Masking of properties is applied to the audit log to reduce the risk of accidentally exposing sensitive data.

By default, the following properties are masked:

  • PIN

  • KEYSTOREPASSWORD

  • KEYDATA

For more information and configuration options, see Masking Sensitive Properties.