
Flat File - IBM WebSphere App Server v7 Audit Log

The IBM WebSphere Application Server (WAS) is built using open standards such as Java EE, XML, and Web Services.


The Agent flat file collection mechanism uses state tracking to reference the directory and retain the last log read from the file. You need the following information to configure collection of WebSphere Application Server Audit Logs:

  • The full path to the directory containing the flat files.
  • The LogRhythm System Monitor Agent that will collect the audit logs from the flat file.

Configure the WebSphere Application Server Audit Log

  1. Ensure the application server is running.
  2. From the left side of the administrative console, select Security, then click Global Security.
  3. Ensure Enable administrative security is checked under Administrative Security.
    If necessary, enable it and restart the application server.
  4. On the left, click Users and Groups, then click Administrative user roles.
  5. Click Add.
  6. Select Auditor from the Role(s) list.
  7. Assign a user to this role.
  8. Click OK.
  9. On the left, click Security, then click Security Auditing.
  10. Click Audit Monitor under Related Items.
  11. Under Notifications, click New.
  12. Enter Log_Notification for the notification name.
  13. Check the Message log box.
  14. Click OK.
  15. Check the Enable Monitoring box.
  16. Verify that Log_Notification is selected in the Monitor notification pull-down.
  17. Click OK.
  18. Check the Enable Security Auditing box.
  19. From the Audit subsystem failure action pull-down, select Log warning.
  20. From the Primary auditor user name, select the user that you assigned to the Auditor role in a previous step.
  21. Apply and save changes.
  22. Restart the server.
  23. To confirm that the log files are being created, go to the server's logs directory and verify that a file whose name starts with BinaryAudit exists.
  24. Make a note of this location for later use.

    For the remainder of this document, it will be referred to as <WebSphereDir>/logs/BinaryAudit*.

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. LogRhythm requires that a LogRhythm System Monitor Agent be used to collect the logs. The files being collected must be viewable on the host with the Agent using a standard file name path such as: /var/log/logfile.txt or C:\logs\logfile.txt.

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is Flat File - IBM WebSphere App Server v7 Audit Log. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the Flat File Settings tab, enter the following:
    • File Path. <WebSphereDir>/logs/BinaryAudit*

    • Date Parsing Format. Select existing IBM WebSphere Application Server v7 Audit Log (CreationTime = <DD> <MM> <d> <h>:<m>:<s> /w+ <yy>)

    • Log Message Start Regex. Seq = \d+
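
Before pointing the Agent at the directory, it can help to confirm that the audit file splits into records on the start regex and that each record carries a timestamp in the expected layout. The following is an added example, not LogRhythm or IBM code: the sample records are constructed, the fields other than Seq and CreationTime are assumed, and treating the start regex as anchored at the beginning of a line is an assumption.

```python
import re
from datetime import datetime

# Log Message Start Regex from the Flat File Settings on this page.
START_RE = re.compile(r"Seq = \d+")
# CreationTime layout: <DD> <MM> <d> <h>:<m>:<s> <zone word> <yy>
TIME_RE = re.compile(
    r"CreationTime = \w{3} (\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) \w+ (\d{4})")

# Constructed sample, not real audit data. Fields other than Seq and
# CreationTime are assumed for illustration.
SAMPLE = """\
Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL |
 RemoteAddr = 192.0.2.10 | CreationTime = Wed Jul 14 13:41:36 EDT 2010
Seq = 1 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | CreationTime = n/a
Seq = 2 | Event Type = SECURITY_MGMT_AUDIT | CreationTime = Wed Jul 14 13:42:01 EDT 2010
"""

def split_records(text):
    """Group lines into records; a line starting with START_RE opens a new one."""
    records, current = [], None
    for line in text.splitlines():
        if START_RE.match(line):          # assumption: regex anchors at line start
            if current is not None:
                records.append(current)
            current = line
        elif current is not None:         # continuation of the open record
            current += "\n" + line
        # lines before the first Seq header belong to no record and are skipped
    if current is not None:
        records.append(current)
    return records

def creation_time(record):
    """Return the record's CreationTime as a naive datetime, or None."""
    m = TIME_RE.search(record)
    if m is None:
        return None
    mon, day, hms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")

def check(text):
    """Return (record count, Seq headers of records with no parsable time)."""
    records = split_records(text)
    bad = [START_RE.match(r).group() for r in records if creation_time(r) is None]
    return len(records), bad

if __name__ == "__main__":
    print(check(SAMPLE))
```

Records listed in the second element of the result would reach the SIEM without a usable event time, so investigate them before relying on the source for audit timelines.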
