ActiveMQ 5.5: Audit Logging

The PCI DSS (Payment Card Industry (PCI) Data Security Standard) v2.0, specifies that all user actions must be audited, so they can be inspected later if needed. To be deployable in such environments, we added audit logging to ActiveMQ. In this article you can find the basics on how to configure and use it. Here, I’d like to expand the topic a bit and talk about add-ons you can find in Fuse Message Broker.

For starters, let’s quickly recap how it works. When enabled, by setting

-Dorg.apache.activemq.audit=true

system variable, all user (or to say management) actions will be logged. This basically means, that we will log all JMX commands and operations invoked using web console.

The implementation of audit logging in ActiveMQ is pluggable. A default one will just use the standard application log mechanism to store these logs (in ${ACTIVEMQ_BASE}/data/audit.log file by default). You can easily provide your own by log by implementing AuditLog interface and let the Java Service Loader to find it.

For the FuseSource flavor of ActiveMQ, we prepared some more goodness in this area. So if you deploy your broker in OSGi environment, like Apache Karaf, it will use OSGi platform infrastructure for audit logging. For starters, we will use OSGi service mechanism to lookup for the available audit loggers. Also, we provide a default implementation that uses OSGi event admin mechanism to sends audit logs as events to the org/fusesource/audit topic. A default topic handler is also provided, which simply logs the events in the log file. But with this solution, you can easily provide your topic handler that can process and store audit logs in any way that suits your environment.

In the future you can expect similar solution for the whole range of the FuseSource projects and unified way to handle the logs for the whole platform.

Leave a Reply