Audit
Why is Audit important?
Audit logs allow EZproxy administrators to gain insight into a range of user and security related issues. The data collected in these logs is highly customizable and, when used with other security directives in your config.txt, can provide you with a picture of what limits should be set to strike a balance between security and providing your users with the access to the resources they need.
This information can be used to determine if users are regularly having difficulty accessing your EZproxy resources. If your audit logs reflect numerous failed attempts and denied access to EZproxy, consider providing more specific instructions via documentation or tutorials to teach your users how to access resources remotely.
Description
Audit is a position-independent config.txt directive that commands EZproxy to record the occurrence of specified auditing events. The logs created by this directive are placed in a directory named 'audit' within the EZproxy installation directory. Individual files are created daily and named by year, month, and day (e.g. 20190512). Audit events can be viewed from the /audit EZproxy administration page. For more information about viewing audit events, see /audit.
Some libraries prefer to limit the timeframe over which such information is retained. Adding the AuditPurge directive allows you to specify the number of audit files that should be retained, allowing the automatic deletion of older audit files.
Fields to customize events to be audited
Audit should be followed by one or more of the events to be audited. Multiple events can be entered, but should be separated by spaces. The description tells what action caused this event to be logged in the audit file.
Event | Description |
---|---|
BlockCountryChange | A user's access was blocked because the country of the IP address from which the session began changed after access to EZproxy was established. This event only occurs if Option BlockCountryChange and Location directives appear in config.txt. |
Info.usr* | Audit event defined by the EZproxy administrator. Info.usr will appear in the Event column, and the user defined text will appear in the Other column when the defined event occurs. |
IntrusionAPI.BadIP* | Intrusion API indicates the address is associated with a known pirate/hacker |
IntrusionAPI.Error* | An error occurred consulting the intrusion API (more information recorded in Other field); includes scenario in which SSL connection fails validation |
IntrusionAPI.None | Intrusion API responded that address is not in database (this event is not enabled by Audit Most and must be added explicitly, such as Audit Most IntrusionAPI.None) |
IntrusionAPI.Whitelisted* | Intrusion API responded that the address is whitelisted in their system (this event is not recorded if the address falls within a WhitelistIP range) |
Login.Denied* | User denied access based on a Deny directive in user.txt. This event may be suppressed from the audit logs by using Deny -NoAudit filename. |
Login.Success* | Successful attempt to log in to EZproxy. |
Login.Success.Groups | Groups to which the user is assigned are logged as part of the Login.Success event. |
Login.Failure* | Failed attempt to log in to EZproxy. |
Login.Intruder.IP* | Intrusion attempts based on the IntruderIPAttempts directive. |
Login.Intruder.User* | Intrusion attempts based on the IntruderUserAttempts directive. |
Most | Most is a special value that indicates that all of the events in this table marked with an asterisk (*) should be audited. |
Session.IPChange | A user established an EZproxy session from one IP address, and during that session the IP address changed. Depending on your users' network configuration, many of these messages could be recorded in messages.txt. Some institutions and network configurations will routinely change IP addresses in your session. |
Session.ReconnectBlocked* | An unauthenticated user attempted to connect to an existing session using the /connect request after the connect window had closed. See ConnectWindow for additional information. |
System* | General system activities that do not fall under other audit event categories (e.g. system startup). |
Unauthorized* | Unauthorized attempts to access administrative features of EZproxy (e.g. /admin). |
UsageLimit* | Events resulting from the UsageLimit directive. |
* Most commonly audited events.
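
The following is an added example, not part of the original documentation or of EZproxy itself. It reads a config.txt body, expands Most into the asterisked events from the table above, and reports which events remain unaudited, which event names are misspelled, and whether AuditPurge is set. The function name review_audit_config and the sample config are hypothetical; the example assumes directive and event names match case-insensitively, that lines starting with # are comments, and that events from multiple Audit lines are combined.

```python
# Event names copied from the table above.
# True marks the asterisked events that "Most" enables.
EVENTS = {
    "BlockCountryChange": False, "Info.usr": True, "IntrusionAPI.BadIP": True,
    "IntrusionAPI.Error": True, "IntrusionAPI.None": False,
    "IntrusionAPI.Whitelisted": True, "Login.Denied": True, "Login.Success": True,
    "Login.Success.Groups": False, "Login.Failure": True, "Login.Intruder.IP": True,
    "Login.Intruder.User": True, "Session.IPChange": False,
    "Session.ReconnectBlocked": True, "System": True, "Unauthorized": True,
    "UsageLimit": True,
}
_BY_LOWER = {name.lower(): name for name in EVENTS}

def review_audit_config(config_text):
    """Return (enabled, not_enabled, unknown, purge) for a config.txt body."""
    enabled, unknown, purge = set(), [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: # starts a comment
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "auditpurge" and args and args[0].isdigit():
            purge = int(args[0])               # number of audit files retained
        elif directive == "audit":             # position-independent: any line
            for arg in args:
                key = arg.lower()
                if key == "most":
                    enabled.update(n for n, starred in EVENTS.items() if starred)
                elif key in _BY_LOWER:
                    enabled.add(_BY_LOWER[key])
                else:
                    unknown.append(arg)        # likely a typo in config.txt
    not_enabled = sorted(set(EVENTS) - enabled)
    return sorted(enabled), not_enabled, unknown, purge

# Constructed sample config.txt fragment (not from a real installation).
SAMPLE = """\
# constructed sample
Audit Most IntrusionAPI.None
Title Example Database
Audit Login.Sucess
AuditPurge 180
"""

if __name__ == "__main__":
    on, off, bad, purge = review_audit_config(SAMPLE)
    print("enabled:", on, "\nnot enabled:", off)
    print("unrecognized:", bad, "\nAuditPurge:", purge)
```

A purge value of None in the result means no AuditPurge line was found, so audit files are never deleted automatically.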