
Caché audit log analysis using Caché (DeepSee)

Caché ships with more than the database server itself: the distribution also includes DeepSee, a technology for real-time business intelligence. Using it is the fastest way to add OLAP functionality to your Caché application.

The installation also includes an audit subsystem with a web interface, support for custom event types, and an API for use in application code.

Below the cut is a small example of using these two subsystems together to answer the question: who did what, and when, in the information system?

Audit subsystem


The audit subsystem registers events occurring in the system. The Caché Management Portal provides a ready-made web interface for it: search, filtering, export, purging, and so on. Application code can use auditing through the API: the Security.Events class registers event types, %SYS.Audit holds the events themselves, and %SYSTEM.Security.Audit() is a convenience method for recording an event. By default the audit subsystem is inactive; it is enabled through: Management Portal - System Administration - Security - Audit.
Below is an example of a page with several buttons; each click on a button is registered in the audit database.
An example of the use of auditing in the application code
/// An example of the use of the audit subsystem in the application code
Class habra.audit Extends %CSP.Page
{

/// Registration of application (user) event types
ClassMethod EventTypesRegister() As %Status
{
    #; Event types are registered through a class from the %SYS system area.
    set ns = $namespace, $namespace = "%SYS"

    #; set status = ##class(Security.Events).Create(Source, Type, Name, Description)
    set statusC = ##class(Security.Events).Create("habra", "audit", "create", "Create event example")
    set statusR = ##class(Security.Events).Create("habra", "audit", "read", "Read event example")
    set statusU = ##class(Security.Events).Create("habra", "audit", "update", "Update event example")
    set statusD = ##class(Security.Events).Create("habra", "audit", "delete", "Delete event example")

    #; return to the original namespace; the result is true only if all four calls succeeded
    set $namespace = ns
    set status = (statusC && statusR && statusU && statusD)

    Quit status
}

/// A simple page with a few buttons.
ClassMethod OnPage() As %Status
{
    &html<<!DOCTYPE html>
<html><head></head><body>

<h3>Hello, #($username)#!</h3><hr>

<form method='post'>
<button name='create'>Create</button>
<button name='read'>Read</button>
<button name='update'>Update</button>
<button name='delete'>Delete</button>
</form>

</body></html>>

    Quit 1
}

/// Parse form parameters
ClassMethod OnPreHTTP() As %Boolean [ ServerOnly = 1 ]
{
    #; the form will send to the server the only parameter - the name of the button
    #; http://[server]/[app]/[class]?name=
    set name = $order(%request.Data(""))  ; find out which button caused the send

    #; save to audit log (Source, Type, Name, EventData, Description)
    #; name comes from the request, so it matches a registered event only for the four buttons above
    set status = ##class(%SYSTEM.Security).Audit("habra", "audit", name, "pressed the button", "1984")

    Quit 1
}

}



DeepSee Business Intelligence Technology


DeepSee includes a variety of tools for building data warehouses and for analyzing and visualizing data: a user portal, reports, printing, export, and so on. It uses the Caché security and audit subsystems. There are various ways to integrate DeepSee with almost any application, from the terminal to the web.

One of the features of DeepSee is the ability to run analytics on operational data. This is achieved through background synchronization of the cube with your application data. To enable it, the DSTIME and DSINTERVAL parameters are defined in the data class. When the class is compiled, Caché generates additional code that registers changes. When synchronization starts, only a small part of the cube data is updated, and synchronization can be performed immediately after changes in the OLTP classes, which makes it possible to speak of “real-time” business analysis.

To use the background cube update in our example, you need to add the DSTIME and DSINTERVAL parameters to the %SYS.Audit system class and compile it.
Changes in %SYS.Audit


Together


After preparing the namespace (the ^CacheAuditD global must be mapped into it) and configuring the web application accordingly for working with DeepSee, we proceed to the definition of the cube.

We specify the source class that holds the data. Its properties form the basis for defining the cube's dimensions. In the %SYS.Audit class, the Username, Event and UTCTimeStamp properties store the information needed to answer the questions posed at the beginning of the article. The Username property defines the Who dimension, the Event property defines the What dimension, and the UTCTimeStamp property defines the When dimension. The default measure is the number of records.

After the cube is compiled and initially built, various data slices (pivot tables) are configured in DeepSee Analyzer. They, in turn, become the data source for visual components (widgets). Widgets are combined into dashboards, and users are given access to them. The user portal lets users work with dashboards without programming.


Based on the analysis of the audit log, you can easily see that one user is more likely to delete data in the system than another. On a real system, with a large number of events and users, this information would be difficult to identify by simply viewing the audit log. By including additional data in the cube, you can get a lot of other “interesting” information about the work of users in the system. The main thing is to be able to ask the right questions.
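The Who / What / When pivot and the "who deletes more than others" question described above, modelled in plain Python as an added example (it is not DeepSee and not part of the original article). The rows are constructed sample data; the "YYYY-MM-DD HH:MM:SS" timestamp format, the 1.5x threshold and the minimum event count are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data: user -> {event: count}. Expanded below into rows of
# (Username, Event, UTCTimeStamp), the three %SYS.Audit properties the article
# maps to the Who / What / When dimensions.
_SPEC = {
    "alice": {"create": 3, "read": 3, "update": 1, "delete": 1},
    "bob": {"read": 1, "delete": 5},
    "carol": {"delete": 1},
}
AUDIT_ROWS = [
    (user, event, f"2015-05-{18 + i % 2:02d} 10:{i:02d}:00")
    for user, events in _SPEC.items()
    for event, n in events.items()
    for i in range(n)
]

_DIMS = {
    "who": lambda r: r[0],
    "what": lambda r: r[1],
    # When is rolled up to the day level (assumed timestamp format).
    "when": lambda r: datetime.strptime(r[2], "%Y-%m-%d %H:%M:%S").date().isoformat(),
}


def pivot(rows, *dims):
    """Count records per combination of dimension values (the default measure)."""
    return Counter(tuple(_DIMS[d](r) for d in dims) for r in rows)


def delete_share(rows):
    """Fraction of each user's audited events that are 'delete'."""
    totals = pivot(rows, "who")
    deletes = pivot([r for r in rows if r[1] == "delete"], "who")
    return {key[0]: deletes[key] / n for key, n in totals.items()}


def outliers(rows, factor=1.5, min_events=5):
    """Users whose delete share exceeds `factor` times the overall delete share.

    Users with fewer than `min_events` records are skipped: one delete out of
    one event is a 100% share but says nothing about behaviour.
    """
    overall = sum(1 for r in rows if r[1] == "delete") / len(rows)
    totals = pivot(rows, "who")
    return sorted(
        user for user, share in delete_share(rows).items()
        if totals[(user,)] >= min_events and share > factor * overall
    )
```
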


Useful links:
more about DeepSee
example sources
display of the DeepSee portal on mobile devices

Source: https://habr.com/ru/post/258289/

