Audit

Minimum version required

The features described on this page require EZproxy 3.6c GA (2006-03-10) or later.

Overview

Audit is a position-independent config.txt/ezproxy.cfg directive that enables the auditing of specific EZproxy events.

When recording audit events, EZproxy creates a directory named audit in the directory where EZproxy is installed, and within that directory creates files named for the year, month, and day on which the event occurred (e.g. 20080314.txt). Audit events can be viewed from the /admin EZproxy administration page.

Audit events record date, time, event type, source IP, username, EZproxy session identifier, and event-specific details. A new audit file is created every day.

Many libraries prefer to limit the timeframe over which such information is retained. The AuditPurge directive allows you to specify the number of audit files that should be retained, allowing the automatic deletion of older audit files.

Configuration

Audit should be followed by one or more of the events to be audited. Multiple events should be separated by spaces.

Event                   Description
BlockCountryChange      The IP address of an active session changed, and the country associated with the new IP address did not match the country associated with the old IP address, so access was blocked. This event only occurs if Option BlockCountryChange and Location directives appear in config.txt. This event requires EZproxy 5.1b GA or later.
Info.usr *              User audit event generated by the action Audit. This event requires EZproxy 5.1b GA or later.
Most                    Most is a special value that indicates that all of the following events that are marked with an asterisk (*) should be audited.
Login.Denied *          User denied access based on a Deny directive in user.txt. This event may be suppressed by using Deny -NoAudit filename. This event requires EZproxy 5.1b GA or later.
Login.Success *         Successful attempt to log in to EZproxy.
Login.Success.Groups    Groups to which the user was assigned (augments Login.Success event; not recorded separately). This event requires EZproxy 3.6f GA or later.
Login.Failure *         Failed attempt to log in to EZproxy.
Login.Intruder.IP *     Intrusion attempts based on the IntruderIPAttempts directive.
Login.Intruder.User *   Intrusion attempts based on the IntruderUserAttempts directive.
System *                General system activities that do not fall under other audit event categories (e.g. system startup).
Unauthorized *          Unauthorized attempts to access administrative features of EZproxy (e.g. /admin).
UsageLimit *            Events resulting from the UsageLimit directive.

Sample use

The most common use for Audit is:

Audit Most

which enables the auditing of the events that are marked with an asterisk (*).

To enable the most common events plus one extra such as Login.Success.Groups, you can use:

Audit Most Login.Success.Groups

To enable the most common events except one such as Unauthorized, you can use:

Audit Most -Unauthorized
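
Once Audit Most is enabled, the daily files in the audit directory can be reviewed with a short script. The following is an added example, not part of the EZproxy documentation: it flags source IPs with repeated Login.Failure events or any Login.Intruder.* event, and notes logins that succeeded after the failures. The tab-separated layout, the single date/time column, the threshold and all sample values are assumptions made for the example.

```python
from collections import defaultdict

# Assumed layout (not stated on the page): one event per line, tab-separated,
# a single date/time column, then the fields in the order the Overview lists.
FIELDS = ["when", "event", "ip", "username", "session", "details"]

# Constructed sample of one day's audit file (all values are made up).
SAMPLE_AUDIT = "\n".join([
    "2008-03-14 09:00:01\tSystem\t\t\t\tStartup",
    "2008-03-14 09:12:40\tLogin.Failure\t198.51.100.7\tasmith\t\t",
    "2008-03-14 09:12:44\tLogin.Failure\t198.51.100.7\tbjones\t\t",
    "2008-03-14 09:12:49\tLogin.Failure\t198.51.100.7\tcwu\t\t",
    "2008-03-14 09:13:02\tLogin.Success\t198.51.100.7\tcwu\tSESSION-A\t",
    "2008-03-14 09:20:10\tLogin.Failure\t203.0.113.20\tdlee\t\t",
    "2008-03-14 09:20:31\tLogin.Success\t203.0.113.20\tdlee\tSESSION-B\t",
    "2008-03-14 10:05:00\tLogin.Intruder.IP\t192.0.2.55\t\t\t",
])


def parse_audit(text):
    """Yield one dict per audit line, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t", len(FIELDS) - 1)
        if len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))


def review_logins(events, threshold=3):
    """Return source IPs with >= threshold Login.Failure events or any
    Login.Intruder.* event, noting logins that succeeded after the failures."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "success_after": [], "intruder": False})
    for ev in events:
        s = stats[ev["ip"]]
        if ev["event"] == "Login.Failure":
            s["failures"] += 1
            s["users"].add(ev["username"])
        elif ev["event"].startswith("Login.Intruder."):
            s["intruder"] = True
        elif ev["event"] == "Login.Success" and s["failures"] >= threshold:
            s["success_after"].append(ev["username"])
    return {ip: s for ip, s in stats.items()
            if s["failures"] >= threshold or s["intruder"]}


if __name__ == "__main__":
    for ip, s in review_logins(parse_audit(SAMPLE_AUDIT)).items():
        print(ip, s["failures"], sorted(s["users"]), s["success_after"], s["intruder"])
```

To use it on real data, pass the text of a day's file from the audit directory to parse_audit and adjust FIELDS if your files are laid out differently.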

Advanced example

An example of how to combine all of the security features of EZproxy appears at Securing Your EZproxy Server.