Skip to main content

Audit trails

The information provided in an Audit Trail can be leveraged for user accountability, reconstruction of events, intrusion detection, and other operational issues. As such, Audit Trails are an indispensable tool for regulatory compliance (e.g. SOX).

For operations performed by users with Operator privileges or above, the Compose Audit Trail shows which user performed the operation, when it was performed, and on which objects.

Compose retains audit files for two weeks or until they reach a total size of 500 MB (50 files). You can change these settings through the command line interface (CLI) as described in Exporting Audit Trail files below.

Audit Trail files are located in the following folder:

<Installation_Directory>\data\AuditTrail\audit_service

You can also export an audit trail file for a specific time range, as described in Exporting Audit Trail files.

Audit trail information

Audit Trail files provide all or some of the following information:

  • Timestamp - The time when the row was inserted into the Audit Trail.
  • User - The user that performed the operation.
  • Node - The IP of the server on which the operation was performed.
  • Requested Action - The API method/function that was called.
  • Required Permission - The minimum role of the user that can perform the operation.
  • Effective Permission - The actual role of the user that performed the operation.
  • Security Result - Whether the user is allowed to perform the operation.
  • Action Result - The completion status of the operation (success of failure).
  • Error Message - The error message if the operation failed.
  • Task - The name of the task where relevant.
  • Notification - The notification defined for the operation (if defined).
  • Payload - A URL. To view payload information, simply copy the link from the Payload column and paste it into your browser's address bar.

    Payloads for some operations (e.g. RegisterLicense) contain sensitive information and need to be decoded. For information on decoding payloads, see Decoding an encoded payload.

  • Project Name - The name of the Compose project.

Audit Trail files are compressed and tamper-protected.

Exporting Audit Trail files

You can export an audit trail file with a record of activity for a specific time range. In Compose, there are two way of doing this:.

  • Using the management console
  • Using the CLI

You can also export audit trails using the ExportAuditTrail API method. For further information, see the Qlik Enterprise Manager Help and API Guide.

Exporting an Audit Trail file via the management console

You can use the Compose management console to export the audit trail as a CSV file.

To do this:

  1. From the Management drop-down menu, select Audit Trail. The Audit Trail window opens.

  2. From the Time Range drop-down list, select the desired time range. If you select Custom, set From and To values as well.
  3. Click Generate.

Depending on your browser settings, you will either be prompted for a download location or the file will be downloaded automatically to your preferred location.

Exporting an Audit Trail file via the CLI

You can use the Compose CLI to export the audit trail as a JSON file.

To do this:

  1. Open a command prompt as Admin and switch the path to <COMPOSE_INSTALL_DIR>\bin.

  2. Establish a connection to the Compose server by running the following command:

     

    ComposeCli.exe connect

     

  3. To export the audit trail, run the following command:

     

    ComposeCtl.exe generate_audit_trail --start_timestamp timestamp [--end_timestamp timestamp] --outfile full_path

    Example:  

    ComposeCtl.exe generate_audit_trail --start_timestamp 2020-06-30T16:15:00Z --end_timestamp 2020-07-14T16:15:00Z --outfile "C:\compose audit trails\audit.json"

     

    Where:

    • --start_timestamp is the date and time from which you want the audit trail to start, in UTC format.
    • --end_timestamp is the date and time on which you want the audit trail to end, in UTC format. This is optional. When not specified, the file will end at the latest audit trail record.
    • --outfile is the full path to the output file. If the path contains spaces, it should be enclosed in quotation marks.

Configuring Audit Trail size and retention

  1. Open a command prompt and change the working directory to:

    <COMPOSE_INSTALL_DIR>\bin

    Default:

    C:\Program Files\Qlik\Compose\bin

  2. Run the following command:

    ComposeCli.exe connect

    The following message should be displayed:

    ComposeControl Program completed successfully.

  3. Run the following command:

    ComposeCtl.exe audit_trail control --age weeks --size megabytes

    Where:

    • weeks is the number of weeks to retain the audit trail file (default 2 weeks).

    • megabytes is the maximum size of the audit file to retain (default 500 MB).

Decoding an encoded payload

Some audit records (e.g. RegisterLicenses) may contain an encoded payload. Encoded payloads are displayed as byte arrays and need to be decoded using Base64.

  1. Locate the payload URL in the audit record.

    Example payload URL, available in audit record in the cell marked 'Payload'

  2. Copy the URL into your browser's address bar and press [Enter]. A byte array will be displayed.

    Example byte array available after $type Byte $value

  3. Copy the byte array into a Base64 decoder and decode it.