Hello,

do you know any good Java library for audit logging? Or at least a good book/article to help choose a good approach to building an audit log for an application?

Library requirements:
- define common audit metadata (userId, time, IP, ...)
- define audit message types (transaction sent, message received, ...)
- lock/sign individual audit messages (for non-repudiation)
- search audit log based on metadata
- etc.

Edit:
I'm not looking for an automated solution, I'm perfectly happy with calling something like:

AuditEvent event = new TransactionSentEvent(userId, account, amount, ...);
AuditLog.audit(event);

The point is to have the infrastructure behind it - safe storage to database, non-repudiation etc.

+2  A: 

If you are using Java, one way is to use the Spring Framework and AOP. This is the most flexible option. Here is an example, http://books.google.com/books?id=Libjk0Oa87QC&pg=PA249&lpg=PA249&dq=springframework+audit+log&source=bl&ots=03Mh9O7CvZ&sig=P1Acl2pOj_5HF8FGt-EY6Yzq0ng&hl=en&ei=VlObTLHmCcKclgfv4tXjCQ&sa=X&oi=book_result&ct=result&resnum=8&ved=0CDUQ6AEwBw#v=onepage&q=springframework%20audit%20log&f=false

You can also do it at database level using Hibernate, http://java.dzone.com/articles/using-a-hibernate-interceptor-

surajz
If I had to do it again, I would do it like this. However, you must structure your business logic very _cleanly_ for this to work, as method interception does not always give you details obtained inside a method (e.g. if you look up an account inside a method and want to audit some non-id property of the account (like current value), it won't be available to the interceptor) -- thus you must split the method into two -- so that all properties you want to audit are in method interceptor scope.
Justin
Thanks for your answer - in fact I'm more looking for "higher level" auditing than method or class level.
krtek
+1  A: 

You can use the AspectJ library without Spring, via annotations.

Yes, that is true, forgot to mention that. Thanks.
surajz
A: 

A good approach to business/operation level logging is to determine what exactly you need to log. You have already done that.

You don't really need any new framework or AOP to add. However, you have some extra requirements which prevent you from using the common logging frameworks such as Log4J or java.util.logging without creating more work.

The easiest approach I can think of is to have an Audit class that has a JDBC connection injected or configured in it. This can be done through Spring if you are already using that framework. If you don't have a DI container then you need to define this as a singleton.

Another thing you need is a capability of signing. Java has a java.security.Signature to sign and verify data.

As I said earlier you have requirements that prevent you from using the available logging frameworks. That is:

  • search audit log based on metadata

For you to facilitate searching you need to store data in a database as writing to a text file will be difficult to do. Using the logging frameworks you have to learn the API and be tied to the framework which is not part of the standard.

Archimedes Trajano
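
A sketch of the signing step this answer points to, added here as an example and not part of the original answer: each audit row is signed with java.security.Signature over a length-prefixed encoding of its metadata. Going one step beyond the answer, each row also covers the previous row's signature so that a deleted or reordered row is detectable. The record fields, event type names and sample values are assumptions; it needs Java 16+ for records, and the in-memory key stands in for one held in a keystore or HSM outside the audit database.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

public class SignedAuditDemo {
    // One audit row as it would be stored in the database (field names are assumptions).
    record AuditRecord(String userId, String ip, Instant time, String type,
                       String detail, String prevSig, String sig) {}

    // Length-prefixed encoding so field boundaries cannot be shifted ("ab"+"c" vs "a"+"bc").
    static byte[] canonical(String... fields) {
        StringBuilder sb = new StringBuilder();
        for (String f : fields) sb.append(f.length()).append(':').append(f).append('|');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    static AuditRecord sign(PrivateKey key, String userId, String ip, Instant time,
                            String type, String detail, String prevSig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(canonical(userId, ip, time.toString(), type, detail, prevSig));
        String sig = Base64.getEncoder().encodeToString(s.sign());
        return new AuditRecord(userId, ip, time, type, detail, prevSig, sig);
    }

    static boolean verify(PublicKey key, AuditRecord r, String expectedPrevSig) throws GeneralSecurityException {
        if (!r.prevSig().equals(expectedPrevSig)) return false; // a row was removed or reordered
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(canonical(r.userId(), r.ip(), r.time().toString(), r.type(), r.detail(), r.prevSig()));
        return s.verify(Base64.getDecoder().decode(r.sig()));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair(); // demo key only
        Instant t = Instant.parse("2024-01-01T10:00:00Z"); // constructed sample data
        AuditRecord a = sign(kp.getPrivate(), "u42", "10.0.0.5", t, "TRANSACTION_SENT", "acct=1;amount=100", "");
        AuditRecord b = sign(kp.getPrivate(), "u42", "10.0.0.5", t.plusSeconds(5), "MESSAGE_RECEIVED", "id=7", a.sig());
        AuditRecord edited = new AuditRecord(a.userId(), a.ip(), a.time(), a.type(), "acct=1;amount=9", "", a.sig());
        System.out.println("row 1 intact:         " + verify(kp.getPublic(), a, ""));
        System.out.println("row 2 intact:         " + verify(kp.getPublic(), b, a.sig()));
        System.out.println("row 1 detail edited:  " + verify(kp.getPublic(), edited, ""));
        System.out.println("row 2 after deletion: " + verify(kp.getPublic(), b, ""));
    }
}
```

The metadata stays in ordinary columns, so the search requirement is met by normal SQL queries, while the signature column is what a verifier recomputes. A key held by the application itself only shows that the row was not altered after writing; it does not prove which user performed the action.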
A: 

So, if you are looking for a framework, you could try logback-audit. It is by the folks who are behind the Java logging library, logback.

jkl
Thank you! I was looking for this...
krtek